Companies established outside the EU are required to appoint an EU representative according to Art. 27 of GDPR if they:

• offer goods and services to individuals in the EU (e.g. providing a website in an EU language, offering payments in EUR) or
• monitor their behaviour (e.g. cookie profiling).

According to the Guideline 3/2018 of the European Data Protection Board (EDPB) on the territorial scope of GDPR, this applies to both controllers and processors. For processors not established in the European Union the applicability of GDPR depends on what the “processing activities” are related to. If the data processing conducted for the controller is related to the offering of goods and services or to the monitoring of behaviour, GDPR applies to the processor in addition to the controller.

Case 1: Online Gaming: You are an online gaming company located outside the EU and offer your games to data subjects in the EU free of charge. When using your games you analyse the data subjects' geolocation data, web-browser data and history and show ads based on this data. As you target the EU market by offering your games and monitoring the users' behaviour you are legally required to appoint a GDPR Representative physically established in an EU member state to remain compliant. Violations of the EU GDPR can lead to substantial fines by authorities and exclusion from business activities in the EU.

Case 2: B2B SaaS: You develop CRM software and offer it as a SaaS product to companies, which are either targeting the EU without an establishment or which are located in the EU. Because your business clients are targeting EU data subjects and your CRM software product is processing and storing their data, you are also required to appoint a GDPR Representative physically established in an EU member state. It is likely that your business clients in the EU will also require you to appoint a representative and enter into a data processing agreement. You can establish trust by already being GDPR compliant during the negotiation phase with your business clients.

According to Art. 27 GDPR, controllers or processors are exempted from the regulation if ALL of the following criteria are met:

• personal data is only processed occasionally, which is only from time to time and non-systematic; AND
• data processing does not include large-scale processing of special categories of personal data or personal data relating to criminal convictions and offences; AND
• data processing is unlikely to result in a risk to the rights and freedoms of data subjects. It is hard to meet ALL of these criteria, in particular the criterion of processing data only occasionally proves to be a big hurdle for most businesses.

Your company's intention to establish commercial relations with EU customers needs to have manifested in a business activity. The mere accessibility of a website in the EU, a mention on the website of an e-mail or geographical address, or of a telephone number without an international code, does not, of itself, provide sufficient evidence to demonstrate the intention to offer goods or services to EU customers. The European Data Protection Board listed the factors to be taken into account when assessing if goods and services are offered in its Guideline 3/2018 on the territorial scope of GDPR. Some of those factors are:

• using languages of EU Member States, or offering payments in a currency of an EU Member State;
• using Google or Facebook ads to address the EU market, or any other marketing activity directed towards EU customers;
• mentioning EU references or testimonials;
• the activity at hand being of an international nature, such as certain tourist activities;
• mentioning dedicated addresses or phone numbers to be reached from an EU country;
• use of EU top-level domains;
• description of travel instructions from one or more other EU Member States to the place
where the service is provided;
• offering the delivery of goods to EU Member States;

In a nutshell, if your company has any outbound activity in the EU or if your company enables or guides EU customers to find your company's product, GDPR is likely to apply.

Case 1: A website, based and managed in Turkey, offers services for creating, editing, printing, and shipping personalised family photo albums. The website is available in English, French, Dutch, and German, and payments can be made in euros or sterling. The website indicates that photo albums can only be delivered by mail in the UK, France, Benelux, and Germany.

Case 2: A Swiss University offers summer courses in international relations and specifically advertises this offer in German and Austrian universities in order to maximise the courses’ attendance. In this case, there is a clear intention from the Swiss University to offer such services to data subjects who are in the European Union, and GDPR will apply to the related processing activities.

Not all online collection or analysis of personal data of individuals in the EU counts automatically as “monitoring”. Monitoring the behaviour of EU data subjects implies an intention to collect data for a specific purpose. Therefore, any kind of tracking of natural persons on the Internet, including the potential subsequent use of profiling techniques qualifies as 'monitoring'. Again, the EDPB gives some more guidance in the Guidelines 03/2018. According to the EDPB, monitoring may not only take place on the Internet but also through wearables and other smart devices. Monitoring activities include:

• Behavioural advertisement
• Geo-localisation activities, in particular for marketing purposes
• Online tracking using cookies or other tracking techniques such as fingerprinting
• Personalised diet and health analytics services online
• CCTV
• Market surveys and other behavioural studies based on individual profiles
• Monitoring or regular reporting on an individual’s health status

Case 1: A marketing company established in the US provides advice on retail layout to a shopping centre in France, based on an analysis of customers’ movements throughout the centre collected through Wi-Fi tracking.

Case 2: An app developer is established in Canada with no establishment in the EU. I uses a processor established in the US for optimisation and maintenance of the app, however it also monitors the behaviour of data subjects in the EU. The developer is therefore subject to GDPR, as per Art. 3(2)b.

The GDPR extends its 'territorial scope' to controllers and processors that have their registered office in a country outside of the EU. As a result, high penalties of up to €10 million or 2% of the worldwide annual turnover can apply if a processor or a controller does not comply with the obligation of appointing an EU representative. The penalties may be enforced by individual claims or by authorities. Furthermore, your partners in the EU may be obliged to stop transferring data to your company.

The representative shall act as an addressee for authorities and data subjects to facilitate the communication with processors and controllers outside the EU. The representative needs to be mandated in writing by the controller or processor to evidence the appointment. In addition, the representative shall, maintain Art 30 records of processing activities and shall make the record available to the supervisory authority on request.

