Does the EU AI Act apply to my business if I am established outside Denmark but sell AI products to Danish customers?

Yes. The EU AI Act applies to any provider that places an AI system on the Danish market, regardless of where that provider is established. A business incorporated in the United States, United Kingdom, or any non-EU jurisdiction must satisfy full AI Act obligations – including conformity assessment and EU database registration – before its AI system reaches Danish users. Non-EU providers are also required to designate an authorised representative established within the EU.

How long does an AI Act conformity assessment take for a high-risk system in Denmark?

The timeline depends on the completeness of existing technical documentation and the complexity of the system. For a well-documented system with an established risk management process, a self-assessment conformity procedure typically takes between eight and sixteen weeks. Where third-party assessment by a notified body is required – as for certain critical infrastructure or biometric applications – the timeline extends considerably, often to six months or more. Engaging a lawyer in Denmark experienced in AI regulation early in the product development cycle reduces this timeline materially.

Is it a common misconception that the EU AI Act only applies to large technology companies?

Yes, and the misconception carries real risk. The AI Act applies to providers and deployers of AI systems regardless of company size. Small and medium-sized enterprises benefit from certain proportionality provisions and reduced fees for conformity assessments, but the core obligations – conformity assessment, technical documentation, post-market monitoring for high-risk systems – apply equally. A law firm in Denmark advising SMEs consistently finds that size-based assumptions are among the most expensive compliance mistakes a technology business can make.

AI & Technology Law in Denmark

A technology company launching an AI-powered product in Denmark faces a compliance question that did not exist five years ago. Under the EU AI Act, that product may qualify as a high-risk system – triggering mandatory conformity assessments, technical documentation obligations, and ongoing monitoring requirements before it reaches a single Danish customer. The cost of misclassifying the system is not theoretical. Regulators in Denmark have demonstrated a clear appetite for enforcement, and non-compliant products face market withdrawal orders alongside financial penalties.

AI & Technology Law in Denmark sits at the intersection of EU-level regulation and Danish national legislation governing software liability, data processing, and digital services. Businesses deploying AI systems, licensing technology, or operating digital platforms in Denmark must satisfy requirements drawn from EU regulation, Danish consumer protection legislation, and sector-specific rules enforced by Danish supervisory authorities. Compliance timelines vary by system risk tier, but high-risk AI systems require documented conformity before market placement.

This page covers the regulatory instruments that govern AI and technology operations in Denmark, the procedural steps for compliance, common pitfalls that affect international clients. Cross-border considerations linking Denmark to Portugal and the broader EU. Additionally, a self-assessment checklist to guide your next steps.

The regulatory conditions for AI and technology operations in Denmark

Denmark operates within the EU regulatory system. That means the EU AI Act is directly applicable, without transposition, to any business placing an AI system on the Danish market or putting it into service there. The Act introduces a risk-based tiered structure. Prohibited systems are banned outright. High-risk systems face the most demanding pre-market and post-market obligations. Limited-risk and minimal-risk systems carry lighter transparency or no specific obligations at all.

Danish corporate legislation and consumer protection legislation add a further layer. A technology business structured as a Danish anpartsselskab (private limited company) or a foreign branch operates under Danish contract law when licensing software or entering technology services agreements. Danish courts apply strict rules on limitation of liability clauses, particularly where a counterparty is a consumer or small business. A clause that is standard in a US or UK software licence may be deemed unenforceable before a Danish court.

Algorithmic accountability has emerged as a distinct area of practice. Danish data protection legislation, implementing the EU General Data Protection Regulation, imposes specific obligations on automated decision-making systems that produce legal or similarly significant effects on individuals. Any AI system performing automated scoring, profiling, or decision-making in a Danish business context must satisfy both the AI Act and data protection legislation simultaneously. These two regimes interact – and their interaction generates compliance obligations that neither framework addresses in isolation.

