NIS2 Jurisdiction and Territoriality
This new topic is needed because NIS2 has specific provisions on jurisdiction and territoriality that determine how the regulation applies across member states and to third-country entities, which is not adequately covered by existing topics.
jurisdiction territoriality territorial scope geographic applicability member state jurisdiction extraterritorial application cross-border applicability EU market access
Overview
Legal Framework
The territorial scope and jurisdictional allocation under NIS2 are governed by Chapter V (Articles 27 and 28) and clarified by Recital 113. The primary rule, articulated in Recital 113, is that entities fall under the jurisdiction of the Member State in which they are established. A critical carve-out applies to providers of public electronic communications networks or services, including DNS service providers and domain name registries; these entities fall under the jurisdiction of the Member State in which they provide their services. This distinction is fundamental for determining which national competent authority exercises supervisory and enforcement powers.
Practical Application
The NIS2 jurisdictional framework, particularly the concept of "establishment," is interpreted by reference to established EU case law on similar concepts in other regulatory domains, such as data protection. In Google LLC v CNIL, the Court of Justice of the European Union clarified that an "establishment" exists where a company exercises, through stable arrangements, a real and effective activity, even a minimal one. The activity of the local establishment must be inextricably linked to the processing or service provision in question. Similarly, the Weltimmo ruling confirms that a national authority's powers are generally confined to its own territory, but it can investigate a complaint to determine if an entity has a local establishment and thus falls under its jurisdiction. For NIS2, this means a competent authority can initiate proceedings to ascertain jurisdiction based on the entity's operational footprint.
Key Considerations
- Determine Your "Anchor" Jurisdiction: Entities must first identify their Member State of establishment based on the presence of stable arrangements and effective activity. Providers of electronic communications services must identify each Member State where they provide services, as they may have multiple jurisdictional anchors.
- Prepare for Multi-Jurisdictional Oversight: A single entity with establishments or service provision in multiple Member States may be subject to the jurisdiction of several national competent authorities. Coordination mechanisms between authorities are crucial, but entities should anticipate compliance interactions in each relevant state.
- Document Your Establishment Analysis: Maintain clear records demonstrating the location(s) of decision-making centers, staff, infrastructure, and service provision to substantiate your determination of which Member State(s) have jurisdiction. This is critical for resolving potential disputes with authorities.
Laws (11)
Case Law (4)
Google LLC, venant aux droits de Google Inc. v Commission nationale de l’informatique et des libertés (CNIL)
Google - Global De-linking
Territorial scope of EU data protection law: The present case falls within the territorial scope of GDPR because “it is apparent from the information provided in the order for reference, first, that Google’s establishment in French territory carries on, inter alia, commercial and advertising activities, which are inextricably linked to the processing of personal data carried out for the purposes of operating the search engine concerned, and, second, that that search engine must, in view of, inte
UNABHäNGIGES LANDESZENTRUM FüR DATENSCHUTZ SCHLESWIG-HOLSTEIN v. WIRTSCHAFTSAKADEMIE SCHLESWIG-HOLDSTEIN GmbH
Wirtschaftsakademie
Territorial Scope / Concept of “establishment”: Facebook Germany is responsible for promoting and selling advertising space and carries on activities addressed to persons residing in Germany. Given that a social network such as Facebook generates a substantial part of its income from advertisements posted on the web pages set up and accessed by users, and given that Facebook’s establishment in Germany is intended to ensure the promotion and sale in Germany of advertising space that makes Faceboo
WELTIMMO S.R.O. V. NEMZETI A DATVEDELMI ES INFORMACIOSZABADSAGH ATOSAG (HUNGARIAN DPA), 1.10.15 (“WELTIMMO”)
Weltimmo
Data protection authorities powers and cooperation: In the event that the Hungarian DPA should consider that Weltimmo has an establishment not in Hungary, but in another Member State, it may exercise its powers only within its own territory, and it may, irrespective of the applicable law and before even knowing which national law is applicable, thereby investigate the complaint. If it becomes apparent that it is the law of another Member State that applies, that DPA cannot impose penalties outsi
GOOGLE SPAIN SL V. AEPD (THE DPA) & MARIO COSTEJA GONZALEZ, 13.May.2014 (“GOOGLE v. Spain”)
Google Spain
Concept of ‘establishment’: An ‘establishment’ exists where an organization engages in the effective and real exercise of activity through stable arrangements in a EU Member State. It is not require that the processing be carried out by the establishment itself. The processing of personal data by the not-established controller suffices if it is “carried out in the context of the activities” of the establishment. In this case, the activities of the search engine and those of its establishment in
Guidance (24)
View all 24Guidelines 03/2022 on Deceptive design patterns in social media platform interfaces: how to recognise and avoid them
Guidelines on deceptive design patterns in social media platform interfaces: how to recognise and avoid them
These Guidelines offer practical recommendations to social media providers as controllers of social media, designers and users of social media platforms on how to assess and avoid so-called 'deceptive design patterns' in social media interfaces that infringe on GDPR requirements. To this end, the EDPB recommends that controllers make use of interdisciplinary teams, consisting, among others, of designers, data protection officers and decision-makers. It is important to note ...
