Who should read this: International Legal Teams, Compliance Directors, Multinational Enterprise Officers, Digital Service Providers.
The question “Which regulator will supervise my compliance?” is one of the most practically important questions an international organisation can ask about NIS2. The Directive applies across all 27 EU Member States, but a given entity is not supervised by all 27 at once. Article 26 establishes jurisdiction rules that determine which Member State, or in some cases which Member States, has authority over your compliance. These rules matter because they determine which competent authority you report to, which national transposition applies, and which administrative fines regime governs you if things go wrong.
For multinational organisations with operations in multiple Member States, the rules are more complex than they might initially appear. A technology company providing services across Europe may fall under the jurisdiction of one Member State whilst having operations in many others. A manufacturing company with headquarters in one country, production facilities in three others, and customers in all 27 Member States must determine where its regulatory home actually is. Getting this question wrong can mean reporting incidents to the wrong authority, implementing compliance measures that do not actually satisfy your jurisdictional regulator, or discovering during a regulatory inspection that you have been non-compliant all along.
The Basic Rule: Establishment
The foundational principle in Article 26(1) is straightforward: entities fall under the jurisdiction of the Member State in which they are established. For a large proportion of organisations, this is the end of the analysis. If your company is incorporated in the Netherlands, has its registered office in Amsterdam, and operates from Amsterdam, you fall under Dutch jurisdiction. If your manufacturing facility is in Germany and that is where your primary operations occur, Germany is your jurisdictional home.
“Establishment” under NIS2 carries a specific meaning that draws on EU law conventions. An entity is established in a Member State when it has a real and effective economic presence there through stable arrangements. This is not merely formal incorporation or a nominal office; it requires actual operations. A company that is incorporated in Belgium but conducts all its operations from an office in France, with its management decisions made in France and its employees located in France, is established in France for these purposes, whatever its incorporation jurisdiction. The legal form of those arrangements (subsidiary, branch, registered office) is not the decisive factor; the effective and real exercise of activity is.
The reasonableness of this approach becomes apparent when you consider the purpose. The Directive is designed to ensure that essential and important entities within each Member State’s territory are subject to that Member State’s cybersecurity governance. If an entity could escape regulation by being incorporated in a jurisdiction where it does no business, the Directive’s objectives would be undermined. Establishment looks to actual economic activity.
For most organisations, determining your establishment jurisdiction is therefore a practical question: where do you actually conduct your core business activities? If you are a manufacturing company, where are your main production facilities? If you are a software company, where is your development team and where are your management decisions made? If you are a service provider, where are the people and infrastructure through which you deliver your services?
The Critical Exceptions
However, Article 26(1) immediately carves out three exceptions for specific categories of entities. The first two exist because certain service providers operate in fundamentally different ways that make the “establishment” rule inadequate. The third, in Article 26(1)(c), is simpler: public administration entities fall under the jurisdiction of the Member State which established them.
Providers of public electronic communications networks and providers of publicly available electronic communications services fall under the jurisdiction of the Member State in which they provide their services, not where they are established. This exception recognises that telecommunications services are inherently multi-national and that applying the basic establishment rule to telecommunications providers would create perverse outcomes. A pan-European mobile network operator provides services simultaneously across all Member States; it would be impractical to require it to comply with the jurisdiction of a single Member State. Instead, Article 26(1)(a) requires that it comply with the jurisdiction of each Member State where it provides services. This means multi-national telecommunications providers must navigate multiple regulatory relationships.
The second exception, in Article 26(1)(b), covers a large and economically significant category: DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, and providers of online marketplaces, online search engines, and social networking services platforms. For these entities, jurisdiction is determined not by where they are established, but by where their “main establishment in the Union” is located.
This distinction (between simple “establishment” and “main establishment in the Union”) requires careful unpacking. For these digital and infrastructure service providers, the main establishment is determined by a hierarchy of rules set out in Article 26(2).
Determining Main Establishment
Article 26(2) provides three sequential tests for determining where an entity’s main establishment is located.
The first test is the decision-making centre: in which Member State are the decisions related to cybersecurity risk-management measures predominantly taken? If a cloud computing provider has its global headquarters in Seattle but a European security organisation in Frankfurt that genuinely takes those decisions for the business, the main establishment would be in Germany. The test looks at where the decisions are actually made, not where they are implemented: if the Frankfurt team only executes policies decided in Seattle, the decisions are not taken in the Union and the first test does not yield a Member State. This test recognises that cybersecurity governance is the relevant function for NIS2 purposes.
The second test applies if the first cannot identify a single Member State, either because the decisions are taken outside the Union or because they cannot be attributed predominantly to one Member State: where are your cybersecurity operations carried out? This might be a security operations centre (SOC) where your 24/7 incident monitoring and response happens. If a cloud provider’s SOC is in Ireland but its cybersecurity decision-making is taken in Seattle, the main establishment would be in Ireland.
The third test applies if cybersecurity operations are also not localisable within the Union or are distributed: which Member State has the establishment with the highest number of employees? This is a fallback test that provides clarity when the first two tests do not yield a clear answer. It shifts the analysis from cybersecurity-specific functions to broader workforce presence.
