Legal Analysis · Comparative Overview

EU Representative Duties Compared: GDPR, DSA, AI Act and NIS2

Four Union instruments oblige certain non-EU businesses to designate a representative in the Union: Article 27 GDPR, Article 13 DSA, Articles 22 and 54 of the AI Act, and Article 26(3) NIS2. The architecture is shared. The triggers, task catalogues, liability profiles and timelines differ. This article compares them.

Published 15 July 2026
Reading time 11 minutes
Author Theo Funk, Rechtsanwalt
Scope Art. 27 GDPR · Art. 13 DSA · Arts. 22/54 AI Act · Art. 26(3) NIS2

A business established outside the European Union that reaches the EU market can face up to four parallel duties to designate a representative in the Union. The General Data Protection Regulation, the Digital Services Act, the Artificial Intelligence Act and the NIS2 Directive each contain such a duty, and each answers the same structural problem: a provider active on the Union market without being established there is, formally, outside the immediate reach of the authorities charged with enforcement. The legislative answer is repeated across all four instruments — a designated, addressable point of presence inside the Union. Beneath that shared architecture, however, the four duties differ in who is caught, what the representative must do, who bears which liability, how the designation becomes visible, and when each duty applies. This article compares them along those axes.

Key Takeaways
  • Art. 27 GDPR, Art. 13 DSA, Arts. 22 and 54 AI Act and Art. 26(3) NIS2 impose four legally separate designation duties, each with its own trigger, its own written mandate and its own task catalogue. Compliance with one is not evidence of compliance with the others.
  • The DSA is the outlier on liability: Art. 13(3) DSA expressly allows the legal representative to be held liable in its own right for the provider's non-compliance. No comparable clause exists in the GDPR, the AI Act or NIS2 — although the GDPR representative may face enforcement proceedings and the AI Act representative faces fines for breaches of its own duties.
  • The seat constraints differ and are jurisdiction-shaping: the GDPR representative must sit where the data subjects are; the DSA and NIS2 representatives must sit in a Member State where services are offered, and their location fixes the competent supervisory Member State; the AI Act representative may sit anywhere in the Union.
  • The temporal picture is staggered: GDPR since 25 May 2018, DSA fully since 17 February 2024, NIS2 via national transposition since 18 October 2024, and the AI Act in stages — Art. 54 (GPAI models) since 2 August 2025, Art. 22 (high-risk systems) from 2 August 2026, Art. 6(1) product-embedded high-risk classification from 2 August 2027.
  • One suitably resourced EU entity may in principle hold several of these roles at once, but each role requires a distinct written mandate; an undifferentiated single "EU representation" instrument would misstate the legal position under every one of the four regimes.

Companion analysis: this article maps all four regimes side by side. For an in-depth liability analysis of the three parallel duties under the DSA, the GDPR and the AI Act — including the doctrinal debate around Article 13(3) DSA — see the firm’s article The EU Representative: Parallel Duties Under DSA, GDPR and AI Act.

§ IWho must designate: four triggers side by side

The four duties are triggered by four different fact patterns, and the analysis for any given provider must run through all of them separately.

Article 27 GDPR attaches to controllers and processors not established in the Union whose processing falls under Article 3(2) GDPR — that is, processing which relates to offering goods or services to data subjects in the Union, irrespective of payment, or to monitoring their behaviour as far as it takes place within the Union.1 The duty is subject to an express exemption: no representative is required where the processing is occasional, does not include, on a large scale, special categories of data under Article 9 or criminal-conviction data under Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons — three cumulative conditions — or where the processor or controller is a public authority or body.2

Article 13 DSA attaches to providers of intermediary services — mere conduit, caching and hosting services within the meaning of Article 3(g) DSA — which do not have an establishment in the Union but offer services in the Union. "Offering services in the Union" presupposes a substantial connection to the Union, defined in Article 3(e) DSA by reference to an establishment, a significant number of recipients in one or more Member States, or the targeting of activities towards at least one Member State. There is no de-minimis exemption comparable to Article 27(2) GDPR: no user threshold, no revenue floor, no occasional-use carve-out.3

