Companies established outside the EU are required to appoint an EU representative according to Art. 27 of GDPR if they:

• offer goods and services to individuals in the EU (e.g. providing a website in an EU language, offering payments in EUR) or
• monitor their behaviour (e.g. cookie profiling).

According to the Guideline 3/2018 of the European Data Protection Board (EDPB) on the territorial scope of GDPR, this applies to both controllers and processors. For processors not established in the European Union the applicability of GDPR depends on what the “processing activities” are related to. If the data processing conducted for the controller is related to the offering of goods and services or to the monitoring of behaviour, GDPR applies to the processor in addition to the controller.

Case 1: Online Gaming: You are an online gaming company located outside the EU and offer your games to data subjects in the EU free of charge. When using your games you analyse the data subjects' geolocation data, web-browser data and history and show ads based on this data. As you target the EU market by offering your games and monitoring the users' behaviour you are legally required to appoint a GDPR Representative physically established in an EU member state to remain compliant. Violations of the EU GDPR can lead to substantial fines by authorities and exclusion from business activities in the EU.

Case 2: B2B SaaS: You develop CRM software and offer it as a SaaS product to companies, which are either targeting the EU without an establishment or which are located in the EU. Because your business clients are targeting EU data subjects and your CRM software product is processing and storing their data, you are also required to appoint a GDPR Representative physically established in an EU member state. It is likely that your business clients in the EU will also require you to appoint a representative and enter into a data processing agreement. You can establish trust by already being GDPR compliant during the negotiation phase with your business clients.

According to Art. 27 GDPR, controllers or processors are exempted from the regulation if ALL of the following criteria are met:

• personal data is only processed occasionally, which is only from time to time and non-systematic; AND
• data processing does not include large-scale processing of special categories of personal data or personal data relating to criminal convictions and offences; AND
• data processing is unlikely to result in a risk to the rights and freedoms of data subjects. It is hard to meet ALL of these criteria, in particular the criterion of processing data only occasionally proves to be a big hurdle for most businesses.

Your company's intention to establish commercial relations with EU customers needs to have manifested in a business activity. The mere accessibility of a website in the EU, a mention on the website of an e-mail or geographical address, or of a telephone number without an international code, does not, of itself, provide sufficient evidence to demonstrate the intention to offer goods or services to EU customers. The European Data Protection Board listed the factors to be taken into account when assessing if goods and services are offered in its Guideline 3/2018 on the territorial scope of GDPR. Some of those factors are:

• using languages of EU Member States, or offering payments in a currency of an EU Member State;
• using Google or Facebook ads to address the EU market, or any other marketing activity directed towards EU customers;
• mentioning EU references or testimonials;
• the activity at hand being of an international nature, such as certain tourist activities;
• mentioning dedicated addresses or phone numbers to be reached from an EU country;
• use of EU top-level domains;
• description of travel instructions from one or more other EU Member States to the place
where the service is provided;
• offering the delivery of goods to EU Member States;

In a nutshell, if your company has any outbound activity in the EU or if your company enables or guides EU customers to find your company's product, GDPR is likely to apply.

Case 1: A website, based and managed in Turkey, offers services for creating, editing, printing, and shipping personalised family photo albums. The website is available in English, French, Dutch, and German, and payments can be made in euros or sterling. The website indicates that photo albums can only be delivered by mail in the UK, France, Benelux, and Germany.

Case 2: A Swiss University offers summer courses in international relations and specifically advertises this offer in German and Austrian universities in order to maximise the courses’ attendance. In this case, there is a clear intention from the Swiss University to offer such services to data subjects who are in the European Union, and GDPR will apply to the related processing activities.

Not all online collection or analysis of personal data of individuals in the EU counts automatically as “monitoring”. Monitoring the behaviour of EU data subjects implies an intention to collect data for a specific purpose. Therefore, any kind of tracking of natural persons on the Internet, including the potential subsequent use of profiling techniques qualifies as 'monitoring'. Again, the EDPB gives some more guidance in the Guidelines 03/2018. According to the EDPB, monitoring may not only take place on the Internet but also through wearables and other smart devices. Monitoring activities include:

• Behavioural advertisement
• Geo-localisation activities, in particular for marketing purposes
• Online tracking using cookies or other tracking techniques such as fingerprinting
• Personalised diet and health analytics services online
• CCTV
• Market surveys and other behavioural studies based on individual profiles
• Monitoring or regular reporting on an individual’s health status

Case 1: A marketing company established in the US provides advice on retail layout to a shopping centre in France, based on an analysis of customers’ movements throughout the centre collected through Wi-Fi tracking.

Case 2: An app developer is established in Canada with no establishment in the EU. I uses a processor established in the US for optimisation and maintenance of the app, however it also monitors the behaviour of data subjects in the EU. The developer is therefore subject to GDPR, as per Art. 3(2)b.

The GDPR extends its 'territorial scope' to controllers and processors that have their registered office in a country outside of the EU. As a result, high penalties of up to €10 million or 2% of the worldwide annual turnover can apply if a processor or a controller does not comply with the obligation of appointing an EU representative. The penalties may be enforced by individual claims or by authorities. Furthermore, your partners in the EU may be obliged to stop transferring data to your company.

The representative shall act as an addressee for authorities and data subjects to facilitate the communication with processors and controllers outside the EU. The representative needs to be mandated in writing by the controller or processor to evidence the appointment. In addition, the representative shall, maintain Art 30 records of processing activities and shall make the record available to the supervisory authority on request.

• To facilitate communication, Prighter established a network of offices all over Europe and developed high-end tech solutions for communication with both authorities and data subjects;
• A written appointment is part of the onboarding flow. Clients can sign a Power of Attorney directly online in an end-to-end digital process; and
• We assist clients in the drafting of records of processing activities by providing pre-filled templates along with extensive support and guidance.

First of all, the EDPB clarifies in its Guideline 03/2018 on territorial scope that only one representative needs to be appointed in an EU Member State, which can then serve for all other Member States. In the event that a significant proportion of the customer base is in one particular Member State it is best practice that the representative is established in this Member State. In any case, the representative will be easily accessible for data subjects in all Member States no matter where the representative is located.

How does Prighter approach these requirements?

• Prighter has offices and partner offices in all major EU Member States, this keeps you compliant and provides you with a local and easily accessible representative for all your customers, no matter where they are located; and
• Prighter is not a PO box, we have real privacy professionals in every location.