• To facilitate communication, Prighter established a network of offices all over Europe and developed high-end tech solutions for communication with both authorities and data subjects;
• A written appointment is part of the onboarding flow. Clients can sign a Power of Attorney directly online in an end-to-end digital process; and
• We assist clients in the drafting of records of processing activities by providing pre-filled templates along with extensive support and guidance.

First of all, the EDPB clarifies in its Guideline 03/2018 on territorial scope that only one representative needs to be appointed in an EU Member State, which can then serve for all other Member States. In the event that a significant proportion of the customer base is in one particular Member State it is best practice that the representative is established in this Member State. In any case, the representative will be easily accessible for data subjects in all Member States no matter where the representative is located.

How does Prighter approach these requirements?

• Prighter has offices and partner offices in all major EU Member States, this keeps you compliant and provides you with a local and easily accessible representative for all your customers, no matter where they are located; and
• Prighter is not a PO box, we have real privacy professionals in every location.

Our goal is to enable non-European companies to comply with GDPR through a combination of legal expertise and technology solutions. We put the practical insights we gain as a law firm (due to our role as the appointed Data Protection Officer for major banks, financial service providers, tech companies) into the development of our tools which easily handle Data Subject Requests (DSR) and data breaches, and into the management of records of processing activities. We support you in all privacy related matters, but above all we support you in growing your business by enabling you to improve customer trust by handling privacy matters in an efficient, compliant and professional way.

The core of our service is representation according to Art. 27 GDPR. Around this requirement we have built features, services and tools which enable you to leverage your compliance in order to increase efficiency and gain the trust of your customers and partners. For more information on the services offered visit “GDPR-Rep Services”:

• GDPR Representation:

By subscribing to the EU GDPR Representation Program, you appoint Prighter as your EU GDPR Representative. Our qualified team of lawyers and privacy professionals is your first line of defence to deal with requests from data subjects and data protection supervisory authorities (SA).

• Gain Trust:

We provide you with a Compliance Landing Page that you can customise for your brand, display your privacy and security related certificates, and your privacy and cookie policies. This is your window into the world of privacy-related matters which helps you increase customer trust and confidence by demonstrating your privacy regulations compliance. The Compliance Landing Page also serves as an access point for privacy related requests which you can then easily manage with your GDPR Privacy Software tools.

• GDPR Privacy Software Tools:

We have built a unique, specialised tool to manage the lifecycle of any data subject requests (DSRs) from existing or potential clients. This saves you time, internal resources, and money, and reduces your compliance risk substantially. When it comes to supervising authorities, we cover all of their standard requests (e.g. requests to submit records of processing activities). Additionally, we offer you a data breach tool that gives you access to our services in any critical situation which involves your data being compromised.

This is where our innovation comes into play. We built the Data Subject Request (DSR) management tool to channel, structure and filter all incoming privacy requests from clients and authorities. You can handle requests from millions of data subjects in one tool with the help of our proprietary AI technology. We cover and support all aspects of the formal handling of DSRs including communication with data subjects. What actually needs to be done in your database (e.g. delete a data subject), is always your own decision. The DSR tool is designed to manage the lifecycle of a data subject request to get all formal aspects right and offer you a framework of advice. Find more information on this tool here: Visit PrighterDSR 

You are obliged to appoint a data protection officer (DPO) if your company meets one of the following three criteria:

• the processing is carried out by a public authority or body (except for courts acting in their judicial capacity);
• the core activities of your company consist of processing operations which, by virtue of their nature, their scope and/or their purpose, require regular and systematic monitoring of data subjects on a large scale; or
• the core activities of your company consist of processing on a large scale of special categories of data pursuant to Art. 9 and personal data relating to criminal convictions and offences referred to in Art. 10.

More information regarding how the criteria are interpreted is outlined in the Guideline of the Art. 29 Working Party on Data Protection Officers. In comparison to the requirements for appointing a DPO, a GDPR representative is needed in case of offering goods and services or monitoring EU data subjects. In a nutshell, the criteria for the requirement of a DPO reflect a higher risk involved with certain processing activities, whereas the requirements for an EU GDPR representative are triggered when your company’s processing of personal data of individuals located in the EU is noticeable.

A Data Protection Officer (DPO) shall be involved in all issues related to the protection of personal data in a company. The role of a DPO is also to monitor the company’s compliance with GDPR, assist in data protection impact assessments, and to advise the management on privacy by design and privacy by default as well as all other privacy related matters. Hence, a DPO needs to be close to the company and needs to be involved in the day-to-day business. Whenever possible, the DPO shall be located in the region of the company’s headquarters. In comparison, the EU GDPR Representative is by nature operating at a distance when representing the company due to the lack of an establishment in the EU. The representative is therefore a substitution for a subsidiary, branch, or other establishment.

No, there is a conflict of interest between the roles of DPO and GDPR representative. The EDPB states in its Guidelines 03/2018 on the territorial scope that there is a possible conflict of obligation and interests in cases of enforcement proceedings. The EDPB does not consider the function of a representative in the EU to be compatible with the role of data processor for the same company, in particular when it comes to compliance with the respective responsibilities and compliance of a DPO and a representative.

The onboarding process is simple and can be completed in a couple of minutes.

1. We grant your company a free 14-day trial to keep the appointment completely risk-free.
2. Choose a plan. The available plans depend on your company's size. The size of the company is defined according to the Eurostat categories which measure it by the number of people employed. 'Employees' in this definition includes part-time workers and freelancers.
3. Enter your company's details.
4. After registering, download the Power of Attorney (PoA). A signed PoA is required as evidence of the appointment of Prighter as your representative in case of requests from supervisory authorities. We kindly ask you to sign and upload your PoA.
5. Our team will check and verify the provided information about your company and the PoA. This is usually done within a couple of hours.
6. After the PoA has been approved, your company has successfully appointed Prighter as your Art. 27 GDPR representative for the whole EU. You can log in to your client area where you can find templates and information on what can be included in your homepage and privacy policy.
7. Your risk-free 14-day trial period starts now.

