Artificial Intelligence 2026 Comparisons

While the regulation of AI in Denmark remains largely governed by existing Danish legal principles and legislation, new laws and amendments to existing legislation specifically addressing the regulation of AI are increasingly being enacted – as elaborated in 3.2 Jurisdictional Law.

General Background Law

Regardless of the above, the regulation of AI in Denmark is not limited to AI-specific legislation. Thus, several established legal frameworks apply to the development and deployment of AI systems, including, in particular, the following areas.

Data Protection

Applicable data protection legislation in Denmark – meaning the General Data Protection Regulation (GDPR) and the Danish Data Protection Act – is technology-neutral, and there are no AI-specific provisions in either the GDPR or the Danish Data Protection Act. However, AI as a technology incurs certain common data protection implications, which alters how organisations must approach personal data protection compliance in the context of developing and deploying AI systems. For more on these nuances, see 17.1 AI Training and Data Protection to 17.3 AI Data Governance and Cross-Border Transfers.

Intellectual Property Law and Trade Secrets

The use of AI is also subject to the Danish regulation of intellectual property rights, including but not limited to the Danish Copyright Act (Lovbekendtgørelse No 1093 of 20 August 2023) and the Danish Trade Secrets Act (Lovbekendtgørelse No 309 of 25 April 2018). For example, AI systems may potentially generate data constituting a trade secret under the Danish Trade Secrets Act, which will require the AI system to have reasonable protective measures in place to secure the necessary level of confidentiality.

Employment Law

Employers must ensure that any use of AI is in accordance with Danish employment legislation and applicable collective bargaining agreements. The latter is particularly significant in Danish law. This is relevant if a company intends to use AI tools as part of its recruitment process – eg, CV sorting tools. If AI tools are utilised in the recruiting process, the AI tool must not discriminate based on unlawful criteria, as required by the Danish Employment Non-Discrimination Act (Lovbekendtgørelse No 399 of 5 April 2024).

Generative and Agentic AI

AI is steadily becoming an integrated tool in organisations in Denmark, particularly generative AI and its various subsets. Organisations widely adopt chatbots based on large language models (LLMs). This trend is supplemented by an increase in the use of sector-specific AI tools targeted at certain businesses – especially within advisory services. AI has, however, seen rapid development since then, and agentic AI – meaning AI systems capable of (semi-)autonomously performing tasks and achieving various goals – is increasingly becoming a well-established tool in organisations as well.

The Danish government has been actively promoting AI-driven innovation in the public sector. A notable example is the Taskforce for Artificial Intelligence, a joint initiative between key public entities, including the Danish State, Local Government Denmark (Kommunernes Landsforening) and Danish Regions (Danske Regioner). One of the key purposes of the Taskforce is to identify and plan the methodologies and means to efficiently and responsibly implement AI across the public sector.

In June 2025, the Taskforce published a report setting out key findings and future initiatives. Among these is the objective of rolling out AI across the public sector to free up at least 50 million hours, equivalent to at least 30,000 full-time equivalents, by 2035 at the latest (achieving a great part of this goal by 2030).

No Widespread Danish AI-Specific Legislation Yet

Initially, it is important to note that the EU’s Regulation on Artificial Intelligence (the “AI Act”) is directly applicable in Denmark, subject to the Danish opt-out on EU justice and home affairs.

Given that the AI Act adopts a risk-based approach – whereby the higher the risk posed by an AI system, the stricter the regulatory requirements it must satisfy – the Danish approach to AI regulation is correspondingly risk-based in terms of technical compliance.

As further elaborated upon in 17.2 AI Deployment and Data Subject Rights, current Danish AI-specific legislation has been enacted primarily to enable public authorities to develop and deploy AI systems.

Specific AI Legislation

Since 2 August 2025, the Act on Supplementary Provisions to the Regulation on Artificial Intelligence (Lovbekendtgørelse No 467 of 14 May 2025) has been in force, establishing the governance framework pursuant to the AI Act, including the designation of supervisory authorities and the applicable sanctions regime. At present, the act only addresses the enforcement of the AI Act’s rules on prohibited AI practices – cf, Article 5 of the AI Act. As the remaining provisions of the AI Act become applicable, further supplementary legislation will be introduced to amend the supplementary act accordingly.

Further, more specific regulation addressing the authorities’ use of AI has been implemented. This includes amendments relating to the SU Act and the Act Amending the Working Environment Act, as further elaborated in 17.2 AI Deployment and Data Subject Rights.

See 5.2 Regulatory Directives.

Regulatory Sandboxes

The Danish authorities – the Danish Data Protection Agency (DDPA) and the Agency for Digital Government (ADG) – were early adopters of the regulatory sandbox concept, establishing their first initiative ahead of the AI Act’s requirements. The first initiative has been finalised, and the DDPA has published reports on the participating projects – however, only in the context of the GDPR. Further, the reports do not constitute binding guidance, though they highlight key GDPR considerations that organisations should be aware of when developing and deploying AI systems.

In June 2025, the DDPA and ADG launched a second regulatory sandbox initiative, and two new AI projects were selected:

• the NGO Børns Vilkår, whose AI project aims to develop a system enabling professionals working with children to practise difficult conversations through simulated AI-driven dialogues and to receive feedback on those conversations; and
• BrainCapture, whose AI project aims to develop an AI system capable of interpreting EEG measurements and classifying whether a given measurement is normal or abnormal.

As of the end of March 2026, a new round of applications has been opened for interested parties.

This topic is not applicable.