Our goal is to enable non-European companies to comply with GDPR through a combination of legal expertise and technology solutions. We put the practical insights we gain as a law firm (due to our role as the appointed Data Protection Officer for major banks, financial service providers, tech companies) into the development of our tools which easily handle Data Subject Requests (DSR) and data breaches, and into the management of records of processing activities. We support you in all privacy related matters, but above all we support you in growing your business by enabling you to improve customer trust by handling privacy matters in an efficient, compliant and professional way.

The core of our service is representation according to Art. 27 GDPR. Around this requirement we have built features, services and tools which enable you to leverage your compliance in order to increase efficiency and gain the trust of your customers and partners. For more information on the services offered visit “GDPR-Rep Services”:

• GDPR Representation:

By subscribing to the EU GDPR Representation Program, you appoint Prighter as your EU GDPR Representative. Our qualified team of lawyers and privacy professionals is your first line of defence to deal with requests from data subjects and data protection supervisory authorities (SA).

• Gain Trust:

We provide you with a Compliance Landing Page that you can customise for your brand, display your privacy and security related certificates, and your privacy and cookie policies. This is your window into the world of privacy-related matters which helps you increase customer trust and confidence by demonstrating your privacy regulations compliance. The Compliance Landing Page also serves as an access point for privacy related requests which you can then easily manage with your GDPR Privacy Software tools.

• GDPR Privacy Software Tools:

We have built a unique, specialised tool to manage the lifecycle of any data subject requests (DSRs) from existing or potential clients. This saves you time, internal resources, and money, and reduces your compliance risk substantially. When it comes to supervising authorities, we cover all of their standard requests (e.g. requests to submit records of processing activities). Additionally, we offer you a data breach tool that gives you access to our services in any critical situation which involves your data being compromised.

This is where our innovation comes into play. We built the Data Subject Request (DSR) management tool to channel, structure and filter all incoming privacy requests from clients and authorities. You can handle requests from millions of data subjects in one tool with the help of our proprietary AI technology. We cover and support all aspects of the formal handling of DSRs including communication with data subjects. What actually needs to be done in your database (e.g. delete a data subject), is always your own decision. The DSR tool is designed to manage the lifecycle of a data subject request to get all formal aspects right and offer you a framework of advice. Find more information on this tool here: Visit PrighterDSR 

You are obliged to appoint a data protection officer (DPO) if your company meets one of the following three criteria:

• the processing is carried out by a public authority or body (except for courts acting in their judicial capacity);
• the core activities of your company consist of processing operations which, by virtue of their nature, their scope and/or their purpose, require regular and systematic monitoring of data subjects on a large scale; or
• the core activities of your company consist of processing on a large scale of special categories of data pursuant to Art. 9 and personal data relating to criminal convictions and offences referred to in Art. 10.

More information regarding how the criteria are interpreted is outlined in the Guideline of the Art. 29 Working Party on Data Protection Officers. In comparison to the requirements for appointing a DPO, a GDPR representative is needed in case of offering goods and services or monitoring EU data subjects. In a nutshell, the criteria for the requirement of a DPO reflect a higher risk involved with certain processing activities, whereas the requirements for an EU GDPR representative are triggered when your company’s processing of personal data of individuals located in the EU is noticeable.

A Data Protection Officer (DPO) shall be involved in all issues related to the protection of personal data in a company. The role of a DPO is also to monitor the company’s compliance with GDPR, assist in data protection impact assessments, and to advise the management on privacy by design and privacy by default as well as all other privacy related matters. Hence, a DPO needs to be close to the company and needs to be involved in the day-to-day business. Whenever possible, the DPO shall be located in the region of the company’s headquarters. In comparison, the EU GDPR Representative is by nature operating at a distance when representing the company due to the lack of an establishment in the EU. The representative is therefore a substitution for a subsidiary, branch, or other establishment.

No, there is a conflict of interest between the roles of DPO and GDPR representative. The EDPB states in its Guidelines 03/2018 on the territorial scope that there is a possible conflict of obligation and interests in cases of enforcement proceedings. The EDPB does not consider the function of a representative in the EU to be compatible with the role of data processor for the same company, in particular when it comes to compliance with the respective responsibilities and compliance of a DPO and a representative.

The onboarding process is simple and can be completed in a couple of minutes.

1. We grant your company a free 14-day trial to keep the appointment completely risk-free.
2. Choose a plan. The available plans depend on your company's size. The size of the company is defined according to the Eurostat categories which measure it by the number of people employed. 'Employees' in this definition includes part-time workers and freelancers.
3. Enter your company's details.
4. After registering, download the Power of Attorney (PoA). A signed PoA is required as evidence of the appointment of Prighter as your representative in case of requests from supervisory authorities. We kindly ask you to sign and upload your PoA.
5. Our team will check and verify the provided information about your company and the PoA. This is usually done within a couple of hours.
6. After the PoA has been approved, your company has successfully appointed Prighter as your Art. 27 GDPR representative for the whole EU. You can log in to your client area where you can find templates and information on what can be included in your homepage and privacy policy.
7. Your risk-free 14-day trial period starts now.

Contrary to the appointment of a DPO, you don't need to notify a data protection authority of the representation. If a data protection authority has an inquiry about a company, they take the necessary information from the company's privacy policy. However, please note that you will need to notify the relevant authority that you have appointed Prighter as your NIS representative.

Every separate entity requires representation according to Art. 27 GDPR. Nevertheless, Prighter offers your group the option to sign up for a group package to manage the representation of your affiliates through one main account, with sub-accounts for every affiliate. You will be required to internally select a centralised point of data protection management for the group to handle both the main account and the sub-accounts with one centralised login. The number of affiliates covered depends on the package you sign up for. The "small enterprise" package includes two affiliates, the "medium enterprise" package includes up to five affiliates, and the "large enterprise' package includes an unlimited number of affiliates. All included group entities must operate in the same industry, offer the same range of products, and have the same or a linked brand.

Subscription pricing is based on your company size according to official Eurostat categories and the number of entities to be covered, starting from €39 per month. We offer a 14-day trial period on all subscriptions so that you can get to know our service before subscribing. Our pricing is transparent and there are no hidden costs as we do not charge per request from data subjects. You can choose between monthly, quarterly, or yearly payments. Your company gets a discount for quarterly payments and an even higher discount for the yearly payments option. Furthermore, you can choose between paying with credit card or via bank transfer. We accept almost all credit cards. Bank transfers are accepted in EUR, USD and GBP for annual payments. Please contact our support team should you have any further questions.

