The Representative Landscape Is Expanding

GDPR Article 27 was the first EU provision to require non-EU companies to appoint a representative in the EU. But the concept is now being replicated across new EU regulatory frameworks. If you already need a GDPR representative, you should be aware of these emerging obligations.

Digital Services Act (DSA) — Article 13

The DSA, fully applicable since February 17, 2024, requires providers of intermediary services not established in the EU to designate a legal representative in one of the EU Member States where they offer their services.

This applies to:

  • Hosting providers and cloud services
  • Online platforms (marketplaces, social networks, app stores)
  • Search engines
  • Any intermediary service accessible to EU users

The DSA representative must have sufficient powers and resources to cooperate with authorities and ensure compliance with the regulation.

EU AI Act — Article 54

The EU AI Act, which is being phased in between 2025 and 2027, introduces representative requirements for non-EU providers of AI systems:

  • Providers of high-risk AI systems must appoint an authorized representative established in the EU before placing their systems on the market
  • General-purpose AI model providers must also designate an authorized representative
  • The representative must be empowered to verify conformity assessments, cooperate with authorities, and provide documentation

This is particularly relevant for US-based AI companies serving EU customers, including SaaS providers with AI features.

Swiss FADP — Article 14

The revised Swiss Federal Act on Data Protection (FADP), effective since September 1, 2023, introduces its own representative requirement under Article 14:

  • Private controllers domiciled outside Switzerland must designate a representative in Switzerland
  • Applies when processing personal data of persons in Switzerland
  • The representative serves as the contact point for data subjects and the FDPIC (Federal Data Protection and Information Commissioner)

Strategic Implications

If your company already needs a GDPR Article 27 representative, you should:

  • Audit your full regulatory exposure — GDPR is no longer the only EU regulation requiring representation
  • Consider a single provider — Working with one attorney-led service across multiple regulations reduces complexity
  • Plan for AI Act compliance — If you're deploying AI features in the EU market, start the representative designation process early
  • Monitor DSA obligations — If you provide any digital services to EU users, assess your DSA compliance status

At rep4eu, our licensed attorneys track these regulatory developments and can advise on multi-regulation representation strategies. Contact us to discuss your specific situation.