The obligation exists by law, its scope is broad, and non-compliance carries structural consequences that go far beyond a single fine. A precise legal analysis.
The Digital Services Act imposes a legally mandatory obligation on every provider of intermediary services that offers its services in the European Union without having an establishment there: the designation of a legal representative in an EU Member State. This obligation is neither optional nor conditional on the provider's size, commercial prominence, or risk classification. It applies universally, with immediate effect, and the consequences of non-compliance are not simply a regulatory fine. They represent a structural shift in enforcement jurisdiction that exposes the non-compliant provider to simultaneous proceedings by every Digital Services Coordinator in the Union.
Article 13 DSA is systematically located in Chapter III of the Regulation, within the section addressing due diligence obligations applicable to all providers of intermediary services. Its position is deliberate: the obligation it creates is not a special regime for very large platforms, but a baseline requirement that precedes, and is independent of, the tiered compliance obligations that apply to hosting services, online platforms, and very large online platforms and search engines respectively.
The provision reads, in its operative core, as follows:
"Providers of intermediary services which do not have an establishment in the Union but which offer services in the Union shall designate, in writing, a legal or natural person to act as their legal representative in one of the Member States where the provider offers its services."
"Providers of intermediary services shall mandate their legal representatives for the purpose of being addressed in addition to or instead of the provider, by the Member States' competent authorities, the Commission and the Board, on all issues necessary for the receipt of, compliance with and enforcement of decisions issued in relation to this Regulation."
"It shall be possible for the designated legal representative to be held liable for non-compliance with obligations under this Regulation, without prejudice to the liability and legal actions that could be initiated against the provider of intermediary services."
Three structural elements of this provision deserve careful attention. First, the obligation is triggered solely by the combination of two facts: absence of an EU establishment and the offering of services to recipients in the Union. Nothing more is required. No minimum user number, no revenue threshold, and no prior designation as a platform of any particular category is needed. Second, the mandate of the legal representative is comprehensive: it extends to all issues necessary for the receipt of, compliance with, and enforcement of decisions under the DSA, a formulation that, as the leading commentary by Hofmann and Raue correctly notes, goes clearly beyond the narrower representative obligation under the former German NetzDG.1 Third, and most significantly for practical risk assessment, the legal representative may be held personally liable for the provider's non-compliance with the Regulation.
The DSA applies to providers of intermediary services with a "substantial connection" to the European Union, defined in Article 2 DSA by reference to either an establishment in the Union, or a significant number of recipients in the Union, or the directing of activity towards at least one Member State.2 The territorial reach of the DSA is therefore extraterritorial by design: a company incorporated in the United States, Japan, or anywhere outside the EU may be subject to the full weight of the DSA solely because it has a meaningful EU user base or targets EU consumers.
The concept of "establishment" that determines whether Article 13 is triggered is not simply a question of corporate registration. The CJEU has long interpreted establishment in the context of internal market law to require a real and stable presence, specifically a fixed place of business equipped with the necessary human and material resources to pursue an economic activity, with the appearance of permanency to the outside world.3 A letterbox address, a temporary project office, or a registered agent without operational capacity does not constitute an establishment in this sense. Conversely, a fully operational subsidiary incorporated and functioning in a Member State will typically constitute an establishment, which removes the parent company's obligation to designate a separate representative for the purposes of Article 13, though the legal relationship between the parent's DSA obligations and the subsidiary's establishment requires case-by-case assessment.
What this means in practice is that the vast majority of non-EU technology companies active in the European market, including app developers, SaaS providers, e-commerce operators, social media platforms, content networks, cloud service providers, and online marketplaces, are subject to Article 13, regardless of whether they have ever considered their position under EU law. The DSA does not await designation, registration, or regulatory notification. The obligation arises from the act of offering services.
Article 3(g) DSA defines "intermediary services" to encompass three categories: mere conduit services (simple transmission of data in a communication network), caching services (automatic, intermediate, and temporary storage of data), and hosting services (the storage of data provided by recipients of the service). Online platforms — services that store and disseminate information to the public on a substantial scale — are a subset of hosting services and, critically, they are among the most commercially significant addressees of the DSA's obligations.