Since GDPR is an EU regulation, it will generally no longer be applicable in the UK after Brexit. However, the UK government has incorporated GDPR into UK data protection law. So, from 1st January 2021 onwards, the UK version of GDPR, the “UK GDPR”, will be effective and companies will have to comply with it. Most requirements remain the same as in the EU GDPR, so companies that are already compliant with the EU GDPR will not have to make major amendments to comply with the UK GDPR. However, doing transborder business might lead to additional requirements such as appointing a UK representative or ensuring compliance regarding international data transfers to and from the UK.

The UK government have stated that from 1st January 2021 onwards, companies who are located outside of the UK, whether in the EU or in a third country, and have no offices, branches, or other establishments in the UK, will have to appoint a UK representative, if they are processing personal data of individuals in the UK that relates to either:

• offering goods or services to individuals in the UK; or
• monitoring the behaviour of individuals in the UK.

Resources: ICO FAQs UK representatives

The EDPB has published guidelines on the territorial scope of the GDPR and appointing a representative (Guideline 3/2018). Even though these guidelines will not be directly relevant to the UK law anymore, the ICO stated that they still provide helpful guidance when dealing with specific issues. Hence, when determining the territorial scope of the GDPR the EDPB guidelines can help, as long as the UK government does not adopt new regulations concerning this topic. According to these guidelines, different factors are considered when determining if a company is offering their goods or services to individuals in the EU. Some factors to be considered, adjusted to a UK-only application, would be:

• using language that is used in the UK and offering the UK currency GBP;
• using ads to address UK individuals or other marketing tools directed towards UK customers;
• mentioning addresses or phone numbers to be reached from the UK;
• use of UK top-level domains;
• offering delivery of goods to the UK.

Again, the guidelines of the EDPB can help to assess whether a company is monitoring the behaviour of UK individuals, as long as the UK government does not adopt new regulations (Guideline 3/2018). According to the EDPB guidelines, monitoring can take place both on the internet and through wearables and other smart devices. Some examples of monitoring activities would be:

• behavioural advertisement
• geo-localisation activities
• online tracking by using cookies or other tracking technologies
• market surveys and other behavioural studies based on individual profiles
• CCTV

If you are a public authority, there is no need for you to appoint a representative. Also, if your company fulfils all of the following criteria, there is no obligation to appoint a UK representative:

• You are processing personal data only on an occasional basis; and
• the data processing is of low risk to the data protection rights of the data subjects; and
• there is no great extent of processing special categories of data or data concerning criminal offences.

Generally speaking, it is hard for companies to fulfil all criteria mentioned above which is why they are hardly ever able to take advantage of this exemption.

Resources: ICO FAQs UK representatives

If your company is obligated to appoint a representative but fails to do so, fines of up to GBP 8.7 million or 2% of your annual global turnover (whichever is higher) can be issued.

Since your UK privacy representative should be able to represent you regarding your legal obligations under the UK GDPR, make sure the representative is not a PO tbox but a qualified privacy professional located in the UK. The representative should be appointed in writing and will act on your behalf regarding your compliance with UK GDPR, as well as functioning as a local contact point for UK data subjects and the UK supervisory authority, ICO.

How does Prighter match these requirements?

• The UK privacy representation is provided by Prighter Ltd, a UK company which is part of Prighter Group powered by Maetzler Rechtsanwalts GmbH & Co KG;
• With Prighter Ltd, trained lawyers and privacy professionals are available to support you in all UK related privacy matters and even beyond; and
• A written appointment is part of the onboarding flow. Clients can sign a Power of Attorney directly online in an end-to-end digital process.

Resources: ICO FAQs UK representatives

Our goal is to enable companies without a subsidiary, branch or other establishment in the UK to comply with the UK privacy framework through a combination of legal expertise and technology to deliver this expertise. We put the practical insights we gain as a law firm (due to our role as the appointed Data Protection Officer for major banks, financial service providers, tech companies) into the development of our tools for handling Data Subject Requests (DSR) and data breaches, and for the management of records of processing activities. We support you in all privacy related matters, but above all we help your business to grow by enabling you to improve customer trust by handling privacy matters in an efficient and professional way.

The core of our service is representation according to Art. 27 UK-GDPR. Around this requirement we have built features, services, and tools which enable you to leverage your compliance in order to increase efficiency and gain trust with your customers and partners. For more information about the services offered visit “UK-Rep Services”:

• UK Representation:

By subscribing to the UK Privacy Representation Program, you appoint us as your certified UK Privacy Representative. Our highly professional team of lawyers and privacy professionals will give you the support you need to deal with requests from data subjects and data protection supervisory authorities.

• Gain Trust:

We provide you with a Compliance Landing Page that you can customise for your brand and to include privacy and security related certificates as well as your privacy and cookie policies. This is your window to the world of privacy-related matters which helps you increase customer trust and confidence by demonstrating your privacy regulations readiness. The Compliance Landing Page also serves as an access point for privacy related requests which you can then easily manage with your GDPR Privacy Software tools.

• Privacy Software Tools:

For any data subject requests (DSRs) from existing or potential clients we have built a tool to manage the lifecycle of such privacy requests. This saves you time, internal resources, and money, and reduces your compliance risk substantially. Furthermore, all standard requests from the ICO are covered (e.g. requests to submit records of processing activities).

This is where our innovation comes into play. We built the Data Subject Request (DSR) management tool to channel, structure, and filter all incoming privacy requests from clients and authorities. You can handle requests from millions of data subjects in one tool with the help of our proprietary AI technology. We cover and support all aspects of the formal handling of DSRs including the communication with data subjects. What actually needs to be done in your database (e. g. delete a data subject), is always your own decision. The DSR tool is designed to manage the lifecycle of a data subject request to get all formal aspects right and offer you a framework of advice.

Visit Prighter DSR

Generally, companies which have no offices, branches or other establishments in the EU/EEA need an Art 27 EU GDPR representative if they are:

• offering goods or services to individuals in the EU/EEA; or
• monitoring the behaviour of individuals in the EU/EEA.

After Brexit, the UK is no longer a Member State of the EU and consequently an establishment in the UK does not count as an EU/EEA establishment anymore, therefore this general rule will oblige UK companies, who fulfil the above criteria, to appoint an Art. 27 GDPR representative. So, if you are an UK company that reaches out to the EU/EEA market without having an establishment within the EU/EEA, you will be required to appoint an Art. 27 representative.

