NIS-2: Obligation to designate a representative for entities in third countries
Within the scope of the NIS-2 Directive (NIS-2-RL), situations may arise in which providers of certain NIS-2-relevant services, such as managed service providers, are based solely in a third country but offer services within the EU. According to Art. 2 (1) NIS-2 Directive, the territorial scope of application applies as soon as a company provides a service or carries out activities in the EU. Art. 26 NIS-2 Directive specifies this scope of application to the effect that, in principle, the Member State in which the entity is located and thus its respective implementing law is applicable. We have already written an article on this subject.
However, if the entity does not have an establishment in the EU, a special rule applies under Article 26 (3) NIS-2 Directive, which we are already familiar with from the GDPR: certain entities must appoint a representative if they offer services in the EU. This applies to the following entities listed in Art. 26 (1) (b) NIS-2 Directive:
- DNS service providers;
- TLD name registries;
- entities providing domain name registration services;
- cloud computing service providers;
- data centre service providers;
- content delivery network providers;
- managed service providers;
- managed security service providers;
- providers of online marketplaces;
- providers of online search engines;
- providers of social networking services platforms.
A practical example would be a company that operates the entire workplace IT (e.g., software distribution, remote support, and troubleshooting) and can therefore be classified as a managed service provider. If this company is based in India, for example, and offers its services to companies in the EU, but is not established there, the requirement of Art. 26 (3) NIS-2 Directive applies.
If one of the aforementioned entities established solely in a third country does not designate a representative, any Member State in which the entity provides services may take legal action against the entity for the infringement of the NIS-2 Directive. This is particularly disadvantageous for the third-country company concerned, as the NIS-2 Directive only prescribes minimum harmonization under Article 5 NIS-2 Directive and individual Member States may lay down stricter rules to ensure a higher level of cybersecurity. Without the designation of a representative, the above-mentioned entities would then have to comply with all implementing acts of the Member States in which they provide their services. In this respect, the designation of a representative has the advantage that the entity can choose the applicable Member State law if it provides its services in several Member States. However, neither the NIS-2 Directive nor the BSIG contains an obligation to designate a representative that is backed by a penalty. The BSIG only sanctions, in Section 65 (2) No. 8 BSIG, a violation of Section 34 (2) BSIG, namely where the German Federal Office for Information Security (BSI) is not informed correctly, completely, or in a timely manner about changes in connection with a designated (!) representative.
According to Art. 6 (34) NIS-2 Directive, the representative may be a natural or legal person established in the EU. There are no further requirements, such as special knowledge. The representative must simply be explicitly designated by the entity and reported to the competent authority, e.g., pursuant to Section 34 (1) No. 3 and 4 BSIG, with their contact details as part of the registration requirement for certain types of entities. The representative's main task is to act as a contact person for authorities or CSIRTs. In addition, Recital 116, Sentence 6 of the NIS-2 Directive stipulates that the representative must also report security incidents.
With regard to liability, Article 26 (4) NIS-2 Directive stipulates that the entity cannot exempt itself from liability by designating a representative. This is because the representative acts in addition to the entity. Accordingly, the representative cannot be held liable for breaches of duty by the entity.
Conclusion and recommendation
The role of representative only becomes relevant if one of the above-mentioned entities is not established in the EU but offers its services there. Due to the advantages mentioned above, it is recommended that the above-mentioned entities designate a representative. Since the figure of the representative is also mentioned in other European digital laws, such as the GDPR, the AI Act, or the Digital Services Act, albeit with slightly different requirements in some cases, it is generally possible to designate one representative for several digital legal acts.