Articles 22 and 54 AI Act split the duty across two provider classes. Under Article 22(1), a provider established in a third country must, by written mandate, appoint an authorised representative established in the Union before making a high-risk AI system available on the Union market. Under Article 54(1), the same duty applies to third-country providers of general-purpose AI models before placing such a model on the Union market. Article 54(6) carves out providers of GPAI models released under a free and open-source licence — with parameters, weights, architecture and usage information publicly available — unless the model presents systemic risk.4

Article 26(3) NIS2 attaches to a closed list of entity types drawn from Article 26(1)(b) of the Directive: DNS service providers, TLD name registries, entities providing domain-name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, and providers of online marketplaces, online search engines or social networking services platforms. Where such an entity is not established in the Union but offers services within the Union, it must designate a representative in the Union, established in one of the Member States where the services are offered.5 Two structural differences follow from the instrument type: NIS2 is a directive, so the duty reaches the entity through national transposition; and the trigger is category-based — an entity outside the Article 26(1)(b) list is not caught, however large its Union footprint.

Art. 27
GDPR: non-EU controllers and processors within Art. 3(2), subject to the occasional-and-low-risk exemption
Art. 13
DSA: non-EU providers of intermediary services offering services in the Union — no de-minimis threshold
Arts. 22 · 54
AI Act: third-country providers of high-risk AI systems and of GPAI models, with an open-source carve-out below systemic risk
Art. 26(3)
NIS2: closed list of digital-infrastructure and digital-provider categories offering services in the Union

§ IITask profiles: what each representative is mandated to do

The GDPR representative is mandated to be addressed, in addition to or instead of the controller or processor, by supervisory authorities and by data subjects on all issues related to the processing (Article 27(4) GDPR). The private-facing dimension is unique among the four regimes: a data subject in the Union may approach the representative directly. The representative also maintains the record of processing activities where applicable (Article 30(1) GDPR), and its identity must appear in the transparency information given to data subjects under Articles 13(1)(a) and 14(1)(a) GDPR.6

The DSA legal representative carries the broadest mandate: it must be empowered to be addressed by the Member States' competent authorities, the Commission and the European Board for Digital Services on all issues necessary for the receipt of, compliance with and enforcement of decisions issued in relation to the Regulation (Article 13(2) DSA). The provider must give the representative the necessary powers and sufficient resources to guarantee efficient and timely cooperation — a statutory resourcing requirement the other regimes do not spell out in the same terms.7

The AI Act authorised representative bears a documentation-centred catalogue defined with product-safety precision. For high-risk systems (Article 22(3)): verify that the EU declaration of conformity and the technical documentation have been drawn up and that the conformity-assessment procedure has been carried out; keep the documentation at the disposal of the competent authorities for ten years; provide information on reasoned request; cooperate with the authorities; and comply with the registration obligations under Article 49. For GPAI models (Article 54(3)), the catalogue centres on the Annex XI technical documentation and the provider's obligations under Article 53 and, for systemic-risk models, Article 55, with the AI Office as the central counterpart. Both variants add a duty found nowhere else in the comparison: the representative must terminate the mandate and inform the competent authority — for GPAI models, the AI Office — if it considers or has reason to consider that the provider is acting contrary to its obligations (Articles 22(4), 54(5)).8

The NIS2 representative has the thinnest statutory profile of the four. Article 26(3) defines the role through its jurisdictional consequence — the entity is deemed to be under the jurisdiction of the Member State where the representative is established — rather than through a task list. The operative content of the role therefore emerges from national transposition law and from the surrounding obligations of the Directive: the registration data to be submitted under Article 27, cooperation with the competent authorities and CSIRTs, and the entity's incident-notification duties under Article 23, for which the representative functions as the addressable Union presence.9

§ IIILiability and enforcement: where the regimes separate most clearly

The DSA particularity: own liability of the representative, Art. 13(3)

Article 13(3) DSA (Wording)

"It shall be possible for the designated legal representative to be held liable for non-compliance with obligations under this Regulation, without prejudice to the liability and legal actions that could be initiated against the provider of intermediary services."

Article 13(3) DSA is the exceptional provision of the comparison: it expressly permits the legal representative to be held liable, in its own right, for the provider's non-compliance with the Regulation — additional to, not instead of, the provider's own liability. None of the other three regimes contains a comparable clause.10 The DSA adds a jurisdictional lever: under Article 56(6) DSA, the Member State where the legal representative resides or is established supplies the competent Digital Services Coordinator; where no representative has been designated, Article 56(7) makes all Member States' coordinators competent, and the failure to designate is itself an infringement subject to penalties under the national rules adopted pursuant to Article 52 DSA.