If you are a public authority, you do not need to appoint a representative. Also, if you meet all the following criteria you are exempted from this obligation:

• You are processing personal data only on an occasional basis; and
• the processing is of low risk to the rights of the data subjects; AND
• the processing does not involve large-scale usage of special categories of data or criminal offence data.

For any further questions concerning the appointment of an Art. 27 GDPR representative please see our Art. 27 EU GDPR FAQ.

Companies which are established outside the UK and the EU/EEA and neither have an establishment within the UK nor the EU/EEA but are

• offering goods or services to individuals in the EU/EEA; or
• monitoring the behaviour of individuals in the EU/EEA.

will have to appoint two representatives, in both the EU and the UK, in order to comply with EU regulations on one hand, and UK regulations on the other.

Since Prighter has offices in the EU as well as in the UK, we are able to offer you EU representation as well as UK representation.

The onboarding process is simple and can be completed in a couple of minutes, but the best part is:

1. We grant your company a risk-free 14 day trial to make the appointment completely risk-free.
2. Choose a plan. The available plans depend on your company's size. The size of the company is defined according to the Eurostat categories and thereforeby the number of persons employed. 'Employees' includes part-timeworkers and freelancers.
3. Enter your company's details. Your risk-free 14 day trial period starts when you complete this step.
4. After registering, you will find a download button for the Power of Attorney (PoA). A signed PoA is required as evidence of the appointment of Prighter as your representative in case of requests by supervisory authorities. We kindly ask you to sign and upload your PoA.
5. Our team will check and verify the provided information on your company and the PoA. This is usually done within a couple of hours.
6. After the PoA has been approved, your company has successfully appointed Prighter as it's UK privacy representative. You can log in to your client area where you can find templates and information on what you can include in your homepage and privacy policy.

Contrary to the appointment of a DPO, you don't need to notify the ICO of the representation. In the event that the ICO has an inquiry about a company, they take the necessary information from the company's privacy policy.

Please note that contrary to UK privacy representation, a NIS representation needs to be notified to the ICO.

Every separate entity requires representation according to Art 27 UK GDPR. Nevertheless, Prighter offers your group the option to sign up for a group package to manage the representation of your affiliates through one main account, with sub-accounts for every affiliate. You will be required to internally select a centralised point of data protection management for the group to handle both the main account and the sub-accounts with one centralised login. The number of affiliates covered depends on the package you signed up for. The "small enterprise" package includes two affiliates, the "medium enterprise" package includes up to 5 affiliates, and the "large enterprise' package includes an unlimited number of affiliates. All included group entities must operate in the same industry, offer the same range of products, and have the same or a linked brand.

Subscription pricing is based on your company size according to official Eurostat categories and the number of entities to be covered, starting from €19 per month. We offer a 14-day trial period on all subscriptions so that you can get to know our service without any risk. All of our pricing is transparent and there are no hidden costs as we do not charge per request from data subjects. You can choose between monthly, quarterly, or yearly payments. Your company gets a discount for quarterly payments and an even higher discount for the yearly payments option.

Furthermore, you can choose between paying with credit card, or via bank transfer. We accept almost all credit cards. Bank transfers are acceptable in EUR, USD and GBP for annual payments. Please contact our support team should you have any further questions!

The DSA is aimed against illegal and harmful content and goods as well as the spread of disinformation in the digital world. It shall ensure user safety, protect fundamental rights, and create a fair and open online platform environment.

The DSA is an EU regulation and therefore directly applicable in all EU Member States without any additional transposition into national law. The regulation was established on the Union level to harmonise diverging national law and to avoid regulatory fragmentation which adversely affects the single market.

On a national level there is not one competent authority, but multiple authorities may be granted competences for subjects matters covered by the DSA under national law. To streamline and coordinate these authorities each Member State designates a Digital Services Coordinator as the single point of contact (for a list see here).

On an EU level the European Commission as well as the European Board for Digital Services have a broad set of competences under the DSA which range from issuing implementation guidelines to supervisory functions.

The DSA together with the Digital Markets Act (DMA) forms part of the Digital Services Act package (learn more) which again is embedded in the Digital Agenda for Europe (learn more).

The DSA applies to online intermediary services with additional rules for hosting services, online platforms and very large online platforms and search engines (VLOPs and VLOSEs) when offering intermediary services, irrespective of where the providers have their place of establishment.

The DSA applies irrespective of where the providers have their place of establishment. This means that also non-EU providers are caught by the extra-territorial scope of the DSA when offering intermediary services to business users, consumers and other users (recipients of the service).

To qualify as an "offering", an intermediary service needs to be accessible by EU recipients and needs to have a substantial connection to the EU. Besides an establishment a substantial connection results from specific factual criteria such as:

• a significant number of recipients of the service in the EU;
• the targeting of activities towards the EU.

Whether the number of recipients in one or more Member States is significant depends on the relation to the whole population.

To determine, if a provider is targeting its activities towards recipients in the EU, all circumstances are relevant. Especially the use of a language or a currency generally or the possibility of ordering products or services, or the use of a relevant top-level domain indicate the targeting of recipients. Furthermore, the availability of an application in the relevant national application store, local advertising or advertising in a language used in that Member State, or the handling of customer relations in such language are factors which may result in a targeting. In contrast, mere technical accessibility of a website from the Union cannot, on that ground alone, be considered as establishing a substantial connection to the Union.

Regardless of any additional classification under another type of business regulated by the DSA Intermediary Services include “Mere Conduit” Services (e.g. Internet Service Provider „ISP“), "Caching” Services (e.g. Content Delivery Networks "CDNs"), “Hosting” Services (e.g. cloud computing, web hosting, paid referencing services or services enabling sharing information and content online, including file storage and sharing.)

Hosting Services involve the storage of information provided by users (e.g. cloud computing, web hosting, paid referencing services or services enabling sharing information and content online, including file storage and sharing.)

Online Platforms bring together sellers and consumers. (e.g. online marketplaces, app stores, collaborative economy platforms and social media platforms).

Online platforms and search engines reaching more than 10% of 450 million consumers in Europe are classified as very large. Because of the particular risks associated with the dissemination of illegal content and societal harms, specific rules apply for VLOPs and VLOSEs.

First and foremost the legal representative shall facilitate the communication with competent national authorities, the European Commission as well as the European Board for Digital Services. The legal representative can also act as the point of contact for recipients of the service and trusted flaggers. For operational purposes the legal representative can also act as the electronic point of contact which again facilitates the communication with the various stakeholders.