Text and Data Mining

One of the more notable amendments to copyright law has been the implementation of the DSM Directive Article 4, which allows for text and data mining without infringing copyright under certain circumstances without prior consent or otherwise agreement with the right-holder. However, right-holders to any copyrighted works have the right to reserve the work being used for text and data mining purposes, provided such a reservation is stated so in a machine-readable manner. In other words; for right-holders to prevent their works being used for text and data mining purposes, they have to actively opt out.

A significant development in this area comes from a landmark Danish court decision, BS-42485/2025-SHR, which addressed directly what constitutes a valid “machine-readable” opt-out under the DSM Directive framework. The court held that an opt-out communicated via HTML, for example, constitutes a sufficient machine-readable reservation within the meaning of Article 4.

See further in 16. Intellectual Property.

As further elaborated upon in 17.1 AI Training and Data Protection and 17.2 AI Deployment and Data Subject Rights, in the context of data protection, certain authorities rely on newly issued executive orders that directly address specific use cases of AI in order to deploy AI systems in the exercise of their statutory tasks.

Moreover, as detailed in 3.2 Jurisdictional Law, the current Danish act supplementing the AI Act is intended to be replaced with a new supplementing act, implementing the sectorial supervision of the AI Act in Denmark. The proposed supplementing act was scheduled to undergo the Danish legislative procedure in parliament on 17 March 2026; however, due to the Danish national election, the legislative process was paused.

This topic is not applicable.

The current national competent authorities and market surveillance authorities designated under the AI Act are:

• the ADG;
• the Danish Court Administration; and
• the DDPA.

Although the substance of the proposed new supplementing act – the legislative process for which has been paused due to the national election – remains largely the same as that of the current supplementing act, a sectorial model of supervision is proposed going forward. Under this model, the ADG would remain the national co-ordinating supervisory authority, and the Danish Court Administration would continue to serve as the market surveillance authority for the courts’ use of AI systems.

Both the ADG and the DDPA have issued guidelines intended to assist organisations in navigating their obligations when developing and deploying AI systems. The key guidelines are summarised below.

Guidelines on AI Literacy and Prohibited AI Practices

The ADG has published guidelines on the contents of the AI Act’s obligations to ensure that providers and deployers of AI systems are equipped with a sufficient level of AI literacy, meaning skills, knowledge and an understanding of how to make an informed deployment of AI systems, as well as to gain awareness about the opportunities and risks of AI and the possible harm that AI can cause. The ADG has also published more extensive guidelines on the AI Act’s provisions concerning prohibited AI practices.

The DDPA’s Guidelines

The DDPA has published guidelines for public authorities, specifically geared towards municipalities and the Regions (administrative units), on handling AI technology in accordance with applicable data protection legislation. The guidelines focus on ensuring compliance with data protection rules throughout the life cycle of an AI system, meaning from the development phase until the operation phase.

Different Phases

The guidelines distinguish between the public authorities’ use or development of an AI system in the following three phases:

• the design/clarification phase;
• the development/training phase; and
• the deployment phase.

It is essential to consider which phase you are in and how the personal data is incorporated into the AI system, as – in particular – the purpose, lawfulness and legal basis can change depending on the phase.

This topic is not applicable.

The ADG is currently participating in a standardisation process under the Danish Standards organisation (Dansk Standard), which serves as the national secretariat for CEN-CENELEC Joint Technical Committee 21 (JTC 21), tasked with developing European standards related to AI. The Danish contribution currently addresses standards in the areas of transparency, decision support in the public sector, bias and AI literacy.

In addition to the standards from CEN-CENELEC, other relevant international standards such as ISO and IEC will provide an important contribution in shaping local Danish standards in an operational sense, where legislative measures from the EU or government authorities and agencies do not set out norms in detail.

Denmark’s cautious approach to lawmaking in cybersecurity, technology and related fields, where the EU has set out legislation, has the implicit effect that international standards have become indirectly significant for many Danish industry actors seeking alignment with other commercial entities.

For years, Denmark has aimed to automatise and increase the efficiency of the public administration, and authorities are increasingly experimenting with and making AI-supported decisions in the exercise of their administrative functions. This development, however, raises important questions as to the legal requirements governing the use of AI in public decision-making processes.

Issues When Utilising AI in Public Administration

In addition to other applicable legislation, such as the GDPR, public authorities must adhere to the Danish Public Administration Act (Lovbekendtgørelse No 433 of 22 April 2014), including good administration practices and legal doctrines, when using AI in their administrative decisions – for example, as part of their expert assessments.

The leading opinion is that the principles of administrative law are technology-neutral, and in some cases impose high requirements on the use of AI in public administration. This includes compliance with the principles described below:

• the misuse of power doctrine (magtfordrejningslæren) – this principle relates to objective administration, meaning that an authority may not include biased considerations when making discretionary decisions and that the authority is conversely obliged to consider all relevant objective considerations when exercising its discretion; and
• the inquisitorial procedure (officialprincippet) – this principle entails that a public authority is obligated to obtain all relevant information in a case before making a decision.

According to these principles, public authorities must be able to document that an AI solution included all relevant and necessary information and has only considered fair and objective factors in its assessment.

As further elaborated in 17.1 AI Training and Data Protection to 17.3 AI Data Governance and Cross-Border Transfers, the DDPA has issued decisions and published guidelines directed at public authorities, primarily concerning the identification of lawful bases under the GDPR for public authorities’ processing of personal data.