Guidelines 01/2022 on data subject rights - Right of access
Guidelines on data subject rights - Right of access
The right of access of data subjects is enshrined in Art. 8 of the EU Charter of Fundamental Rights. It has been a part of the European data protection legal framework since its beginning and is now further developed by more specified and precise rules in Art. 15 GDPR.
Guidelines 05/2020 on consent under Regulation 2016/679
Guidelines on consent
Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679
Guidelines on codes of conduct and monitoring bodies
Version history
Guidelines on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies
Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation
Guidelines on certification and identifying certification criteria
Guidelines 8/2022 on identifying a controller or processor's lead supervisory authority
Guidelines for identifying a controller or processor’s lead supervisory authority
Guidelines 02/2024 on Article 48 GDPR
Article 48 GDPR provides that: ' Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer...
Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications
Guidelines on processing of personal data through video devices
Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)
Guidelines on the territorial scope of the GDPR
Richtsnoeren 01/2020 inzake de verwerking van persoonsgegevens in het kader van verbonden voertuigen en mobiliteitsgerelateerde toepassingen
guidelines connected vehicles
Richtsnoeren 02/2022 voor de toepassing van artikel 60 AVG
guidelines voor de toepassing van artikel 60 AVG
Een van de belangrijkste innovaties bij de invoering van de AVG was de introductie van het concept 'één-loketmechanisme'. In gevallen van grensoverschrijdende verwerking is de toezichthoudende autoriteit in de lidstaat van de hoofdvestiging van de verwerkingsverantwoordelijke of verwerker de autoriteit die leidinggeeft aan de handhaving van de AVG met betrekking tot de grensoverschrijdende verwerkingsactiviteiten in kwestie. Daarbij wordt samengewerkt met alle autoriteiten die de gevolge...
Guidelines 04/2021 on Codes of Conduct as tools for transfers
Guidelines on codes of conduct and monitoring bodies
The GDPR requires in its Article 46 that controllers/processors shall put in place appropriate safeguards for transfers of personal data to third countries or international organisations. To that end, the GDPR diversifies the appropriate safeguards that may be used by organisations under Article 46 for framing transfers to third countries by introducing amongst others, codes of conduct as a new transfer mechanism (articles 40-3 and 46-2-e). In this respect, as provi...
Guidelines 07/2022 on certification as a tool for transfers
Guidelines on certification and identifying certification criteria
The GDPR requires in its Article 46 that data exporters shall put in place appropriate safeguards for transfers of personal data to third countries or international organisations. To that end, the GDPR diversifies the appropriate safeguards that may be used by data exporters under Article 46 for framing transfers to third countries by introducing, amongst others, certification as a new transfer mechanism (Articles 42 (2) and 46 (2) (f) GDPR). These guidelines provide guidance as to the applicati...
Richtsnoeren 3/2018 over het territoriale toepassingsgebied van de AVG (artikel 3)
guidelines territoriaal toepassingsgebied AVG
Richtsnoeren 1/2019 voor gedragscodes en toezichthoudende organen in de zin van Verordening 2016/679
guidelines gedragscodes en toezichthoudende organen
Richtsnoeren 05/2022 voor het gebruik van gezichtsherkenningstechnologie in het kader van rechtshandhaving
guidelines gebruik gezichtsherkenning bij rechtshandhaving
Steeds meer rechtshandhavingsinstanties passen gezichtsherkenningstechnologie toe of zijn voornemens deze toe te passen. De technologie kan worden gebruikt om een persoon te authenticeren of te identificeren en kan voor video's (bijv. CCTV) of foto's worden ingezet, maar ook voor andere doeleinden, waaronder het opzoeken van personen op signaleringslijsten van de politie of het volgen van de bewegingen van een persoon in de openbare ruimte. Gezichtsherkenningstechnologie is gebaseer...
VERSIEGESCHIEDENIS
binding corporate rules voor verwerkingsverantwoordelijken
Guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement
Guidelines on the use of facial recognition technology in the area of law enforcement
More and more law enforcement authorities (LEAs) apply or intend to apply facial recognition technology (FRT). It may be used to authenticate or to identify a person and can be applied on videos (e.g. CCTV) or photographs. It may be used for various purposes, including to search for persons in police watch lists or to monitor a person's movements in the public space. FRT is built on the processing of biometric data , therefore, it encompasses the processing of special categories ...