Contrary to the appointment of a DPO, you don't need to notify a data protection authority of the representation. If a data protection authority has an inquiry about a company, they take the necessary information from the company's privacy policy. However, please note that you will need to notify the relevant authority that you have appointed Prighter as your NIS representative.

Every separate entity requires representation according to Art. 27 GDPR. Nevertheless, Prighter offers your group the option to sign up for a group package to manage the representation of your affiliates through one main account, with sub-accounts for every affiliate. You will be required to internally select a centralised point of data protection management for the group to handle both the main account and the sub-accounts with one centralised login. The number of affiliates covered depends on the package you sign up for. The "small enterprise" package includes two affiliates, the "medium enterprise" package includes up to five affiliates, and the "large enterprise' package includes an unlimited number of affiliates. All included group entities must operate in the same industry, offer the same range of products, and have the same or a linked brand.

Subscription pricing is based on your company size according to official Eurostat categories and the number of entities to be covered, starting from €39 per month. We offer a 14-day trial period on all subscriptions so that you can get to know our service before subscribing. Our pricing is transparent and there are no hidden costs as we do not charge per request from data subjects. You can choose between monthly, quarterly, or yearly payments. Your company gets a discount for quarterly payments and an even higher discount for the yearly payments option. Furthermore, you can choose between paying with credit card or via bank transfer. We accept almost all credit cards. Bank transfers are accepted in EUR, USD and GBP for annual payments. Please contact our support team should you have any further questions.

Since GDPR is an EU regulation, it will generally no longer be applicable in the UK after Brexit. However, the UK government has incorporated GDPR into UK data protection law. So, from 1st January 2021 onwards, the UK version of GDPR, the “UK GDPR”, will be effective and companies will have to comply with it. Most requirements remain the same as in the EU GDPR, so companies that are already compliant with the EU GDPR will not have to make major amendments to comply with the UK GDPR. However, doing transborder business might lead to additional requirements such as appointing a UK representative or ensuring compliance regarding international data transfers to and from the UK.

The UK government have stated that from 1st January 2021 onwards, companies who are located outside of the UK, whether in the EU or in a third country, and have no offices, branches, or other establishments in the UK, will have to appoint a UK representative, if they are processing personal data of individuals in the UK that relates to either:

• offering goods or services to individuals in the UK; or
• monitoring the behaviour of individuals in the UK.

Resources: ICO FAQs UK representatives

The EDPB has published guidelines on the territorial scope of the GDPR and appointing a representative (Guideline 3/2018). Even though these guidelines will not be directly relevant to the UK law anymore, the ICO stated that they still provide helpful guidance when dealing with specific issues. Hence, when determining the territorial scope of the GDPR the EDPB guidelines can help, as long as the UK government does not adopt new regulations concerning this topic. According to these guidelines, different factors are considered when determining if a company is offering their goods or services to individuals in the EU. Some factors to be considered, adjusted to a UK-only application, would be:

• using language that is used in the UK and offering the UK currency GBP;
• using ads to address UK individuals or other marketing tools directed towards UK customers;
• mentioning addresses or phone numbers to be reached from the UK;
• use of UK top-level domains;
• offering delivery of goods to the UK.

Again, the guidelines of the EDPB can help to assess whether a company is monitoring the behaviour of UK individuals, as long as the UK government does not adopt new regulations (Guideline 3/2018). According to the EDPB guidelines, monitoring can take place both on the internet and through wearables and other smart devices. Some examples of monitoring activities would be:

• behavioural advertisement
• geo-localisation activities
• online tracking by using cookies or other tracking technologies
• market surveys and other behavioural studies based on individual profiles
• CCTV

If you are a public authority, there is no need for you to appoint a representative. Also, if your company fulfils all of the following criteria, there is no obligation to appoint a UK representative:

• You are processing personal data only on an occasional basis; and
• the data processing is of low risk to the data protection rights of the data subjects; and
• there is no great extent of processing special categories of data or data concerning criminal offences.

Generally speaking, it is hard for companies to fulfil all criteria mentioned above which is why they are hardly ever able to take advantage of this exemption.

Resources: ICO FAQs UK representatives

If your company is obligated to appoint a representative but fails to do so, fines of up to GBP 8.7 million or 2% of your annual global turnover (whichever is higher) can be issued.

Since your UK privacy representative should be able to represent you regarding your legal obligations under the UK GDPR, make sure the representative is not a PO tbox but a qualified privacy professional located in the UK. The representative should be appointed in writing and will act on your behalf regarding your compliance with UK GDPR, as well as functioning as a local contact point for UK data subjects and the UK supervisory authority, ICO.

How does Prighter match these requirements?

• The UK privacy representation is provided by Prighter Ltd, a UK company which is part of Prighter Group powered by Maetzler Rechtsanwalts GmbH & Co KG;
• With Prighter Ltd, trained lawyers and privacy professionals are available to support you in all UK related privacy matters and even beyond; and
• A written appointment is part of the onboarding flow. Clients can sign a Power of Attorney directly online in an end-to-end digital process.

Resources: ICO FAQs UK representatives

Our goal is to enable companies without a subsidiary, branch or other establishment in the UK to comply with the UK privacy framework through a combination of legal expertise and technology to deliver this expertise. We put the practical insights we gain as a law firm (due to our role as the appointed Data Protection Officer for major banks, financial service providers, tech companies) into the development of our tools for handling Data Subject Requests (DSR) and data breaches, and for the management of records of processing activities. We support you in all privacy related matters, but above all we help your business to grow by enabling you to improve customer trust by handling privacy matters in an efficient and professional way.