The breadth of this definition is a deliberate legislative choice. Infrastructure providers, marketplace operators, social media platforms, review aggregators, file storage services, and countless other digital business models fall within one or more of these categories. If a service stores or transmits user-generated content and makes it accessible to others, the probability that it qualifies as an intermediary service under the DSA is high. The Terharen commentary on the DSA confirms that this categorisation is the starting point for any compliance assessment — because it determines not only whether Article 13 applies, but also which tier of obligations follows from it.4
Article 13(1) DSA permits the designation of either a natural or a legal person as legal representative. Recital 44 DSA explicitly mentions as a suitable model a subsidiary of the intermediary services provider, or the parent company, where either is established in the Union. This provides a clear pathway for corporate groups: an EU-incorporated subsidiary can, in principle, serve as legal representative for a non-EU parent, provided it meets the substantive requirements the provision imposes.
Those requirements are substantive, not merely formal. The legal representative must have a physical location in the EU. Recital 42(3) DSA expressly states this requirement, and it is reinforced by Article 13(4) DSA's requirement that the representative have a postal address.5 More importantly, the representative must be equipped with the necessary powers and sufficient resources to guarantee efficient and timely cooperation with competent authorities. The Hofmann/Raue commentary notes, with practical precision, that a representative in insolvency proceedings cannot function as legal representative under Article 13, since a company undergoing corporate restructuring cannot reliably ensure compliance and enforcement of DSA decisions.6
Article 13(1) DSA requires that the designation be made "in writing" (French: par écrit). This requirement is to be interpreted autonomously under EU law and does not necessarily require satisfaction of strict national formal requirements, such as the handwritten signature required under § 126 BGB in German law. What is required is a written declaration by the parties, which may be expressed in different documents and transmitted by modern means of communication.7 However, because Article 13(3) DSA creates the possibility of holding the representative liable for the provider's non-compliance, the designation requires, as the Terharen Praxishandbuch correctly emphasises, the acceptance of the designated person. A unilateral declaration is insufficient; the designation is a bilateral legal transaction that requires the consent of the designee.8
Article 13(2) DSA requires that the provider mandate its legal representative to act as addressee of all decisions and communications from the competent authorities of the Member States, the European Commission, and the Board of Digital Services Coordinators. This mandate covers "all issues necessary for the receipt of, compliance with and enforcement of decisions" — a formulation that encompasses not only initial notification of proceedings, but subsequent procedural steps, interim measures under Article 26 DSA, compliance orders under Article 51 DSA, and fines or periodic penalty payments under Article 52 DSA.
The representative may be mandated either "in addition to" or "instead of" the provider itself. In practice, most commercial arrangements will designate the representative as the primary addressee for EU regulatory communications, with appropriate contractual mechanisms to ensure rapid relay of all relevant communications to the provider's internal compliance function. The intermediary service remains obligated to provide the representative with the necessary powers and sufficient resources to discharge this role effectively.
The question whether Article 13 DSA also creates a basis for private parties, such as recipients of the service, competitors, or consumer associations, to address legally relevant statements to the legal representative, rather than only public authorities, is doctrinally contested. The text of Article 13(2) DSA refers expressly to the competent authorities, the Commission, and the Board, which could suggest a limitation to public enforcement. However, the Hofmann/Raue commentary offers compelling counter-arguments: Article 13(3) DSA imposes liability on the representative for all infringements under the Regulation; Recital 44(3) speaks of the "enforcement" (not merely "oversight") of the Regulation; and the DSA's own damages provision in Article 54 DSA is a private-law mechanism that recipients of the service may invoke. A restrictive interpretation that confines the representative's mandate exclusively to public enforcement would impair the effectiveness of private DSA enforcement vis-à-vis non-EU providers, contrary to the general principle of effectiveness under EU law.
