NIS 2 Directive Article 26 – Jurisdiction and Territoriality

Jul 30, 2024 by adam tang

The NIS 2 Directive, or the Second Directive on Security of Network and Information Systems, is a key legislative instrument within the European Union to enhance cybersecurity and ensure the resilience of critical infrastructure.

Article 26 of the NIS 2 Directive specifically deals with the aspect of jurisdiction and territoriality, outlining the rules regarding which Member State has jurisdiction over certain entities covered by the Directive.

  • Jurisdiction Based on Establishment

    • Entities covered under the NIS 2 Directive typically fall under the jurisdiction of the Member State where they are established. This principle applies to a broad range of organizations, including companies, government bodies, and other relevant entities operating within the EU.
  • Providers of Public Electronic Communications

    • One notable exception to the establishment-based jurisdiction rule is in the case of providers of public electronic communications. These entities are subject to the jurisdiction of the Member State where they provide their services rather than where they are established. This provision ensures that regulatory oversight aligns with the location of the services being offered.
  • DNS and Online Service Providers

    • Another category of entities subject to specific jurisdictional rules under Article 26 includes DNS service providers, TLD registries, cloud computing providers, data centers, content delivery networks, managed service providers, online marketplaces, search engines, and social networks. These entities are placed under the jurisdiction of the Member State where they have their main establishment within the EU.
  • Determining Main Establishment

    • The concept of the main establishment is crucial in determining jurisdiction for the entities listed above. In the absence of clear criteria, the main establishment is typically considered to be where cybersecurity decisions are predominantly made. This criterion ensures that the Member State overseeing cybersecurity activities aligns with the location where strategic decisions are taken.
  • Designation of EU Representative

    • For entities not established in the EU but offering services within the Union, the NIS 2 Directive mandates the designation of an EU representative. This representative serves as a point of contact for regulatory authorities and legal actions, effectively establishing a nexus for jurisdiction within the EU.
  • Scope of Enforcement Actions

    • Member States retain the authority to take supervisory and enforcement actions against entities falling under the scope of Article 26. This includes taking legal measures to address non-compliance with the NIS 2 Directive and ensuring that cybersecurity standards and obligations are upheld across the EU.

In conclusion, NIS 2 Directive Article 26 plays a vital role in defining the jurisdictional framework for entities operating within the EU and offering essential services. By delineating clear rules based on establishment, service provision, and representation, the Directive seeks to promote cybersecurity resilience and regulatory coherence in the digital landscape. Compliance with these jurisdictional provisions is essential for entities to navigate the regulatory landscape effectively and contribute to a more secure and interconnected digital ecosystem.