NIS 2 when your headquarters are outside the EU
NIS 2 follows the service, not the letterhead. If you sell into the EU in one of the covered sectors, Article 26 of the directive decides which member state supervises you and whether you need a designated representative inside the Union.
The short version
Many founders assume that a US, UK or Swiss parent company puts them outside NIS 2. That is not how the directive works. Article 26 NIS 2 ties jurisdiction to where the service is offered and where the cybersecurity decisions are taken, not to where the company is incorporated.
If you are a normal sector entity (energy, water, transport, manufacturing, food, health, waste, public administration and so on), supervision follows the establishments you actually operate in the Union. If you have a German subsidiary, the BSI supervises that subsidiary. If you have offices in three member states, each one is supervised locally.
If you sit in one of the digital sectors listed in Article 26(3) (DNS, TLD registries, cloud providers, data centre providers, content delivery networks, managed service providers, managed security service providers, online marketplaces, online search engines, social networking services), the rules are stricter. One main establishment supervises you for the whole Union, and if your headquarters are outside the EU you must designate a representative inside the Union under Article 26(4).
Article 26(2) NIS 2 Directive (2022/2555)
For the purposes of this Directive, an essential or important entity shall be deemed to have its main establishment in the Union in the Member State where the decisions related to the cybersecurity risk-management measures are predominantly taken. If such Member State cannot be determined, the main establishment shall be deemed to be in the Member State where cybersecurity operations are carried out. If such Member State cannot be determined, the main establishment shall be deemed to be in the Member State where the entity concerned has the establishment with the highest number of employees in the Union.
This is the cascade that decides who supervises you when more than one member state could plausibly claim jurisdiction. It applies to entities in the digital sectors named in Article 26(3). Cybersecurity decisions come first, cybersecurity operations second, employee headcount third.
Article 26(4) NIS 2 Directive (2022/2555)
Where an entity referred to in paragraph 1, point (b), is not established in the Union but offers services within the Union, it shall designate a representative in the Union. The representative shall be established in one of those Member States where the services are offered. Such an entity shall be deemed to be under the jurisdiction of the Member State where the representative is established. In the absence of a representative within the Union designated under this Article, any Member State in which the entity provides services may take legal actions against the entity for the infringement of this Directive.
This is a duty for non-EU entities in the digital sectors of Article 26(3). The representative becomes the contact point and anchors jurisdiction. Article 27 then adds the registration duty: the representative submits the entity's registration to the ENISA-operated registry on the entity's behalf.
§28 BSIG (Germany)
Essential and important entities are subject to supervision by the Federal Office insofar as the jurisdiction of the Federal Republic of Germany follows from Article 26 of Directive (EU) 2022/2555.
The BSIG mirrors the directive: BSI supervises you in Germany if Article 26 NIS 2 places jurisdiction there. There is no separate national jurisdiction test. The directive cascade is the test.
General rule: jurisdiction follows establishment
Outside the digital sectors, you are supervised in each member state where you have a legal establishment. A US group with a German GmbH and an Austrian GmbH is supervised by the BSI for the German entity and by the Austrian authority for the Austrian entity. Article 26(2) only resolves the tie-break between member states for the digital sectors covered by Article 26(3).
Special rule for digital sectors
DNS service providers, TLD registries, cloud computing services, data centre services, content delivery networks, managed service providers, managed security service providers, online marketplaces, online search engines and social networking platforms have one main establishment in the Union. That single member state supervises you across the whole EU. The cascade in Article 26(2) decides which member state that is.
Representative duty for non-EU providers
If you sit in one of the Article 26(3) digital sectors and you are not established in the Union, you must designate a representative inside the Union. The representative has to be in a member state where you actually offer the service. Jurisdiction then follows the representative. Without one, any member state where you serve customers can take legal action under the directive.
One supervisor, not five
For the digital sectors in Article 26(3), the main-establishment rule means one supervisor for the whole Union. That avoids the situation where a cloud provider with customers in every member state is audited twenty-seven times for the same controls. The cascade in Article 26(2) picks the supervisor in a predictable order: cybersecurity decisions first, cybersecurity operations second, EU-employee headcount third.
No escape route through a foreign headquarters
Article 26(4) closes the loop. A non-EU provider in the covered digital sectors cannot offer services into the Union without a designated representative inside it. Without one, any member state where the service is sold can bring legal action. Incorporating in the US, the UK or Switzerland does not move you out of scope if the service touches the Union.
BSI / §28 and §33 BSIG
The BSI is the supervisory authority for entities whose main establishment or German subsidiary places them under German jurisdiction. Registration goes through the BSI's national portal, which feeds the ENISA registry under Article 27. For digital-sector entities with their main establishment in Germany, the BSI is the single point of contact for the whole Union.
ENISA registry under Article 27
ENISA operates the central registry for the digital sectors named in Article 27(2): DNS providers, TLD registries, cloud, data centres, content delivery networks, managed service providers, managed security service providers, online marketplaces, online search engines, social networking services. Member states feed entity data into it. The registry is what makes cross-border supervision practical.
National transposition laws
Every member state has a transposition law (Netherlands: Cyberbeveiligingswet, Austria: NISG, Belgium: NIS2-Wet) and a national competent authority. The Article 26 cascade is identical across the Union because it sits in the directive. What differs is the portal, the language and the local supervisor you actually talk to.
We are a US company, so NIS 2 does not apply to us.
NIS 2 follows the service into the Union, not the letterhead. If you are in one of the digital sectors named in Article 26(3) and you offer the service to customers in the EU, Article 26(4) requires you to designate a representative in the Union. If you operate through an EU subsidiary in any other covered sector, the subsidiary itself is in scope. The parent's incorporation is not the test.
We have offices in six member states, so we register six times.
For the digital sectors in Article 26(3), you have one main establishment and one supervisor across the whole Union. The Article 26(2) cascade picks it: where cybersecurity decisions are taken first, where cybersecurity operations sit second, the EU establishment with the most employees third. Outside those digital sectors, you do register per member state where you are established, but inside them you do not.
We are based in Switzerland, so we are out of NIS 2 because Switzerland is not in the EU.
Switzerland is not an EU member state, but the directive still reaches Swiss companies that sell into the Union in a covered sector. A Swiss MSP serving German customers either operates through an EU subsidiary that becomes the regulated entity, or, for the Article 26(3) digital sectors, must designate a representative in the EU under Article 26(4). The same logic applies to UK, US and other third-country providers.
The clean pattern: figure out whether your sector is on the Article 26(3) list before you do anything else. If it is, your job is to pick one main establishment, document the Article 26(2) cascade in writing (decisions, operations, headcount), and either register through that member state's portal or designate a representative if you are non-EU. If it is not, you map your EU establishments and register each one with its national authority.
The messy pattern we see most often is parent companies trying to keep all cybersecurity decision-making at headquarters outside the Union while claiming the EU subsidiary is autonomous. The Article 26(2) cascade does not care about org charts. It looks at where the decisions are actually taken. If the answer is 'at headquarters in Boston', the EU subsidiary is still in scope through its own establishment, and the digital-sector entities still need the Article 26(4) representative. The cleanest path is to decide where in the Union the decisions sit, document it, and stop running parallel control structures.
We capture the Article 26 cascade as part of the applicability and registration workflow. The platform asks the questions in the directive's own order: which sector, which member states with establishments, where cybersecurity decisions are taken, where cybersecurity operations sit, EU headcount. The output is a documented main establishment with the reasoning written down once, not re-derived in every audit.
For non-EU groups in the Article 26(3) sectors, the platform tracks the designated representative as a separate entity with its own contact data and country of establishment. Article 27 registration data flows out of the same record, so the national portal submission and the ENISA registry feed from the same source rather than from a parallel spreadsheet.
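The Article 26 decision procedure described above, encoded as an added example (an illustration written for this page, not the platform's code or the directive's text). The sector keys, the Entity fields and the assumption that a decision seat outside the entity's own EU establishments falls through to the next cascade step are mine.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Digital sectors listed in Article 26(3) NIS 2: one main establishment for the whole Union.
# Keys are hypothetical labels chosen for this example.
ART_26_3_SECTORS = {
    "dns", "tld_registry", "cloud", "data_centre", "cdn", "msp", "mssp",
    "online_marketplace", "search_engine", "social_network",
}

@dataclass
class Entity:
    sector: str
    eu_establishments: dict[str, int] = field(default_factory=dict)  # member state -> EU headcount there
    offers_services_in: set[str] = field(default_factory=set)       # member states where the service is sold
    decisions_in: str | None = None       # where cyber risk-management decisions are predominantly taken
    operations_in: str | None = None      # where cybersecurity operations are carried out
    representative_in: str | None = None  # Art. 26(4) representative, if one is designated

def jurisdiction(e: Entity) -> dict:
    """Apply Article 26 NIS 2 and return the rule used plus the supervising member state(s)."""
    if e.sector not in ART_26_3_SECTORS:
        # General rule: supervised in every member state where the entity is established.
        return {"rule": "establishment", "supervisors": sorted(e.eu_establishments)}
    if e.eu_establishments:
        # Art. 26(2) cascade: decisions, then operations, then EU headcount.
        # A decision or operations seat outside the entity's EU establishments (e.g. a
        # non-EU headquarters) is treated as "cannot be determined" and falls through.
        if e.decisions_in in e.eu_establishments:
            return {"rule": "26(2) decisions", "supervisors": [e.decisions_in]}
        if e.operations_in in e.eu_establishments:
            return {"rule": "26(2) operations", "supervisors": [e.operations_in]}
        # Headcount tie-break; pre-sorting by name makes equal headcounts give a stable answer.
        biggest = max(sorted(e.eu_establishments), key=e.eu_establishments.get)
        return {"rule": "26(2) headcount", "supervisors": [biggest]}
    # Not established in the Union: Art. 26(4) representative duty.
    if e.representative_in is None:
        # Every member state where the service is offered may take legal action.
        return {"rule": "26(4) missing representative", "supervisors": [],
                "exposure": sorted(e.offers_services_in)}
    if e.representative_in not in e.offers_services_in:
        raise ValueError("representative must sit in a member state where the service is offered")
    return {"rule": "26(4) representative", "supervisors": [e.representative_in]}
```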
- Directive (EU) 2022/2555 (NIS 2), Articles 26 and 27 — eur-lex.europa.eu/eli/dir/2022/2555/oj
- BSI Act (BSIG), §28 and §33 as amended by the NIS2 Implementation and Cybersecurity Strengthening Act
- Commission Implementing Regulation (EU) 2024/2690 (CIR) on sector-specific technical and methodological requirements — eur-lex.europa.eu/eli/reg_impl/2024/2690/oj
- ENISA registry under Article 27(2) NIS 2 — enisa.europa.eu
- BSI Infopakete on NIS 2 scope and registration — bsi.bund.de/dok/nis-2-infopakete