The safer and legally more robust position is therefore to ensure that the legal representative is also accessible and appropriately mandated for private enforcement purposes. This has direct consequences for how the representative's mandate should be drafted.
Article 13(3) DSA is exceptional in EU regulatory law: it creates the express possibility of holding the legal representative liable for non-compliance with the provider's obligations under the Regulation. The provision specifies that this is "without prejudice to the liability and legal actions that could be initiated against the provider" — meaning the representative's liability is additional to, not a substitute for, the provider's own liability. Both the provider and the representative may simultaneously face enforcement action.
The practical consequence is significant. A natural person or legal entity that agrees to act as legal representative under Article 13 is not merely performing an administrative notification function. It is accepting a position of legal exposure. The competent authorities may impose the penalties provided for in Article 52 DSA, including fines of up to 6% of the provider's global annual turnover and periodic penalty payments, against the legal representative directly, for infringements committed by the provider. This creates a genuine risk allocation question that any prudent party entering a legal representation agreement must address through carefully drafted contractual indemnification and liability limitations.
For providers, this liability structure creates a further consideration: the legal representative must be an entity or individual with sufficient understanding of the DSA's requirements, sufficient resources to discharge the mandate competently, and sufficient organisational capacity to process and relay regulatory communications without undue delay. A nominal or passive designation, meaning a name and address provided to satisfy a formal obligation without substantive capability behind it, is both legally insufficient and practically dangerous, since the representative's inability to respond effectively to authority communications may compound the provider's non-compliance.
Article 56 DSA establishes the general rule for jurisdiction among Digital Services Coordinators: the DSC of the Member State in which the provider's main establishment is located has primary competence. For providers established outside the Union, Article 56(6) DSA adapts this rule: the competent DSC is the one of the Member State in which the legal representative resides or is established. This is a structurally important provision, and its implications for non-EU providers are considerable.
The practical significance of Article 56(6) DSA cannot be overstated. When a non-EU provider designates a legal representative in a Member State, the result is a concentration of supervisory jurisdiction: only the DSC of the state where the representative is established has primary competence for oversight and enforcement. The provider benefits from a structural advantage equivalent, in functional terms, to having a single main establishment, with one primary regulator, one set of procedural rules, and one point of contact for all supervisory communications.
This is directly confirmed by the Terharen Praxishandbuch on the DSA: the non-EU provider with a designated legal representative "benefits from a basic concentration of jurisdiction with one coordinator, analogously to the situation of a provider with a main establishment in the EU."9 This structural benefit represents one of the most compelling practical reasons to designate a legal representative promptly — not merely to satisfy a formal compliance obligation, but to actively manage the provider's regulatory risk profile.
If a non-EU provider fails to designate a legal representative, Article 56(7) DSA applies. The consequence is the precise opposite of the concentration that Article 56(6) creates: all Digital Services Coordinators in the Union are competent for oversight and enforcement against the provider. Twenty-seven national enforcement authorities, each with their own administrative procedures, investigative powers, and sanction regimes, each entitled to initiate proceedings independently.
The DSA provides, in Article 56(7), specific cooperation and coordination mechanisms between DSCs in such cases, and it requires respect for the ne bis in idem principle to protect the provider against multiple sanctions for the same infringement. But the practical consequences of multi-jurisdictional exposure remain severe: parallel investigations, divergent procedural timelines, inconsistent demands for information, and the burden of managing regulatory correspondence across multiple Member States simultaneously. The ne bis in idem protection addresses double punishment. It does not prevent multiple simultaneous investigations.
One primary DSC has jurisdiction, providing a predictable regulatory contact point and a single, consistent set of procedural rules. Enforcement follows a coordinated pathway, the Article 13 obligation is satisfied, and exposure to infringement fines under Art. 52 and 73 DSA is avoided.
All 27 EU Digital Services Coordinators are simultaneously competent, creating exposure to parallel proceedings across jurisdictions and multiple, potentially conflicting procedural demands. The failure constitutes a structural violation of Art. 13 DSA, triggers fines under Arts. 52 and 73 DSA, and carries significant reputational and operational disruption risk.
