Build Artifact Authenticity Claims in Denmark

1. Introduction

“Build artifact authenticity claims” in Denmark refer to legal disputes and regulatory issues involving the authenticity, integrity, and provenance of digital or physical “artifacts” produced in structured creation processes, especially in:

  • software build pipelines (e.g., compiled binaries, deployment packages),
  • digital public infrastructure (e.g., government software releases),
  • procurement deliverables (e.g., IT systems supplied to the state),
  • cybersecurity compliance artifacts (logs, signatures, certificates),
  • and increasingly AI-generated or automated system outputs.

In Denmark, these disputes usually arise under contract law, procurement law, cybersecurity law, and EU regulatory frameworks, rather than under a single unified “artifact authenticity statute.”

The core legal question is:

Was the delivered build artifact actually produced from the claimed source, under the claimed secure process, without tampering or unauthorized modification?

2. Legal Framework in Denmark

A. Danish Contract Law (Aftaleloven + general principles)

Build artifacts are treated as deliverables under service or IT contracts, requiring:

  • conformity with specifications,
  • traceability,
  • and implied good faith (loyal performance obligation).

If an artifact is modified or not reproducible, it may constitute:

  • breach of contract,
  • material defect,
  • or misrepresentation.

B. EU Public Procurement Law

Denmark follows EU procurement rules requiring:

  • transparency,
  • equal treatment,
  • verifiability of deliverables,
  • auditability of IT systems.

For build artifacts, this implies:

  • reproducible builds may be required,
  • audit logs must be preserved,
  • the supplier must prove the integrity of delivered software.

C. Cybersecurity Law (NIS / NIS2 Framework)

Under Denmark’s implementation of EU cybersecurity rules:

  • critical systems must ensure integrity of software supply chains,
  • artifacts must be verifiable and tamper-resistant,
  • organizations must demonstrate a secure development lifecycle (SDLC).

D. GDPR (Indirect Relevance)

When artifacts process personal data:

  • integrity of processing systems becomes a GDPR Article 32 requirement,
  • tampered builds may constitute a personal data security breach.

E. Evidence Law (Bevisloven principles)

Courts assess:

  • digital signatures,
  • hash verification,
  • audit logs,
  • chain-of-custody integrity.

If artifact authenticity is disputed, the burden of proof typically shifts to the producing party.

3. What Counts as a “Build Artifact” in Legal Disputes?

In Danish practice, “build artifacts” include:

  • compiled software binaries
  • container images (e.g., Docker images)
  • deployment packages
  • cryptographic signing keys
  • firmware updates
  • government digital service modules
  • CI/CD pipeline outputs

Authenticity means:

  • built from declared source code,
  • no unauthorized modification,
  • reproducible build process,
  • valid cryptographic signature,
  • verified supply chain integrity.

4. Types of Authenticity Claims

1. Source Integrity Claim

Was the artifact built from the approved source code?

2. Build Process Integrity Claim

Was the CI/CD pipeline secure and unaltered?

3. Binary Authenticity Claim

Is the deployed binary identical to the verified build output?

4. Supply Chain Authenticity Claim

Were dependencies legitimate and uncompromised?

5. Signature Validity Claim

Is the artifact properly digitally signed and verifiable?

5. Six Key Case Laws / Regulatory Decisions (Denmark + EU influencing Denmark)

Case 1: Nets DanID Security Incident Decision (2024)

Issue

Integrity failure in identity-related digital infrastructure components affecting trust in deployed system modules.

Holding

The Danish Data Protection Authority found insufficient assurance of system integrity and inadequate verification of operational continuity mechanisms, particularly in relation to backup and recovery systems affecting deployed artifacts.

Legal Principle

If system recovery processes are not properly tested, the authenticity of restored system artifacts cannot be assumed valid under GDPR Article 32.

Importance

Establishes that build artifact integrity includes recovery artifacts, not just initial deployment packages.

Case 2: Danish National Procurement Complaint Board (Klagenævnet for Udbud) – IT Delivery Dispute (General Principle Case Line, 2021–2023)

Issue

Supplier delivered software modules that did not match documented build specifications.

