"We had a 02:14 CET incident on a Sunday. The early warning was filed with BSI before our CEO finished his coffee. That's the product."
Your NIS 2 representative, on the hook with every CSIRT.
If you're a non-EU digital provider offering services to the EU — cloud, DNS, CDN, data centres, managed services, online marketplaces, search, social — NIS 2 Article 26(3) requires a designated representative. We become yours, run your 24 / 72-hour incident reporting, and keep your risk register audit-ready.
NIS 2 classifies by sector and size. Let's find your bucket.
Non-EU digital service providers need an Article 26(3) representative regardless of size. In-scope EU entities are classified Essential or Important by sector and headcount — both have duties, but the fines and supervision differ.
Tap what's true — we'll classify you.
NIS 2 scope turns on three variables: sector, size, and whether you're established in the EU. We'll point you at the right classification plus what it costs you in obligations.
Fines escalate fast. So does personal director liability.
€10M or 2% of global annual turnover, whichever is higher — for essential entities breaching risk-management or reporting duties.
€7M or 1.4% of global annual turnover — for important entities. Stacked with remediation orders and mandatory audits.
Art. 20 holds management bodies personally accountable for oversight of cybersecurity risk. Training is mandatory and auditable.
All member states transposed or in advanced draft as of 2025. National CAs are now issuing first-wave registration and reporting requests.
1. NIS 2 Art. 34(4)–(5) — administrative-fine ceilings for essential vs important entities.
2. NIS 2 Art. 20 — management-body approval and oversight of cybersecurity risk-management measures.
3. European Commission NIS 2 transposition tracker, 2024–2025; national publication status per member state.
Every NIS 2 duty, in one engagement.
Designated representative
A named EU entity as your Art. 26(3) representative on record with the national competent authority in your chosen member state.
Incident reporting
24-hour early warning, 72-hour incident notification, 30-day final report — drafted in-language, filed with the correct CSIRT and CA.
Risk management framework
Art. 21 ten-measure framework — policies, controls, and evidence mapping — templated, adapted, and maintained to audit standard.
Management body training
Annual Art. 20 board-level cybersecurity training delivered by EU-certified counsel, with attendance records for the regulator.
Supply-chain register
Art. 21(2)(d) vendor assessment — structured register of ICT suppliers with risk scores, SLAs, and sub-processor change monitoring.
CA registration & filings
Initial registration, yearly self-assessments, and responses to national CA information requests — handled end-to-end.
Three clocks. One workflow.
NIS 2 mandates three staggered reports per significant incident. Miss a window — even a weekend one — and you're personally accountable. We run the clocks and draft every filing so your team focuses on response, not paperwork.
Article 23 reporting windows
Significant incident · clock started
Notify the CSIRT or CA without undue delay — even before you know the cause. We draft and file on your behalf.
Detailed report: severity assessment, IOCs, affected assets, cross-border implications. We prepare the package for sign-off.
Root cause analysis, mitigations applied, residual risk. Formal closure with the CA — archived for future audits.
Incident intake · Art. 23 NIS 2
Every incident lands in a single intake. We start the statutory clocks, draft the three filings from a template tuned to your sector and member state, and keep you ahead of the notification windows — no weekend scramble, no missed deadlines, no surprised directors.
- ✓ 24 / 72 / 30-day clocks auto-started
- ✓ Cross-border CA routing (BSI, ANSSI, NCSC-NL, etc.)
- ✓ In-language filings in 24 EU languages
- ✓ Director-ready briefing one-pager per incident
- ✓ Full archive for audit & future disclosures
Registered and reporting-ready in 14 days.
- Scope & sector mapping
60-minute call. We confirm sector (Annex I / II), entity classification (essential / important / digital provider), and pick your lead member state.
- Representative appointed
We file your Art. 26(3) appointment with the national CA, register your service, and provide the public point-of-contact for regulators.
- Framework deployed
Art. 21 risk-management policies adapted to your stack, Art. 20 board training scheduled, supply-chain register imported from your vendor list.
- Reporting on standby
24 / 72 / 30-day incident workflow live — your SecOps routes events to us, we route filings to the CA. Annual self-assessments on the calendar.