The designation of a legal representative does not take effect in a regulatory vacuum. Article 13(4) DSA requires that the intermediary service notify the following information to the Digital Services Coordinator of the Member State where the representative resides or is established:
Specifically, the notification must cover the representative's name, postal address, email address, and telephone number.
In addition to notifying the relevant DSC, Article 13(4) requires that this information be made publicly available, easily accessible, accurate, and kept up to date. In practical terms, this information should be prominently included in the provider's imprint (Impressum) or legal notice on its website, and updated promptly whenever the representative changes. The Terharen commentary recommends making this information available on the imprint page of the intermediary service's website, a practice that satisfies the accessibility and transparency requirements simultaneously.10
The transparency obligation reflects a broader architectural principle of the DSA: public authorities, private parties, and recipients of the service should always be able to identify a legal point of contact within the EU for any provider offering services there. The designation is not merely an internal compliance measure. It is a publicly registered and verifiable legal status.
Article 13(5) DSA provides an express clarification that carries significant importance for tax law, data protection law, and other areas of EU and Member State law: the designation of a legal representative "shall not constitute an establishment in the Union." This provision ensures that compliance with the DSA's representative obligation does not inadvertently trigger additional consequences under other legal frameworks — for example, the creation of a permanent establishment for VAT or corporate tax purposes, or the triggering of a main establishment for GDPR purposes. The DSA applies when the intermediary service offers its services to recipients in the Union, regardless of establishment status; and the legal representative enables enforcement of that application without altering the provider's establishment status under other rules.
A legally compliant designation under Article 13 DSA requires attention to several layers of legal and operational detail that are frequently underestimated when providers approach the obligation as a simple administrative formality.
The designation agreement between the provider and the representative must address, at minimum: the scope of the mandate (whether the representative is authorised in addition to or instead of the provider for public enforcement purposes, and whether private enforcement is also covered); the resources to be provided to the representative to ensure effective and timely cooperation; the information flow obligations, covering how regulatory communications received by the representative are to be transmitted to the provider's compliance function; the contractual indemnification structure, given that the representative bears personal liability under Article 13(3) DSA; and the governance of updates to the publicly notified information, including arrangements for prompt re-notification to the DSC if the representative changes.
The choice of Member State in which to locate the representative merits deliberate consideration rather than default selection. Factors relevant to this choice include the procedural tradition and enforcement posture of the Member State's DSC, the availability of qualified legal counsel with DSA expertise in the jurisdiction, the language of regulatory proceedings, and the logistical ease of managing authority correspondence from the representative's location. Recital 44 DSA notes explicitly that the same legal person may act as representative for multiple intermediary services — a commercially sensible arrangement that specialist counsel can structure appropriately, provided the representative retains sufficient resources to act for all represented services simultaneously.
A regulated law firm with specific expertise in the Digital Services Act provides a structurally sound basis for the legal representation mandate. Beyond formal compliance with Article 13's physical presence and resource requirements, specialist legal counsel brings a critical operational advantage: the capacity to assess the legal significance of incoming authority communications immediately, to advise on response strategies in real time, and to coordinate with the provider's internal compliance teams on the basis of direct legal analysis. This is materially different from a nominal designation that satisfies the form of Article 13 without delivering its substance.
From a risk allocation perspective, a specialist law firm also offers professional liability coverage and the structural continuity necessary to ensure that the representative designation remains effective across changes in personnel, insolvency events, or corporate restructurings that might otherwise interrupt the operational capacity of a corporate designee.
At the time of the DSA's entry into force, some commentators characterised the Article 13 obligation as one of the less pressing items on a non-EU provider's compliance agenda, reasoning that national DSCs were newly established, enforcement capacity was developing, and attention would initially focus on very large platforms. That assessment is no longer tenable.
