
Windows Autopatch Hotpatch: What It Doesn't Patch

Windows Autopatch's Hotpatch feature leaves third-party applications unpatched — here's the gap IT teams must close to stay compliant and secure.

Only 16% of organizations required to comply with NIS2 consider themselves fully compliant — a figure that has not moved in six months, according to CyberSmart’s April 2026 NIS2 Survey of 670 business leaders across Europe.

For Danish IT teams, a parallel deadline sharpens the pressure. Under the 2026 municipal budget agreement between the Danish government and KL, Danish municipalities must establish 4–5 regional shared IT service organizations by 1 January 2027.

The two deadlines converge at the same operational question: what evidence does your IT environment actually produce — and is it audit-ready?

The compliance gap is not a motivation problem. The barriers are practical: budget constraints, lack of implementation guidance, and insufficient internal expertise. The organizations closing the gap fastest are not the ones with the most tools. They are the ones with the clearest operational ownership of their endpoint compliance evidence stack.

Why NIS2 Compliance Is Stalling Across Europe

NIS2 entered into force in October 2024. Enforcement is already active in Belgium, Germany, France, and the Netherlands. Despite this, CyberSmart’s research shows the compliance rate has not improved.

Three patterns stand out for IT teams:

  • Compliance ownership is unclear. NIS2 requires documented controls across patch management, endpoint privilege management, device configuration governance, and vulnerability visibility — but in many organizations, no single team owns the evidence trail.
  • Tooling is fragmented. IT teams running separate solutions for patching, privilege management, driver updates, and vulnerability visibility cannot easily produce a unified compliance view.
  • Partner pressure is increasing. 42% of in-scope organizations have already been asked to demonstrate NIS2 status as part of standard due diligence. That pressure will only grow.

The organizations closing the gap fastest are not necessarily those with the most mature security programs. They are the ones with the clearest operational ownership and the most consolidated evidence stack.

The Danish Municipal IT Consolidation: What It Actually Means

The decision to consolidate municipal IT operations is not primarily about cost savings. KL’s own materials are explicit: the driver is cybersecurity. According to KL, one in four Danish municipalities experiences more than 200 attempted cyberattacks per day. The pro-Russian hacker group NoName057(16) targeted municipal websites repeatedly during the 2025 local elections.

The new regional IT service organizations will initially take over server and network infrastructure from the 98 municipalities. The ambition extends further: endpoint management, user administration, monitoring, and service desk by 2030.

The Consolidation Compliance Problem

Each new regional IT service organization will take on infrastructure from multiple municipalities — in some cases, up to 25. Each of those municipalities has operated its own patch stack, its own privilege management approach, its own driver update process, and its own mobile device management configuration.

The organizations that start the consolidation with fragmented tooling will pay twice: once during the transition, and again at the first NIS2 audit. The ones that establish a unified evidence stack from day one will have a structural compliance advantage that compounds over time.

What NIS2 Endpoint Compliance Actually Requires

NIS2 does not prescribe specific tools. It prescribes outcomes and documentation. For IT teams, that translates into four operational evidence requirements:

1. Patch and Application Currency

Which applications are installed across which endpoints, at which versions, and when were they last updated? For third-party applications — the software outside Windows Update — this requires an automated update process with a documented evidence trail.

2. Privilege and Access Control

Who has elevated access, under what policy, for how long, and with what logging? NIS2’s requirements around access management mean that standing local admin rights — the default in many municipal environments — represent a documented compliance gap. Just-in-time elevation with full audit logging is the operational standard the directive points toward.

3. Endpoint Configuration and Drift Visibility

Are security configurations consistent across the fleet? Is drift from the intended configuration state detected and remediated? Consolidated visibility into patch status, configuration posture, and vulnerability exposure enables an IT team to answer these questions in a time-pressured audit context.

4. Mobile Device Compliance

iOS, iPadOS, Android, and Windows devices all require documented enrollment, configuration, and policy enforcement. For municipal environments managing thousands of devices across schools, administration, and field services, mobile compliance is often the least documented layer of the endpoint estate.

How CapaOne Supports the Evidence Stack

CapaOne Endpoint Management Platform is built to produce the technical controls and evidence data points required by NIS2 compliance documentation. It operates as a complete endpoint management platform — standalone or alongside Microsoft Intune.

  • Application Manager automates third-party application updates across a governed catalog with staged rollouts and audit evidence, closing the patch-currency gap left open by OS-level tooling.
  • Privilege Manager enforces least-privilege with policy-based, just-in-time elevation and no standing local admin rights. Every elevation event is logged for governance review.
  • Security Monitor surfaces configuration drift and vulnerability insights across all endpoints, with exportable reports for auditors and leadership.
  • Mobile Manager unifies enrollment, configuration, compliance, and application delivery across iOS, iPadOS, Android, and Windows.

The platform consolidates endpoint operations, reporting, and compliance visibility into a single EU-hosted operational layer — built in Denmark, designed for GDPR alignment, and operated under European data sovereignty.

Danish Municipal Reference

Ishøj Kommune and Holbæk Kommune are both existing CapaOne customers. Ishøj Kommune uses CapaOne to manage 2,500+ endpoints across driver updates, device monitoring, and mobile device management:

“Today, CapaOne is an essential part of our IT preparedness. It ensures our devices are always up to date. Everything operates automatically — especially Mobile Manager, which has made a huge difference for us.” — Victor Bjørke, IT Systems Administrator, Ishøj Kommune

What to Establish Before the Consolidation Deadline

The 1 January 2027 deadline for establishing the new IT service organizations is closer than it appears. The transition work starts now — and the evidence requirements do not pause during it.

  • Audit your current evidence stack. For each NIS2 requirement area — third-party patch management, endpoint privilege control, device configuration posture, vulnerability visibility, and mobile device compliance — identify which tool produces which evidence, and whether that evidence is audit-ready or manually assembled.
  • Map your third-party application posture. List the most widely deployed applications across your municipality and confirm ownership, deployment cadence, and documentation for each. Applications outside Windows Update are the most common compliance gap.
  • Review privilege management policy. If standing local admin rights are still the default in your environment, that is a documented NIS2 gap — and a security exposure.
  • Establish a mobile compliance baseline. Before devices from multiple municipalities merge into a shared service organization, document the current enrollment, configuration, and policy state for iOS, Android, and Windows mobile endpoints.
  • Evaluate tooling consolidation early. Starting the new IT service organizations with fragmented endpoint management tooling means inheriting compliance debt. A unified evidence stack from day one reduces both transition costs and audit risk.

NIS2 compliance is not a reporting exercise. It is the operational outcome of daily IT practices that automatically enforce security and governance standards.

Ready to see how CapaOne handles this? Request a demo.