The core of our service is representation according to Art. 27 UK-GDPR. Around this requirement we have built features, services, and tools which enable you to leverage your compliance in order to increase efficiency and gain trust with your customers and partners. For more information about the services offered visit “UK-Rep Services”:

• UK Representation:

By subscribing to the UK Privacy Representation Program, you appoint us as your certified UK Privacy Representative. Our highly professional team of lawyers and privacy professionals will give you the support you need to deal with requests from data subjects and data protection supervisory authorities.

• Gain Trust:

We provide you with a Compliance Landing Page that you can customise for your brand and to include privacy and security related certificates as well as your privacy and cookie policies. This is your window to the world of privacy-related matters which helps you increase customer trust and confidence by demonstrating your privacy regulations readiness. The Compliance Landing Page also serves as an access point for privacy related requests which you can then easily manage with your GDPR Privacy Software tools.

• Privacy Software Tools:

For any data subject requests (DSRs) from existing or potential clients we have built a tool to manage the lifecycle of such privacy requests. This saves you time, internal resources, and money, and reduces your compliance risk substantially. Furthermore, all standard requests from the ICO are covered (e.g. requests to submit records of processing activities).

This is where our innovation comes into play. We built the Data Subject Request (DSR) management tool to channel, structure, and filter all incoming privacy requests from clients and authorities. You can handle requests from millions of data subjects in one tool with the help of our proprietary AI technology. We cover and support all aspects of the formal handling of DSRs including the communication with data subjects. What actually needs to be done in your database (e. g. delete a data subject), is always your own decision. The DSR tool is designed to manage the lifecycle of a data subject request to get all formal aspects right and offer you a framework of advice.

Visit Prighter DSR

Generally, companies which have no offices, branches or other establishments in the EU/EEA need an Art 27 EU GDPR representative if they are:

• offering goods or services to individuals in the EU/EEA; or
• monitoring the behaviour of individuals in the EU/EEA.

After Brexit, the UK is no longer a Member State of the EU and consequently an establishment in the UK does not count as an EU/EEA establishment anymore, therefore this general rule will oblige UK companies, who fulfil the above criteria, to appoint an Art. 27 GDPR representative. So, if you are an UK company that reaches out to the EU/EEA market without having an establishment within the EU/EEA, you will be required to appoint an Art. 27 representative.

If you are a public authority, you do not need to appoint a representative. Also, if you meet all the following criteria you are exempted from this obligation:

• You are processing personal data only on an occasional basis; and
• the processing is of low risk to the rights of the data subjects; AND
• the processing does not involve large-scale usage of special categories of data or criminal offence data.

For any further questions concerning the appointment of an Art. 27 GDPR representative please see our Art. 27 EU GDPR FAQ.

Companies which are established outside the UK and the EU/EEA and neither have an establishment within the UK nor the EU/EEA but are

• offering goods or services to individuals in the EU/EEA; or
• monitoring the behaviour of individuals in the EU/EEA.

will have to appoint two representatives, in both the EU and the UK, in order to comply with EU regulations on one hand, and UK regulations on the other.

Since Prighter has offices in the EU as well as in the UK, we are able to offer you EU representation as well as UK representation.

The onboarding process is simple and can be completed in a couple of minutes, but the best part is:

1. We grant your company a risk-free 14 day trial to make the appointment completely risk-free.
2. Choose a plan. The available plans depend on your company's size. The size of the company is defined according to the Eurostat categories and thereforeby the number of persons employed. 'Employees' includes part-timeworkers and freelancers.
3. Enter your company's details. Your risk-free 14 day trial period starts when you complete this step.
4. After registering, you will find a download button for the Power of Attorney (PoA). A signed PoA is required as evidence of the appointment of Prighter as your representative in case of requests by supervisory authorities. We kindly ask you to sign and upload your PoA.
5. Our team will check and verify the provided information on your company and the PoA. This is usually done within a couple of hours.
6. After the PoA has been approved, your company has successfully appointed Prighter as it's UK privacy representative. You can log in to your client area where you can find templates and information on what you can include in your homepage and privacy policy.

Contrary to the appointment of a DPO, you don't need to notify the ICO of the representation. In the event that the ICO has an inquiry about a company, they take the necessary information from the company's privacy policy.

Please note that contrary to UK privacy representation, a NIS representation needs to be notified to the ICO.

Every separate entity requires representation according to Art 27 UK GDPR. Nevertheless, Prighter offers your group the option to sign up for a group package to manage the representation of your affiliates through one main account, with sub-accounts for every affiliate. You will be required to internally select a centralised point of data protection management for the group to handle both the main account and the sub-accounts with one centralised login. The number of affiliates covered depends on the package you signed up for. The "small enterprise" package includes two affiliates, the "medium enterprise" package includes up to 5 affiliates, and the "large enterprise' package includes an unlimited number of affiliates. All included group entities must operate in the same industry, offer the same range of products, and have the same or a linked brand.

Subscription pricing is based on your company size according to official Eurostat categories and the number of entities to be covered, starting from €19 per month. We offer a 14-day trial period on all subscriptions so that you can get to know our service without any risk. All of our pricing is transparent and there are no hidden costs as we do not charge per request from data subjects. You can choose between monthly, quarterly, or yearly payments. Your company gets a discount for quarterly payments and an even higher discount for the yearly payments option.

Furthermore, you can choose between paying with credit card, or via bank transfer. We accept almost all credit cards. Bank transfers are acceptable in EUR, USD and GBP for annual payments. Please contact our support team should you have any further questions!

