Summary
As proposed, the Cloud and AI Development Act (CADA) is a directly applicable EU Regulation (COM(2026) 502 final), meaning it would bind Denmark immediately upon entry into force without the need for national transposition or implementing legislation. Denmark would be required to adopt a national cloud and AI strategy within one year, designate at least one data centre acceleration zone, and appoint a national competent authority to oversee the cloud sovereignty framework. For Danish public-sector bodies, this introduces mandatory risk assessments and procurement rules that restrict cloud services based on "Union assurance levels." Cloud providers and data centre operators would face new audit, recognition, and permitting obligations tied to these zones.
Detail
The proposed Cloud and AI Development Act (CADA), formally the proposal for a Regulation of the European Parliament and of the Council establishing a framework of measures for strengthening Europe's cloud and AI ecosystem (COM(2026) 502 final), represents a fundamental shift in the governance of digital infrastructure within the EU. Unlike a Directive, which requires Member States to transpose its goals into national law, a Regulation is directly applicable. As stated in Article 48, the Regulation "shall be binding in its entirety and directly applicable in all Member States." Consequently, once adopted, CADA would become part of the Danish legal order automatically, bypassing the traditional parliamentary process required for transposing directives.
For Denmark, this creates a unified legal baseline that aligns with other EU members but imposes specific, binding obligations on the state and its entities. The Act's primary goal, as defined in Article 1(1), is to establish a framework for strengthening the cloud and AI ecosystem through five measures: establishing Cloud and AI Leadership Initiatives; accelerating data centre deployment; enabling a sovereign cloud offer to safeguard public order; reducing dependencies on critical technologies; and fostering public-sector adoption.
The impact on Denmark can be broken down into three core areas of obligation: strategic planning, infrastructure deployment, and regulatory enforcement.
1. National Strategy and Coordination (Article 7)
Under Article 7, Denmark would be obligated to establish a "national cloud and AI strategy" within one year of the Regulation's entry into force. This is not merely a symbolic document; the strategy must include specific, actionable measures. According to Article 7(2), the strategy must cover:
- Key objectives and priorities for cloud and AI adoption, aligned with the "AI first" principle.
- Measures to accelerate development and adoption at national, regional, and local levels, particularly for public sector bodies, SMEs, and small mid-caps (SMCs).
- Support for the deployment of data centre capacity, focusing on high-value projects with high environmental and energy-efficiency standards.
- Investment in high-intensity computing infrastructure, including AI factories and quantum computers.
- Measures to support the development of cloud computing stack technologies built on open hardware and software to strengthen technological sovereignty.
Crucially, Article 7(4) mandates that these national strategies must be consistent with the associated digital targets established under the Digital Decade Policy Programme (Decision (EU) 2022/2481). Denmark would need to notify the European Commission of its strategy within three months of adoption and assess it at least every three years based on key performance indicators. The European Artificial Intelligence Board, established by the AI Act, would advise and assist Denmark in coordinating this strategy.
2. Infrastructure and Data Centres (Article 10)
Article 10 imposes direct duties on Denmark regarding physical infrastructure. If data centre capacity is being deployed within Danish territory, the state "shall designate at least one data centre acceleration zone" within six months of the Regulation's entry into force. These zones are specific areas where the deployment of data centres is facilitated through streamlined regulatory frameworks.
When designating these zones, Denmark must consider specific factors listed in Article 10(1), including:
- The location, dimension, and size of facilities.
- Available and future power grid capacity and the possibility of on-site clean energy generation.
- Network connectivity capacity.
- The ability to reuse waste heat.
- The preference for reusing brownfield sites over greenfield sites.
- Measures to accelerate permitting.
Furthermore, Article 10(2) requires Denmark to conduct a comprehensive analysis of the energy needs and greenhouse gas emissions impacts of these zones. This analysis must be reviewed at least every three years. The results must be reflected in national network development plans to ensure that grid investments anticipate future energy demands. This creates a direct link between Denmark's digital infrastructure expansion and its energy planning, ensuring that new compute capacity does not outstrip the grid's ability to support it sustainably.
3. Regulatory Oversight and Sovereignty (Article 25)
To enforce the Act's cloud sovereignty framework, Article 25 requires Denmark to designate one or more "national competent authorities" responsible for enforcing the Chapter on Autonomy (Title IV). Denmark could designate an existing authority or create a new one, but it must ensure this body has sufficient technical, financial, and human resources to supervise all cloud computing service providers within its competence.
