"We had a 02:14 CET incident on a Sunday. The early warning was filed with BSI before our CEO finished his coffee. That's the product."
If you're a non-EU digital provider offering services to the EU — cloud, DNS, CDN, data centres, managed services, online marketplaces, search, social — NIS 2 Article 26(3) requires a designated representative. We become yours, run your 24 / 72-hour incident reporting, and keep your risk register audit-ready.
Non-EU digital service providers need an Article 26(3) representative regardless of size. In-scope EU entities are classified Essential or Important by sector and headcount — both have duties, but the fines and supervision differ.
NIS 2 scope turns on three variables: sector, size, and whether you're established in the EU. We'll point you at the right classification plus what it costs you in obligations.
Up to €10M or 2% of global annual turnover, whichever is higher — for essential entities breaching risk-management or reporting duties.
Up to €7M or 1.4% of global annual turnover — for important entities. Stacked with remediation orders and mandatory audits.
Art. 20 holds management bodies personally accountable for oversight of cybersecurity risk. Training is mandatory and auditable.
All member states transposed or in advanced draft as of 2025. National CAs are now issuing first-wave registration and reporting requests.
A named EU entity as your Art. 26(3) representative on record with the national competent authority in your chosen member state.
24-hour early warning, 72-hour incident notification, 30-day final report — drafted in-language, filed with the correct CSIRT and CA.
Art. 21 ten-measure framework — policies, controls, and evidence mapping — templated, adapted, and maintained to audit standard.
Annual Art. 20 board-level cybersecurity training delivered by EU-certified counsel, with attendance records for the regulator.
Art. 21(2)(d) vendor assessment — structured register of ICT suppliers with risk scores, SLAs, and sub-processor change monitoring.
Initial registration, yearly self-assessments, and responses to national CA information requests — handled end-to-end.
NIS 2 mandates three staggered reports per significant incident. Miss a window — even a weekend one — and you're personally accountable. We run the clocks and draft every filing so your team focuses on response, not paperwork.
24-hour early warning: notify the CSIRT or CA without undue delay — even before you know the cause. We draft and file on your behalf.
72-hour incident notification: detailed report covering severity assessment, IOCs, affected assets, and cross-border implications. We prepare the package for sign-off.
30-day final report: root cause analysis, mitigations applied, residual risk. Formal closure with the CA — archived for future audits.
Every incident lands in a single intake. We start the statutory clocks, draft the three filings from a template tuned to your sector and member state, and keep you ahead of the notification windows — no weekend scramble, no missed deadlines, no surprised directors.
60-minute call. We confirm sector (Annex I / II), entity classification (essential / important / digital provider), and pick your lead member state.
We file your Art. 26(3) appointment with the national CA, register your service, and provide the public point-of-contact for regulators.
Art. 21 risk-management policies adapted to your stack, Art. 20 board training scheduled, supply-chain register imported from your vendor list.
24 / 72 / 30-day incident workflow live — your SecOps routes events to us, we route filings to the CA. Annual self-assessments on the calendar.
// Registration with national CA (e.g. BSI in DE)
Entity
    Acme Inc. (non-EU)
    Designated rep: World Presence j.d.o.o. (HR)
Classification
    Sector: Digital infrastructure
    Sub-sector: Cloud computing services
    Category: Important entity (non-EU)
    Basis: NIS 2 Art. 3 + Annex II
Reporting endpoints
    CSIRT alerts: alerts@eupresence.com
    CA channel: ca-nis2@eupresence.com
    Escalation: +49 (0) 30 ...
From cloud platforms and DNS providers to marketplaces and managed-IT operators — Article 26 appointed, incident workflow live, board trained.
"Our board went from reading NIS 2 explainers to passing an external audit in one cycle. The training program is worth the whole engagement."
"Supply-chain assessment was the unblocker we needed. Our top 40 vendors were reviewed and risk-scored in three weeks."
"We're registered in Ireland and report through a Croatian rep. One team handles both CAs — the cross-border plumbing was invisible to us."
For non-EU cloud, DNS, CDN, or online-platform providers that need a designated representative and an incident-filing channel.
Full NIS 2 program for important entities — risk framework, supply-chain register, board training — plus the Digital Provider baseline.
For essential entities: energy, transport, banking, health, digital infrastructure at scale. Custom engagement with dedicated counsel.
The standard stack for non-EU cloud, CDN, DNS, and platform operators serving the EU. NIS 2, GDPR, and a hosted trust hub — one onboarding, one invoice, one team.
Art. 26(3) rep, 24/72/30-day incident reporting, risk framework.
Article 27 coverage, 27 member states, named EU entity on record.
Hosted trust hub, DSR inbox, policies, certifications.
For in-scope services offered from outside the EU, Article 26(3) requires a designated representative in a member state where you offer services — similar to GDPR Art. 27. For EU-established entities, you don't need a rep, but you still need CA registration and the full reporting regime.
Digital infrastructure providers (cloud, DNS, CDN, data centres, managed IT, online marketplaces, search, social) are in scope regardless of size. For other sectors, NIS 2 applies at the medium-entity threshold (50+ staff or €10M+ turnover). Below that, you're usually exempt — but expect pressure from EU customers anyway.
Essential entities (Annex I sectors at scale) are subject to ex ante supervision — proactive audits, registration checks, higher fines (€10M / 2%). Important entities (Annex II or Annex I at mid-size) are ex post — regulators act when something goes wrong, capped at €7M / 1.4%. Same duties, different enforcement posture.
Any incident that causes or is capable of causing severe operational disruption, financial loss, or material damage to affected parties. Availability outages affecting cross-border users almost always qualify. We classify on intake — if there's doubt, we file the 24-hour warning anyway.
For non-EU digital providers, Art. 26 defaults to the member state with the largest EU user base — though we often recommend DE or IE for the English-friendly CAs (BSI and NCSC-IE) with mature NIS 2 practice. We advise on the discovery call.
Legally they're different designations (Art. 27 GDPR vs Art. 26 NIS 2). Operationally, we run both under one engagement with unified correspondence routing and a single point-of-contact for both DPA and CA / CSIRT inquiries.
60-minute discovery call. Representative appointed. Incident workflow live. Board trained. All three clocks armed and ready — before your first significant event.