The obligation to appoint a legal representative should allow for the effective oversight and, where necessary, enforcement of the DSA. This is the reason that the legal representative may be held liable for non-compliance with obligations under the DSA, without affecting the liability and legal actions that could be initiated against the provider of intermediary services.

Providers of intermediary services should ensure that the designated legal representative has the necessary powers and resources to cooperate with the relevant authorities. This also means that the legal representative needs to have sufficient qualifications and experience to handle proceeding with national and European authorities.

Die Richtlinie über die Sicherheit von Netz- und Informationssystemen (NIS2) aktualisiert die ursprüngliche NIS 1, um die Cybersicherheit in wichtigen Sektoren der EU zu verbessern, erweitert ihren Anwendungsbereich auf weitere Branchen und führt strengere Anforderungen ein.

Es handelt sich um:

• Betreiber von wesentlichen Diensten (OES) z.B. in den Bereichen Energie, Bankwesen, Transport, digitale Infrastruktur, ICT-Service-Management (B2B); und
• Betreiber wichtiger Dienste wie Postdienste, Abfallwirtschaft, Forschung, digitale Anbieter.

Es gilt für Unternehmen, die:

• Erreichen Sie die Schwellenwerte
• Ein Unternehmen in der EU haben.
• Sind außerhalb der EU ansässig, bieten jedoch ihre Dienstleistungen innerhalb der EU an.

Ein Digitaler Dienstleister ist jede juristische Person, die einen digitalen Dienst anbietet.

• Online-Marktplätze: Ein Online-Marktplatz ist eine Plattform, die den Verkauf oder Verträge erleichtert (z. B. App-Stores). Der Begriff umfasst nicht Online-Dienste, die nur als Vermittler für Drittanbieterdienste fungieren, über die letztendlich ein Vertrag abgeschlossen werden kann.
• Online-Suchmaschinen: Eine Online-Suchmaschine ermöglicht die Suche auf Websites. Suchfunktionen, die auf den Inhalt einer bestimmten Website beschränkt sind, auch wenn die Funktion von einer externen Suchmaschine bereitgestellt wird, sind nicht in der NIS-Richtlinie enthalten. Online-Dienste, die den Preis bestimmter Produkte oder Dienstleistungen von verschiedenen Händlern vergleichen und den Benutzer dann zum bevorzugten Händler weiterleiten, um das Produkt zu kaufen, sind ebenfalls nicht enthalten.
• Anbieter von sozialen Netzwerkplattformen: Eine soziale Netzwerkplattform, die Kommunikation und Inhaltsfreigabe zwischen Benutzern auf verschiedenen Geräten ermöglicht.

• Internet Exchange Point Anbieter: Netzwerke zur Verbindung von autonomen Systemen.
• DNS-Dienstanbieter, mit Ausnahme von Betreibern von Root-Nameservern: Dienstanbieter, die Domainnamenauflösung anbieten.
• TLD-Namenregistrierungen: ist eine Einrichtung, der ein bestimmtes TLD delegiert wurde und die für die Verwaltung des TLD, einschließlich der Registrierung von Domainnamen unter dem TLD und dem technischen Betrieb des TLD, verantwortlich ist.
• Cloud-Computing-Service-Anbieter: Cloud-Computing-Dienste ermöglichen den Zugriff auf einen skalierbaren und elastischen Pool von gemeinsam nutzbaren Rechenressourcen wie Netzwerken, Servern oder anderen Infrastrukturen, Speicher, Anwendungen und Diensten. Drei Eigenschaften qualifizieren einen Cloud-Computing-Dienst als Cloud-Service:
  • Skalierbare Ressourcen
  • Elastischer Pool von Ressourcen
  • Teilbar
• Verschiedene Geschäftsmodelle wie IaaS (Infrastructure as a Service), PaaS (Platform as a Service) oder SaaS (Software as a Service) sind in der NIS2 enthalten.
• Rechenzentrumsdienstleister: Ein Rechenzentrum ist eine Einrichtung, die IT- und Netzwerkgeräte zur Datenspeicherung, -verarbeitung und -übertragung sowie Infrastruktur für die Stromverteilung und Umweltkontrolle beherbergt.
• Ein Content Delivery Network-Anbieter ist ein Netzwerk von geografisch verteilten Servern, das darauf abzielt, eine hohe Verfügbarkeit, Zugänglichkeit oder schnelle Bereitstellung von digitalen Inhalten und Diensten für Internetnutzer im Auftrag von Inhalt- und Diensteanbietern sicherzustellen.
• Vertrauensdiensteanbieter: Bietet elektronische Dienste gegen Entgelt an, die die Erstellung, Überprüfung und Validierung von elektronischen Signaturen, Siegeln, Zeitstempeln, registrierten Zustelldiensten und zugehörigen Zertifikaten umfassen; oder die Erstellung, Überprüfung und Validierung von Zertifikaten für die Website-Authentifizierung; oder die Aufbewahrung von elektronischen Signaturen, Siegeln oder zugehörigen Zertifikaten.
• Anbieter öffentlicher elektronischer Kommunikationsnetze: Bietet Übertragungssysteme einschließlich Infrastruktur, Umschaltung, Routing und Ressourcen, die Signale über Draht, Funk, optische oder andere elektromagnetische Mittel wie Satellit, Internet, Mobil- und Kabelnetze übertragen. Dies umfasst Systeme, die für Radio, Fernsehen und Rundfunk verwendet werden.
• Anbieter von öffentlich zugänglichen elektronischen Kommunikationsdiensten: Ein Dienst, der in der Regel gegen Entgelt über elektronische Kommunikationsnetze angeboten wird und mit Ausnahme von Diensten, die Inhalte über elektronische Kommunikationsnetze und -dienste übertragen oder redaktionelle Kontrolle ausüben, die folgenden Arten von Diensten umfasst:
  • Internetzugangsdienst
  • zwischenmenschlicher Kommunikationsdienst; und
  • Dienstleistungen, die ganz oder hauptsächlich in der Übermittlung von Signalen bestehen, wie Übertragungsdienste, die für die Bereitstellung von Maschine-zu-Maschine-Diensten und für Rundfunkdienste verwendet werden.