The competent authority in Denmark would act as the primary point of contact for cloud providers seeking recognition. Under Article 25(4), the Member State in which the cloud computing service provider has its main establishment (i.e., where its head office or registered office is located) has "exclusive competence" for enforcing the sovereignty chapter. This means if a provider is established in Denmark, the Danish authority has exclusive jurisdiction, centralizing oversight and ensuring that Danish public bodies are buying into a verified, EU-wide standard of trust. These authorities would possess investigative powers, including the ability to require information and conduct inspections, and enforcement powers to order the cessation of infringements and impose fines.
What this means for you
The implications of CADA differ significantly depending on your role in the Danish digital ecosystem.
For Public-Sector Procurement Officers
The most immediate change for you is the introduction of mandatory procurement rules tied to sovereignty. Under the proposed framework, you can no longer choose cloud providers based solely on price or technical features. You must first conduct a risk assessment (as required by Article 29) to determine if your public sector activity contributes to the preservation of public order.
- Standard Services: If your activity is not deemed critical to public order, Article 30(2) requires you to use cloud computing services recognized as offering at least "Union assurance level 1." This is the baseline for trusted services.
- Critical Services: If your activity involves national security, defence, justice, or other high-risk areas identified in your risk assessment, Article 30(3) mandates that you "shall only procure and use services that have been recognised as offering Union assurance levels 2, 3, or 4." These higher levels require stricter controls, such as Union citizenship for personnel and stricter data localization.
You will also need to monitor the "central repository" established by the Commission to identify which providers are recognized. Additionally, you may be encouraged to use the "EuroCloud Federation," a mechanism allowing Danish public bodies to share idle cloud capacity with other EU public entities, potentially reducing costs and increasing resilience.
For Cloud Service Providers
If you provide cloud services to Danish public bodies, you must engage with the Danish national competent authority to seek recognition for your services.
- Level 1: You can self-assess your compliance with Level 1 criteria and issue an EU statement of conformity. However, unless you are an SME (which gets automatic recognition under Article 17(3)), you must submit this to the Danish authority for formal recognition.
- Levels 2-4: You must undergo independent third-party audits. These audits are rigorous, checking everything from the location of your data centres and personnel to your software supply chain transparency. You must prove that your data remains exclusively within the Union (unless explicitly authorized otherwise) and that you are not subject to the control of third-country entities that could compel data access.
For Data Centre Operators
If you are building or expanding data centres in Denmark, you should look for designated "acceleration zones." Operating within these zones offers significant advantages, including streamlined permitting processes. Article 13 states that the permit-granting procedure for data centre projects in acceleration zones "shall not exceed 12 months." However, you must adhere to strict sustainability requirements, using the key performance indicators defined in Delegated Regulation (EU) 2024/1364. You will also need to coordinate closely with Danish grid operators, as the state will be actively managing the energy integration of these zones.
Common misconceptions
"Denmark needs to pass a new law to make CADA work." This is incorrect. As an EU Regulation, CADA is directly applicable. While Denmark may issue guidance or administrative instructions to help public bodies comply, the legal obligations arise directly from the EU text. National parliaments do not need to transpose it into Danish statutes.
"All Danish public bodies must use the highest level of sovereign cloud." No. The framework is risk-based. Only activities identified as contributing to the preservation of public order (such as defence or critical infrastructure) require the higher assurance levels (2, 3, or 4). Standard administrative tasks may only require Level 1 assurance. The risk assessment determines the required level, preventing unnecessary cost and complexity for low-risk services.
"CADA replaces the GDPR or the AI Act." CADA complements these laws but does not replace them. The GDPR still governs the processing of personal data. The AI Act still governs the safety and fundamental rights risks of AI systems. CADA focuses specifically on sovereignty, operational resilience, and procurement of cloud infrastructure. A service must comply with all three regimes to be fully compliant in the Danish market.
"Only EU-based companies can provide cloud services to Denmark." Not necessarily. The criteria focus on control and jurisdiction, not just incorporation. A company incorporated in a third country could theoretically qualify for higher assurance levels if it can demonstrate that it is not subject to the control of a third country that could compel data access or service disruption. However, for Levels 3 and 4, the barriers for third-country controlled entities are extremely high, effectively limiting these tiers to providers with strong EU independence.
Official sources
- EU AI Act (Regulation (EU) 2024/1689)
- GDPR (Regulation (EU) 2016/679)
- Digital Decade Policy Programme (Decision (EU) 2022/2481)
This is general information about a draft EU regulation, not legal advice.