Digital Services Coordinators are now operational across all 27 Member States. Germany's Bundesnetzagentur has received over 1,700 complaints since assuming its role as DSC, has recognised Trusted Flaggers under Article 22 DSA, and has certified the Union's first DSA dispute resolution body. The European Commission's formal proceedings against TikTok, Temu, and AliExpress have demonstrated that enforcement extends well beyond Article 13 to the full range of DSA obligations, and that the Commission is prepared to act against non-EU platforms specifically. The enforcement architecture is operational. The question for any non-EU intermediary service is no longer whether oversight will develop, but when it will arrive.
The failure to designate a legal representative is itself an infringement of the DSA, subject to the penalty regime in Articles 52 and 73 DSA. Member State law implementing these provisions can impose fines on the provider for this structural violation, entirely independently of any substantive breach of the DSA's content moderation, transparency, or due diligence obligations. The failure to designate is itself the infringement.
For providers that have not yet addressed their position, the window for proactive compliance, as opposed to reactive compliance driven by a regulator's inquiry, remains open. But it is narrowing as enforcement capacity across the Union matures and as the volume of DSA proceedings, both by national DSCs and by the Commission, increases.
Kanzlei Theo Funk, Article 13 DSA Legal Representative Services
Rechtsanwalt Theo Funk advises international technology companies on the full scope of their obligations under the Digital Services Act, the AI Act, and EU digital regulation more broadly. The firm provides Article 13 DSA legal representative services for non-EU providers offering intermediary services in the Union, including formal designation, DSC notification, public imprint requirements, mandate structuring, and ongoing compliance support as the enforcement landscape develops. If your company serves EU users and has not yet designated a legal representative, the obligation already applies. We are available for an initial consultation to assess your company's position and structure a compliant solution.
Get in touch → info@kanzlei-theofunk.de1. Hofmann/Raue, Digital Services Act (Commentary), Art. 13 mn. 18: "The powers of the legal representative under the DSA thus go clearly beyond those of the representative under the former German NetzDG (see § 5 NetzDG)."
2. Art. 2(1) DSA; Art. 3(e) DSA (definition of "substantial connection"); Hofmann/Raue, Art. 2 mn. 11 et seqq., mn. 15 et seqq.
3. CJEU, 17.7.2017, C-533/15 (Hummel Holding), ECLI:EU:C:2017:541 mn. 37; Hofmann/Raue, Art. 13 mn. 9 (on the concept of establishment in the DSA context).
4. Terharen (ed.), Praxishandbuch DSA, Linde Verlag, Chapter 5.2.1.2 (on the general structure of due diligence obligations as the analytical starting point for service provider categorisation).
5. Art. 13(4) DSA; Recital 42(3) DSA; Hofmann/Raue, Art. 13 mn. 14 (on physical presence).
6. Hofmann/Raue, Art. 13 mn. 19: "Therefore, as a reconstruction proceeding or corporate insolvency cannot act as legal representative, vacating a person in this situation."
7. Hofmann/Raue, Art. 13 mn. 11 (on the autonomous interpretation of the written form requirement under EU law); Terharen, Praxishandbuch DSA, Chapter 5.2.1.2 (on the written form and absence of mandatory handwritten signature requirement).
8. Terharen, Praxishandbuch DSA, Chapter 5.2.1.2: "Da es sich bei der Beauftragung um eine annahmebedürftige Willenserklärung handelt, ist eine einseitige Erklärung unwirksam." (The designation requires acceptance; a unilateral declaration is ineffective.)
9. Terharen, Praxishandbuch DSA, Chapter 9.6.2: providers with a designated legal representative "benefit from a basic concentration of jurisdiction with one coordinator, analogously to the case of a main establishment in the EU" (free translation); Art. 56(6) DSA.
10. Terharen, Praxishandbuch DSA, Chapter 5.2.1.2 (Praxistipp): "Die Informationen über den gesetzlichen Vertreter können auf der jeweiligen Impressumsseite der Website des Anbieters von Vermittlungsdiensten platziert werden."