Summary Under the proposed Cloud and AI Development Act (CADA), public-sector bodies in Denmark must align their digital transformation with a national strategy driven by the "AI first" principle, as required by Article 7. Procurement is strictly governed by Articles 29 and 30: all public bodies must procure at least Union assurance level 1, while activities identified as critical to "public order" (e.g., defence, justice, law enforcement) must procure only services recognised at levels 2, 3, or 4. Furthermore, Danish authorities must apply Union added value criteria in tenders (Article 32) and leverage the newly established Experience and Acceleration Centres for AI (Article 5) as primary entry points for support, skills, and access to European providers.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, represents a structural shift in how the EU governs the infrastructure beneath AI systems. For Denmark, as a Member State, compliance is not a passive administrative task but an active, multi-year programme of strategic alignment, risk assessment, and procurement reform. The proposal establishes a harmonised framework where national strategies drive adoption, and a tiered sovereignty framework dictates procurement choices.

1. The National Strategy and the "AI First" Principle (Article 7)

The foundation of CADA compliance in Denmark lies in the national strategy. Article 7(1) mandates that Member States establish national cloud and AI strategies within one year of the Regulation's entry into force. For Denmark, this document is the primary driver for public-sector adoption.

Article 7(2) explicitly requires these strategies to include key objectives and priorities for cloud and AI adoption, aligned with the "AI first" principle. As defined in the proposal's recitals and linked to the Apply AI Strategy, this principle "urges organisations to reflect on their business processes, considering the needs and opportunities offered by AI, while taking into account the potential risks."

For Danish public-sector bodies, this translates into three concrete obligations:

  • Strategic Consistency: Under Article 7(3), national strategies must be consistent with the objectives of CADA. Danish public entities must ensure their internal digital transformation plans are not developed in isolation but are fully aligned with the Danish national strategy. This strategy must outline specific measures to accelerate AI adoption at national, regional, and local levels, with a particular focus on public sector bodies.
  • Governance and Monitoring: The strategy must include a governance and monitoring framework (Article 7(2)(a)). Danish authorities are required to use this framework to track progress in AI integration across strategic sectors such as healthcare, energy, and mobility. This ensures that the "AI first" principle is not merely rhetorical but is measured against key performance indicators.
  • Support via Centres for AI: Crucially, Article 7(2)(b) mandates that the national strategy includes measures to support the broad deployment of AI by supporting Experience and Acceleration Centres for AI (Centres for AI). These centres are designated as the "entry points to the European AI innovation ecosystem." Danish public bodies must actively engage with these centres to access expertise, testing facilities, and skills training, rather than attempting to navigate the complex CADA landscape alone.

2. Procurement Obligations: Risk Assessments and Assurance Levels (Articles 29 & 30)

The most immediate operational impact of CADA on Danish public bodies is the introduction of a mandatory sovereignty framework. This framework is built on Union assurance levels (1 through 4) and is triggered by a national risk assessment.

The Mandatory Risk Assessment (Article 29)

Before any procurement decision can be made regarding cloud services, the Danish state must conduct a risk assessment. Article 29(1) requires Member States to carry out these assessments within one year of entry into force, and thereafter every two years.

The assessment must:

  • Identify Public Order Activities: Determine which public sector activities contribute to the preservation of public order. This explicitly includes sectors falling under Annex I or II of the NIS2 Directive, as well as areas of national security, internal security, external border management, defence, justice, or law enforcement (including the prevention, investigation, detection, and prosecution of criminal offences).
  • Determine Assurance Levels: Based on the sensitivity, criticality, and magnitude of data processed, and the risk of third-country access or service disruption, the assessment must determine which Union assurance level (2, 3, or 4) is appropriate for these identified activities.

Procurement Rules (Article 30)

Once the risk assessment is complete, Article 30 imposes strict procurement obligations on Danish contracting authorities:

  • The Baseline (Level 1): Under Article 30(2), Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognised as having Union assurance level 1. This is the mandatory minimum for all public-sector cloud procurement in Denmark.
  • The Public Order Requirement (Levels 2–4): Under Article 30(3), contracting authorities whose activities have been identified as contributing to the preservation of public order (e.g., the Danish Defence Command, the Danish Police, or the Danish Courts) must only procure cloud computing services recognised as having Union assurance levels 2, 3, or 4.

Derogations: Article 30(4) provides limited exceptions. Authorities may decide not to procure recognised services only if: (a) no adequate alternative exists in the central repository; (b) a similar procurement failed to receive suitable tenders in the previous year; or (c) applying the requirements would result in disproportionate cost. These exceptions are narrow and require strict justification.

3. Union Added Value and Innovation Procurement (Articles 32 & 33)

Beyond sovereignty, CADA aims to strengthen the European digital supply chain. Article 32 requires Danish contracting authorities to include Union added value as a non-price award criterion in public procurement procedures for innovative cloud computing services and AI systems.