The Danish Resilience Agency (Styrelsen for Samfundssikkerhed – SAMSIK), previously the Centre for Cyber Security, updated its threat assessment in November 2025, reiterating a number of findings from previous years. The updated assessment again focused on the potential for malicious actors to leverage generative AI to draft phishing emails or develop components of code with harmful output. While the extent to which such technology is being misused remains unclear, SAMSIK highlights its significant potential for harm. Despite the emerging threats associated with the widespread availability of generative AI, SAMSIK has not altered its overall assessment of such cyber-threats to Denmark.

Generative AI Generates (Potential) Issues

The deployment of AI systems gives rise to several issues, including in relation to transparency in decision-making (particularly for autonomous AI), IP protection, and data use. Model providers may, for instance, train models on an organisation’s data without permission, process data in prohibited jurisdictions, or lack the documentation needed for compliance with the AI Act.

To address these risks, Danish policymakers are taking various steps, including:

• the ADG has published guides for citizens, public authorities and businesses on the responsible and safe use of generative AI; and
• a guide on data ethics for the development and use of algorithms has been published.

IP-Related Issues

The use of AI systems to generate, for example, code, images, text or designs raises questions regarding the ownership of such content and whether the user or deployer may use, publish, license and protect it. In particular, AI systems raise unique challenges in three key areas:

• the training data used;
• ownership of the rights to the content generated by the AI system; and
• potential infringement – eg, of third-party IP or trade secrets.

For further elaboration, see 16.1 IP Protection for AI Assets to 16.5 Foundation Models and Open-Source AI: IP Considerations.

Regulation of AI in Law by Local Organisations

The use of AI in the legal profession is currently subject to oversight by local organisations such as the Danish Bar and Law Society, which are tasked with ensuring that the use of AI in the legal field adheres to applicable ethical and professional standards. It remains to be seen whether the Danish Bar and Law Society will supplement the existing legal and ethical rules and obligations governing the legal profession with specific provisions addressing the use of AI.

AI Working Group

Furthermore, the Association of Danish Lawyers has established a working group that has published several guides on AI, with the aim of highlighting the potential challenges that may arise from the use of AI in the legal profession and strategies to address them – two of which have been updated in early 2026. The guides cover topics such as a general introduction to AI and algorithms, as well as points to consider when procuring and using AI.

Ethical Concerns

The use of AI in the legal profession raises significant ethical concerns, particularly with regard to the potential reduction in human judgement and accountability, which may challenge core values of the profession, including fairness and justice. In light of these developments, organisations such as the Danish Bar and Law Society are expected to continue monitoring the use of AI in the legal field to ensure adherence to ethical and professional standards.

Liability for Personal Injury and Commercial Harm Resulting From AI-Enabled Technologies

AI-enabled technologies have the potential to cause personal injury or commercial harm, raising questions about liability and responsibility. In Denmark, there is currently no specific regulation addressing liability for AI; however, the revised Product Liability Directive, which must be transposed into Danish law by 9 December 2026 at the latest, mandates that software, including AI systems, legally constitutes a “product”.

The implementation of the revised Product Liability Directive is expected to have a significant impact on the Danish legal landscape, particularly concerning fault-based liability, including the new rules on the burden of proof and the presumption of a causal link between defects and the AI system’s output. In Denmark, damages and liability in many cases of fault-based liability are determined on a non-statutory basis, a framework that may require adaptation in the context of AI.

Theories of Liability and Requirements for Imposition of Liability

The principal theories of liability for personal injury or commercial harm resulting from AI-enabled technologies include product liability, negligence and strict liability. In order to impose liability, it must generally be demonstrated that the AI technology caused the harm in question, that a duty of care was owed by the relevant operator, and that such duty was breached.

Role of Human Guidance and Allocation of Liability

The degree of human guidance is a relevant factor in determining liability arising from AI-enabled technologies. Where an operator retains a supervisory role and is merely assisted by an AI system, the operator exercises greater control over the outcome and may accordingly bear a higher degree of responsibility. Conversely, where the operator’s function has been entirely replaced by an AI system, the allocation of liability may shift towards the provider or developer of the system.

Insurance

Insurance plays a critical role in managing the risks associated with AI-enabled technologies. It is essential to determine the scope of coverage and any applicable exclusions in insurance policies for AI-related claims. Currently, the discussion of insurance coverage for AI-enabled technologies remains purely theoretical, as no publicly available information exists nor is there any practical industry discussion in Denmark.

See 10.1 General Theories of Liability.

Unlike traditional AI tools, agentic AI systems are capable of making semi-autonomous decisions, executing multi-step tasks, and interacting with external systems or documents with limited or no human intervention. This autonomy challenges the application of existing legal frameworks in several respects.

From a contract law perspective, questions of IP ownership and data protection arise, particularly where agentic AI systems autonomously generate content, process personal data, or interact with third-party systems without direct human oversight.

Furthermore, the specific context in which an agentic AI system is deployed is of particular relevance. Where such a system is generating content for commercial use, processing third-party data or content, or interacting autonomously with external parties, additional legal considerations arise, including – but not limited to – obligations under applicable data protection, IP and consumer protection frameworks. 

See 10.1 General Theories of Liability.

No Legal Definition of “Bias”

The term “bias” is not defined in Danish legislation. The AI Act refers to bias in the context of bias detection and correction measures but does not provide an independent legal definition of the term.

Bias Under the GDPR

Under the GDPR, bias in AI is indirectly addressed through several core data protection principles. The GDPR requires that personal data be:

• processed lawfully, fairly and in a transparent manner in relation to the data subject (the principle of “lawfulness, fairness and transparency”);
• adequate, relevant and limited to what is necessary in relation to the purposes (the principle of “data minimisation”); and
• accurate and, where necessary, kept up to date (the principle of “accuracy”).

