In a significant wake-up call for public-sector cybersecurity across the Nordics, the Danish Road Directorate (Vejdirektoratet) has announced sweeping new restrictions on the use of foreign softwareāspecifically targeting Russian-origin toolsāfollowing revelations that suppliers have for over a decade employed the Russian photogrammetry software Agisoft Metashape to map Denmarkās roads, bridges, and other critical infrastructure.
A Long-Standing Blind Spot
According to investigative reports by BĆørsen, Computerworld, and IngeniĆøren, Agisoft Metashapeādeveloped by a firm headquartered in St. Petersburgāhas been widely used by Danish contractors since at least the early 2010s to generate high-resolution 3D models of roads and bridges for the Road Directorate. While the agency itself did not directly procure or operate the software, its reliance on third-party vendors created an unmonitored vector for potential data exposure.
The issue came under scrutiny this year as European security agencies escalated warnings about Russian-developed software. Germany and Switzerland have already banned the use of Agisoft in public-sector projects, citing cybersecurity and espionage concerns. Now, Denmark is following suitāwith consequences that could reshape how public infrastructure contracts are awarded and monitored across the region.
From Oversight Gap to Strategic Shift
In a statement to Ritzau, the Danish Road Directorate confirmed it is implementing stricter contractual clauses that explicitly prohibit the use of software originating in āhigh-risk jurisdictions,ā with Russia at the top of that list. Going forward, all suppliers must certify compliance with Denmarkās national cybersecurity framework, and software provenance will be subject to audit.
āThe Danish Road Directorate emphasizes that while it did not itself use Russian software, it recognizes the systemic risk posed by unvetted tools in its supply chain,ā the agency said. āBased on threat assessments from the Danish Agency for Cyber and Information Security (CFCS, formerly the Danish Agency for Community Safety), there is a credible and significant risk of cyber espionage through deliberate backdoors or data exfiltration channels embedded in such software.ā
The agency warned that detailed geospatial dataāespecially of critical transport infrastructureācould be weaponized in hybrid warfare scenarios, used to plan cyberattacks, physical sabotage, or even influence strategic military planning in times of crisis.
Why This Matters Beyond Denmark
This development is a cautionary tale for Nordic governments and businesses alike. The Nordic region, known for its advanced digital infrastructure and high degree of public-private collaboration, has often prioritised efficiency and innovation over supply chain security. But the Danish case reveals a critical vulnerability: when contractors operate with minimal oversight on software sourcing, national security can be compromisedāeven without malicious intent.
āInfrastructure mapping may seem technical and benign, but in the hands of a hostile state actor, itās intelligence gold,ā says Dr. Lena Holm, a cyber-risk analyst at the Copenhagen Institute for Security Policy. āRussiaās long-standing interest in Western infrastructure is well-documented. The fact that this went unnoticed for over ten years shows how blind spots in procurement policy can become strategic liabilities.ā
A Broader European Trend
Denmarkās move aligns with the EUās 2023 Cyber Resilience Act and the updated NIS2 Directive, which require member states to enforce stricter due diligence on software used in critical sectors. Several Nordic countries are now reviewing similar exposures: Swedenās Transport Agency launched an audit of geospatial tools in October 2025, while Finlandās National Cyber Security Centre issued new guidance in November advising against all Russian- and Belarusian-origin software in public tenders.
Moreover, with NATO increasingly focused on hybrid threatsāincluding cyber and geospatial intelligence gatheringāthe Danish Road Directorateās response may set a precedent for how civilian infrastructure agencies contribute to collective defence.
What Nordic Businesses Should Do Now
For Nordic companies working with public infrastructureāwhether in construction, engineering, or digital servicesāthe Danish case is a stark reminder:
- Audit Your Software Stack: Know the origin, ownership, and data-handling practices of every tool in your workflowāespecially those processing geospatial or infrastructure data.
- Anticipate Stricter Procurement Rules: Expect public tenders to include mandatory cybersecurity annexes and software provenance requirements.
- Diversify Suppliers: Reduce dependency on single-source or geopolitically sensitive vendors. Open-source or EU-hosted alternatives (e.g., OpenDroneMap, Pix4D) are gaining traction.
- Engage with National Cyber Authorities: Proactively consult bodies like Denmarkās CFCS, Swedenās MSB, or Norwayās NSM for risk assessments before deploying new software.
Prospective Expectation
The Danish Road Directorate says it is now working with the Ministry of Transport and CFCS to develop a ātrusted software listā for infrastructure projectsāa move that could become a model for other Nordic agencies. Meanwhile, investigations into historical data exposure are ongoing, though officials stress there is no confirmed evidence of data exfiltration to date.
Still, in an era where digital infrastructure is inseparable from national security, the message is clear: convenience can no longer outweigh caution. As one senior Danish official put it, āWe map our roads to keep the country movingābut we must ensure weāre not also drawing a map for our adversaries.ā
ā Nordic Business Journal is the leading source for insight on Nordic economic policy, innovation, and security in an age of strategic competition.