Guidelines 07/2020 on the concepts of controller and processor in the GDPR
Guidelines on the concepts of controller and processor in the GDPR
The concepts of controller, joint controller and processor play a crucial role in the application of the General Data Protection Regulation 2016/679 (GDPR), since they determine who shall be responsible for compliance with different data protection rules, and how data subjects can exercise their rights in practice. The precise meaning of these concepts and the criteria for their correct interpretation must be sufficiently clear and consistent throughout the European Economic Area (EEA). The conc...
News (64)
View all 64Tietosuojavaltuutetun toimisto (Finland) - TSV/112/2022 (9079/152/22)
Created page with "{{DPAdecisionBOX |Jurisdiction=Finland |DPA-BG-Color= |DPAlogo=LogoFI.png |DPA_Abbrevation=Tietosuojavaltuutetun toimisto |DPA_With_Country=Tietosuojavaltuutetun toimisto (Finland) |Case_Number_Name=TSV/112/2022 (9079/152/22) |ECLI= |Original_Source_Name_1=Finlex |Original_Source_Link_1=https://www.finlex.fi/fi/viranomaiset/tietosuojavaltuutettu/2025/2487#OT0_OT0 |Original_Source_Language_1=Finnish |Original_Source_Language__Code_1=FI |Original_Source_Name_2= |Origina..." New
DSB (Austria) - 2024-0.199.724
Created page with "{{DPAdecisionBOX |Jurisdiction=Austria |DPA-BG-Color= |DPAlogo=LogoAT.png |DPA_Abbrevation=DSB |DPA_With_Country=DSB (Austria) |Case_Number_Name=2024-0.199.724 |ECLI=ECLI:AT:DSB:2024:2024.0.199.724 |Original_Source_Name_1=RIS |Original_Source_Link_1=https://www.ris.bka.gv.at/Dokument.wxe?Abfrage=Dsk&Entscheidungsart=Undefined&Organ=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=01.01.1990&BisDatum=&Norm=&ImRisSeitVonDatum
LG Hildesheim - 3 O 26/24
Created page with "{{COURTdecisionBOX |Jurisdiction=Germany |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=LG Hildesheim |Court_Original_Name=Landgericht Hildesheim |Court_English_Name=Regional Court Hildesheim |Court_With_Country=LG Hildesheim (Germany) |Case_Number_Name=3 O 26/24 |ECLI= |Original_Source_Name_1=VORIS |Original_Source_Link_1=https://voris.wolterskluwer-online.de/browse/document/3127a423-2bba-4db6-a6e8-001e4189e040 |Original_Source_Language_1=German |Ori..." New
ÚS SR - PL. ÚS 11/2025-116
Created page with "{{COURTdecisionBOX |Jurisdiction=Slovakia |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=ÚS SR |Court_Original_Name=Ústavný súd Slovenskej republiky |Court_English_Name=Constitutional Court of the Slovak Republic |Court_With_Country=ÚS SR (Slovakia) |Case_Number_Name=PL. ÚS 11/2025-116 |ECLI= |Original_Source_Name_1=ÚS SR |Original_Source_Link_1=https://www.ustavnysud.sk/en/rozhodnutia |Original_Source_Language_1=Slovak |Original_Source_Languag..." New page{{C
Garante per la protezione dei dati personali (Italy) - 10213894
Created page with "{{DPAdecisionBOX |Jurisdiction=Italy |DPA-BG-Color=background-color:#095d7e; |DPAlogo=LogoIT.png |DPA_Abbrevation=Garante per la protezione dei dati personali |DPA_With_Country=Garante per la protezione dei dati personali (Italy) |Case_Number_Name=10213894 |ECLI= |Original_Source_Name_1=Garante per la protezione dei dati personali |Original_Source_Link_1=https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/10213894 |Original_Source_Language_1=I..." New p
TI - 9/2026
Created page with "{{COURTdecisionBOX |Jurisdiction=Romania |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=TI |Court_Original_Name=Tribunalul Ilfov |Court_English_Name=Ilfov Tribunal |Court_With_Country=TI (Romania) |Case_Number_Name=9/2026 |ECLI= |Original_Source_Name_1=Rejust |Original_Source_Link_1=https://www.rejust.ro/juris/84284d3g4 |Original_Source_Language_1=Romanian |Original_Source_Language__Code_1=RO |Original_Source_Name_2= |Original_Source_Link_2= |Original..." Show
ICO (UK) - Allay Claims Ltd
Created page with "{{DPAdecisionBOX |Jurisdiction=United Kingdom |DPA-BG-Color=background-color:#023868; |DPAlogo=LogoUK.png |DPA_Abbrevation=ICO |DPA_With_Country=ICO (UK) |Case_Number_Name=Allay Claims Ltd |ECLI= |Original_Source_Name_1=ICO |Original_Source_Link_1=https://ico.org.uk/media2/mrwhxwoe/monetary-penalty-notice-allay-claims-ltd.pdf |Original_Source_Language_1=Estonian |Original_Source_Language__Code_1=ET |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Lan..." New
ANSPDCP (Romania) - 03.02.2026
Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP |DPA_With_Country=ANSPDCP (Romania) |Case_Number_Name=03.02.2026 |ECLI= |Original_Source_Name_1=ANSPDCP |Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_03_02_2026&lang=ro |Original_Source_Language_1=Romanian |Original_Source_Language__Code_1=RO |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language..."