The DSA is aimed against illegal and harmful content and goods as well as the spread of disinformation in the digital world. It shall ensure user safety, protect fundamental rights, and create a fair and open online platform environment.

The DSA is an EU regulation and therefore directly applicable in all EU Member States without any additional transposition into national law. The regulation was established on the Union level to harmonise diverging national law and to avoid regulatory fragmentation which adversely affects the single market.

On a national level there is not one competent authority, but multiple authorities may be granted competences for subjects matters covered by the DSA under national law. To streamline and coordinate these authorities each Member State designates a Digital Services Coordinator as the single point of contact (for a list see here).

On an EU level the European Commission as well as the European Board for Digital Services have a broad set of competences under the DSA which range from issuing implementation guidelines to supervisory functions.

The DSA together with the Digital Markets Act (DMA) forms part of the Digital Services Act package (learn more) which again is embedded in the Digital Agenda for Europe (learn more).

The DSA applies to online intermediary services with additional rules for hosting services, online platforms and very large online platforms and search engines (VLOPs and VLOSEs) when offering intermediary services, irrespective of where the providers have their place of establishment.

The DSA applies irrespective of where the providers have their place of establishment. This means that also non-EU providers are caught by the extra-territorial scope of the DSA when offering intermediary services to business users, consumers and other users (recipients of the service).

To qualify as an "offering", an intermediary service needs to be accessible by EU recipients and needs to have a substantial connection to the EU. Besides an establishment a substantial connection results from specific factual criteria such as:

• a significant number of recipients of the service in the EU;
• the targeting of activities towards the EU.

Whether the number of recipients in one or more Member States is significant depends on the relation to the whole population.

To determine, if a provider is targeting its activities towards recipients in the EU, all circumstances are relevant. Especially the use of a language or a currency generally or the possibility of ordering products or services, or the use of a relevant top-level domain indicate the targeting of recipients. Furthermore, the availability of an application in the relevant national application store, local advertising or advertising in a language used in that Member State, or the handling of customer relations in such language are factors which may result in a targeting. In contrast, mere technical accessibility of a website from the Union cannot, on that ground alone, be considered as establishing a substantial connection to the Union.

Regardless of any additional classification under another type of business regulated by the DSA Intermediary Services include “Mere Conduit” Services (e.g. Internet Service Provider „ISP“), "Caching” Services (e.g. Content Delivery Networks "CDNs"), “Hosting” Services (e.g. cloud computing, web hosting, paid referencing services or services enabling sharing information and content online, including file storage and sharing.)

Hosting Services involve the storage of information provided by users (e.g. cloud computing, web hosting, paid referencing services or services enabling sharing information and content online, including file storage and sharing.)

Online Platforms bring together sellers and consumers. (e.g. online marketplaces, app stores, collaborative economy platforms and social media platforms).

Online platforms and search engines reaching more than 10% of 450 million consumers in Europe are classified as very large. Because of the particular risks associated with the dissemination of illegal content and societal harms, specific rules apply for VLOPs and VLOSEs.

First and foremost the legal representative shall facilitate the communication with competent national authorities, the European Commission as well as the European Board for Digital Services. The legal representative can also act as the point of contact for recipients of the service and trusted flaggers. For operational purposes the legal representative can also act as the electronic point of contact which again facilitates the communication with the various stakeholders.

The obligation to appoint a legal representative should allow for the effective oversight and, where necessary, enforcement of the DSA. This is the reason that the legal representative may be held liable for non-compliance with obligations under the DSA, without affecting the liability and legal actions that could be initiated against the provider of intermediary services.

Providers of intermediary services should ensure that the designated legal representative has the necessary powers and resources to cooperate with the relevant authorities. This also means that the legal representative needs to have sufficient qualifications and experience to handle proceeding with national and European authorities.

The Directive on Security of Network and Information Systems (NIS2) updates the original NIS 1 to improve cybersecurity across essential and important sectors in the EU, expanding its scope to more industries and introducing stricter requirements.

It addresses:

• Operators of Essential Services (OES) e.g. in the energy, banking, transport, digital infrastructure, ICT service management (B2B) sectors; and
• Operators of Important Services e.g. postal services, waste management, research, digital providers.

It applies to companies that:

• Meet the thresholds
• Have an establishment in the EU
• Are established outside the EU but are offering their services within the EU.

A Digital Service Provider is any legal person that offers a digital service.

• Online Marketplaces:  An online marketplace is a platform facilitating sales or contracts (e.g. app stores). The term does not include online services that function only as an intermediary to third-party services through which a contract can be ultimately concluded.
• Online Search Engines:  An online search engine allows website searches. Search functions that are limited to the content of a specific website, even if the function is provided by an external search engine, are not included in the NIS-Directive. Online services that compare the price of particular products or services from different traders, and then redirect the user to the preferred trader to purchase the product, are also not included.
• Providers of social networking platforms: A social networking platform that enables communication and content sharing among users across multiple devices.

