Summary As proposed in the Cloud and AI Development Act (CADA), Denmark has not yet designated a specific national competent authority, as the regulation is not yet in force. Under Article 25(1), Denmark is required to designate one or more national competent authorities within one year of the Regulation's entry into force. The designated authority will hold exclusive investigative and enforcement powers under Article 26 for cloud computing service providers whose main establishment is in Denmark. Until the Regulation enters into force and the designation is made, no single Danish body currently holds these specific CADA mandates.

Detail

The Cloud and AI Development Act (CADA), as set out in COM(2026) 502 final, establishes a harmonised framework for cloud sovereignty and autonomy across the European Union. A central pillar of this framework is the supervision of cloud computing service providers seeking recognition under the Union assurance levels. The enforcement of these obligations rests with national competent authorities designated by each Member State, including Denmark.

Designation and Timeline

Under Article 25(1) of the proposed CADA, Member States must designate one or more national competent authorities responsible for enforcing Chapter I of Title IV (the cloud computing sovereignty framework). The deadline for this designation is set as "[P.O. insert date of entry into force plus 1 year]" (Article 25(1)).

Given that the Regulation is proposed to enter into force on the twentieth day following its publication in the Official Journal and apply one year thereafter (Article 48), Denmark has a clear one-year window from the date of application to formalise its designation. This timeline ensures that Member States have sufficient time to align their existing administrative structures with the new regulatory requirements before the obligations become active.

Crucially, Article 25(1) allows Member States to designate an existing authority or authorities. This suggests that Denmark may not need to create a new regulatory body from scratch but could assign these tasks to an existing entity, such as the Danish Data Protection Agency (Datatilsynet), the Danish Business Authority (Erhvervsstyrelsen), or the Danish Cyber and Information Security Agency (CFCS), provided it has the necessary resources and expertise. The choice of authority will depend on Denmark's internal administrative organisation and the specific competencies required to assess sovereignty criteria, which extend beyond pure cybersecurity to include legal control, data localisation, and personnel citizenship.

Public Register and Transparency

Once designated, the authority must be notified to the European Commission. Article 25(2) requires Member States to notify the Commission of the names of the competent authorities and their tasks and powers. The Commission is then obligated to maintain a public register of these authorities.

This register ensures transparency for cloud computing service providers, who must know which authority has jurisdiction over their establishment. For providers operating across the EU, this centralised register is critical for identifying the correct point of contact for recognition applications and compliance inquiries. The Commission's role in maintaining this register underscores the Union-wide nature of the sovereignty framework, ensuring that the "one-stop-shop" principle functions effectively across borders.

Exclusive Competence: The Main Establishment Rule

A critical feature of the CADA enforcement model is the principle of exclusive competence based on the location of the provider's main establishment. Article 25(4) states: "The Member State in which the cloud computing service provider has its main establishment, that is, where the cloud computing service provider has its head office or registered office from which the principal financial functions and operational control are exercised, shall have exclusive competence for enforcing this Chapter."

For Denmark, this means that the Danish national competent authority will have exclusive jurisdiction over cloud computing service providers that have their main establishment in Denmark. If a provider is established in Germany but operates in Denmark, the German authority would be the evaluating authority, not the Danish one. This single-point-of-contact approach is designed to reduce regulatory fragmentation and administrative burden for providers operating cross-border. It prevents the scenario where a provider faces simultaneous, potentially conflicting enforcement actions from multiple Member States regarding the same sovereignty criteria.

Investigative and Enforcement Powers

The powers granted to the Danish national competent authority are detailed in Article 26. These powers are necessary to ensure that cloud computing service providers comply with the sovereignty criteria and transparency obligations.

Investigative Powers (Article 26(1)): To carry out their tasks, particularly regarding the recognition of Union assurance levels (Article 17), the competent authority has the power to:

  1. Require information: Demand that cloud computing service providers, and any other persons acting for purposes related to their trade, business, craft, or profession, provide information as soon as possible if they may reasonably be expected to be aware of information relating to a suspected infringement.
  2. Conduct inspections: Carry out, or request a judicial authority to order, inspections of any premises used by the provider for trade, business, craft, or profession. This includes the power to examine, seize, take, or obtain copies of information relating to a suspected infringement in any form, irrespective of the storage medium.
  3. Request explanations: Ask any member of staff or representative of the provider to give explanations regarding information relating to a suspected infringement and, with their consent, record their answers by any technical means.

