Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

Recent EU digital laws have introduced extraterritorial obligations that require foreign companies to appoint law-specific company representatives in one or more EU member states.

Which new extraterritorial laws require representatives?

Foreign companies that profile or offer services to individuals located in the EU, Iceland, Liechtenstein or Norway are already familiar with Article 27 of the EU General Data Protection Regulation that requires them to appoint a GDPR representative. More recently, organizations outside the EU that are classified as information society and communications services, or host, store and disseminate user-generated content, offer critical infrastructures in the EU, or provide artificial intelligence systems or license general purpose AI models, need to assess whether they are bound by the new EU digital laws.

Depending on the answer, they may need to appoint multiple representatives to meet specific digital laws and deadlines. The deadlines for the GDPR, Addressing Terror Content Online Regulation, Digital Services Act, Data Governance Act, and NIS2 Directive have already passed. Under the AI Act, the deadline to appoint AI authorized representatives is 2 Aug. 2025 for general purpose AI models with systemic risks and 2 Aug. 2026 for high-risk AI systems. Lastly, the EU e-Evidence package includes a directive to designate "at least one legal representative by 18 August 2026."

What is the motivation behind requiring businesses to appoint representatives?

There are two primary reasons behind the legislative trend requiring foreign organizations to appoint company representatives in the EU.

The first, and most plausible explanation, is to overcome the enforcement power gap experienced by regulators against foreign entities without a physical presence in the EU. The general rhetoric leans on enabling regulators to protect the fundamental rights of millions of EU residents, regardless of the provenance of the goods and services consumed locally.

Supporting this explanation is a 2021 study highlighting the frustrations experienced by national regulators about their lack of corrective and enforcement powers over foreign companies. Some regulators said better outcomes resulted when communications began with a company's GDPR representative. This study and the GDPR extraterritorial blueprint appear to have influenced the need to appoint law-specific company representatives in the EU.

The second explanation is less tangible yet just as important. There are concerted efforts at reducing cross-border friction among the 27 member states for a successful EU digital single market and to reduce U.S. tech dominance. A thriving EU technology market can, in part, be achieved where a level playing field calls for EU rules to apply to any organization entering the EU market regardless of country of origin.

What is required of representatives?

Foreign companies will issue written mandates specifying the legal obligations and other tasks to be carried out by their appointed representatives. Mandates have a common baseline consisting of light-touch tasks, while some mandates contain more stringent obligations resulting in high-touch tasks.

For the light-touch baseline, representatives cooperate with competent authorities and provide requested compliance documents. Invariably, a representative's name, contact details, physical address and occasionally an official EU language to receive communications from authorities must be published. Depending on the law, these details are publicly disseminated or kept in nonpublic working databases. The goal is to enable regulators to address a company’s representative "in addition to, or instead of" the foreign company.

In addition to light-touch tasks, representatives may need to perform high-touch tasks like accessing a foreign company's information technology systems for specific situations. These can include a strict one-hour deadline to preserve, suspend, or delete specific content to address terror content online. Or, within six hours of receiving an e-Evidence request, representatives must preserve or disclose criminal evidence stored in a client's electronic communication, information society, or privacy proxy service that the foreign company made available to its users.

Similarly, official decisions concerning the hosting of illegal content within digital service platforms must be actioned promptly under the DSA. Authorities could require the representative to give them access to AI logs under AI Act Article 22.3.c when high-risk AI systems are deployed in the EU.

Granting systems access rights to representatives introduces nontrivial security and operational risks. Mitigation can be built into contractual obligations and guarantees, liability insurance cover, and ensuring that internal system access is limited to competent individuals. This may involve requiring representatives to pass IT security training and to adhere strictly to their clients' corporate policies and procedures.

Furthermore, there are three features introduced by the AI Act worth highlighting.

First, AI representatives will need to verify that their foreign business client's EU declarations of conformity and technical documentation were prepared according to appropriate conformity assessment procedures, including affixing "CE" marks on digital or paper packaging and accompanying materials.

Second, a 10-year record-keeping obligation starting from the date an AI product is placed on the market or is put into service in the EU will be imposed on the AI representative.

Third, a somewhat adversarial relationship could ensue if the AI representative feels their client allegedly breached the AI Act. In that case, the representative must immediately terminate their contract and inform the relevant authorities, such as the market surveillance authority for general-purpose AI, and the AI office for high-risk AI systems.

What does the search for qualified representatives look like?

When identifying factors for selecting qualified representatives, businesses should first determine their primary EU users' location. Generally, a representative will be selected in a member state where the majority of services are targeted or used. However, when users span several EU member states, businesses have some latitude in selecting the location of their appointed representative.

With the exception of the GDPR and e-Evidence directive, all of the laws mentioned provide a one-stop-shop EU-wide regulatory oversight benefit. That is, the location of the controlling regulator will be in the country of the representative’s business establishment or the residence of individuals providing representative services.