If the processing of personal data in the context of the development and deployment of an AI system adheres to these principles, then – on paper, at least – no bias will be present. These principles must be kept in mind by organisations wishing to develop and deploy AI as early as the design phase of the AI system and – if relevant – the deployment phase where the AI system is intended to dynamically adapt to new input data.

With reference to the design/clarification phase as mentioned in 5.2 Regulatory Directives in the context of developing and deploying AI, the DDPA has, in line with the above considerations, expressed in its guidelines on public authorities’ use of AI that the development of an AI model must mitigate the risk of bias. The guidelines also address the risk of automation bias, meaning situations where the AI system is used as a decision-supporting tool in the hands of a person, but where the person attaches decisive weight to the system’s output, such that the AI system effectively issues the final decision.

Public Administration Law

In the context of public administration law, legal doctrines exclusive to public administration law indirectly address bias in AI systems. Public administration law is, unless otherwise explicitly stated, technology-neutral and applies to AI systems developed and deployed by public authorities. Central to the notion of bias is the misuse of power doctrine, detailed further in 7.1 Government Use of AI.

Owing to Denmark’s opt-out on justice and home affairs, certain provisions of EU law in areas such as criminal justice and police operations are not applicable in Denmark. Specifically, the following provisions of the AI Act do not apply as a consequence of the opt-out:

• Article 5(1)(d);
• Article 5(1)(g);
• Article 5(1)(h); and
• Article 5(2)–(6).

Facial Recognition

In Denmark, the DDPA has the authority to authorise the processing of biometric data by private organisations where such processing is necessary for reasons of substantial public interest. For instance, in late 2025, the Danish Football Association – on behalf of the clubs in the top-tier league (Superligaen) – obtained authorisation for all clubs in the division to use facial recognition technology during matches. Conversely, the DDPA declined to grant authorisation to the clubs in the first division, finding that the use of facial recognition technology – and the associated processing of biometric data – across that division could not be considered proportionate to the purpose of the processing and, accordingly, did not constitute processing necessary for reasons of substantial public interest.

In July 2025, a proposed amendment to the Danish Copyright Act was submitted for public consultation. The proposed amendment seeks to introduce two new provisions specifically targeting deepfakes:

• Section 65a, which would prohibit the making available to the public of deepfakes of performing artists’ artistic performances without their consent; and
• Section 73a, which would prohibit the making available to the public of deepfakes reproducing the personal, physical characteristics of natural persons without their consent.

Although these provisions are not expressly limited to AI-generated content, the preparatory works indicate that they are primarily aimed at addressing deepfakes produced by means of AI.

The bill has been the subject of considerable debate and has undergone the TRIS (Technical Regulation Information System) notification process before the European Commission. In particular, the European interest group VideoGamesEurope and the Danish think tank Justitia, among others, raised concerns that the proposed legislation is incompatible with the principles of the European internal market and that it introduces protections running parallel to existing European harmonisation rules.

Conversely, the Association of Danish Lawyers and the Danish Rights Alliance (Rettighedsalliancen) have both submitted that the bill would strengthen the legal protection of individuals by providing a clearer framework for protection against deepfakes.

Owing to the Danish national election, the legislative process has been paused.

Transparency in General

In Denmark, the use of AI technologies, including chatbots, as a replacement for services rendered by natural persons is subject to the GDPR. Articles 13, 14 and 15 of the GDPR set out the transparency rules and require data controllers to inform individuals about the processing of their personal data, including when AI is involved. The specific information to be provided depends on how personal data is collected – ie, data may be collected directly from the data subject (for example, through a job application) or the data may be collected through a third party. In both cases, the individual must be informed of the purpose and use of their data, as well as of any proposed new use of that data.

For instance, in June 2024, the DDPA found that IDA Forsikring’s use of AI to analyse recorded customer service phone calls was permissible, but their consent process was non-compliant with the GDPR. The consent was not sufficiently granular, as it bundled multiple purposes without allowing callers to choose which purposes they consented to.

Dark Patterns

The use of technology to manipulate consumer behaviour or make undisclosed suggestions – also commonly known as “dark patterns” – raises concerns as it makes it difficult for individuals to make informed choices about their personal data. Dark patterns could entail sharing personal information without clear intent or making purchases by mistake. These practices are often considered unfair under the Danish Marketing Practices Act (Lovbekendtgørelse No 1420 of 2 December 2024).

In a Danish context, contracts between AI customers and suppliers will be key to resolving several of the issues arising from the use of AI technology in a B2B context. Often, the supplier will focus on ensuring a flow-down of the terms from the model provider, whereas the customer will seek to negotiate more specific, customised terms where relevant.

A key consideration in AI procurement is the appropriate allocation of IP rights across the various categories of assets involved – in particular, input and output data.

Input and Output Data

With respect to output data, it is often essential for the customer to secure sufficient rights to use, reproduce, disclose and distribute the output generated by the AI system for its business purposes.

Input data, such as documentation and prompts, will typically constitute the customer’s proprietary or confidential information. The contractual framework should accordingly confirm the customer’s ownership of its input data and impose appropriate restrictions on the supplier’s use thereof. Conversely, the supplier would typically seek to use customer data for service improvement purposes, including training or fine-tuning of the underlying AI model – a use that may not be intended or acceptable to the customer.

Warranties and Indemnification

From the customer’s perspective, it is important to seek indemnification covering third-party claims alleging that the output generated by the AI system infringes a third party’s IP rights, as well as claims that the supplier’s use of training data was not duly authorised or licensed. Conversely, the supplier will often seek to limit its warranties to a representation that the AI system will perform materially in accordance with the applicable documentation.

