The need for the appointment of "representatives" under European digital law

Introduction

European laws increasingly contain provisions on the mandatory appointment of "representatives". Depending on the subject matter of the respective law, these representatives have different tasks and must fulfill different requirements. In this article, some of the most important (legal) representatives that exist under EU digital laws will therefore be discussed in more detail.

GDPR

The General Data Protection Regulation regulates in particular the processing of personal data.
Article 27 (1) GDPR states that a "representative in the (European) Union" needs to be appointed if personal data of data subjects who are in the EU is processed by a company not established in the EU, where the data processing activities are related to:

• the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU; or
• the monitoring of their behaviour as far as their behaviour takes place within the EU.

There are very limited exceptions to such obligation.

A natural or legal person may be designated. The representative must be established in one of the EU Member states where the data subjects whose personal data is processed are located. The representative's task is to serve as a point of contact for or in place of the represented company (in particular) for supervisory authorities and data subjects for questions relating to the data processing.

The representative cannot be sanctioned for violations of the GDPR by the represented company. GDPR fines can however potentially be levied for a breach of the representative’s own duties.

Failure to appoint a representative where required) can be sanctioned under Article 83(4)(a) GDPR with administrative fines of up to EUR 10,000,000 or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

NIS 2 Directive

The NIS 2 Directive pursues the goal of ensuring a high level of cybersecurity in the European Union.
Regulations on the appointment of a "representative (in the Union)" can be found in Article 26 (3) and (4) of the Directive. According to this

• DNS service providers;
• TLD Name registries;
• entities providing domain name registration services
• cloud computing service providers;
• data centre services providers;
• content delivery network providers;
• managed service providers;
• managed security service providers and
• digital services providers (i.e. of online marketplaces, online search engines or social networking services platforms),

who do not have an establishment in the European Union but offer their services within the European Union must appoint a representative in the European Union. According to Recital 116, the representative shall act on behalf of the entity and it shall be possible for competent authorities and computer security incident response teams (CSIRTs) to address the representative.

In addition, the representative shall be expressly instructed in writing by the represented entity to act on the entity's behalf within the scope of the entity's obligations arising from NIS2, which shall in particular include the reporting of security incidents.

The NIS2 Directive does not include any provisions on the liability of the representative. Rather, it is only clarified that the designation of the representative is without prejudice to legal actions that may be initiated against the represented entity itself.

The represented entity is considered to fall under the jurisdiction of the Member State where the representative is established (Article 26(3) NIS 2). Until a representative is designated, the entity is, where applicable, under the competence of all Member States for the purposes of ensuring application and enforcement.

For infringements (including failure to appoint a representative), Member States must provide for administrative fines under Article 34: for essential entities up to at least EUR 10,000,000 or 2% of worldwide turnover (whichever higher), and for important entities up to at least EUR 7,000,000 or 1.4% of worldwide turnover (whichever higher).

Terrorist Content Online Regulation

The Regulation on preventing the dissemination of terrorist content online aims to curb the spread of terrorist content and thus strengthen the public security of the European Union. To this end, it primarily sets out a series of obligations for hosting service providers. It applies to all hosting service providers that offer services in the European Union and disseminate information publicly, regardless of where they are headquartered.

For hosting service providers that do not have their main establishment in the European Union, Article 17 of the Regulation provides rules on the "legal representative". Accordingly, such a provider shall designate, in writing, a legal representative in the European Union for the receipt, compliance and enforcement of removal orders and decisions relating to terrorist content issued by the competent authorities.

The representative may be either a natural person or a legal entity and has to be provided with the necessary powers and resources to comply with the decisions and removal orders of the authorities and to cooperate with them. The competent authority in the EU Member state where the legal representative is resident or established shall be informed of the designation.

The legal representative can be held liable for violations arising from the Regulation. However, this does not affect the liability of the hosting service providers. The Regulation requires Member States to lay down penalties for infringements, expressly including Article 17 (legal representative).