• Internet Exchange Point providers: Networks for interconnection of autonomous systems.
• DNS service providers, excluding operators of root name servers: Service providers offering domain name resolution.
• TLD name registries: is an entity which has been delegated a specific TLD and is responsible for administering the TLD including the registration of domain names under the TLD and the technical operation of the TLD.
• Cloud computing service providers: Cloud computing services allow access to a scalable and elastic pool of shareable computing resources such as networks, servers or other infrastructure, storage, applications, and services. Three properties qualify a cloud computing service as a cloud service:
  • Scalable Resources
  • Elastic Pool of Resources
  • Shareable
• Different business models such as IaaS (Infrastructure as a Service), PaaS (Platform as a Service) or SaaS (Software as a Service) are included in the NIS2.
• Data centre service providers: A data centre is a facility that houses IT and network equipment for data storage, processing, and transport, along with infrastructure for power distribution and environmental control.
• Content delivery network provider is a network of geographically distributed servers for the purpose of ensuring high availability, accessibility or fast delivery of digital content and services to internet users on behalf of content and service providers.
• Trust service providers: Offers electronical services for remuneration that includes the creation, verification, and validation of electronical signatures, seals, time stamps, registered delivery services, and related certificates; or creation, verification, and validation of certificates for website authentication; or the preservation of electronic signatures, seals, or related certificates.
• Providers of public electronic communications networks: Offers transmission systems, including infrastructure, switching, routing, and resources that convey signals via wire, radio, optical, or other electromagnetic means, such as satellite, internet, mobile, and cable networks. This includes systems used for radio, television, and broadcasting.
• Providers of publicly available electronic communications services: Is a service normally provided for remuneration via electronic communications networks, which encompasses, with the exception of services providing, or exercising editorial control over, content transmitted using electronic communications networks and services, the following types of services:
  • internet access service
  • interpersonal communications service; and
  • services consisting wholly or mainly in the conveyance of signals such as transmission services used for the provision of machine-to-machine services and for broadcasting.

• Managed service provider: Provides services related to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems, via assistance or active administration carried out either on customers’ premises or remotely.
• Managed security provider: A provider that carries out or provides assistance for activities relating to cybersecurity risk management.

When determining whether a company offers their service within the EU, the important information is which markets the company is planning to offer its services to. In order to determine the intention, different factors are considered. The mere accessibility of either the entity's or an intermediary’s website or of an email address or other contact details, or the use of a language which is generally used in the region where the entity is established, is insufficient to ascertain such intention. Instead, factors such as the use of a language or a currency generally used in one or more Member States , and the possibility of ordering services in that other language, or the mentioning of customers or users who are in the Union may be an indicator that the entity is intending to offer their services within a region where it doesn’t have its main establishment.

If your company does not have an establishment in the EU but offers the mentioned digital services in these regions, you are generally obliged to appoint a NIS representative. However, the obligation to comply with the NIS2 and to appoint a representative does not apply to companies that do not exceed a certain company size. Excluded are:

• Small Enterprises, which are defined as enterprises which employ less than 50 persons and whose annual turnover and/or annual balance sheet total does not exceed 10 million; and
• Microenterprises, which are defined as enterprises which employ less than 10 persons and whose annual turnover and/or annual balance sheet total does not exceed 2 million

All in all, this means that if your company has less than 50 employees and the annual turnover and/or annual balance sheet total is less than 10 million, you do not have to appoint a representative.

When it comes to entities falling under the scope of the NIS2, the main obligations are the following:

• Cybersecurity risk-management measures: DSPs must identify and take appropriate and proportionate technical and organisational measures to manage risks posed to the security of network and information systems which they use in the context of offering their services within the EU.
   Reporting Obligation: Entities are required to follow specific reporting timelines in the event of a significant cybersecurity incident. The key obligations include:
• Early Warning: Report within 24 hours of becoming aware of a significant incident, indicating whether it may involve unlawful acts or have cross-border impact.
• Incident Notification: Submit a detailed incident notification within 72 hours, providing an initial assessment, severity, impact, and available indicators of compromise.
• Intermediate Report: Provide status updates upon request from the relevant authority or CSIRT.
• Final Report: Submit a detailed final report within one month, covering the incident description, root cause, mitigation measures, and potential cross-border impact.
• Representative:  Entities that are not established in the EU but offer certain services within the EU are required to appoint a representative who acts on behalf of the entity. These entities include:
  • DNS service providers
  • Top-level domain (TLD) registries
  • Entities providing domain name registration services
  • Cloud computing service providers
  • Data centre service providers
  • Content delivery network (CDN) providers
  • Managed service providers
  • Managed security service providers
  • Providers of online marketplaces
  • Online search engines
  • Social networking services platforms

Unlike the GDPR, which is a uniform law across all EU Member States, the NIS2 has been individually implemented by every Member State into national laws. The applicable national law for your company, qualifying as an essential or important company and exceeding the relevant thresholds:

• If your company has one or more establishments within the EU, then it is governed by the jurisdiction of the Member State where its main establishment is located (i.e. where your head office is);
• If your company is not established within the EU, but provides ICT services, digital infrastructure or digital services within the EU, you must appoint a representative in the a Member State where you offer your services. Your company will then be governed by the jurisdiction of that.

According to Art. 26 (3) of the NIS2-Directive (and most transpositions in national law), Digital Service Providers that:

• are not established in the EU; and
• offer certain digital services within the EU must designate a representative in the EU who is established in one of the Member States in which the services are being offered.

Since NIS2 law is an EU directive implemented differently by each Member State, penalties vary. However, the law lays down some fine frameworks for Member States for non-compliance with the requirement of implementing security measures and incident responses. Following the law, essential entities may be fined up to EUR 10 million or 2% of their total worldwide annual turnover. Important entities may face fines up to EUR 7 million or 1,4% of their total worldwide annual turnover.

The representative should be explicitly designated through a written mandate by the Providers of Digital Services Provider, Digital Infrastructures and ICT Service Managements. It should be possible for the relevant authorities or the Computer Security Incident Response Team (CSIRT) to contact the representative as the representative will act as a local contact point. The representative acts on behalf of the DSP Providers regarding the legal obligations under the NIS law, including incident reporting. The representative will have to comply with the local national laws of where they are established.