Organisations procuring AI systems – particularly high-risk AI systems under the AI Act – should conduct appropriate due diligence on upstream providers. Once Article 43 of the AI Act becomes applicable on 2 August 2026, relating to the required conformity assessment and technical documentation, such due diligence will become increasingly relevant. Deployers of high-risk AI systems are directly subject to obligations under the AI Act, including registration requirements, human oversight obligations and post-market monitoring.

When developing AI-based recruitment and employment tools, employers must ensure that the technology complies with the GDPR as well as the Danish Employment Non-Discrimination Act (Lovbekendtgørelse No 399 of 5 April 2024) and the Danish Act on Equal Treatment Between Men and Women (Lovbekendtgørelse No 942 of 19 July 2024). Regular audits, transparency in the use of AI in the selection process and corrective action when bias is identified are crucial steps to mitigate potential liability risks. See also 1.1 General Legal Background.

In a Danish context, the GDPR imposes strict requirements on the collection, processing and storage of personal data, also for evaluation and monitoring purposes. Employers must be transparent about the purpose and extent of monitoring, as further discussed in 12.4 Transparency and Disclosure, and must implement measures to safeguard employee privacy. Failure to comply with these requirements can expose employers to potential liability. It is also important for employers to establish clear policies and guidelines regarding the use of technology for evaluating and monitoring employees.

Companies such as GoMore, a Danish mobility operator, have harnessed the power of digital platforms to facilitate private car hire, leasing and carpooling options. By utilising keyless access and real-time location tracking of available vehicles, GoMore makes it easier for platform users to plan their trips efficiently.

The food delivery sector in Denmark has also witnessed advancements due to digital platforms. Platforms such as Wolt employ algorithms to optimise the delivery experience – for example, by estimating the time required for restaurants to prepare customers’ food orders and calculating the time it will take for a courier partner to deliver it to the customer.

The financial sector is increasingly incorporating AI into its business operations, including the use of AI to automate:

• credit scoring;
• anti-money laundering practices;
• fraud prevention practices;
• marketing;
• customer support; and
• investments.

The latest report from the Danish Financial Supervisory Authority (DFSA) on the financial sector’s use of AI indicates that more than seven out of ten corporations in the financial sector utilises AI in some way.

AI in the Context of Danish Health Law

AI is increasingly being used by Danish hospitals and nursing homes to improve the general quality of healthcare provided to patients as well as to assist healthcare personnel in administrative tasks – eg, journalisation. Notable use cases of AI in the Danish healthcare sector include:

• an AI-based monitoring system deployed for the purposes of fall prevention, which monitors patients’ movements and alerts healthcare personnel, if relevant;
• an AI system used by healthcare personnel to journalise patient findings and sessions, thereby freeing up time that would otherwise be spent on manual journalisation; and
• an AI system that analyses mammograms and identifies abnormal tissue patterns, thereby assisting in the early detection of potential breast cancer.

In general, the Danish Act on the Authorisation of Healthcare Professionals and on Healthcare Practice (Lovbekendtgørelse No 1008 of 29 August 2024) Section 17 provides that healthcare professionals – eg, doctors – must exercise care and conscientiousness in the performance of their duties, including in the provision of treatment. Accordingly, doctors may deploy AI systems for medicinal and diagnostic purposes, provided that sufficient care and conscientiousness is exercised in the given use case.

A “self-driven” vehicle is a vehicle that can drive completely or partially without the assistance of a driver. In Denmark (upon prior authorisation) it is possible to experiment with small autonomous vehicles in the public space, and this has been governed by the Danish Road Traffic Act (Lovbekendtgørelse No 118 of 12 January 2026) since 2017.

One of the major challenges in autonomous vehicle navigation is the AI’s ability to understand the social codes of traffic that enable human drivers to decide whether to take evasive action or keep driving. This has been emphasised in research from 2023 by the Department of Computer Science at the University of Copenhagen (Datalogisk Institut). Danish liability law for accidents on the road is on a no-fault basis. However, if the accident involves autonomous vehicles, liability might shift to the holder of the authorisation to experiment with autonomous vehicles.

Many businesses are incorporating AI into their commercial and administrative operations – eg, customer support via AI chatbots – as well as in their products themselves, often labelling such products “AI products”.

The most relevant legal considerations arising in connection with “AI products” are the following:

• a product incorporating an AI system may be classified as a high-risk AI system pursuant to the AI Act where the AI system is intended to be used as a safety component of a product, or is itself a product, covered by the Union harmonisation legislation listed in AI Act Annex I (eg, toys, certain vehicles and machinery), and the product is required to undergo a third-party conformity assessment pursuant to such legislation; and
• general liability concerns and product liability law are also relevant, in particular as regards the degree to which the manufacturer of an AI product may be held liable for damage caused by the product.

For further discussion, see 10. Liability for AI.

This topic is not applicable.

In the absence of explicit AI legislation governing IP in Denmark, the protection of AI system components is primarily governed by established IP regimes and contractual arrangements. From a statutory perspective, several forms of IP protection may be available to AI components.

Source code, training datasets, and AI-generated input and output may qualify for copyright protection, provided they reflect a sufficient degree of human originality. Patent protection may extend to AI algorithms where they are embedded in technical inventions, although purely abstract algorithms fall outside the scope of protection under the Danish Patents Act (Lovbekendtgørelse No 90 of 29 January 2019). Substantial investments in the compilation of training datasets may attract database rights, while training methodologies and related know-how may be safeguarded as trade secrets.

AI provider terms will typically determine ownership rights and permissible use, and in this connection both users and providers of AI systems should remain alert regarding infringement risks, which may arise from training on protected works, non-compliant use of open-source components, or the generation of outputs that reproduce protected material.