The GDPR position is narrower and partly contested. Recital 80 states that the designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor; the representative is a point of accountability, not a mailbox. Whether administrative fines under Article 83 GDPR can be directed at the representative for the provider's breaches is debated in the literature and has been answered divergently in national practice; what is settled is that the designation is without prejudice to actions against the controller or processor itself.11

The AI Act representative does not answer for the provider's substantive violations, but its own task catalogue is fine-armoured: Article 99(4)(b) AI Act attaches administrative fines to the authorised representative's non-compliance with its obligations under Article 22. Combined with the termination-and-alert duty, the AI Act turns its representative into an actively supervised compliance node rather than a passive contact point.

Under NIS2, the representative itself bears no express liability provision. The Directive's enforcement instruments — supervisory measures and administrative fines under Articles 32 to 34, applied through national law — are directed at the essential or important entity. Article 26(4) confirms that the designation of a representative is without prejudice to legal actions against the entity itself, and the final sentence of Article 26(3) supplies the sanction for omission: absent a designated representative, any Member State in which the entity provides services may take legal action against it for infringements of the Directive — a decentralised exposure functionally similar to the DSA's Article 56(7) scenario.12

"Three of the four regimes discipline the provider through the representative. Only the DSA also disciplines the representative for the provider."

§ IVRegistration and notification pathways

How the designation becomes visible to authorities and to the public differs markedly.

  • GDPR: no register and no notification to a supervisory authority. The designation must be made in writing, and it surfaces through documentation: the representative's identity and contact details belong in the Article 13/14 transparency information addressed to data subjects and in the Article 30 records of processing.
  • DSA: Article 13(4) requires the provider to notify the name, postal address, email address and telephone number of the legal representative to the Digital Services Coordinator of the Member State where the representative resides or is established, and to make that information publicly available, easily accessible, accurate and up to date — in practice on the provider's website.
  • AI Act: for high-risk systems within Annex III, the registration obligation of Article 49 leads into the EU database established under Article 71; compliance with the registration duties is part of the authorised representative's verified catalogue under Article 22(3). For GPAI models there is no database registration; the representative acts as the documented contact point towards the AI Office.
  • NIS2: Article 27 requires the entity types listed there — matching the Article 26(1)(b) categories — to submit their name, address, contact details, the Member States where they provide services and their IP ranges to the competent authority, which forwards the data to ENISA for a Union-level registry; the initial submissions were due by 17 January 2025, and the information must be kept current.13

A common feature sits behind these differences: under none of the four regimes does the designation of a representative constitute an establishment of the provider in the Union. The DSA states this expressly in Article 13(5); for the GDPR, the AI Act and NIS2 the same conclusion follows from the systematics of each instrument — the representative creates addressability and, under the DSA and NIS2, supervisory jurisdiction, but no establishment.14

§ VTemporal application: four clocks, one of them staged

The four duties did not arrive together, and one of them is still phasing in.

  • GDPR: Article 27 has applied since 25 May 2018 (Article 99(2) GDPR).
  • DSA: the Regulation has applied in full since 17 February 2024 (Article 93(2) DSA); for designated very large online platforms and search engines, obligations began four months after their designation, in 2023.
  • NIS2: Member States had to transpose the Directive by 17 October 2024 and to apply the transposing measures from 18 October 2024 (Article 41 NIS2); several Member States completed transposition only after that deadline, so the operative national law must be checked in each case.
  • AI Act: the timeline is staged by Article 113. The Regulation entered into force on 1 August 2024. Chapters I and II (including the prohibitions) have applied since 2 February 2025. The general-purpose AI provisions of Chapter V — including the Article 54 authorised-representative duty — have applied since 2 August 2025. The Regulation applies generally, including Article 22 for high-risk AI systems, from 2 August 2026. The classification rule of Article 6(1) for high-risk systems embedded in Annex I product legislation, with its corresponding obligations, follows from 2 August 2027.15

For AI Act planning, the sequence matters in practice: a third-country GPAI-model provider has been under the Article 54 duty since August 2025, while the Article 22 duty for high-risk systems becomes operative in August 2026 — and is a precondition to lawful market access, since the appointment must precede the making available of the system. Legislative proposals to adjust parts of the AI Act timeline were under discussion at Union level at the time of writing; until any such amendment is adopted, the dates of Article 113 govern.

