What is AI regulation in Denmark?
AI regulation: countries and regions
AI regulation in Denmark is mainly the EU AI Act, which applies directly in Denmark, backed by Danish authorities, guidance and a 2025 supplementary law on supervision, inspections and fines. Digitaliseringsstyrelsen is Denmark's coordinating AI authority and supervises five prohibited AI practices, Datatilsynet supervises two data sensitive prohibited practices, and some court related supervision sits with Domstolsstyrelsen. Broader Danish supervision for high-risk AI and transparency duties is still being finalised.
What this means
Denmark does not have a fully separate national AI code that replaces the EU framework. The main rulebook is the EU AI Act. Denmark's job is to make that rulebook work on the ground by naming authorities, issuing guidance, organising supervision and adding national enforcement powers where the EU law expects member states to do so.
That means a Danish organisation usually has to read two layers together. First, the EU AI Act itself. Second, Danish materials that explain who supervises what, how to contact regulators, how prohibited practices are handled, and how Denmark is preparing for the parts of the AI Act that apply from 2026 and 2027.
It also means AI regulation in Denmark is not the same thing as privacy law. If an AI system uses personal data, GDPR and Danish data protection law still matter. The AI Act adds AI specific duties, especially for prohibited practices, high-risk AI, transparency and general-purpose AI models.
Why it matters
For founders, operators, buyers and public bodies, the practical question is not whether Denmark has "an AI law". It is whether your organisation is acting as a provider, deployer, importer or distributor under the EU AI Act, and which Danish authority will expect answers if something goes wrong.
That matters now because some duties already apply. AI literacy is already live, prohibited AI practices are already banned, and general-purpose AI model rules are already supervised at EU level. It matters even more as Denmark moves into the 2026 to 2027 phase, when transparency duties and most high-risk obligations become operational. Public authorities, banks, insurers and organisations using AI in sensitive settings may need stronger governance, formal rights analysis, registration and closer regulator engagement.
It also matters because Denmark is still settling parts of its supervisory map. The core EU duties are durable, but the Danish allocation of oversight for high-risk and transparency matters is not completely finished. That creates a planning problem for organisations that wait for total certainty before doing basic governance work.
How it works
The legal base is EU first, Danish second
In Denmark, the core rules come from the EU AI Act itself. Because it is an EU regulation, it has direct effect and does not need Denmark to rewrite the substantive duties in a full national statute. Danish law mainly adds the national pieces the EU framework expects, such as competent authorities, market surveillance powers, procedures and penalties.
So if you are asking what is lawful, who has duties and when those duties apply, the starting point is the AI Act. If you are asking who supervises you in Denmark, how Danish enforcement works, or what guidance exists in Danish practice, the national layer becomes important.
The regime is phased, not all at once
The AI Act entered into force in 2024, but its provisions apply in stages. The basic definitions, AI literacy duty and prohibited practices started first. Governance rules, the AI Office framework and the rules for general-purpose AI models came next. Most transparency rules and many high-risk duties are due from 2 August 2026, while some product safety linked high-risk obligations apply from 2 August 2027.
Denmark's current supplementary AI law entered into force on 2 August 2025. Note that the European Commission has proposed a digital Omnibus package that could defer some high-risk obligations, so the 2 August 2026 dates should be read as the current legal position rather than a settled certainty. That law gives Danish authorities powers to supervise the first live parts of the regime and to prepare the national enforcement architecture.
Which Danish authorities matter most
The current Danish set-up centres on three public bodies. Digitaliseringsstyrelsen is the national coordinating authority and central contact point. It also acts as market surveillance authority for five prohibited AI practices: harmful manipulation, harmful exploitation of vulnerabilities, social scoring, untargeted scraping of facial images to build face recognition databases, and emotion recognition in workplaces and educational institutions.
Datatilsynet supervises two prohibited practices that sit close to its data protection remit: predictive policing style risk scoring based on profiling or personality traits, and certain biometric categorisation uses. Domstolsstyrelsen has a distinct role for court related uses of AI when courts are not acting in their judicial capacity, while court decisions remain with the courts when they are acting as courts.
By contrast, supervision of general-purpose AI models is not primarily Danish. That sits with the European Commission's AI Office, reflecting the cross border nature of those models.
Denmark has a specific carve out because of its EU justice opt-out
A Danish specific wrinkle is the justice and home affairs opt-out. Official Danish guidance says that parts of Article 5 on prohibited AI practices do not apply in Denmark because of Denmark's special position under Protocol No. 22. In practical terms, some law enforcement and criminal justice related prohibitions in Article 5 do not land in Denmark in exactly the same way as they do elsewhere in the EU.
