Regingada
EU Representation · Four regimes, four designations

Which EU representative does your company need?

Four EU digital acts require companies without an establishment in the Union to designate a representative there — each under its own conditions, with its own tasks and its own name for the role: the GDPR and NIS2 speak of a representative, the DSA of a legal representative, the AI Act of an authorised representative (US spelling: authorized representative). Use this overview to compare the four duties side by side, then open the service page for the designation — or combination of designations — that matches your setup.

Software & appointed EU representation: Regingada UG (haftungsbeschränkt) · Legal advice exclusively: Kanzlei Theo Funk — separate mandate

Comparison

The four representative duties at a glance

Criterion GDPR DSA AI Act NIS2
Legal act & norm Article 27, Regulation (EU) 2016/679 (GDPR) Article 13, Regulation (EU) 2022/2065 (Digital Services Act) Articles 22 & 54, Regulation (EU) 2024/1689 (AI Act) Article 26(3), Directive (EU) 2022/2555 (NIS2)
Who must appoint Controllers and processors without an EU establishment whose processing falls under Article 3(2) GDPR — offering goods or services to, or monitoring the behaviour of, people in the Union (exemptions in Article 27(2)) Providers of intermediary services — mere conduit, caching, hosting, including online platforms and online search engines — with no EU establishment that offer services in the Union Providers established in third countries: of high-risk AI systems, before making them available on the Union market (Article 22(1)); of general-purpose AI models, before placing them on the Union market (Article 54(1)) Entities of the kinds listed in Article 26(1)(b) — DNS service providers, TLD name registries, domain name registration services, cloud computing, data centres, CDNs, managed (security) service providers, online marketplaces, online search engines, social networking platforms — not established in the Union but offering services within it
Core tasks Addressee — in addition to or instead of the controller or processor — for supervisory authorities and data subjects on all issues related to processing (Article 27(4)); maintains the record of processing activities (Article 30) Addressee for Member State authorities, the Commission and the Board on all issues necessary for the receipt of, compliance with and enforcement of decisions (Article 13(2)); contact details notified to the Digital Services Coordinator (Article 13(4)) Performs the tasks in the provider's written mandate: verifies the EU declaration of conformity and technical documentation, keeps documentation at the disposal of authorities, cooperates with them (Article 22(3); for general-purpose AI models: Article 54(3)) Acts on the entity's behalf and can be addressed by competent authorities or CSIRTs in place of the entity; the entity is deemed to be under the jurisdiction of the Member State where the representative is established (Article 26(3))
Applies since 25 May 2018 Fully applicable since 17 February 2024 Article 54 (general-purpose AI models) applies since 2 August 2025 — models placed on the market before that date: transition until 2 August 2027 (Article 111(3)); Article 22 (high-risk) applies from 2 August 2026; for high-risk systems under Article 6(1) (Annex I products) from 2 August 2027 Directive — Member States had to transpose it by 17 October 2024; the duty applies through national implementing law
Service page GDPR Article 27 representative → DSA legal representative → AI Act authorised representative → NIS2 EU representative →