Software liability in Denmark follows the general rules of Danish contract law and tort law, supplemented by the EU Product Liability Directive as updated. The revised directive extends product liability to software, including AI-embedded software updates. A Danish business that deploys third-party AI software – and that software causes damage – may face primary liability to affected parties even where the developer is located outside Denmark. Understanding the contractual allocation of this risk before deployment is essential.

Technology licensing in Denmark is governed by commercial legislation and, where relevant, by EU competition legislation. Exclusive licensing arrangements, source code escrow obligations, and open-source licence compliance each require specific legal attention. Danish competition authorities have an active track record in the technology sector. Restrictive licensing terms that foreclose competitors or lock in customers may attract scrutiny independent of any contractual dispute.

Key instruments and procedures for AI Act compliance in Denmark

The EU AI Act requires providers of high-risk AI systems to complete a conformity assessment before market placement. For most high-risk system categories, this is a self-assessment supported by detailed technical documentation. For certain categories – AI systems used in critical infrastructure, employment decisions, access to essential services, and law enforcement – third-party assessment by a notified conformity assessment body may be required.

The documentation package for a high-risk system in Denmark must address the system's intended purpose, the data governance measures applied. The technical accuracy and robustness specifications, the risk management system, the post-market monitoring plan. Additionally, the transparency information provided to deployers. Assembling this package requires collaboration between legal, technical, and compliance teams. In practice, many international clients underestimate the volume of documentation required and discover the gap only when a Danish deployer or procurement authority requests the technical file.

Registration in the EU database for high-risk AI systems is a procedural step that cannot be deferred. Providers must register before the system is placed on the Danish market. This registration is public. Competitors, regulators, and procurement officers can verify whether a system has been registered. A system that is not registered is presumed non-compliant. The Danish Business Authority coordinates with EU-level enforcement on registration matters.

For businesses operating digital services platforms – marketplaces, search engines, social media, or app distribution platforms – the EU Digital Services Act adds a parallel layer of obligations. Danish users accessing these platforms trigger DSA compliance requirements. Very large online platforms and very large online search engines face additional systemic risk assessment obligations. The Digital Services Coordinator in Denmark oversees national enforcement of the DSA alongside the relevant EU-level authority.

Technology licensing agreements in Denmark require specific drafting to address AI Act obligations. Where a licensee deploys an AI system, the licence should allocate responsibility for conformity assessment, technical documentation, post-market monitoring, and incident reporting between licensor and licensee. Danish courts will interpret ambiguous allocations against the party that drafted the contract. Standard software licence templates from non-EU jurisdictions typically do not address these obligations at all.

For companies exploring their options under Danish technology and IP legislation, our dedicated page on intellectual property law in Denmark covers trade mark registration, copyright protection for software, and enforcement procedures before Danish courts.

To receive an expert assessment of your AI system's compliance obligations in Denmark, contact us at info@ferrazwhitmore.com.

Practical insights and common pitfalls for international clients

The most frequent error made by international technology businesses entering Denmark is treating the EU AI Act as a future obligation. The Act's provisions for high-risk systems are already in effect for systems placed on the market after the relevant application dates. A company that began selling an AI-powered recruitment tool, credit scoring system. Alternatively. Medical device AI module in Denmark without completing its conformity assessment is already operating outside the regulatory regime. not merely unprepared for a future obligation.

A related error is misclassifying a system's risk tier. The AI Act's list of high-risk system categories is specific, but its application to novel system architectures is not always obvious. Practitioners in Denmark advise clients to conduct a formal classification analysis as a distinct legal step, documented separately from the conformity assessment. A classification decision that is later reversed by a regulator – reclassifying a system from limited-risk to high-risk – triggers an immediate retroactive documentation obligation. This is a commercial disruption, not merely a compliance inconvenience.

Software liability allocation deserves careful attention. Many international clients arrive with licensing agreements that cap the licensor's liability at the fees paid in the preceding twelve months. Under Danish law, this cap may be unenforceable where the software causes personal injury or property damage, or where the limitation was not fairly communicated before contract formation. Danish courts have consistently held that unexpected limitation clauses in standard form contracts warrant scrutiny. Clients that rely on their standard liability cap without Danish law review are exposed to claims they believed were contractually excluded.