Digital Services Act

The Digital Services Act is a regulation that aims at ensuring a safe digital space free of illegal content and the protection of users' fundamental rights. Article 13 contains provisions concerning a "legal representative", which stipulates that providers of intermediary services (the scope includes certain mere conduit, caching and hosting services) who do not have an establishment in the European Union but offer their services in the European Union must appoint a legal representative. Here, too, the designation must be made in writing. A legal entity or a natural person can be appointed.

The legal representative shall be mandated by the intermediary service providers in such a way that it may be called upon, in addition to or instead of the service provider, by the EU Member state authorities, the Commission and the European Board for Digital Services in all matters necessary for the receipt, compliance and enforcement of decisions related to the Regulation.

Providers must notify the name and contact details of their legal representative to the Digital Services Coordinator of the Member State where the representative resides or is established, and ensure those details are public, easily accessible, accurate and kept up to date (Article 13(4) DSA). The representative shall be provided with the necessary powers and resources to cooperate with the authorities of the EU Member states, the Commission and the Board. The regulatory authority of the Member State where the representative resides is the one that is primarily responsible for enforcing the DSA requirements vis á vis the represented entity.

The legal representative may also be held liable for breaches of (the intermediary service providers’) obligations under the Regulation, without this affecting the liability of intermediary service providers. Member States must provide for penalties that may include fines up to the maximums set by the DSA (for infringements, up to 6% of annual worldwide turnover).

Data Act

Under Article 37 of the Data Act, entities within scope that are not established in the EU but make connected products available or offer covered services in the EU must, by 12 September 2025, designate a legal representative established in one Member State.

The representative shall:

• be addressable by competent authorities, in addition to or instead of the non‑EU entity, on all matters relating to that entity under the Data Act;
• cooperate with competent authorities and, upon reasoned request, comprehensively demonstrate the measures put in place by the entity to ensure compliance with the Regulation;
• respond, where applicable, to proportionate and reasoned information requests from competent authorities concerning users, data holders or data recipients.

The represented entity is considered to be under the competence of the Member State in which its legal representative is located. Until a representative is designated, the entity may be under the competence of all Member States for the purposes of ensuring application and enforcement. The designation of a representative is without prejudice to the entity’s own liability. The Data Act requires Member States to lay down effective, proportionate and dissuasive penalties.

Data Governance Act

The Data Governance Act attempts to promote free availability and exchange of data. Both (so called) non‑EU data intermediation service providers and recognised data altruism organisations must designate a legal representative in a Member State where their services are offered (Articles 11(3) and 19(3) DGA). The representative serves as the point of contact alongside or instead of the entity and must cooperate with competent authorities and provide, upon request, comprehensive information on compliance measures; failure to provide information may lead to postponement or suspension of the service (Article 14(5) DGA).

For non‑EU providers, the entity is deemed to be under the jurisdiction of the Member State where the legal representative is located. The designation is without prejudice to any legal actions against the entity.

AI Act

The aim of the AI Act is to create a uniform legal framework for artificial intelligence.

Regulations concerning an "authorised representative" are found in Articles 22 and 54 of the AI Act. The Act states that providers of high-risk AI systems or of general-purpose AI models established outside the European Union must appoint an authorized representative established in the European Union by written mandate before making their systems available on the European Union market. The AI Act also specifies a minimum scope of the representative's mandate, which must at least empower them to:

• keep a copy of the EU declaration of conformity and the technical documentation at the disposal of the competent authorities;
• provide a competent authority, upon a reasoned request, with all the information and documentation necessary to demonstrate the conformity of a high-risk AI system with specific requirements, including access to the logs automatically generated by the high-risk AI system to the extent such logs are under the control of the provider and
• cooperate with competent national authorities, upon a reasoned request, on any action the latter takes in relation to the high-risk AI system.
  Representatives of general-purpose AI model providers need to verify further compliance obligations of the model providers.

If the provider does not comply with its AI Act obligations, the representative may need to terminate the mandate. The representative will have liability of its own and may be subject to fines of up to 15 Mio. EUR/3% of worldwide turnover, whichever is higher.

European Health Data Space Regulation

The objective of the European Health Data Space Regulation is to strengthen the linkage of national health systems across the European Union through secure, efficient access to and exchange of health data. The Regulation entered into force on 26 March 2025 and will apply from 26 March 2027, although the obligation to appoint a representative for systems mentioned in Art. 26(2) EHDS will apply only from 2031 on.