Under both the Danish Copyright Act and the Danish Patents Act, authorship and inventorship are reserved for natural persons. This position is consistent with prevailing international jurisprudence, including the widely cited DABUS decisions across multiple jurisdictions, and was reaffirmed in a report titled “Recommendations from the Danish Expert Group on Copyright and Artificial Intelligence”, issued in September 2025 by the Danish Expert Group on Copyright and Artificial Intelligence. The expert group was established in 2024 by the Danish Ministry of Culture, with the aim of identifying the challenges that AI poses to copyright and gathering informed proposals on how to address them, and comprises representatives from rights-holder organisations and industry associations, as well as technical and legal experts.

That said, the involvement of AI in the creative or inventive process does not in itself preclude protection. Where a natural person exercises genuine creative direction – whether by selecting and curating outputs, steering the generative process, or conceiving the underlying inventive concept – the resulting work or invention may satisfy the applicable originality or inventive step thresholds. 

Notably, the AI Act does not resolve questions of IP ownership in AI-generated or AI-assisted works, leaving a significant gap in the regulatory landscape. Therefore, the issue seems most likely to be answered by the courts instead of through regulation.

The Danish Expert Group’s September 2025 report advocates for a number of clarifications and harmonising initiatives to be pursued at EU level. As AI capabilities continue to advance, the allocation of IP rights in this domain is expected to remain a subject of active policy debate and legislative development.

The process of training an AI model on copyrighted works entails – even if only at a technical level – the reproduction of those works, and the resulting output may bear a close resemblance to existing protected material. This gives rise to potential copyright concerns, including risks relating to attribution and integrity, particularly where a licence for such use has not been obtained.

The DSM Directive, transposed into Danish law in 2021, sought to address part of this challenge by introducing two text and data mining (TDM) exceptions. Of relevance is the provision permitting TDM of lawfully accessed works, provided that rights-holders have not expressly reserved their rights.

Licensing frameworks are gradually evolving to accommodate these developments. Collective management organisations (CMOs), for instance, are adjusting the scope of the rights they are managing.  As an example, the Danish CMO Tekst & Node is entering into the first agreements regarding the use of lyrics and sheet music in AI tools on behalf of the rights-holders it represents.

At the regulatory level, the AI Act imposes an obligation on providers of general-purpose AI models to publish summaries of their training data, thereby enabling rights-holders to identify unauthorised use and pursue licensing or enforcement measures. Meanwhile, significant litigation is advancing across several jurisdictions, and the resulting decisions may potentially inform the interpretative approach of Danish courts on questions that domestic case law has not yet addressed.

In Denmark, KODA, the CMO for composers and songwriters, has initiated proceedings against Suno, the AI music generation platform, alleging that Suno trained its model on protected musical works without authorisation or remuneration. Similarly, the Danish publishers’ CMO DPCMO has filed claims against both OpenAI and LinkedIn, targeting the use of Danish publishers’ content in AI training datasets. These Danish proceedings, which remain ongoing, are among the first domestic cases to squarely address the question of copyright infringement in the context of AI training data and, once resolved, are expected to yield significant guidance on the matter.

Fully autonomous AI-generated works, where the system’s output is produced with no meaningful human creative input beyond an initial prompt, do not satisfy this threshold for obtaining copyright protection and accordingly fall outside the scope.

A more nuanced question arises in relation to AI-assisted works, where a human creator employs generative AI as a tool while exercising genuine creative direction over the output – for instance, by selecting, iterating, curating or editing the material in ways that reflect the creator’s own artistic vision. In such cases, copyright protection for the human contribution may be justified, but the analysis is inherently fact-specific, and no bright-line rule currently exists. The closer the AI operates autonomously in response to a minimal prompt, the weaker the case for human authorship becomes.

Where copyright does subsist in an AI-assisted work, ownership vests in the human author or, where the work is created in the course of employment, in the employer pursuant to applicable provisions of the Danish Copyright Act. AI provider terms frequently purport to assign output rights to the user, though such assignment is only meaningful to the extent that copyright actually subsists in the output – a question the terms themselves cannot resolve. Moral rights, being personal and inalienable under Danish law, follow the human author where authorship is established and do not arise at all where it is not, leaving fully AI-generated works without the attribution and integrity protections that would otherwise apply.

Licensing models – eg, proprietary, open-weight and fully open-source models – each carry IP implications as to the scope of permissible use, rights in derivative outputs, and enforceability. Open-weight models, in particular, frequently impose bespoke licence terms that do not conform to established open-source definitions, creating uncertainty as to the scope of permitted commercial exploitation.

Open-source AI inevitably entails IP risks, including potential infringement through outputs resembling copyrighted training data, conflicts arising from open-source licence obligations, and latent IP encumbrances introduced through third-party components.

AI and Data Protection – a Natural Overlap

Datasets used to train AI models often include personal data within the meaning of applicable data protection legislation in Denmark, as mentioned in 1.1 General Legal Background. Providers and suppliers of AI systems generally have a strong incentive to use “real” personal data – as opposed to synthetic data – as training on realistic datasets tends to produce more consistent and reliable outputs.

Development of AI – Public Authorities

The DDPA has issued guidelines and decisions in the context of developing AI, albeit mostly in the context of public authorities’ development of AI models. In its guidelines, as also described in 5.2 Regulatory Directives, the DDPA describes that public authorities’ processing of personal data, including training AI models with personal data, requires a supplementary legal basis in either EU law or national law as a rule. This is because the processing of personal data for the purpose of developing an AI model is considered a separate purpose from the initial purpose of collecting the personal data, such as the issuance of administrative decisions concerning benefits or similar matters.