Prighter has an end-to-end digital onboarding process in which a Power of Attorney is generated and can be signed online or in paper. Prighter provides dedicated communication channels with the relevant data protection authorities.

Yes, the Network and Information Systems (NIS) Regulations remain fully applicable in the United Kingdom. Originally based on the European NIS Directive, the UK transposed these requirements into its own national legislation as the UK NIS Regulations 2018. Despite Brexit, these regulations have been retained and continue to ensure robust network and information system security within the UK. Therefore, the UK NIS Regulations remain in effect and enforceable post-Brexit.

The UK Network and Information Systems (NIS) Regulations 2018 apply to:

• Operators of Essential Services (OES): Organizations in sectors such as energy, banking, transport, health, water, and digital infrastructure.
• Digital Service Providers (DSPs): Including online search engines, online marketplaces, and cloud computing services.

These regulations apply to DSPs that:

• Provide at least one of the following services: an online search engine, an online marketplace, or cloud computing services.
• Do not meet the definition of a micro or small enterprise, meaning they have 50 or more employees and an annual turnover or balance sheet exceeding €10 million.

Note that if the DSP's head office is outside the UK, it is required to appoint a UK-based representative to comply with these regulations.

By ensuring these organizations implement robust security measures and report significant incidents, the UK NIS Regulations help maintain the resilience and security of critical services across the United Kingdom.

A Digital Service Provider (DSP) is any legal entity that offers digital services subject to the UK Network and Information Systems (NIS) Regulations 2018. It is important to note that not all digital services are subject to these obligations—only specific services are covered.

Online Marketplaces: An Online Marketplace is a platform that allows consumers and traders to conduct online sales or service contracts with traders. These marketplaces serve as the final destination for the conclusion of these contracts. For example, application stores that enable the digital distribution of applications or software programs from third parties are considered online marketplaces. However, the term does not include online services that function solely as intermediaries to third-party services through which a contract can ultimately be concluded.

Online Search Engines: An Online Search Engine allows users to perform searches of websites based on queries on any subject. This includes search engines that operate across all languages. However, search functions that are limited to the content of a specific website, even if provided by an external search engine, are not included under the UK NIS Regulations. Additionally, online services that compare the prices of particular products or services from different traders and then redirect users to preferred traders to purchase the product are also excluded.

Cloud Computing Services: Cloud Computing Services enable access to a scalable and elastic pool of shareable computing resources such as networks, servers, storage, applications, and services. To qualify as a cloud computing service under the UK NIS Regulations, the service must exhibit the following three properties:

• Scalable Resources: Resources can be flexibly allocated by the cloud service provider, regardless of their geographical location, to handle fluctuations in demand.
• Elastic Pool of Resources: Computing resources are provisioned and released according to demand, allowing for rapid increases or decreases in available resources based on workload.
• Shareable: Computing resources are provided to multiple users who share common access to the service. However, the processing is carried out separately for each user, even though the service is provided from the same electronic equipment.

Different business models such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) are included under the UK NIS Regulations. Additionally, hybrid models and other variations that meet the definition of enabling access to scalable, elastic, and shareable computing resources are also covered.

Exemptions: Small and Micro Businesses

There is a general exemption for micro and small businesses under the UK NIS Regulations. If your digital service provider has:

• Fewer than 50 staff, and
• An annual turnover and/or balance sheet below €10 million,

you are not classified as a DSP and are exempt from NIS obligations.
This exemption also includes sole traders. However, if your service is part of a larger group, you must assess whether the total staffing numbers and financial thresholds of the entire group exceed the small business exemption criteria.

Determining whether your company offers services in the UK involves assessing the markets you intend to target. Simply having a website accessible in English is not sufficient to establish this intent. Instead, consider the following factors:

• Use of UK-Specific Language or Currency: Offering services priced in GBP or providing content tailored to British English indicates an intention to serve UK customers.
• Ordering Capabilities: Allowing customers to place orders or access services specifically designed for the UK market suggests service provision within the UK.
• Marketing and Targeting Efforts: Directing marketing campaigns towards the UK or establishing customer support based in the UK are strong indicators of offering services in the region.

Yes, there are exemptions. If your company does not have an establishment in the UK but offers digital services within the UK, you are generally obliged to appoint a UK NIS representative under the UK Network and Information Systems (NIS) Regulations 2018. However, this obligation does not apply to:

• Small Enterprises: Companies employing fewer than 50 persons and with an annual turnover and/or annual balance sheet total not exceeding €10 million.
• Microenterprises: Companies employing fewer than 10 persons and with an annual turnover and/or annual balance sheet total not exceeding €2 million.

Therefore, if your company has fewer than 50 employees and an annual turnover and/or annual balance sheet total below €10 million, you are exempt from the requirement to appoint a UK NIS representative.

Under the UK Network and Information Systems (NIS) Regulations 2018, Digital Service Providers (DSPs) have several key obligations to ensure the security and resilience of their network and information systems when offering services within the United Kingdom:

Technical and Organisational Measure
DSPs must identify and implement appropriate and proportionate technical and organisational measures to manage risks posed to the security of the network and information systems they use.

These measures should:

• Manage Risks: Address risks that could compromise the availability, authenticity, integrity, or confidentiality of data and services.
• Proportionality: Be appropriate to the potential impact of the risk, considering the state of the art and cost of implementation.
• Preventive Actions: Include measures to prevent cybersecurity incidents where possible.

Incident Management and Impact Minimisation
DSPs are required to:

• Prevent Incidents: Take steps to prevent incidents that could affect the security of their network and information systems.
• Minimise Impact: Implement measures to minimize the impact of any incidents that do occur, with the goal of ensuring the continuity of their digital services.
• Recovery Plans: Develop and maintain incident response and recovery plans to restore services promptly.