For multinational digital service providers, these tests can produce outcomes that differ substantially from where the company is incorporated or where its global headquarters is located. A cloud provider might have global headquarters in London, outside the Union, but if its cybersecurity risk-management decisions are predominantly taken in Brussels and its SOC is in Dublin, its main establishment under NIS2 would be Belgium, because the decision-making test comes first; Ireland would only be reached if no single Member State could be identified under that first test. This matters because it determines which Member State’s competent authority supervises NIS2 compliance.
The Non-Established Provider Rule
Article 26(3) addresses a critical scenario: what if you are one of the Article 26(1)(b) providers, offer services within the EU, but are not established in any Member State? A US-based cloud provider or a Chinese CDN operator offering services to European customers might not have any establishment in the EU. NIS2 does not allow such providers to escape regulation.
Article 26(3) requires that an Article 26(1)(b) entity which is not established in the Union but offers services within it must designate a representative in the Union. That representative must be established in one of the Member States where the services are offered. Once you have designated a representative, you fall under the jurisdiction of the Member State where your representative is established.
This is a significant provision because it extends NIS2 jurisdiction to companies that are not EU-based. The trigger is offering services within the Union at all; it does not depend on whether the customers are themselves essential or important entities. A US cloud provider offering infrastructure services to European customers must therefore either establish itself in the EU, in which case the main establishment rules apply, or designate an EU-based representative.
In practice, designating a representative can mean several things. It might mean establishing a subsidiary in an EU Member State and designating that subsidiary as your representative. It might mean appointing a service provider in one Member State to act as your representative for NIS2 purposes. The key is that you need an identifiable, reachable legal entity established within the Union that can receive regulatory communications on your behalf. Note that Article 26(4) makes the designation without prejudice to legal action against the entity itself: the representative is a point of contact and jurisdictional anchor, not a shield for the provider.
If you fail to designate a representative, Article 26(3) provides a fallback: any Member State where you provide services may take legal action against you for infringements of the Directive. This creates potentially problematic scenarios where multiple Member States might assert jurisdiction over a non-represented provider, leading to parallel proceedings and conflicting compliance requirements. Designating a single representative before you reach that point is vastly preferable.
Member State Enforcement Rights
Article 26(5) preserves Member States’ enforcement authority beyond the basic jurisdiction rules, but only in a specific situation. If a Member State receives a request for mutual assistance concerning an entity as referred to in Article 26(1)(b), namely the digital and infrastructure service providers, that Member State may, within the limits of that request, take appropriate supervisory and enforcement measures in relation to the entity where it provides services or has network and information systems on that Member State’s territory. This means that even if your main establishment is in Germany, the French authorities could take supervisory or enforcement action against you in respect of your French operations once a mutual assistance request concerning you has reached them.
This provision prevents entities from treating a single jurisdictional relationship as licence to ignore compliance in other Member States. Your primary regulator is the Member State where your main establishment is located, and it leads supervision; but where it asks another Member State for assistance, that Member State can act directly in relation to the systems and services on its territory.
Practical Implications for Compliance
Understanding your jurisdiction under Article 26 has several practical consequences. First, you must identify which Member State or Member States regulate you. For most organisations, this is straightforward. For multinational or international service providers, this requires careful analysis, often with legal advice.
Second, you must engage with the competent authority in your jurisdictional Member State. This authority is your primary regulatory relationship. You notify significant incidents to the CSIRT or, where applicable, the competent authority of that Member State. You respond to information requests from that Member State’s competent authority. You engage with that Member State’s regulator about your compliance programme.
Third, you should document your jurisdictional analysis. If you are a digital service provider determining your main establishment, record the facts that support your conclusion. If you are designating a representative, ensure that designation is formal and clearly documented. This documentation protects you if your regulator later questions whether you are subject to its jurisdiction.
Fourth, for multinational organisations, consider how jurisdictional questions affect your compliance structure. If you have operations in multiple Member States and are regulated by the Member State where your main establishment is located, you still need to implement measures that are appropriate to all your operations. A data centre operator might be regulated by the Netherlands, but if it operates data centres in Poland, Germany, and Spain, its cybersecurity measures must be appropriate to operations across all four countries.
Key Takeaways
- The basic rule: entities fall under the jurisdiction of the Member State in which they are established and conduct their core business activities. Establishment requires a real and effective economic presence, not merely formal incorporation.
- Critical exception: certain digital and infrastructure service providers (cloud providers, data centre providers, CDN providers, managed service and managed security service providers, DNS operators, domain registries and registrars, online marketplaces, search engines and social networking platforms) fall under the jurisdiction of the Member State where their “main establishment in the Union” is located, determined by the location of cybersecurity decision-making, then cybersecurity operations, then the establishment with the most employees in the Union. Telecommunications providers fall under the jurisdiction of every Member State where they provide services; public administration entities fall under the Member State that established them.
- Non-established providers in that category must designate a representative in the Union. Failure to designate a representative exposes you to legal action by any Member State where you provide services.
- Your Member State of jurisdiction determines which competent authority supervises your compliance and which CSIRT (or competent authority) receives your incident notifications. Identify this relationship early and document it clearly.
- Even if regulated by one Member State, other Member States may, on a mutual assistance request from your lead authority, take supervisory and enforcement measures in relation to the services and systems on their territory. Your compliance programme should address operations across all Member States where you conduct business.