• Managed Service Provider: Bietet Dienstleistungen im Zusammenhang mit der Installation, Verwaltung, Betrieb oder Wartung von ICT-Produkten, Netzwerken, Infrastrukturen, Anwendungen oder anderen Netzwerk- und Informationssystemen an, entweder durch Unterstützung oder aktive Verwaltung, die entweder beim Kunden vor Ort oder remote durchgeführt wird.
• Managed Security Provider: Ein Anbieter, der Aktivitäten im Zusammenhang mit dem Risikomanagement für Cybersicherheit durchführt oder Unterstützung dabei bietet.

Bei der Feststellung, ob ein Unternehmen seine Dienstleistungen innerhalb der EU anbietet, ist die wichtige Information, welche Märkte das Unternehmen plant, seine Dienstleistungen anzubieten. Um die Absicht festzustellen, werden verschiedene Faktoren berücksichtigt. Die bloße Zugänglichkeit der Website des Unternehmens oder eines Vermittlers oder einer E-Mail-Adresse oder anderer Kontaktdaten oder die Verwendung einer Sprache, die im Allgemeinen in der Region verwendet wird, in der das Unternehmen ansässig ist, reicht nicht aus, um eine solche Absicht festzustellen. Stattdessen können Faktoren wie die Verwendung einer Sprache oder einer Währung, die im Allgemeinen in einem oder mehreren Mitgliedstaaten verwendet wird, und die Möglichkeit, Dienstleistungen in dieser anderen Sprache zu bestellen, oder die Erwähnung von Kunden oder Benutzern, die sich in der Union befinden, ein Hinweis darauf sein, dass das Unternehmen beabsichtigt, seine Dienstleistungen in einer Region anzubieten, in der es seinen Hauptsitz nicht hat.

Wenn Ihr Unternehmen keinen Sitz in der EU hat, aber die genannten digitalen Dienste in diesen Regionen anbietet, sind Sie in der Regel verpflichtet, einen NIS-Vertreter zu benennen. Die Verpflichtung zur Einhaltung des NIS2 und zur Benennung eines Vertreters gilt jedoch nicht für Unternehmen, die eine bestimmte Unternehmensgröße nicht überschreiten. Ausgenommen sind:

• Kleine Unternehmen, die als Unternehmen definiert sind, die weniger als 50 Personen beschäftigen und deren jährlicher Umsatz und/oder jährliche Bilanzsumme 10 Millionen nicht übersteigt; und
• Kleinunternehmen, die als Unternehmen definiert sind, die weniger als 10 Personen beschäftigen und deren jährlicher Umsatz und/oder jährliche Bilanzsumme 2 Millionen nicht überschreiten.

Alles in allem bedeutet dies, dass Sie keinen Vertreter bestellen müssen, wenn Ihr Unternehmen weniger als 50 Mitarbeiter hat und der jährliche Umsatz und/oder die jährliche Bilanzsumme weniger als 10 Millionen beträgt.

Was die Einrichtungen betrifft, die in den Anwendungsbereich der NIS2 fallen, sind die Hauptverpflichtungen wie folgt:

• Cybersicherheitsrisikomanagementmaßnahmen: DSPs müssen angemessene und angemessene technische und organisatorische Maßnahmen identifizieren und ergreifen, um Risiken für die Sicherheit von Netzwerken und Informationssystemen zu bewältigen, die sie im Rahmen der Erbringung ihrer Dienste innerhalb der EU nutzen.
  Meldepflicht: Unternehmen sind verpflichtet, spezifische Meldefristen im Falle eines bedeutenden Cyber-Sicherheitsvorfalls einzuhalten. Zu den wichtigsten Verpflichtungen gehören:
• Frühwarnung: Bericht innerhalb von 24 Stunden nach Kenntnisnahme eines bedeutenden Vorfalls, der darauf hinweist, ob es sich um rechtswidrige Handlungen handeln könnte oder grenzüberschreitende Auswirkungen haben könnte.
• Vorfallbenachrichtigung: Reichen Sie innerhalb von 72 Stunden eine detaillierte Vorfallbenachrichtigung ein, die eine erste Bewertung, Schweregrad, Auswirkungen und verfügbare Kompromittierungsindikatoren enthält.
• Zwischenbericht: Geben Sie Statusaktualisierungen auf Anfrage der zuständigen Behörde oder des CSIRT.
• Abschlussbericht: Reichen Sie innerhalb eines Monats einen detaillierten Abschlussbericht ein, der die Beschreibung des Vorfalls, die Ursache, die Maßnahmen zur Minderung und mögliche grenzüberschreitende Auswirkungen umfasst.
• Vertreter: Unternehmen, die nicht in der EU ansässig sind, aber bestimmte Dienstleistungen innerhalb der EU anbieten, müssen einen Vertreter ernennen, der im Namen des Unternehmens handelt. Diese Unternehmen umfassen:
  • DNS-Dienstanbieter
  • Top-Level-Domain (TLD)-Registrierungen
  • Anbieter von Domain-Namen-Registrierungsdiensten
  • Cloud-Computing-Service-Anbieter
  • Rechenzentrumsdienstleister
  • Content Delivery Network (CDN) Anbieter
  • Verwaltete Dienstleister
  • Verwaltete Sicherheitsdienstleister
  • Anbieter von Online-Marktplätzen
  • Online Suchmaschinen
  • Soziale Netzwerkdienste Plattformen

Im Gegensatz zur DSGVO, die ein einheitliches Gesetz in allen EU-Mitgliedstaaten ist, wurde die NIS2 von jedem Mitgliedstaat individuell in nationales Recht umgesetzt. Das anwendbare nationale Recht für Ihr Unternehmen, das als wesentliches oder wichtiges Unternehmen gilt und die relevanten Schwellenwerte überschreitet:

• Wenn Ihr Unternehmen eine oder mehrere Niederlassungen innerhalb der EU hat, unterliegt es der Rechtsprechung des Mitgliedstaats, in dem sich seine Hauptniederlassung befindet (d. h. wo sich Ihr Hauptsitz befindet);
• Wenn Ihr Unternehmen nicht innerhalb der EU ansässig ist, aber ICT-Dienstleistungen, digitale Infrastruktur oder digitale Dienste innerhalb der EU anbietet, müssen Sie einen Vertreter in einem Mitgliedstaat ernennen, in dem Sie Ihre Dienste anbieten. Ihr Unternehmen unterliegt dann der Gerichtsbarkeit dieses Staates.

Gemäß Art. 26 Abs. 3 der NIS2-Richtlinie (und den meisten Umsetzungen im nationalen Recht) müssen digitale Diensteanbieter:

• sind nicht in der EU ansässig; und
• Anbieter bestimmter digitaler Dienste innerhalb der EU müssen einen Vertreter in der EU benennen, der in einem der Mitgliedstaaten ansässig ist, in dem die Dienste angeboten werden.