Incident Reporting
DSPs must notify the relevant authority when an incident occurs that has a substantial impact on the provision of their services within the UK:

• Notification Duty: Report incidents without undue delay to the Information Commissioner's Office (ICO).
• Content of Notification: Provide sufficient information to enable the ICO to determine the significance of the incident, including the nature of the incident, its impact, and any remedial actions taken.
• Collaboration: Cooperate with the ICO and the National Cyber Security Centre (NCSC) as necessary during investigations and incident management.

Appointment of a UK Representative Under the UK NIS regulations, organizations that operate in the UK but do not have their head office located within the UK are required to appoint a UK NIS representative to ensure compliance with the regulations. This representative is responsible for:

• Liaison Role: Serving as the point of contact for the ICO and other relevant UK authorities.
• Compliance Assurance: Ensuring the DSP meets all obligations under the UK NIS Regulations.
• Availability: Being accessible to the UK authorities for any inquiries or enforcement actions.

If your company is a Digital Service Provider (DSP) and exceeds the relevant thresholds, the applicable law under the UK Network and Information Systems (NIS) Regulations 2018 depends on where your company is established and where you offer your services:

• If your company has its head office in the UK: You are governed by the UK NIS Regulations 2018.
• If your company does not have its head office in the UK but offers services there: You are governed by the UK NIS Regulations 2018 and you must appoint a representative in the UK who will act on your behalf under UK jurisdiction.

In both cases, your company must comply with the UK NIS Regulations, implementing appropriate security measures and fulfilling all reporting obligations.

If your company is a Digital Service Provider (DSP) without its head office in the United Kingdom but offers certain digital services within the UK, you are required to appoint a UK representative under the UK Network and Information Systems (NIS) Regulations 2018.

According to the regulations:

• Designation of a Representative: Companies without a head office in the UK but offering certain digital services in the UK must designate a representative based in the UK. This representative will act on your company’s behalf to ensure compliance with the UK NIS Regulations.
• Impact of Brexit: Since Brexit, the European Union (EU) is now considered a "third country" from a UK perspective. As a result, if you are an EU-based company offering services in the UK but without a head office in the UK, you will need to appoint a UK representative.

Role of the Representative:

• Acts on behalf of your company regarding compliance with the UK NIS Regulations.
• Serves as the point of contact for relevant UK authorities.

By appointing a UK representative, your company ensures compliance with the UK NIS Regulations, contributing to the security and resilience of network and information systems within the United Kingdom.

If your company is a Digital Service Provider (DSP) without its head office in the United Kingdom but offers digital services within the UK, you are required under the UK Network and Information Systems (NIS) Regulations 2018 to appoint a representative in the UK. The requirements for appointing a UK NIS representative include:

• Confirmation in Writing: You must confirm the appointment of your UK representative in writing after completing the registration process with the Information Commissioner's Office (ICO).
• Representative's Compliance: Your representative must comply with UK law and act on your behalf in fulfilling your legal obligations under the UK NIS Regulations, including incident reporting.
• Accessibility: The representative should be readily contactable by the ICO and the National Cyber Security Centre (NCSC).

When nominating your UK representative, you should provide the ICO with information about:

• Your Company's Head Office: Whether you have a head office located outside the UK.
• Other Representatives: Whether you have nominated a representative in another country.
• Compliance with Other Legislation: Whether you are complying with equivalent network and information systems legislation in another country.
• Location of Systems: Whether you are operating network and information systems located outside the UK.

By providing this information, you help the ICO understand your company's structure and ensure effective communication. Appointing a UK representative ensures that your company adheres to the UK NIS Regulations, contributing to the security and resilience of essential digital services within the United Kingdom.

If your company does not have an establishment within either the EU or the UK but is offering their services to individuals in both regions, you will have to appoint both an EU and a UK representative in order to comply with all relevant legislation, which consists of EU law and its implementation in the Member States on one hand, and UK law on the other hand. Please note that your EU representative must be established in one of the Member States your services are being offered to. Your UK representative must be established in the UK.

Under the UK Network and Information Systems (NIS) Regulations 2018, organizations that fail to comply with their obligations can face substantial penalties. Non-compliant companies may be fined up to £17 million. The exact amount depends on factors such as the severity of the breach, the extent of the negligence, and the potential impact on network and information system security. Failure to appoint a UK NIS representative when required is also a serious offense. Organisations that operate in the UK but do not have their head office located within the UK are required to appoint a UK NIS representative to ensure compliance with the regulations.

When appointing a representative under the UK Network and Information Systems (NIS) Regulations 2018, a Digital Service Provider (DSP) must explicitly designate the representative through a written mandate. This representative should be established in the United Kingdom and act as a local contact point, being readily accessible to relevant UK authorities like the Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC). The representative acts on behalf of the DSP regarding all legal obligations under the UK NIS Regulations, including incident reporting and liaising with authorities. They must comply with UK law and assist with any investigations or requests related to NIS compliance. By appointing a UK NIS representative, Digital Service Providers (DSPs) that do not have their head office in the UK ensure that they fulfil their legal obligations and contribute to the security and resilience of network and information systems within the United Kingdom.

Prighter ensures compliance by offering an end-to-end digital onboarding process where a Power of Attorney is generated and can be signed either online or on paper. We provide dedicated communication channels with the relevant UK authorities, such as the Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC), acting on your behalf to fulfill all legal obligations under the UK Network and Information Systems (NIS) Regulations 2018, including incident reporting and liaising with authorities.