Regulations on the "authorised representative" are laid down in Article 31: a manufacturer of an EHR (electronic health record) system – an information system used in the health domain – established outside the Union must, by written mandate, appoint an authorised representative established in the Union before making an EHR system available on the EU market.

However, the Regulation specifies certain minimum content of the mandate. It should allow the representative to, inter alia, the following:

• keep the EU declaration of conformity and the technical documentation at the disposal of market surveillance authorities for 10 years after the last EHR system covered by the EU declaration of conformity has been placed on the market;
• inform the manufacturer about complaints by users;
• further to a reasoned request from a market surveillance authority, provide that authority with all the information and documentation necessary to demonstrate the conformity of an EHR system with essential requirements and
• cooperate with the market surveillance authorities, at their request, on any corrective action taken in relation to the EHR systems covered by their mandate.

Where the manufacturer has not complied with its obligations, the authorised representative is jointly and severally liable for non-compliance on the same basis as the manufacturer (Article 31(4) EHDS). If the manufacturer does not comply with its EHDS obligations, the representative needs to terminate the mandate. Member States provide penalties under their market‑surveillance frameworks.

E-Evidence

Directive (EU) 2023/1544 requires service providers offering certain electronic services in the EU to designate a “designated establishment” (if established in a participating Member State) or appoint a representative (if not established in the Union) to receive, comply with and enforce so-called European Production and Preservation Orders and other decisions falling within scope.

Non-EU service providers offering services in the EU on 18 February 2026 must appoint the representative by 18 August 2026; providers that start offering services thereafter must do so within six months of starting.

The representative shall

• act as the addressee for orders and decisions within scope and cooperate with competent authorities in accordance with the applicable instruments;
• be reachable in specified Union languages and ensure effective internal procedures to enable timely compliance.

The representative must reside in a Member State where the provider offers its services. The provider must notify the central authority of the Member State where the designated legal representative resides. The authorities of that Member State are primarily responsible for coordinating and enforcing the eEvidence obligations. This does, however, not limit other Member States’ ability to issue orders under those instruments. Member States shall provide for penalties for non-compliance.

Regulations on representatives in other (legal) areas

Both at European and EU Member State level, there are further regulations on the obligation to appoint a representative.

For example, in the Regulation on Clinical Trials of Medicinal Products for Human Use, ((EU) No. 536/2014), there is a requirement to appoint a legal representative if the sponsor of a clinical trial is not established in the European Union, Article 74. This representative is responsible for ensuring that the sponsor's obligations under this Regulation are met and is the addressee of all notifications to the sponsor provided for in this Regulation. Any communication to that legal representative shall be deemed to be a communication to the sponsor.

The Regulation on Medical Devices ((EU) 2017/745) contains regulations on an authorised representative in its Article 11. The designation shall constitute the authorised representative's mandate, it shall be valid only when accepted in writing by the representative and shall be effective at least for all devices of the same generic device group. The Regulation also specifies a minimum content of the mandate.

At e.g. the German level, an appointment obligation can be found, for example, in Section 25b of the German Banking Act (KWG). According to this provision, when using outsourcing companies with a registered office in a third country, it must be contractually ensured that the outsourcing company appoints a domestic delivery agent to whom notifications and deliveries can be made by the competent federal institution.

Outlook

Overall, it can be said that the EU legislature regards the representative as an important component of its (digital) regulations. Whereas initially there was hardly any provision for the representative's own liability, in more recent laws there has been an increasing number of provisions which also stipulate the representative's liability. Also, increasingly, the place where the representative resides decides upon the applicable Member State law/competent Member State authority. Thus, the appointment of a representative may in some cases serve to determine a “one stop shop” within the EU, whereas a lack of an appointment would often-times mean that all regulators in the EU could consider themselves competent.
You have further questions regarding the appointment of a representative in the EU? Feel free to reach out!

Update of the insight: The need for the appointment of "representatives" under European digital law, 17 June 2024