Regingada
Network and Information Security · Directive (EU) 2022/2555 (NIS2)

NIS2 EU Representative under Article 26(3)

Certain digital-infrastructure and digital-service entities — from DNS and cloud providers to online marketplaces — that are not established in the European Union but offer services within the Union must designate a representative in the Union, established in one of the Member States where those services are offered (Article 26(3) of Directive (EU) 2022/2555 — NIS2). Regingada UG (haftungsbeschränkt) takes on that named role under its own representation contract: reachability for competent authorities and CSIRTs, routing and documentation — not legal advice.

NIS2 EU representative service for non-EU DNS, cloud, data-centre, CDN, managed-service, marketplace, search-engine and social-networking providers.

Software & appointed EU representation: Regingada UG (haftungsbeschränkt) · Legal advice exclusively: Kanzlei Theo Funk — separate mandate

Contact Regingada — representation & product
Scope

Who must designate a NIS2 EU representative

Article 26(3) of Directive (EU) 2022/2555 (NIS2 Directive), read together with Article 26(1), point (b), addresses a closed catalogue of entity types: DNS service providers, top-level domain (TLD) name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, and providers of online marketplaces, of online search engines and of social networking services platforms.

If such an entity is not established in the Union but offers services within the Union, it must designate a representative in the Union. The representative must be established in one of the Member States where the services are offered (Article 26(3) NIS2).

One point matters for implementation: NIS2 is a directive, not a regulation. It binds the Member States, which transpose it into national law — the Directive set 17 October 2024 as the transposition deadline (Article 41 NIS2). The operative obligations for your entity therefore follow from national transposition, and details vary by Member State. In Germany, national transposition proceeds through the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz — NIS2UmsuCG).

The role

What the NIS2 representative does

The Directive defines the representative as a natural or legal person established in the Union, explicitly designated to act on behalf of one of the Article 26(1), point (b), entities not established in the Union, which may be addressed by a competent authority or a CSIRT in the place of the entity itself with regard to that entity’s obligations under the Directive (Article 6 NIS2).

  • Named EU addressee — competent authorities and CSIRTs can turn to the representative instead of the entity itself on the entity’s NIS2 obligations
  • Routing — documented, timely forwarding of authority and CSIRT correspondence to the people you designate, with a defined escalation path
  • Registration data — the representative’s address is part of your Article 27 NIS2 submission; we keep it accurate and update-ready
  • Documentation — a written record of receipt, forwarding and follow-up

Once designated, the entity is deemed to be under the jurisdiction of the Member State where its representative is established (Article 26(3) NIS2). The representative’s seat therefore becomes the supervisory anchor.

Without a designated representative, the final sentence of Article 26(3) NIS2 provides that any Member State in which the entity provides services may take legal actions against the entity for infringements of the Directive. Unlike Article 13(3) of the Digital Services Act, Article 26 NIS2 ties the designation to jurisdiction rather than to an express representative-liability rule — our representation contract still defines duties, information flows and escalation paths precisely.

Appointment

How the designation works

Three steps take you from Article 26 scoping to registration data and a documented representative function.

  1. Scoping

    A guided question set — the same wizard you can start on this page — records your entity type against the Article 26(1), point (b), catalogue, your establishment and your EU service footprint.

    Deliverablea structured self-assessment record of your Article 26(3) status — not a legal determination; for that, the law firm advises under a separate mandate.

  2. Representation contract

    We prepare the representation contract that names the role and its limits: tasks, information channels, escalation paths, response times — and records the jurisdictional consequence of the representative’s German seat.

    Deliverablea draft representation contract naming role, duties and information flows — model terms on request.

  3. Registration & handover

    We assemble the representative details for your registration under Article 27 NIS2 and put the operational contact channel for competent authorities and CSIRTs in place.

    Deliverablea registration data package for the Article 27(2) NIS2 submission to the competent national authority, plus a documented contact channel.

Two different anchors

NIS2 representative vs GDPR Article 27 representative

Both roles exist so that authorities in the Union have someone to address when the company itself sits outside it — but they are different instruments under different acts.

AspectNIS2 representativeGDPR Article 27 representative
Basis & purpose Article 26(3) of Directive (EU) 2022/2555. Cybersecurity of network and information systems: a reachable counterpart for competent authorities and CSIRTs. Article 27 of Regulation (EU) 2016/679. Protection of personal data: a contact point for supervisory authorities and data subjects.
Who designates The specific entity types listed in Article 26(1), point (b) — DNS, TLD registries, domain-registration services, cloud, data centre, CDN, managed (security) services, marketplaces, search engines, social networks — without an EU establishment, offering services within the Union. Controllers or processors without an EU establishment whose processing falls under Article 3(2) GDPR — offering goods or services to, or monitoring, data subjects in the Union — subject to the exemptions in Article 27(2) GDPR.
Jurisdiction effect The designation anchors jurisdiction: the entity is deemed to be under the jurisdiction of the Member State where the representative is established (Article 26(3) NIS2). Without a representative, any Member State where services are provided may take legal actions (the final sentence of Article 26(3) NIS2). No comparable anchor. The representative is mandated to be addressed in addition to or instead of the controller or processor, in particular by supervisory authorities and data subjects (Article 27(4) GDPR).
Registration Registration data — including the representative’s address — go to the competent national authorities and feed the registry that ENISA creates and maintains (Article 27 NIS2). No central register. The representative is named in privacy information under Articles 13(1)(a) and 14(1)(a) GDPR and appears in the records of processing activities (Article 30 GDPR).