Da das NIS2-Gesetz eine EU-Richtlinie ist, die von jedem Mitgliedstaat unterschiedlich umgesetzt wird, variieren die Strafen. Das Gesetz legt jedoch einige Geldbußenrahmen für Mitgliedstaaten fest, die den Anforderungen zur Umsetzung von Sicherheitsmaßnahmen und Incident-Responses nicht nachkommen. Gemäß dem Gesetz können wesentliche Einrichtungen mit Geldstrafen von bis zu 10 Millionen Euro oder 2 % ihres weltweiten Jahresumsatzes belegt werden. Wichtige Einrichtungen können mit Geldstrafen von bis zu 7 Millionen Euro oder 1,4 % ihres weltweiten Jahresumsatzes konfrontiert werden.

Der Vertreter sollte durch einen schriftlichen Auftrag der Anbieter von digitalen Diensten, digitalen Infrastrukturen und ICT-Service-Managements ausdrücklich benannt werden. Es sollte für die zuständigen Behörden oder das Computer Security Incident Response Team (CSIRT) möglich sein, den Vertreter zu kontaktieren, da der Vertreter als lokaler Ansprechpartner fungiert. Der Vertreter handelt im Namen der DSP-Anbieter in Bezug auf die gesetzlichen Verpflichtungen nach dem NIS-Gesetz, einschließlich der Vorfallmeldung. Der Vertreter muss die lokalen nationalen Gesetze einhalten, in dem Land, in dem er ansässig ist.

Prighter verfügt über einen digitalen End-to-End-Onboarding-Prozess, bei dem eine Vollmacht generiert und online oder auf Papier unterzeichnet werden kann. Prighter bietet dedizierte Kommunikationskanäle mit den relevanten Datenschutzbehörden.

Yes, the Network and Information Systems (NIS) Regulations remain fully applicable in the United Kingdom. Originally based on the European NIS Directive, the UK transposed these requirements into its own national legislation as the UK NIS Regulations 2018. Despite Brexit, these regulations have been retained and continue to ensure robust network and information system security within the UK. Therefore, the UK NIS Regulations remain in effect and enforceable post-Brexit.

The UK Network and Information Systems (NIS) Regulations 2018 apply to:

• Operators of Essential Services (OES): Organizations in sectors such as energy, banking, transport, health, water, and digital infrastructure.
• Digital Service Providers (DSPs): Including online search engines, online marketplaces, and cloud computing services.

These regulations apply to DSPs that:

• Provide at least one of the following services: an online search engine, an online marketplace, or cloud computing services.
• Do not meet the definition of a micro or small enterprise, meaning they have 50 or more employees and an annual turnover or balance sheet exceeding €10 million.

Note that if the DSP's head office is outside the UK, it is required to appoint a UK-based representative to comply with these regulations.

By ensuring these organizations implement robust security measures and report significant incidents, the UK NIS Regulations help maintain the resilience and security of critical services across the United Kingdom.

A Digital Service Provider (DSP) is any legal entity that offers digital services subject to the UK Network and Information Systems (NIS) Regulations 2018. It is important to note that not all digital services are subject to these obligations—only specific services are covered.

Online Marketplaces: An Online Marketplace is a platform that allows consumers and traders to conduct online sales or service contracts with traders. These marketplaces serve as the final destination for the conclusion of these contracts. For example, application stores that enable the digital distribution of applications or software programs from third parties are considered online marketplaces. However, the term does not include online services that function solely as intermediaries to third-party services through which a contract can ultimately be concluded.

Online Search Engines: An Online Search Engine allows users to perform searches of websites based on queries on any subject. This includes search engines that operate across all languages. However, search functions that are limited to the content of a specific website, even if provided by an external search engine, are not included under the UK NIS Regulations. Additionally, online services that compare the prices of particular products or services from different traders and then redirect users to preferred traders to purchase the product are also excluded.

Cloud Computing Services: Cloud Computing Services enable access to a scalable and elastic pool of shareable computing resources such as networks, servers, storage, applications, and services. To qualify as a cloud computing service under the UK NIS Regulations, the service must exhibit the following three properties:

• Scalable Resources: Resources can be flexibly allocated by the cloud service provider, regardless of their geographical location, to handle fluctuations in demand.
• Elastic Pool of Resources: Computing resources are provisioned and released according to demand, allowing for rapid increases or decreases in available resources based on workload.
• Shareable: Computing resources are provided to multiple users who share common access to the service. However, the processing is carried out separately for each user, even though the service is provided from the same electronic equipment.

Different business models such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) are included under the UK NIS Regulations. Additionally, hybrid models and other variations that meet the definition of enabling access to scalable, elastic, and shareable computing resources are also covered.

Exemptions: Small and Micro Businesses

There is a general exemption for micro and small businesses under the UK NIS Regulations. If your digital service provider has:

• Fewer than 50 staff, and
• An annual turnover and/or balance sheet below €10 million,

you are not classified as a DSP and are exempt from NIS obligations.
This exemption also includes sole traders. However, if your service is part of a larger group, you must assess whether the total staffing numbers and financial thresholds of the entire group exceed the small business exemption criteria.

Determining whether your company offers services in the UK involves assessing the markets you intend to target. Simply having a website accessible in English is not sufficient to establish this intent. Instead, consider the following factors:

• Use of UK-Specific Language or Currency: Offering services priced in GBP or providing content tailored to British English indicates an intention to serve UK customers.
• Ordering Capabilities: Allowing customers to place orders or access services specifically designed for the UK market suggests service provision within the UK.
• Marketing and Targeting Efforts: Directing marketing campaigns towards the UK or establishing customer support based in the UK are strong indicators of offering services in the region.

Yes, there are exemptions. If your company does not have an establishment in the UK but offers digital services within the UK, you are generally obliged to appoint a UK NIS representative under the UK Network and Information Systems (NIS) Regulations 2018. However, this obligation does not apply to:

• Small Enterprises: Companies employing fewer than 50 persons and with an annual turnover and/or annual balance sheet total not exceeding €10 million.
• Microenterprises: Companies employing fewer than 10 persons and with an annual turnover and/or annual balance sheet total not exceeding €2 million.

Therefore, if your company has fewer than 50 employees and an annual turnover and/or annual balance sheet total below €10 million, you are exempt from the requirement to appoint a UK NIS representative.

