Summary As proposed in COM(2026) 502 final, Denmark would face a strict, staggered timeline to implement the Cloud and AI Development Act (CADA) once the regulation enters into force. The most immediate obligation is designating at least one data centre acceleration zone within six months. This is followed by the adoption of a national cloud and AI strategy and the designation of a national competent authority, both due within one year of entry into force. Crucially, Denmark would also be required to notify the European Commission of its national strategy within three months of its adoption. These deadlines are binding on Member States from the moment the law enters into force, distinct from the later date when the rules fully apply to cloud providers.

Detail

The proposed Cloud and AI Development Act (CADA) establishes a harmonised framework to strengthen the EU's cloud and AI ecosystem, addressing critical gaps in computing capacity and strategic autonomy. For Member States like Denmark, the proposal imposes specific, time-bound obligations that begin counting from the date the regulation enters into force.

It is vital to distinguish between two key dates in the legislative process:

  1. Entry into force: The date the regulation becomes legally binding as an act of the EU (20 days after publication in the Official Journal). This is the trigger for Member State obligations.
  2. Application: The date the substantive rules (e.g., procurement requirements for cloud providers) become legally binding for operators (one year after entry into force).

While the rules for cloud providers apply one year later, the preparatory obligations for Denmarkβ€”designating zones, drafting strategies, and appointing authoritiesβ€”must be completed before that application date to ensure the framework is operational when needed.

1. Designation of Data Centre Acceleration Zones (6 Months)

The most immediate infrastructure deadline relates to the physical deployment of computing capacity. Under Article 10(1) of the proposal, Denmark would be required to designate at least one data centre acceleration zone within its territory within six months of the regulation's entry into force.

An acceleration zone is a specific geographic area where the development, expansion, and modernisation of data centres are facilitated through streamlined permitting and clear regulatory frameworks. When designating these zones, Denmark would need to conduct a comprehensive analysis considering:

  • Power Grid Capacity: Current and future availability of electricity, including the possibility of on-site clean energy generation.
  • Network Connectivity: Availability of high-speed, gigabit, and beyond connectivity.
  • Environmental Sustainability: Measures to prevent or minimise environmental impacts, including waste heat reuse and carbon emission reduction.
  • Brownfield Preference: A stated preference for reusing existing industrial sites over greenfield development.

The objective is to create a predictable environment for investors to deploy high-capacity, sustainable computing resources rapidly. Failure to designate these zones within the six-month window would leave Denmark without the streamlined permitting mechanisms intended to accelerate data centre deployment.

2. National Cloud and AI Strategy (1 Year + Notification)

Parallel to infrastructure planning, Article 7(1) mandates that Denmark establish a national cloud and AI strategy within one year of the regulation's entry into force. This is not merely a policy statement but a comprehensive governance framework that must include:

  • Key Objectives: Priorities for cloud and AI adoption aligned with the "AI first" principle.
  • Deployment Measures: Specific actions to accelerate development at national, regional, and local levels, particularly for SMEs and public sector bodies.
  • Infrastructure Investment: Plans for deploying data centre capacity and investing in high-intensity computing infrastructure, such as AI factories and quantum computers.
  • Sovereignty Measures: Initiatives to support the development of cloud computing stack technologies built upon open hardware and software to strengthen technological sovereignty.
  • Data Accessibility: Measures to ensure the availability of high-quality data for AI development.

Crucially, Article 7(5) imposes a subsequent reporting obligation: Denmark must notify the European Commission of its national strategy within three months of its adoption. The strategy must also be assessed and updated at least every three years based on key performance indicators. The European Artificial Intelligence Board (established by the AI Act) would advise and assist Denmark in coordinating this strategy with other Member States.

3. Designation of National Competent Authority (1 Year)

To enforce the sovereignty framework, Article 25(1) requires Denmark to designate one or more national competent authorities within one year of entry into force. These authorities would be responsible for the entire cloud computing sovereignty framework, including:

  • Recognition: Assessing applications from cloud providers seeking recognition at Union assurance levels 1 through 4.
  • Supervision: Monitoring compliance with the criteria for Union assurance levels.
  • Enforcement: Exercising investigative and enforcement powers, including the ability to order the cessation of infringements and impose fines.

The designated authority must be granted all necessary resourcesβ€”technical, financial, and humanβ€”to perform these tasks impartially and effectively. Denmark would then be required to notify the Commission of the names, tasks, and powers of these authorities, who would be listed in a public register maintained by the Commission. The Member State where the cloud provider has its main establishment holds exclusive competence for enforcement, meaning Denmark's authority would be the primary regulator for any provider established in Denmark.

What this means for you

For public-sector procurement officers, digital transformation leads, and IT strategists in Denmark, this timeline creates a non-negotiable roadmap for preparation. The deadlines are designed to ensure that the regulatory infrastructure is in place before the procurement rules become active.

  • Immediate Action (0–6 Months): The focus must be on identifying potential sites for data centre acceleration zones. This requires early coordination between national, regional, and local authorities, as well as grid operators and environmental agencies. Procurement teams should begin assessing current data centre dependencies to understand where capacity gaps exist.
  • Strategic Planning (6–12 Months): The national cloud and AI strategy is the blueprint for future procurement. Procurement officers should engage early in the drafting process to ensure the strategy reflects practical needs for public sector cloud adoption. The strategy must align with the "AI first" principle and include specific measures for public procurement of innovation, potentially targeting a 25% award rate to innovative SMEs.
  • Operational Readiness (12+ Months): Once the national competent authority is designated, procurement teams will need to interact with them to verify the sovereignty status of cloud providers. You will need to understand the "Union assurance levels" (Level 1–4) to ensure that contracts for critical public services meet the required sovereignty criteria. For activities contributing to public order (e.g., law enforcement, defence), procurement would be restricted to services recognised at levels 2, 3, or 4.

Failure to meet these deadlines could result in non-compliance with EU law, potentially affecting Denmark's ability to access certain EU funding or facing infringement procedures. Early coordination between IT, procurement, legal, and infrastructure departments is essential to avoid bottlenecks.

Common misconceptions

"The deadlines start when the law is published."

  • Reality: The deadlines are tied to the "entry into force" date, which occurs 20 days after publication in the Official Journal. While the regulation only applies (becomes legally binding for cloud providers) one year after entry into force, the Member State obligations (like designating zones and appointing authorities) start counting immediately from the entry into force date.

"Denmark can use existing national strategies as-is."

  • Reality: Article 7(3) explicitly states that national strategies must be consistent with the objectives of CADA. If Denmark's current digital strategy does not explicitly cover cloud sovereignty, open-source mandates, data centre acceleration zones, or the specific "AI first" principle as defined in the proposal, it must be updated or supplemented. The strategy must also include specific measures for data centre capacity deployment and high-intensity computing infrastructure.

"Competent authorities are only for cybersecurity."

  • Reality: The national competent authority under Article 25 has a broader role than technical cybersecurity. They are responsible for the entire cloud sovereignty framework, including verifying that cloud providers meet the criteria for Union assurance levels (sovereignty), which encompasses establishment, personnel citizenship, third-country control, and supply chain resilience. This requires expertise in legal jurisdiction, data protection, and geopolitical risk, not just technical security standards.

"The six-month deadline for acceleration zones is a suggestion."

  • Reality: Article 10(1) uses mandatory language ("shall designate"). The six-month deadline is a strict legal obligation. Missing this deadline would mean Denmark fails to establish the streamlined permitting framework required to accelerate data centre deployment, potentially hindering the country's ability to meet its computing capacity targets.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.