Enforcement Powers (Article 26(2)): If infringements are identified, the competent authority has the power to:

  1. Order cessation: Order the cessation of infringements and, where appropriate, impose remedies proportionate to the infringement and necessary to bring it effectively to an end. The authority can also request a judicial authority to do so.
  2. Impose fines: Impose fines, or request a judicial authority to do so, for failure to comply with the Regulation, including failure to comply with investigative orders.
  3. Impose periodic penalty payments: Impose a periodic penalty payment, or request a judicial authority to do so, in accordance with Article 24, to ensure that an infringement is terminated in compliance with a cessation order or to penalise failure to comply with investigative orders.

These measures must be effective, dissuasive, and proportionate, taking into account the nature, gravity, recurrence, and duration of the infringement, as well as the economic, technical, and operational capacity of the service provider (Article 26(3)).

Penalties and Compensation

While the competent authority enforces the rules, the specific penalties for infringements are laid down in Article 24. Member States must lay down rules on penalties applicable to infringements by cloud computing service providers. These penalties must be effective, proportionate, and dissuasive. When imposing penalties, Member States must consider criteria such as the nature and gravity of the infringement, any previous infringements, the financial benefits gained, and the infringing party's annual turnover in the Union (Article 24(2)).

Furthermore, recipients of cloud computing services have the right to seek compensation from providers for any damage or loss suffered due to an infringement of their obligations under Chapter I (Article 24(3)). This civil liability provision complements the administrative penalties, ensuring that affected public sector bodies and Union entities can seek redress for failures in sovereignty compliance.

What this means for you

For in-house counsel and compliance officers at cloud computing service providers with a main establishment in Denmark, the designation of a national competent authority under CADA will define your primary regulatory interface for sovereignty compliance.

  1. Monitor the Designation: Keep a close watch on the European Commission's public register of competent authorities (required by Article 25(2)). Once Denmark publishes its designation, you must direct all applications for Union assurance level recognition and subsequent compliance communications to this specific authority. Until then, no single body holds these specific CADA powers.
  2. Prepare for Inspections: Article 26(1) grants broad investigative powers, including on-site inspections and the seizure of data. Ensure your internal audit trails, documentation of conformity self-assessments (for Level 1) or audit reports (for Levels 2-4), and records of subcontractor oversight are readily accessible. Your legal team should be prepared to respond to information requests "as soon as possible" (Article 26(1)(a)).
  3. Understand Jurisdiction: If your company is a subsidiary of a non-Danish parent, verify whether the "main establishment" test in Article 25(4) places you under the jurisdiction of the Danish authority or another Member State's authority. This determines which national competent authority has exclusive competence to enforce the Regulation against you. The definition hinges on where the principal financial functions and operational control are exercised.
  4. Risk of Penalties: Be aware that non-compliance can lead to fines, periodic penalty payments, and orders to cease operations. Article 24 emphasizes that penalties will consider your turnover and the gravity of the breach. Proactive cooperation with the competent authority, as encouraged by the proportionality principle in Article 26(3), may mitigate these risks.
  5. Cross-Border Cooperation: While the Danish authority has exclusive competence for providers established in Denmark, Articles 27 and 28 establish mechanisms for mutual assistance and cross-border cooperation. If your services are used in other Member States, the Danish authority may need to cooperate with other national authorities. Ensure your compliance framework can support such information sharing.

Common misconceptions

  • Misconception: Denmark has already named its CADA authority.
    • Fact: CADA is a proposal. While Denmark may have existing authorities that could be designated (e.g., the Danish Data Protection Agency or the Danish Business Authority), no official designation under CADA Article 25 has occurred yet. The designation must happen within one year of the Regulation's entry into force.
  • Misconception: Any EU authority can investigate a Danish-based provider.
    • Fact: Article 25(4) establishes exclusive competence for the Member State of the main establishment. Only the Danish national competent authority (once designated) can enforce the sovereignty framework against a provider with its main establishment in Denmark. Other Member States' authorities can only request assistance or cooperation under Articles 27 and 28.
  • Misconception: The competent authority only handles technical cybersecurity.
    • Fact: The CADA sovereignty framework goes beyond technical cybersecurity (which is covered by the Cybersecurity Act and EUCS). The competent authority enforces sovereignty criteria, including data localisation, personnel citizenship, and freedom from third-country control (Annex II). The authority's powers under Article 26 are broad enough to investigate these non-technical, legal, and operational aspects.
  • Misconception: Penalties are fixed amounts.
    • Fact: Article 24(2) lists non-exhaustive criteria for imposing penalties, including the infringing party's annual turnover and the financial benefits gained. Penalties are not fixed; they are tailored to the specific case and must be effective, proportionate, and dissuasive.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.