Under the UK Network and Information Systems (NIS) Regulations 2018, Digital Service Providers (DSPs) have several key obligations to ensure the security and resilience of their network and information systems when offering services within the United Kingdom:

Technical and Organisational Measure
DSPs must identify and implement appropriate and proportionate technical and organisational measures to manage risks posed to the security of the network and information systems they use.

These measures should:

• Manage Risks: Address risks that could compromise the availability, authenticity, integrity, or confidentiality of data and services.
• Proportionality: Be appropriate to the potential impact of the risk, considering the state of the art and cost of implementation.
• Preventive Actions: Include measures to prevent cybersecurity incidents where possible.

Incident Management and Impact Minimisation
DSPs are required to:

• Prevent Incidents: Take steps to prevent incidents that could affect the security of their network and information systems.
• Minimise Impact: Implement measures to minimize the impact of any incidents that do occur, with the goal of ensuring the continuity of their digital services.
• Recovery Plans: Develop and maintain incident response and recovery plans to restore services promptly.

Incident Reporting
DSPs must notify the relevant authority when an incident occurs that has a substantial impact on the provision of their services within the UK:

• Notification Duty: Report incidents without undue delay to the Information Commissioner's Office (ICO).
• Content of Notification: Provide sufficient information to enable the ICO to determine the significance of the incident, including the nature of the incident, its impact, and any remedial actions taken.
• Collaboration: Cooperate with the ICO and the National Cyber Security Centre (NCSC) as necessary during investigations and incident management.

Appointment of a UK Representative Under the UK NIS regulations, organizations that operate in the UK but do not have their head office located within the UK are required to appoint a UK NIS representative to ensure compliance with the regulations. This representative is responsible for:

• Liaison Role: Serving as the point of contact for the ICO and other relevant UK authorities.
• Compliance Assurance: Ensuring the DSP meets all obligations under the UK NIS Regulations.
• Availability: Being accessible to the UK authorities for any inquiries or enforcement actions.

If your company is a Digital Service Provider (DSP) and exceeds the relevant thresholds, the applicable law under the UK Network and Information Systems (NIS) Regulations 2018 depends on where your company is established and where you offer your services:

• If your company has its head office in the UK: You are governed by the UK NIS Regulations 2018.
• If your company does not have its head office in the UK but offers services there: You are governed by the UK NIS Regulations 2018 and you must appoint a representative in the UK who will act on your behalf under UK jurisdiction.

In both cases, your company must comply with the UK NIS Regulations, implementing appropriate security measures and fulfilling all reporting obligations.

If your company is a Digital Service Provider (DSP) without its head office in the United Kingdom but offers certain digital services within the UK, you are required to appoint a UK representative under the UK Network and Information Systems (NIS) Regulations 2018.

According to the regulations:

• Designation of a Representative: Companies without a head office in the UK but offering certain digital services in the UK must designate a representative based in the UK. This representative will act on your company’s behalf to ensure compliance with the UK NIS Regulations.
• Impact of Brexit: Since Brexit, the European Union (EU) is now considered a "third country" from a UK perspective. As a result, if you are an EU-based company offering services in the UK but without a head office in the UK, you will need to appoint a UK representative.

Role of the Representative:

• Acts on behalf of your company regarding compliance with the UK NIS Regulations.
• Serves as the point of contact for relevant UK authorities.

By appointing a UK representative, your company ensures compliance with the UK NIS Regulations, contributing to the security and resilience of network and information systems within the United Kingdom.

If your company is a Digital Service Provider (DSP) without its head office in the United Kingdom but offers digital services within the UK, you are required under the UK Network and Information Systems (NIS) Regulations 2018 to appoint a representative in the UK. The requirements for appointing a UK NIS representative include:

• Confirmation in Writing: You must confirm the appointment of your UK representative in writing after completing the registration process with the Information Commissioner's Office (ICO).
• Representative's Compliance: Your representative must comply with UK law and act on your behalf in fulfilling your legal obligations under the UK NIS Regulations, including incident reporting.
• Accessibility: The representative should be readily contactable by the ICO and the National Cyber Security Centre (NCSC).

When nominating your UK representative, you should provide the ICO with information about:

• Your Company's Head Office: Whether you have a head office located outside the UK.
• Other Representatives: Whether you have nominated a representative in another country.
• Compliance with Other Legislation: Whether you are complying with equivalent network and information systems legislation in another country.
• Location of Systems: Whether you are operating network and information systems located outside the UK.

By providing this information, you help the ICO understand your company's structure and ensure effective communication. Appointing a UK representative ensures that your company adheres to the UK NIS Regulations, contributing to the security and resilience of essential digital services within the United Kingdom.

If your company does not have an establishment within either the EU or the UK but is offering their services to individuals in both regions, you will have to appoint both an EU and a UK representative in order to comply with all relevant legislation, which consists of EU law and its implementation in the Member States on one hand, and UK law on the other hand. Please note that your EU representative must be established in one of the Member States your services are being offered to. Your UK representative must be established in the UK.

Under the UK Network and Information Systems (NIS) Regulations 2018, organizations that fail to comply with their obligations can face substantial penalties. Non-compliant companies may be fined up to £17 million. The exact amount depends on factors such as the severity of the breach, the extent of the negligence, and the potential impact on network and information system security. Failure to appoint a UK NIS representative when required is also a serious offense. Organisations that operate in the UK but do not have their head office located within the UK are required to appoint a UK NIS representative to ensure compliance with the regulations.

When appointing a representative under the UK Network and Information Systems (NIS) Regulations 2018, a Digital Service Provider (DSP) must explicitly designate the representative through a written mandate. This representative should be established in the United Kingdom and act as a local contact point, being readily accessible to relevant UK authorities like the Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC). The representative acts on behalf of the DSP regarding all legal obligations under the UK NIS Regulations, including incident reporting and liaising with authorities. They must comply with UK law and assist with any investigations or requests related to NIS compliance. By appointing a UK NIS representative, Digital Service Providers (DSPs) that do not have their head office in the UK ensure that they fulfil their legal obligations and contribute to the security and resilience of network and information systems within the United Kingdom.

Prighter ensures compliance by offering an end-to-end digital onboarding process where a Power of Attorney is generated and can be signed either online or on paper. We provide dedicated communication channels with the relevant UK authorities, such as the Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC), acting on your behalf to fulfill all legal obligations under the UK Network and Information Systems (NIS) Regulations 2018, including incident reporting and liaising with authorities.