This opens up the possibility for forum-shopping, but businesses cannot be reproached for preferring to deal with a single, efficient and business-friendly regulator. It is well-known that tech giants often base their EU operations in Ireland, and alternatively in the Netherlands.

While the Netherlands is highly rated for availability of digital skills and Information and Communications Technology infrastructure, Ireland follows closely behind. It offers English as an official language and its judicial system is based on common law, which is attractive to many foreign companies. Deciding on the country where a representative is located is a crucial consideration.

Successful contenders for this important representative role should also ensure robust security, transparent service level metrics and contractual flexibility, particularly for high-touch tasks requiring access to information systems.

What happens if a company fails to appoint a representative?

A string of poor enforcement results reported in the earlier referenced 2021 study appears to have emboldened EU lawmakers to add extraterritorial obligations with direct consequences for non-compliance, such as high fines and increased accountability. For example, a failure to register a DGA representative with the European Data Innovation Board can significantly delay the service provider’s ability to launch services within the EU.

Another novel compliance incentive to appoint a representative involves removing the one-stop-shop regulatory advantage for companies that fail to appoint one. This could require non-EU companies to answer to multiple regional authorities and open them to scrutiny from ancillary authorities. This is already the case with the GDPR, as it does not offer a one-stop-shop regulatory advantage. The GDPR is intertwined with the e-Privacy Directive, which is often overseen by telecommunications regulators rather than data protection authorities, which means foreign companies may deal with more than 40 separate authorities for privacy violations alone.

Additionally, pan-EU complexity could arise when oversight is shared with the European Commission for the DSA, and other newly minted authorities such as the AI Board and the DGA’s Data Innovation Board.

Aside from dealing with a throng of regulatory bodies, companies must prepare for a rise in collective actions from unhappy consumers. This diverts precious legal department resources and brings unwelcome media attention. Litigation for GDPR breaches has shown that non-profit organizations successfully obtained redress for alleged damages for data subjects. The most notable nonprofit privacy rights organization is NOYB, founded by Max Schrems in Austria. In addition to NOYB and the U.K. counterpart, Privacy International, more specialized collective action organizations are expected to rise to prominence by claiming violations of online platform moderation, algorithmic bias and other EU digital law breaches.

Companies that comply with EU laws do not make splashy headlines. This is good news. Perhaps having an appointed representative will temper the desire to sensationalize confrontations against foreign companies offering services in the EU.

How does liability impact the availability of representatives?

The general expectation is that regulators will be motivated to issue sanctions against businesses that violate European values. Yet, as shown in the 2021 study, enforcement difficulties persist. Contrary to a 2021 U.K. decision that found GDPR Recital 80 does not create representative liability for a client's GDPR breach, the upcoming e-Evidence directive indicates, per Recital 16, that the company and its representative will be jointly and severally liable for non-compliance with legal frameworks.

Assigning direct liability to representatives is expected to have a chilling effect, particularly on e-Evidence representatives.

These extraterritorial EU digital laws may cause representatives to worry about civil, administrative or criminal penalties, or even loss of liberty, when they did nothing wrong. Additionally, they may not find insurance for these new risks or may be priced out of insurance coverage.

It appears EU lawmakers inadvertently created a noncompliance dilemma for foreign companies that are willing but unable to find or afford qualified representatives in the EU. The net effect of these difficulties could prevent foreign companies from entering or remaining in the EU digital marketplace. Finally, consumers may miss out on the promise of a Europe Fit for the Digital Age if foreign digital services that consumers rely on are no longer available in the EU for reasons of unavailability of specialist representatives.

Is it possible to appoint a single representative to cover all of the new laws?

It should be possible for one representative to perform the specific tasks required by diverse EU laws. Moreover, it is reasonable to consider appointing a multipurpose representative where light-touch tasks are required. For example, a GDPR representative is allowed to represent data intermediation service providers and recognized data altruism organizations per DGA Article 14.5.

However, the AI Act demands representatives immediately terminate their contract with clients when noncompliance with AI rules is suspected. Businesses seeking to appoint an all-purpose representative should query if conflict of interest issues could arise if their all-purpose representative continues to provide them with other services. A compromise solution could be to assign high-touch tasks to specialist representatives who have proven IT skills, pass robust vendor due diligence and agree to stronger contractual protection and assurances, while assigning purely light-touch obligations to less specialized ones.

Conclusion

The complexities presented by these new EU digital laws require foreign companies to evaluate their own situation carefully. The question for companies to explore is not whether to engage representatives, but to view them as a gateway to the vibrant EU digital single market.

Karima Saini, CIPP/E, CIPP/US, CIPM, CIPT, FIP, is the director and cofounder of Lionheart Squared.

This article is not intended to provide legal advice.