Algorithmic accountability obligations under Danish data protection legislation are frequently overlooked in the AI Act compliance process. A business may complete its AI Act conformity assessment for a high-risk system and then discover that the same system triggers separate obligations under data protection legislation. including the requirement to carry out a data protection impact assessment. To implement human review mechanisms. Additionally, to provide individuals with information about automated decisions. These obligations are not satisfied by the AI Act documentation. They require independent analysis and documentation under data protection law.

Technology licensing agreements drafted under English or US law frequently omit open-source compliance obligations. Danish commercial practice expects licensees to audit the open-source components embedded in licensed software before deployment. An undisclosed GPL-licensed component in a commercial AI product can, in certain circumstances, trigger obligations to release proprietary code. This is a risk that surfaces at the worst possible time – during due diligence in an acquisition or when a business partner or regulator requests the technical file.

The digital services compliance calendar requires active management. DSA obligations for very large online platforms and search engines are already in full effect. Obligations for smaller digital service providers under Danish national implementing measures apply on a different timetable. Missing a compliance deadline exposes a business to enforcement action by the Danish Digital Services Coordinator. In practice, Danish authorities have adopted a proportionate approach to first-time compliance failures accompanied by a credible remediation plan. However, repeated or wilful non-compliance attracts significantly higher penalties.

Cross-border considerations: Denmark, Portugal, and the EU dimension

Denmark is an EU member state. The EU AI Act, the General Data Protection Regulation, the Digital Services Act, and the Product Liability Directive apply directly in Denmark alongside equivalent obligations in Portugal and across all EU jurisdictions. This creates an important strategic opportunity for businesses operating in both markets. A single conformity assessment completed to AI Act standards covers both the Danish and Portuguese markets. A business that invests in a robust EU-compliant AI governance structure avoids the cost of separate national compliance programmes.

The practical divergence between Denmark and Portugal arises at the national legislative level. Portuguese corporate legislation (CSC) and Danish commercial legislation differ on software liability allocation, technology licensing enforceability, and the procedural rules for resolving technology disputes. A licensing agreement valid under Portuguese law may require amendment before it is enforceable in Denmark. Cross-border technology transactions between the two markets require legal review in both jurisdictions.

Our analysis of AI and technology law in Portugal sets out how these obligations are structured in the Portuguese market. Additionally. There. The interaction between Portuguese national legislation and EU regulation creates specific compliance considerations for businesses operating across both jurisdictions.

Enforcement jurisdiction is a recurring question for international technology businesses. An AI system placed on the Danish market by a provider established in Portugal is subject to Danish supervisory authority oversight for market conduct, and Portuguese supervisory authority oversight for the provider's establishment. Where the AI system causes harm to a Danish user, Danish courts are competent to hear the claim. The damages rules applicable will be those of Danish law unless the applicable law has been contractually designated otherwise in a B2B context.

Tax structuring for technology licensing income flowing between Denmark and Portugal engages the Denmark-Portugal double taxation treaty and EU transfer pricing rules. Royalty payments for AI-embedded software licences require arm's length pricing. Danish tax authorities have focused on transfer pricing in technology transactions. Businesses that structure a cross-border licensing arrangement without concurrent tax advice face the risk of a post-filing adjustment that eliminates the commercial rationale of the structure.

For businesses setting up a Danish entity to manage their Nordic technology operations, our guide to company formation in Denmark covers the incorporation options, timeline, and initial compliance obligations relevant to technology businesses.

For a tailored strategy on AI Act compliance and technology licensing in Denmark, reach out to info@ferrazwhitmore.com.

Self-assessment checklist before operating in Denmark

The following checklist identifies the conditions under which AI and technology law obligations arise in Denmark, and the verification steps that should be completed before market entry or product launch.