The DDPA’s guidelines emphasise that the level of clarity of the supplementary legal basis depends on the intrusiveness of the data processing, meaning that the legal basis must be specific concerning the processing of personal data if the processing activity is intrusive for the data subjects and vice versa.

The DDPA has stated that training AI models with personal data in general does not constitute intrusive processing for data subjects whose personal data is used in the training process, as there are no direct consequences for those citizens whose personal data is used to develop the AI system.

Development of AI – Private Organisations

The principles described above apply equally to private organisations. Hence, development of AI also constitutes a purpose separate from the initial purpose of collecting the personal data, and that training AI models is generally not considered intrusive processing for the data subjects concerned.

However, unlike public authorities, private organisations can – and often will – rely on other legal bases under the GDPR for the processing of personal data, such as the organisation’s legitimate interests in developing an AI model. As a general rule, private organisations are accordingly not limited to the provisions of EU law or national law in the context of developing AI models.

As stated in 17.1 AI Training and Data Protection, the DDPA’s guidelines and decisions have primarily concerned public authorities, in particular in the context of identifying a lawful basis under the GDPR for processing personal data. This focus extends to public authorities’ deployment of AI systems as well where a supplementary legal basis often must also be identified for deploying the AI system. 

Deployment of AI

In the context of public authorities’ deployment of AI, the DDPA has detailed that deploying AI systems does not, as a rule, constitute intrusive processing. However, where the AI system is used to generate outputs such as draft administrative decisions or predictions, the deployment will, as a rule, be considered intrusive. Correspondingly, a supplementary legal basis for deploying the AI system must be sufficiently clear and precise to cover such processing.

Consequently, an increasing number of administrative executive orders are being issued to provide sufficiently clear legal bases for public authorities to process personal data in the context of deploying AI systems. As highlighted in 1.1 General Legal Background, the SU AI Executive Order is an example thereof. The purpose of the SU AI Executive Order was to provide a legal basis for deploying an AI system to assess whether an application for a disability allowance was accompanied by sufficient supporting documentation.

The DDPA concluded in its opinion (DDPA journal No 2024-212-0371) that the deploying authority could lawfully deploy the AI system, notwithstanding that the processing was considered intrusive, on the basis that the SU AI Executive Order provided a sufficiently clear supplementary legal basis, as the executive order set out the following:

• a clear purpose for the processing of personal data;
• categories of personal data to be processed;
• the sources from which the personal data must be collected;
• data retention periods; and
• general provisions on accountability and security measures, including data protection by design and by default, and data protection impact assessments (DPIAs).

Another example is the Danish Working Environment Authority’s use of AI in relation to its tasks as the supervisory authority overseeing compliance with work environment regulation. The Danish Working Environment Authority’s development and deployment of AI has similarly been regulated via an executive order that follows the same structure as the SU AI Executive Order, listing, for example, clear purposes for the data processing and categories of personal data to be processed.

As the development and deployment of AI systems is likely to trigger the GDPR’s requirements for DPIAs, the DDPA has published a template for DPIAs specifically tailored to developing and deploying AI systems.

The DDPA has also stressed the importance of complying with transparency obligations – ie, informing data subjects that their data will be used for the development and deployment of AI systems.

A New Proposed General Legal Basis for All Public Authorities

The ADG has proposed legislation intended to provide a general supplementary legal basis for all public authorities’ development and deployment of AI, provided that no sensitive data and no information relating to criminal convictions and offences are processed in the AI system.

It is, however, doubtful whether such a general legal basis – intended to apply to all public authorities’ processing of personal data in the context of developing and deploying AI – is sufficiently clear and specific in line with the DDPA’s practice. In particular, as noted in the preparatory works of the proposal, the law is intended to, inter alia, allow AI systems to evaluate certain personal aspects relating to individuals, which is generally considered an intrusive form of processing, thus necessitating a sufficiently clear and precise supplementary legal basis.

At the time of writing, the legislative process for formally adopting the proposal into Danish law has been halted due to the Danish national election.

Privacy by Design

The GDPR requires for certain design choices to be integrated into AI systems from the earliest stages of development. Examples include:

• data minimisation considerations where an AI model is trained via web-scraping techniques – eg, how to correctly integrate and scope only the necessary and relevant (categories of) data;
• how to ensure that generative AI systems provide accurate outputs and how to rectify inaccurate (input) data; and
• where an AI system issues fully automated decisions without meaningful human involvement that produces either legal effects or similar decisions for individuals, technical integrations that enable an explanation of the AI system’s output and rationalisation thereof that was used in the decision.

A String of Processing Chains

Most organisations will look to off-the-shelf “AI solutions offered as a Service” (AIaaS) rather than developing AI models and systems from scratch in-house. As many AIaaS providers base their solutions on fine-tuned AI models – often LLMs, whose business models often require consistent (re-)training of said models – it is important for the purchasing organisation to keep in mind the flow of personal data to be input in the AI system and what the roles of the involved parties are. 

It is, however, important to assess whether the provider of the AIaaS uses the data provided by the deploying organisation for their own purposes, as the AIaaS provider will, as a general rule, be considered an independent data controller under the GDPR, which triggers further compliance requirements under the GDPR for the deploying data controller. This includes, for example, identifying a sufficient legal basis for the disclosure of personal data under the GDPR Article 6.