§ VICumulation: one provider, several duties — one entity, several roles?

The four triggers overlap easily. A third-country provider operating an online marketplace processes personal data of Union users at scale (Article 27 GDPR), provides a hosting-type intermediary service (Article 13 DSA), and belongs to the "online marketplaces" category of Article 26(1)(b) NIS2 (Article 26(3) NIS2); if it additionally places a general-purpose AI model on the Union market or makes a high-risk AI system available, Articles 54 or 22 AI Act join the set. Each duty must be assessed and satisfied separately; none absorbs another, and the regimes contain no mutual-recognition clause.

May the same Union entity hold several of the roles? None of the four instruments forbids it, and the practice of consolidated representation is well established. Three constraints shape the arrangement:

  • Seat compatibility. The GDPR representative must be established in a Member State where the relevant data subjects are (Article 27(3)); the DSA representative in a Member State where the provider offers its services; the NIS2 representative in a Member State where the services are offered. The AI Act representative may be established anywhere in the Union. For a provider active in Germany, a German representative entity can satisfy all four seat rules at once — and, because the DSA and NIS2 tie supervisory jurisdiction to the representative's seat, the choice concentrates oversight in one Member State.
  • Separate mandates. Each role rests on its own written designation with its own statutory task catalogue: the GDPR mandate includes data-subject addressability; the DSA mandate covers receipt, compliance and enforcement of decisions and requires powers and resources; the AI Act mandate is documentation- and verification-centred and includes the termination duty; the NIS2 role anchors jurisdiction and registration. A single undifferentiated instrument covering "EU representation" across the regimes would misstate the legal position under each of them.
  • Divergent risk positions. The entity accepting the DSA role accepts potential own liability under Article 13(3); the entity accepting the AI Act role accepts fine-armoured duties of its own plus the obligation to disengage and alert the authorities; the GDPR role imports possible enforcement proceedings. Prudent parties reflect these asymmetries in the contractual architecture — scope clauses, information flows, indemnities — rather than treating the four roles as one.

§ VIIThe four regimes at a glance

Comparison — EU representative duties under GDPR, DSA, AI Act and NIS2
Criterion GDPR — Art. 27 DSA — Art. 13 AI Act — Arts. 22/54 NIS2 — Art. 26(3)
Instrument Regulation (EU) 2016/679 Regulation (EU) 2022/2065 Regulation (EU) 2024/1689 Directive (EU) 2022/2555 (national transposition)
Who designates Non-EU controllers/processors within Art. 3(2); exemption Art. 27(2) Non-EU providers of intermediary services offering services in the Union Third-country providers of high-risk AI systems (Art. 22) and of GPAI models (Art. 54); open-source carve-out Art. 54(6) Non-EU entities of the Art. 26(1)(b) categories offering services in the Union
Addressed by Supervisory authorities and data subjects Member State authorities, Commission, Board Market-surveillance authorities; AI Office (GPAI) Competent authorities/CSIRTs of the jurisdiction Member State
Core tasks Addressability on all processing issues; Art. 30 records Receipt, compliance and enforcement of decisions; powers and resources required Verify conformity documentation; 10-year retention; cooperation; registration; termination duty Union presence anchoring jurisdiction; registration and incident-related cooperation via national law
Own liability of the representative Enforcement proceedings possible (Recital 80); fine exposure contested Express own-right liability, Art. 13(3) Fines for breaches of the representative's own duties, Art. 99(4)(b) No express provision; enforcement targets the entity
Consequence of omission Infringement, enforcement against controller/processor Infringement (Art. 52); all 27 DSCs competent, Art. 56(7) Market access barred for the system/model; fines Any Member State where services are provided may take legal action, Art. 26(3)
Seat of the representative Member State where the data subjects are (Art. 27(3)) Member State where the provider offers services; seat fixes the competent DSC (Art. 56(6)) Anywhere in the Union Member State where services are offered; seat fixes jurisdiction
Registration / publicity No register; Arts. 13/14 information, Art. 30 records Notification to the DSC; public contact details (Art. 13(4)) EU database for Annex III high-risk systems (Arts. 49, 71); AI Office contact for GPAI ENISA registry via national authority (Art. 27)
Applicable since 25 May 2018 17 Feb 2024 (fully) Art. 54: 2 Aug 2025 · Art. 22: 2 Aug 2026 · Art. 6(1) classification: 2 Aug 2027 18 Oct 2024 via national transposition