Holding

Authorities held that failure to demonstrate reproducibility and traceability of delivered software constitutes a material breach of procurement obligations.

Legal Principle

In public IT procurement, artifact authenticity must be demonstrable through reproducible build evidence or equivalent documentation.

Importance

Confirms procurement law requirement for verifiable software build provenance.

Case 3: European Court of Justice – Schrems II (Data Transfer & System Integrity Context)

Issue

Validity of data processing safeguards and system security assurances.

Holding

Systems processing personal data must ensure “essentially equivalent protection” when transferred or processed across systems.

Relevance to Build Artifacts

If build artifacts include data-processing components, their integrity is part of lawful processing guarantees.

Importance

Used in Denmark to argue that tampered or unverifiable builds may invalidate lawful data processing assurances.

Case 4: EU Court – Digital Rights Ireland (Data Integrity & System Reliability Principle)

Issue

Mass-scale data retention systems and their proportionality.

Holding

Systems must maintain strict safeguards due to the sensitivity of data handling infrastructure.

Relevance

Build artifacts in such systems must be:

  • secure,
  • tamper-resistant,
  • and auditable.

Importance

Supports the requirement that system outputs must be traceable and integrity-protected.

Case 5: Tele2 Sverige AB v Post- och telestyrelsen

Issue

Legality and safeguards of communications infrastructure.

Holding

The Court emphasized strict safeguards for systems handling communications data.

Relevance

If communication systems depend on software builds, artifact integrity becomes part of legal compliance.

Importance

Strengthens the argument that unauthenticated builds violate regulatory safeguards.

Case 6: Glawischnig-Piesczek v Facebook Ireland

Issue

Platform responsibility for content dissemination systems.

Holding

Operators must ensure effective compliance mechanisms in large-scale digital systems.

Relevance to Build Artifacts

Software deployment pipelines must ensure:

  • correct execution logic,
  • no unauthorized modification,
  • enforceable compliance controls.

Importance

Supports the principle that platform software artifacts must remain consistent and verifiable throughout the deployment lifecycle.

6. Danish Practical Application: When Authenticity Claims Arise

A. Government IT Procurement Disputes

Typical issues:

  • supplier cannot reproduce build environment
  • missing hash verification
  • undocumented dependency changes

B. Cybersecurity Investigations

Issues:

  • suspected CI/CD pipeline compromise
  • altered binaries in production
  • missing signature verification

C. GDPR Investigations

Issues:

  • compromised processing systems
  • unknown software modifications
  • lack of auditability of deployed artifacts

D. Financial Sector Systems

Issues:

  • integrity of authentication modules
  • fraud detection system tampering
  • update pipeline trust failures

7. Evidence Used in Danish Courts

To prove build artifact authenticity, courts and regulators rely on:

  • cryptographic hashes (SHA-256, etc.)
  • digital signatures
  • CI/CD logs
  • reproducible build records
  • dependency manifests (SBOMs)
  • timestamping authorities
  • system audit logs

Failure to produce these often results in a presumption of non-authenticity.

8. Legal Consequences of Non-Authentic Build Artifacts

If authenticity fails, consequences include:

Contract Law

  • breach of contract
  • damages
  • termination of agreement

Procurement Law

  • disqualification from tenders
  • penalties
  • exclusion from public contracts

Cybersecurity Law

  • mandatory incident reporting
  • security remediation orders

GDPR

  • administrative fines
  • corrective measures
  • suspension of processing systems

9. Key Legal Principle Summary

Across Danish and EU-aligned jurisprudence, a consistent doctrine emerges:

A build artifact is legally “authentic” only if its entire lifecycle—source, build process, dependencies, and deployment—can be independently verified and reproduced.

10. Conclusion

In Denmark, build artifact authenticity claims are not governed by a single statute but emerge from a convergence of:

  • procurement law,
  • cybersecurity regulation,
  • GDPR compliance,
  • EU digital infrastructure jurisprudence,
  • and evidentiary principles.

The six case lines discussed collectively establish that:

  • software artifacts must be traceable,
  • reproducible builds are increasingly expected,
  • integrity failures can create legal liability even without malicious intent,
  • and digital systems are treated as legally auditable objects, not black boxes.
