Door three

Representation Advisory

A company that sells into Europe without an establishment there can be required to appoint a local representative four separate times: once under the GDPR, once under the Digital Services Act, once under the EU AI Act, and once under NIS2. Each is a distinct legal duty. Privello scopes which duties you actually trigger, puts the right appointments in place with established European providers, and keeps the records behind all four reconciled in one file.

Do you need this

You likely need a representative if

  • You have no office, branch, or subsidiary in the EU or EEA, but you sell to, market to, or monitor people there.
  • You process EU personal data on more than an occasional basis and no Article 27 exemption applies.
  • You run an online platform, intermediary, or marketplace reaching EU users (DSA), place an AI system on the EU market (AI Act), or provide an in-scope essential or important service (NIS2).
  • An enterprise buyer or app store has asked for the name and address of your EU representative before onboarding.

What it covers

Four duties, one scoping

Each regime creates its own representative or point-of-contact duty. Handled ad hoc, that is four scoping exercises, four contracts, and four sets of records. Privello scopes and coordinates them as one.

GDPR · Article 27

Data-protection representative

The mandated EU presence for a non-EU controller or processor that offers goods or services to, or monitors, people in the EU. Addressable by supervisory authorities and data subjects on all questions relating to processing, and named in your privacy notice.

DSA · Article 13

Digital Services Act representative

Providers of intermediary services with no EU establishment must designate a legal representative in a member state where they operate, addressable by the authorities and the Commission on DSA compliance.

EU AI Act · Regulation (EU) 2024/1689

AI Act authorised representative

A provider of a high-risk AI system established outside the EU must, by written mandate, appoint an authorised representative in the Union to hold the technical documentation and interface with authorities as the Act phases in.

NIS2 · Directive (EU) 2022/2555

NIS2 representative

Certain entities providing services in the EU without being established there — such as DNS, cloud, and digital-platform providers — must designate a representative in a member state where they offer the service, for cybersecurity supervision.

Article and regulation references describe the instruments Privello works with. They are provided for orientation, not as legal advice.

Why one advisor

Four duties, one file, one advisor

The four duties overlap in practice. They point regulators to the same company, they rely on the same underlying records, and they are triggered by the same fact: no establishment in the EU. Handled separately, that means four scoping exercises, four provider contracts negotiated blind, and four sets of records that never reconcile.

A statutory representative must be established in the EU or EEA — Privello, a U.S. consultancy, does not act as one. What Privello does is scope all four duties in a single analysis, select and appoint established European representatives on your behalf, negotiate the mandates, and keep one reconciled register behind everything. Each appointment is made on its own legal footing, but you manage one advisory relationship instead of four vendor relationships.

Discuss your duties
  • One scoping across GDPR, DSA, AI Act, and NIS2 — which duties you trigger and which you don't.
  • One advisor selecting, appointing, and managing the European representatives on your behalf.
  • One register of the records each regime expects, kept current and reconciled.
  • Norway included. As an EEA state, Norway carries the GDPR representative duty too — a market most representation advisors do not cover.

Common questions

Questions about European representation

When does a company need a GDPR Article 27 representative?

When it has no establishment in the EU but processes EU personal data because it offers goods or services to, or monitors, people in the EU. Article 27 requires such controllers and processors to designate a representative in writing in one of the member states where the data subjects are, with narrow exceptions for occasional, low-risk processing.

Does Privello act as our representative itself?

No. A statutory representative under the GDPR, the DSA, the AI Act, or NIS2 must be established in the EU or EEA, and Privello LLC is a U.S. consultancy. Privello determines which duties you trigger, selects and appoints an established European representative on your behalf, and manages the appointments and their records as part of your compliance file — one relationship for you instead of four.

Is one appointment enough for all four regimes?

No — the GDPR, the Digital Services Act, the EU AI Act, and NIS2 each impose their own representative or point-of-contact duty, and they are legally distinct. Privello scopes all four in one pass and coordinates the appointments so each is made on its own legal footing, without four providers producing four contradictory sets of records.

What does a representative actually do?

It is the addressable European presence a regulator or a data subject can contact, and it maintains the records the relevant regime expects. Under the GDPR, the representative is mandated in addition to the controller and can be addressed by supervisory authorities and individuals on all compliance questions.

What is the difference between a DPO and an Article 27 representative?

They answer different questions. A data protection officer (Articles 37–39) is an internal oversight role that monitors compliance and advises the business; a representative (Article 27) is the external, addressable EU presence of a company established outside the EU. Some companies need both, some need one, some need neither — establishing which is part of the scoping.

Does any of this make Privello our lawyer?

No. Representation advisory is a consulting function, not legal representation, and it does not create an attorney–client relationship. Where a matter needs formal legal advice, Privello coordinates qualified counsel in the relevant member state.

Scope. Privello LLC is a data-regulation consultancy and is not a law firm. Privello does not itself act as a statutory representative — a representative under the GDPR, the DSA, the AI Act, or NIS2 must be established in the EU or EEA. Privello's role is advisory: scoping the duties, arranging the appointments with established European providers, and maintaining the records behind them. This is a consulting function, not legal representation, and it does not create an attorney–client relationship. Patrick Smith is a U.S.-licensed attorney (State of Texas); his bar admission is stated as a credential only. Where a matter requires formal legal advice under the law of a member state, Norway, or Switzerland, Privello coordinates qualified local counsel.

Begin

Find out which duties you trigger

Tell us where you sell, what you operate, and which duties have been raised with you. We will confirm which appointments you actually need — and which you don't — and put the right ones in place.