One provider can hold both roles — each requires its own designation. See the GDPR Article 27 representative service.

Why Regingada

A named role, held by a registered company.

Portrait of Theo Funk, Rechtsanwalt, founder of Regingada UG (haftungsbeschränkt)
“Under NIS2 the seat of the representative is not a formality — the entity is deemed subject to the jurisdiction of the Member State where its representative sits. That anchor, plus reliable reachability for authorities and CSIRTs, is what Regingada holds under its own contract. Legal judgment stays with my firm, under a separate mandate.”
Rechtsanwalt Theo Funk · Rechtsanwaltskammer Bamberg

Regingada UG (haftungsbeschränkt), HRB 12595, AG Bamberg

Appointed EU representative & software: Regingada UG (haftungsbeschränkt) — wholly owned by German attorney Theo Funk, no legal advice · Legal advice: independent law firm Kanzlei Theo Funk (RAK Bamberg) — separate mandate.

The same regulatory corpus powers the Regingada Compliance Suite — digital-twin software that maps NIS2 alongside the GDPR, the DSA, the AI Act and the DMA.

From the Regingada Radar — we track what we represent

  • DSADSA — clarification on points of contact (Art. 11)Concerns the authority-facing point of contact under Art. 11 DSA and its public information.
  • AI ActAI Act — prohibited practices (Chapter II)Relates to the catalogue of prohibited AI practices under Chapter II of the AI Act.
  • GDPRGDPR — Data Protection Impact Assessment (Art. 35)Concerns the thresholds and mandatory elements of the DPIA under Art. 35 GDPR.
All entries →

Orientation, not legal advice.

Cost

What determines the cost

The engagement is priced by what the role actually has to carry: your entity type and the scope of your services, the Member States where you offer them, the expected volume of contacts from competent authorities and CSIRTs, registration and update duties under Article 27 NIS2, whether the role is combined with Article 27 GDPR, DSA or AI Act representation (multi-regime setups reduce coordination overhead), and the response times we commit to.

Engagement terms on request.

FAQ

Frequently asked questions

Who must designate an EU representative under Article 26(3) NIS2?

Entities listed in Article 26(1), point (b), of Directive (EU) 2022/2555 (NIS2): DNS service providers, top-level domain (TLD) name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, and providers of online marketplaces, of online search engines and of social networking services platforms — where the entity is not established in the European Union but offers services within the Union.

In which Member State must the NIS2 representative be established?

In one of the Member States where the services are offered (Article 26(3) NIS2). The choice carries more weight than under other regimes: the entity is deemed to be under the jurisdiction of the Member State where its representative is established. Regingada UG (haftungsbeschränkt) is established in Bamberg, Germany — with Regingada as representative, that anchor is Germany.

What is the jurisdictional effect of designating a representative?

Under Article 26(3) NIS2, an entity that has designated a representative is deemed to be under the jurisdiction of the Member State where the representative is established. Supervision then follows that Member State’s transposition of the Directive — one anchor instead of a patchwork.

What happens if we do not designate a representative?

the final sentence of Article 26(3) NIS2 provides that, in the absence of a designated representative in the Union, any Member State in which the entity provides services may take legal actions against the entity for infringements of the Directive. Instead of one jurisdiction anchor, the entity then faces potentially as many jurisdictions as there are Member States in which it provides services.

How does registration under Article 27 NIS2 work?

ENISA creates and maintains a registry of the entity types listed in Article 26(1), point (b). Member States require those entities to submit information to the competent authorities — including the entity’s name, its sector and type, the address of its main establishment or, for entities not established in the Union, of its representative designated pursuant to Article 26(3), up-to-date contact details, the Member States where it provides services, and its IP ranges (Article 27(2) NIS2). The information is forwarded to ENISA for the registry, and changes must be notified (Article 27(3) NIS2).

NIS2 is a directive — what does that mean for the representative duty?

Directive (EU) 2022/2555 binds the Member States, which transpose it into national law; the Directive set 17 October 2024 as the transposition deadline (Article 41 NIS2). The operative obligations for your entity therefore follow from national transposition, and details vary by Member State. In Germany, national transposition proceeds through the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz — NIS2UmsuCG).

Is this legal advice?

Regingada UG (haftungsbeschränkt) is the software and EU-representation company, wholly owned by attorney Theo Funk. It does not provide legal advice. For legal advice under a separate mandate, please see the independent law firm Kanzlei Theo Funk.

What does it cost?

The engagement depends on your entity type and the scope of your services, the Member States where you offer them, the expected volume of contacts from competent authorities and CSIRTs, registration and update duties under Article 27 NIS2, whether the role is combined with Article 27 GDPR, DSA or AI Act representation (multi-regime setups reduce coordination overhead), and agreed response times. Engagement terms on request.

Designate your Article 26(3) EU representative.

Start with the scoping check — it records your Article 26(3) status and leads straight into the representation request.

Legal advice on representative obligations — Kanzlei Theo Funk (separate mandate)