The DDPA deploys a strict approach concerning controllers’ documentation for engaging (sub-)processors and third-country transfers, either directly via the initial processor or sub-processors. As there often are many suppliers involved in the AI supply chain and these data processing agreements (DPAs) are often non-negotiable, controllers must assess whether the active DPA includes clauses that can be seen as an instruction for any (sub-)processors to transfer personal data to third countries, and must identify the relevant transfer mechanism pursuant to the GDPR Chapter V.

The Danish Competition and Consumer Authority (DCCA) is monitoring developments closely, with a focus on three main areas.

• Merger control: innovative ways of acquiring influence over AI companies – such as acquihiring or securing board seats post-investment – may trigger notification requirements under Danish merger control rules. These transactions are under increased scrutiny.
• Exclusivity and collaborations: agreements involving exclusivity or strategic partnerships between major players and AI developers are assessed under Danish rules on anti-competitive agreements and abuse of dominance. Companies should exercise caution when entering such arrangements.
• Algorithmic collusion: Danish competition law prohibits price co-ordination via algorithms just as it does traditional collusion. Use of shared pricing algorithms that align competitors’ pricing may constitute illegal concerted practices, and Danish authorities are aligned with international enforcement trends in this area.

Currently, only the AI Act – specifically Article 15 thereof – regulates AI-specific cybersecurity measures. Article 15 requires providers of high-risk AI systems to design and develop such systems with an appropriate level of accuracy, robustness and cybersecurity throughout the AI system’s life cycle. In particular, Article 15 requires providers to address AI-specific vulnerabilities, including, where relevant:

• data poisoning;
• model poisoning;
• adversarial examples/model evasion;
• confidentiality attacks; and
• model flaws.

Providers of high-risk AI systems are also subject to reporting obligations under AI Act Article 73, which requires that serious incidents caused by an AI system be reported to the national market surveillance authorities no later than 15 days after the provider becomes aware of the serious incident. A serious incident includes, for example, an incident or malfunction of an AI system that leads to serious and irreversible disruption of the management or operation of critical infrastructure. 

As AI Act Article 15 only applies to AI systems that qualify as high-risk – ie, those covered by the AI Act’s Annex I or III – not all providers of AI systems are required to implement the above cybersecurity measures. By way of example, an AI chatbot deployed on a website for customer support purposes would not constitute a high-risk AI system and would accordingly fall outside the scope of these requirements.

In addition to the AI-specific cybersecurity measures set out in AI Act Article 15, other non-AI-specific cybersecurity legislation applies to the extent relevant, such as the requirements under NIS2 concerning policies on risk analysis, information system security and supply chain security.

ESG Requirements Mandated by Legislation

Currently, there is no Danish AI-specific legislation in the context of ESG. In general, ESG-based legislation in Denmark is derived from EU legislation, primarily in the form of corporate reporting obligations.

Under the Danish Financial Statements Act (Lovbekendtgørelse No 402 of 23 March 2026) which implements the Corporate Sustainability Reporting Directive (CSRD), large companies are required to include a statement detailing their efforts and performance in relation to ESG criteria. Therefore, if a company implements AI in its daily operations, and this integration affects its ESG performance, it should be included in the company’s report – for example, if such initiatives are making its business processes more efficient and reducing energy consumption.

AI ESG Regulation by Other Means Than Law

Although AI is not specifically regulated by relevant ESG legislation, ESG considerations can still potentially alter the way organisations must approach the development, deployment and procurement of AI. For example, in the context of public procurement, a given procurement procedure may impose specific ESG requirements, such as greenhouse gas emission thresholds, to which the tenderers’ use of AI may be directly relevant. Tenderers must therefore carefully consider whether their deployment of AI affects compliance with any such requirements.

AI-Specific Governance

The principal legislation mandating AI governance is the AI Act.

The AI Act requires providers of high-risk AI systems – meaning AI systems listed in Annex I or Annex III to the AI Act – to implement a risk management system which must be documented and maintained throughout the high-risk AI system’s entire life cycle. Such risk management systems must enable the provider to, inter alia, identify and analyse reasonably foreseeable risks that the high-risk AI system may pose to health, safety or fundamental rights when used in accordance with its intended purpose.

The AI Act also introduces an obligation of AI literacy, which applies to all providers and deployers of AI systems. AI literacy refers to the skills, knowledge and understanding that allow providers, deployers and affected persons to make informed use of AI systems, and to gain awareness of the opportunities and risks of AI and the possible harm it can cause. It is essential for providers and deployers, in their work with AI governance, to equip their personnel with a sufficient level of AI literacy to comply with the AI Act.

Impact Assessments

Both the AI Act and the GDPR impose requirements relating to impact assessments. The AI Act requires deployers of high-risk AI systems to carry out fundamental rights impact assessments (FRIAs) pursuant to AI Act Article 27, while the GDPR requires DPIAs pursuant to the GDPR Article 35.

• FRIAs require, inter alia, an assessment of the risks that the high-risk AI system may pose to the fundamental rights of affected persons, as well as the identification of mitigating measures in relation thereto, such as measures to prevent discrimination.
• DPIAs require an assessment and mapping of, inter alia, the risks to the rights and freedoms of individuals where data processing is likely to result in a high risk thereto, as well as the mitigating measures adopted to address such risks, including security measures and safeguards. Notably, pursuant to Article 27(4) of the AI Act, where any of the obligations under Article 27 is already met through a DPIA conducted under GDPR Article 35, the FRIA shall complement that DPIA.

Danish Guidance on AI as Tools for Governance

As the relevant Danish authorities – eg, the ADG and the DDPA – continue to release guidance on key legal topics pertaining to their respective areas of supervision in the context of AI, organisations may look to such guidance as a practical tool in their work with AI governance.