When evaluating tenders, Danish authorities must assess:

  • The tenderer's contribution to strengthening the digital technology supply chain in the Union, including the use of software or hardware designed or manufactured in the Union.
  • The integration of technologies developed in the Union, including results from Union-funded R&D programmes.
  • The extent to which the service is delivered using critical computing, storage, and networking hardware components designed and/or manufactured in the Union.

Article 32(2) clarifies that these criteria must be "ancillary and not decisive" in the award of the contract, ensuring that technical and financial performance remain primary. However, they must be expressly set out in procurement documents.

Furthermore, Article 33 introduces a specific objective for innovation procurement. Member States must pursue an objective that at least 25% of their procurement for cloud computing services and AI systems be awarded to innovative SMEs. Danish authorities must monitor and report on this uptake annually, ensuring that the market remains open to smaller European providers.

4. Leveraging Experience and Acceleration Centres for AI (Article 5)

To facilitate this transition, Article 5 mandates that each Member State, including Denmark, establish Experience and Acceleration Centres for AI (Centres for AI). These centres build on existing European Digital Innovation Hubs and serve as the operational backbone for CADA implementation at the regional and local level.

For Danish public-sector bodies, these Centres for AI are not optional; they are the designated support mechanism. Their objectives include:

  • Scaling Use Cases: Supporting the integration and scaling-up of AI use cases in strategic public sectors.
  • Regional Adoption: Accelerating the broad adoption of cloud and AI technologies at regional and local levels, notably for SMEs, small mid-caps, and public sector bodies.
  • Ecosystem Connection: Helping organisations accelerate digital transformation by connecting them with European providers of cloud and AI technologies.

Public-sector bodies are encouraged to use these centres to access expertise, testing facilities, and skills training, thereby reducing the barrier to entry for adopting sovereign and compliant AI solutions.

What this means for you

For Danish public-sector procurement officers, IT directors, and strategic planners, CADA introduces a new compliance regime that requires immediate action:

  1. Align with the National Strategy: Ensure your department's digital roadmap is consistent with the Danish national cloud and AI strategy. Verify that your plans incorporate the "AI first" principle and that you are actively engaging with the national governance framework.
  2. Participate in Risk Assessments: Stay informed about the risk assessments conducted by the Danish government. These assessments will dictate whether your specific department falls under the "public order" category. If your activities involve law enforcement, defence, or critical infrastructure, you must prepare to migrate to Union assurance levels 2, 3, or 4.
  3. Audit Current Contracts: Review all existing and upcoming cloud contracts. Ensure that at a minimum, your provider is recognised under Union assurance level 1. If your department handles sensitive data, verify if your activities fall under the "public order" category. If so, you must migrate to Level 2, 3, or 4 providers. Article 29(6) allows for a reasonable transition period not exceeding 12 months for migration, but planning must begin immediately.
  4. Update Procurement Templates: Integrate Union added value criteria into your tender documents for innovative cloud and AI services. Ensure these criteria are linked to the subject matter and do not confer unrestricted freedom of choice. Consider setting aside lots or targeting SMEs to meet the 25% innovation procurement objective.
  5. Utilize Centres for AI: Do not navigate AI adoption alone. Engage with Denmark's designated Experience and Acceleration Centres for AI. Use them for technical advice, skills training for staff, and connections to trusted European providers. They are the designated entry points for support under the national strategy.

Common misconceptions

Misconception 1: CADA bans all non-EU cloud providers. Correction: CADA does not ban non-EU providers outright. However, for public-sector procurement, providers must meet specific Union assurance levels. Non-EU providers can qualify for Level 3 if the Commission adopts a decision recognising their third country as providing sufficient assurances (Article 18). For Level 1, the provider must be established in the Union, and infrastructure/data must remain in the Union unless explicitly required otherwise by the public body.

Misconception 2: "AI First" means replacing all human decision-making with AI. Correction: The "AI first" principle is about strategic consideration of AI opportunities in business processes, not total automation. It encourages public bodies to reflect on how AI can improve services while managing risks. Human oversight and fundamental rights protections remain paramount, especially under the AI Act and CADA's sovereignty framework.

Misconception 3: Union added value criteria will make procurement prohibitively expensive. Correction: Article 32 states that Union added value criteria are ancillary and not decisive in the award of the contract. They are designed to strengthen the supply chain and security, not to inflate costs. The focus remains on technical and financial performance, with EU value as a secondary quality factor.

Misconception 4: Only large central government bodies are affected. Correction: CADA applies to all contracting authorities, including regional and local public bodies. Article 7's national strategy explicitly mentions accelerating adoption at national, regional, and local levels. Therefore, municipal IT departments in Denmark are equally subject to these procurement rules.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.