// Registration with national CA (e.g. BSI in DE)
Entity
  Acme Inc. (non-EU)
  Designated rep: World Presence j.d.o.o. (HR)
Classification
  Sector: Digital infrastructure
  Sub-sector: Cloud computing services
  Category: Important entity (non-EU)
  Basis: NIS 2 Art. 3 + Annex II
Reporting endpoints
  CSIRT alerts: alerts@eupresence.com
  CA channel: ca-nis2@eupresence.com
  Escalation: +49 (0) 30 ...
Cyber-accountable teams, audit-ready.
From cloud platforms and DNS providers to marketplaces and managed-IT operators — Article 26 appointed, incident workflow live, board trained.
"Our board went from reading NIS 2 explainers to passing an external audit in one cycle. The training program is worth the whole engagement."
"Supply-chain assessment was the unblocker we needed. Our top 40 vendors were reviewed and risk-scored in three weeks."
"We're registered in Ireland and report through a Croatian rep. One team handles both CAs — the cross-border plumbing was invisible to us."
Priced by NIS 2 tier, not by headcount.
For non-EU cloud, DNS, CDN, or online-platform providers that need a designated representative and an incident-filing channel.
- Art. 26(3) designated representative
- 24 / 72 / 30-day incident reporting
- Initial CA registration
- Annual self-assessment filing
- Up to 25 CA inquiries / yr
Full NIS 2 program for important entities — risk framework, supply-chain register, board training — plus the Digital Provider baseline.
- Art. 21 risk-management framework
- Art. 20 management body training (annual)
- Art. 21(2)(d) supply-chain register
- Incident playbooks, sector-tuned
- Cross-border CA routing (all 27)
- Unlimited CA inquiries
For essential entities: energy, transport, banking, health, digital infrastructure at scale. Custom engagement with dedicated counsel.
- Dedicated cybersecurity counsel
- On-site incident response drills
- ENISA coordination & audit prep
- Sector-specific compliance program
- 24/7 incident hotline · 1-hour SLA
- Custom MSA & DPA
Teams who take NIS 2 Rep also take.
Three products. One engagement. 15% off.
The standard stack for non-EU cloud, CDN, DNS, and platform operators serving the EU. NIS 2, GDPR, and a hosted trust hub — one onboarding, one invoice, one team.
NIS 2 Representative
Art. 26(3) rep, 24/72/30-day incident reporting, risk framework.
GDPR Representative
Article 27 coverage, 27 member states, named EU entity on record.
Privacy Center
Hosted trust hub, DSR inbox, policies, certifications.
Security & legal leaders ask us these.
Does NIS 2 actually require a representative?
For in-scope services offered from outside the EU, Article 26(3) requires a designated representative in a member state where you offer services — similar to GDPR Art. 27. For EU-established entities, you don't need a rep, but you still need CA registration and the full reporting regime.
We're a small SaaS. Are we in scope?
Digital infrastructure providers (cloud, DNS, CDN, data centres, managed IT, online marketplaces, search, social) are in scope regardless of size. For other sectors, NIS 2 applies at the medium-entity threshold (50+ staff or €10M+ turnover). Below that, you're usually exempt — but expect pressure from EU customers anyway.
Essential vs important — what's the real difference?
Essential entities (Annex I sectors at scale) are subject to ex ante supervision — proactive audits, registration checks, higher fines (€10M / 2%). Important entities (Annex II or Annex I at mid-size) are ex post — regulators act when something goes wrong, capped at €7M / 1.4%. Same duties, different enforcement posture.
What counts as a "significant incident"?
Any incident that causes or is capable of causing severe operational disruption, financial loss, or material damage to affected parties. Availability outages affecting cross-border users almost always qualify. We classify on intake — if there's doubt, we file the 24-hour warning anyway.
Which member state do we register in?
For non-EU digital providers, Art. 26 defaults to the member state with the largest EU user base — though we often recommend DE or IE for the English-friendly CAs (BSI and NCSC-IE) with mature NIS 2 practice. We advise on the discovery call.
Do we need a separate representative from our GDPR one?
Legally they're different designations (Art. 27 GDPR vs Art. 26 NIS 2). Operationally, we run both under one engagement with unified correspondence routing and a single point-of-contact for both DPA and CA / CSIRT inquiries.
NIS 2-ready in two weeks.
60-minute discovery call. Representative appointed. Incident workflow live. Board trained. All three clocks armed and ready — before your first significant event.