That does not make Denmark lightly regulated. It does mean organisations, advisers and public bodies should not assume that every Article 5 rule maps across identically without checking the Danish position.
High-risk AI duties are clear at EU level, but the Danish supervision map is still settling
For high-risk AI, the EU side is relatively clear. Providers can face duties on risk management, data governance, technical documentation, logging, information for deployers, human oversight, accuracy, robustness, cybersecurity, quality management, conformity assessment, registration and incident handling. Deployers must generally follow instructions for use, assign human oversight, monitor the system in operation, handle relevant input data carefully and keep certain logs where they control them.
Danish official guidance also highlights extra deployer duties for public authorities, banks and insurers using relevant high-risk systems. These include a fundamental rights impact assessment and, in relevant cases, registration of the system in the EU database.
The harder Danish question is who supervises which high-risk category. Digitaliseringsstyrelsen says this is not yet finally settled and that the answer is likely to vary by sector and use case. That uncertainty matters for organisations in health, employment, finance, education, justice or public administration.
Transparency duties start in 2026, and Denmark has not fully settled the national overseer yet
The AI Act's transparency duties for certain AI systems, such as some chatbots, AI generated content and deepfakes, apply from 2 August 2026. Danish guidance explains the practical idea simply: people should know when they are interacting with an AI system or seeing synthetic or manipulated content.
Digitaliseringsstyrelsen also states that Denmark still has to designate one or more authorities to supervise these transparency duties. So the legal duty is approaching on the EU timetable, but the final Danish institutional arrangement for oversight is still not fully pinned down.
Data protection, sandboxes and practical support remain part of the real picture
In Denmark, AI governance is not only about the AI Act text. If personal data are involved, GDPR and Danish data protection law still run alongside it. That is why Datatilsynet and Digitaliseringsstyrelsen operate a joint regulatory sandbox for mature AI projects. The sandbox offers free project specific guidance on GDPR and, in its later rounds, AI Act risk classification.
This is useful because Denmark's current official practice is still guidance heavy. Digitaliseringsstyrelsen has published a package of guidance on the prohibited practices it supervises. Datatilsynet has AI guidance for organisations, including public bodies, and the sandbox has produced public reports on real Danish projects so others can learn from them.
Enforcement exists now, but parts of the architecture remain transitional
Denmark's 2025 supplementary law gives national authorities meaningful enforcement tools. They can request information, access business premises when necessary for supervision, perform technical examinations, publish certain decisions, issue orders and temporary bans, and fine specified breaches and obstruction.
At the same time, official Danish materials still describe part of the system as transitional. Digitaliseringsstyrelsen says there is currently no dedicated complaint route on its side for prohibited practices, even though people can contact the agency. Official legislative materials for a broader 2026 replacement bill also said the 2025 law did not yet regulate supervision of high-risk systems or Article 50 transparency duties in full. That proposal would have created a fuller national framework, but the Folketinget case page shows the bill lapsed. So the architecture is real, but not yet complete.
Examples
Example 1. A private insurer developing internal generative AI support for claims work can land inside Danish AI governance long before a product reaches the public. In the first round of Denmark's AI sandbox, Tryg's "Dokumentassistent" was described as a generative AI tool for summarising the many documents in personal injury insurance cases. The public report shows a Danish style of governance in practice: document the data protection issues early, work through the lifecycle phases, and treat the tool as a support function for human case handlers and doctors rather than a fully autonomous decision maker.
Example 2. Danish public sector AI projects face the same need for early legal framing. The "Talt" project, run by Copenhagen, Aalborg and Aarhus municipalities with Systematic, used generative AI and machine learning to explore whether documentation burdens in health and care work could be reduced. The official sandbox materials show why Denmark's approach matters for public bodies: a project can look operationally attractive, but it still has to be structured around data protection, sector law and, where relevant, future high-risk and fundamental rights duties.
Example 3. The 2026 sandbox round shows the current Danish support route for mature provider side projects. Datatilsynet and Digitaliseringsstyrelsen invited organisations with concrete regulatory questions to apply by 1 May 2026. Selected participants were due to receive an introduction meeting, a project plan, a possible site visit and up to four follow up meetings later in 2026. In other words, Denmark is not only building enforcement. It is also building a supervised learning route for organisations that are serious enough to prepare before deployment.
Common misunderstandings
Misunderstanding: "Denmark has its own standalone AI Act." Correction: The main rules are the EU AI Act. Denmark mainly adds authorities, procedures, guidance and enforcement powers.