The table condenses; it does not decide. Whether a specific provider is caught by one, several or none of the four duties turns on service categorisation under the DSA, the processing analysis under Article 3(2) GDPR, the risk classification of any AI system or model, and the entity-category test of NIS2 — four assessments that reward being run together, on one set of facts.

References and Sources

1. Art. 3(2)(a)–(b) GDPR; Recitals 23–24 GDPR; Art. 27(1) GDPR.

2. Art. 27(2)(a)–(b) GDPR (cumulative conditions of the exemption; public authorities and bodies).

3. Art. 13(1) DSA; Art. 3(d), (e) and (g) DSA (offering of services in the Union; substantial connection; intermediary services); Hofmann/Raue, Digital Services Act (Commentary), Art. 13.

4. Art. 22(1) AI Act and Art. 54(1) AI Act, Regulation (EU) 2024/1689; Art. 54(6) AI Act (open-source exemption unless systemic risk).

5. Art. 26(1)(b) and Art. 26(3) NIS2, Directive (EU) 2022/2555 (entity categories; representative established in a Member State where the services are offered; deemed jurisdiction).

6. Art. 27(4) GDPR (mandate towards supervisory authorities and data subjects); Art. 30(1) GDPR; Arts. 13(1)(a), 14(1)(a) GDPR.

7. Art. 13(2) DSA (scope of the mandate; necessary powers and sufficient resources).

8. Art. 22(3)–(4) AI Act (task catalogue and termination duty for high-risk systems); Art. 54(3)–(5) AI Act (task catalogue, contact point and termination duty for GPAI models); Art. 49 AI Act (registration).

9. Art. 26(3) NIS2 (jurisdictional consequence of the representative's seat); Art. 23 NIS2 (incident notification); Art. 27 NIS2 (registry of entities).

10. Art. 13(3) DSA; Hofmann/Raue, Art. 13 (on the exceptional character of the representative's own liability).

11. Recital 80 GDPR ("The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor."); on the contested reach of Art. 83 GDPR fines against the representative, see the divergent national practice discussed in the literature.

12. Arts. 32–34 NIS2 (supervision and enforcement, applied through national law); Art. 26(3), final sentence, and Art. 26(4) NIS2.

13. Art. 13(4) DSA; Art. 49 and Art. 71 AI Act (EU database); Art. 27(1)–(2) NIS2 (information to be submitted; deadline of 17 January 2025; ENISA registry).

14. Art. 13(5) DSA ("The designation of a legal representative [...] shall not constitute an establishment in the Union.").

15. Art. 113(a)–(c) AI Act (staged application: 2 February 2025; 2 August 2025 for, inter alia, Chapter V; general application 2 August 2026; Art. 6(1) and corresponding obligations 2 August 2027); Art. 93(2) DSA; Art. 99(2) GDPR; Art. 41 NIS2 (transposition by 17 October 2024, application from 18 October 2024).

Kanzlei Theo Funk — Counsel on EU Representative Obligations

Rechtsanwalt Theo Funk advises international technology companies on the representative obligations under Article 27 GDPR, Article 13 DSA, Articles 22 and 54 of the AI Act and Article 26(3) NIS2: applicability analysis across all four regimes, mandate structuring, and the related notification, registration and transparency requirements. Whether one or more of these duties applies to your company depends on your service type, your processing, any AI system or model category involved, and your entity category under NIS2.

Get in touch → info@kanzlei-theofunk.de

This article is provided for general informational and educational purposes only and does not constitute legal advice. It reflects the legal framework as of 15 July 2026. Companies subject to the GDPR, the DSA, the AI Act or the NIS2 Directive should seek tailored legal advice in relation to their specific circumstances. © 2026 Kanzlei Theo Funk, Bamberg. All rights reserved.