This approach in Denmark is applicable if:

Your business places, or intends to place, an AI system on the Danish market or puts it into service for Danish users.
You operate a digital services platform – including a marketplace, search engine, or application store – accessible to Danish users.
You license technology – including AI-embedded software – to Danish businesses or consumers under an agreement that has not been reviewed under Danish law.
You process personal data about Danish individuals using automated decision-making or profiling tools.
Your business is involved in a technology M&A transaction where the target operates in Denmark or holds Danish market authorisations for AI systems.

Before initiating operations, verify:

Your AI system has been formally classified under the EU AI Act risk tier structure, and that classification is documented.
High-risk AI systems have completed their conformity assessment and are registered in the EU database before market placement in Denmark.
Your technology licensing agreements allocate AI Act conformity, post-market monitoring, and incident reporting obligations between the parties.
Limitation of liability clauses in your software licences have been reviewed for enforceability under Danish law.
Your data protection impact assessments and automated decision-making disclosures satisfy Danish data protection legislation independently of your AI Act documentation.

Frequently asked questions

Does the EU AI Act apply to my business if I am established outside Denmark but sell AI products to Danish customers?: Yes. The EU AI Act applies to any provider that places an AI system on the Danish market, regardless of where that provider is established. A business incorporated in the United States, United Kingdom, or any non-EU jurisdiction must satisfy full AI Act obligations – including conformity assessment and EU database registration – before its AI system reaches Danish users. Non-EU providers are also required to designate an authorised representative established within the EU.
How long does an AI Act conformity assessment take for a high-risk system in Denmark?: The timeline depends on the completeness of existing technical documentation and the complexity of the system. For a well-documented system with an established risk management process, a self-assessment conformity procedure typically takes between eight and sixteen weeks. Where third-party assessment by a notified body is required – as for certain critical infrastructure or biometric applications – the timeline extends considerably, often to six months or more. Engaging a lawyer in Denmark experienced in AI regulation early in the product development cycle reduces this timeline materially.
Is it a common misconception that the EU AI Act only applies to large technology companies?: Yes, and the misconception carries real risk. The AI Act applies to providers and deployers of AI systems regardless of company size. Small and medium-sized enterprises benefit from certain proportionality provisions and reduced fees for conformity assessments, but the core obligations – conformity assessment, technical documentation, post-market monitoring for high-risk systems – apply equally. A law firm in Denmark advising SMEs consistently finds that size-based assumptions are among the most expensive compliance mistakes a technology business can make.

About Ferraz & Whitmore

Ferraz & Whitmore is an international law firm based in Lisbon, advising business clients across 46 jurisdictions. Our AI and technology law practice covers AI Act compliance, algorithmic accountability, software liability, technology licensing, and digital services regulation across Denmark, Portugal, and the broader EU. We combine Portuguese civil law expertise with English common law tradition to serve international technology companies, institutional investors, and in-house legal teams operating across multiple legal systems. The firm's technology practice includes practitioners with experience before EU supervisory authorities and in cross-border technology transactions spanning both civil and common law systems. Ferraz & Whitmore participates in cross-border practice groups focused on AI regulation and digital services compliance, providing clients with direct access to EU regulatory conditions through our Lisbon base. As an international law firm in Denmark and across the EU, we advise clients at every stage of the AI product lifecycle. To discuss your AI compliance or technology law matter in Denmark, contact us at info@ferrazwhitmore.com.

Sophie Laurent Legal Analyst, Tax & Data Protection

Sophie Laurent leads our French and Scandinavian desks. She advises Swiss banks, French private clients and Scandinavian fintech founders on cross-border tax planning, GDPR compliance and banking regulation. Sophie qualified in both France and Switzerland and worked for six years in a tier-one Geneva tax boutique before joining Ferraz & Whitmore. She is fluent in three languages and writes our French-, Swiss- and Scandinavian-jurisdiction guides on tax and data protection.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.