Misunderstanding: "If our internal risk assessment says the system is low risk, that is enough." Correction: The legal classification follows the AI Act's categories and triggers, not your organisation's own labelling.
Misunderstanding: "Only the company that built the model is regulated." Correction: Providers matter, but so do deployers, importers, distributors and public bodies using AI in sensitive contexts.
Misunderstanding: "The AI Act replaces GDPR." Correction: It does not. In Denmark, AI specific rules and data protection rules can apply at the same time.
Misunderstanding: "Every Article 5 prohibition works in Denmark exactly as it does elsewhere in the EU." Correction: Denmark's justice opt-out means some law enforcement and criminal justice related Article 5 provisions do not apply in the same way.
Risks and boundaries
The most important boundary is this: Denmark's AI regulation is not one neat national code. It is a layered system made up of the EU AI Act, Danish supplementary law, regulator guidance, data protection law and sector specific rules. That means a simple answer like "we are compliant with the AI Act" can still miss issues in employment law, health law, procurement, public administration or GDPR.
There is also genuine near term uncertainty. Official Danish materials say it is still not finally settled which authorities will supervise the different high-risk categories, and the same is true for Article 50 transparency supervision. A broader replacement AI bill was proposed in February 2026, but the parliamentary case page marks it as lapsed. So the substantive EU duties are clearer than the final Danish supervisory map.
Another boundary is territorial. Denmark's supplementary AI law does not apply to the Faroe Islands and Greenland, and the EU AI Act itself does not automatically apply there because they are not part of the EU.
Finally, this topic is easy to overread as a ban on "AI" in general. It is not. Most AI uses are not prohibited, and many are not high-risk. But sensitive uses, especially those tied to public power, employment, education, insurance, biometrics, health or essential services, deserve early legal and governance work rather than late stage patching.
What to do next
Build a current inventory of AI use across the organisation and classify your role for each use case. Ask whether you are the provider, deployer, importer or distributor, not just the buyer or builder.
Run an immediate prohibited practice check. In Denmark, give extra attention to the split between Digitaliseringsstyrelsen supervised practices and Datatilsynet supervised practices, and do not assume the law enforcement Article 5 rules work identically to the rest of the EU.
Identify anything that may become high-risk or subject to transparency duties from 2 August 2026. If you are in the public sector, banking, insurance, education, employment or critical services, do not wait for final Danish authority designations before preparing your governance file.
Prepare for evidence. That means internal documentation, human oversight arrangements, staff training, supplier diligence, logs, escalation routes and a clear account of why the system sits in the category you say it sits in.
Treat data protection as part of the same workstream. If personal data are involved, review lawful basis, necessity, security, retention and whether a GDPR impact assessment is also needed.
If you are developing a mature provider side project and face real regulatory uncertainty, consider the Danish regulatory sandbox route. It is one of the clearest signs that Denmark expects organisations to do structured preparation, not simply wait for enforcement.
FAQs
Is AI regulation in Denmark mostly EU law or Danish law?
Mostly EU law. The EU AI Act is the main rulebook, while Danish law and guidance organise supervision, enforcement and practical implementation in Denmark.
Which Danish authority should most organisations know first?
Usually Digitaliseringsstyrelsen. It is the national coordinating authority and central contact point, and it supervises five prohibited AI practices. Datatilsynet and, in some court related cases, Domstolsstyrelsen also matter.
Are all AI systems heavily regulated in Denmark?
No. Most AI systems are not prohibited and are not classed as high-risk. The heaviest duties attach to specific prohibited practices, certain transparency cases, high-risk AI systems and general-purpose AI models.
Does Denmark supervise general-purpose AI models itself?
Not mainly. The EU AI Office is the key supervisor for general-purpose AI model rules, because those models typically operate across borders.
Do chatbot and deepfake transparency rules already apply in Denmark?
They apply from 2 August 2026. Danish guidance says the final national authority or authorities for supervising those duties have not yet been fully settled.
Are Denmark's high-risk AI enforcement arrangements fully settled?
Not yet. The EU duties are largely clear, but official Danish materials say it is still not finally settled which authorities will supervise the different high-risk categories, and a broader 2026 replacement bill lapsed.
Does the AI Act replace GDPR in Denmark?
No. If an AI project uses personal data, GDPR and Danish data protection law still apply alongside the AI Act.
Does this regime cover the Faroe Islands and Greenland?
Not automatically. Denmark's supplementary AI law expressly excludes them, and the EU AI Act does not apply there as non-EU territories.