AKI (Estonia) - 2.1.-4/25/1239-2660-6
Created page with "{{DPAdecisionBOX |Jurisdiction=Estonia |DPA-BG-Color= |DPAlogo=LogoEE.png |DPA_Abbrevation=AKI |DPA_With_Country=AKI (Estonia) |Case_Number_Name=2.1.-4/25/1239-2660-6 |ECLI= |Original_Source_Name_1=AKI |Original_Source_Link_1=https://www.aki.ee/sites/default/files/documents/2026-01/Ettekirjutus-hoiatus%20isikuandmete%20kaitse%20asjas%20nr%202.1.-4%2025%201239-2660-6%20Zu%20Disain%20O%C3%9C.pdf |Original_Source_Language_1=Estonian |Original_Source_Language__Code_1=ET |..." New
APD/GBA (Belgium) - 28/2026
Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=28/2026 |ECLI= |Original_Source_Name_1=APD |Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/bevel-nr.-28-2026.pdf |Original_Source_Language_1=French |Original_Source_Language__Code_1=FR |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Lan..." New
AEPD (Spain) - EXP202410843
Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=EXP202410843 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/documento/ps-00476-2024.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Code..." Show
AEPD (Spain) - EXP202408793
Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=EXP202408793 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/documento/ps-00279-2024.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Code..." Show
ECtHR - GREEN ALLIANCE v. BULGARIA - 6580/22
Created page with "{{COURTdecisionBOX |Jurisdiction=European Union |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=ECtHR |Court_Original_Name=European Court of Human Rights |Court_English_Name=European Court of Human Rights |Court_With_Country=ECtHR (European Union) |Case_Number_Name=GREEN ALLIANCE v. BULGARIA - 6580/22 |ECLI= |Original_Source_Name_1=Bailii |Original_Source_Link_1=https://www.bailii.org/cgi-bin/format.cgi?doc=/eu/cases/ECHR/2026/30.html&query=(GDPR)#_Toc..."
Tribunale di Roma - N. R.G. 54031/2025
Created page with "{{COURTdecisionBOX |Jurisdiction=Italy |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=Tribunale di Roma |Court_Original_Name=Tribunale di Roma |Court_English_Name=Court of Rome |Court_With_Country=Tribunale di Roma (Italy) |Case_Number_Name=N. R.G. 54031/2025 |ECLI= |Original_Source_Name_1=Il Corriere del Giorno |Original_Source_Link_1=https://www.ilcorrieredelgiorno.it/wp-content/uploads/2026/01/CdG-REPORT_PRIVACY.pdf |Original_Source_Language_1=Ital..." Show
OLG Bamberg - 10 U 61/25 e
Created page with "{{COURTdecisionBOX |Jurisdiction=Germany |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=OLG Bamberg |Court_Original_Name=Oberlandesgericht Bamberg |Court_English_Name=Higher Regional Court Bamberg |Court_With_Country=OLG Bamberg (Germany) |Case_Number_Name=10 U 61/25 e |ECLI= |Original_Source_Name_1=REWIS |Original_Source_Link_1=https://rewis.io/urteile/urteil/uaf-21-01-2026-10-u-6125-e/ |Original_Source_Language_1=German |Original_Source_Language__Co..." New
VDAI (Lithuania) - Nr. 3R-219 (2.13-1.E)
Created page with "{{DPAdecisionBOX |Jurisdiction=Lithuania |DPA-BG-Color= |DPAlogo= |DPA_Abbrevation=VDAI |DPA_With_Country=VDAI (Lithuania) |Case_Number_Name=Nr. 3R-219 (2.13-1.E) |ECLI= |Original_Source_Name_1=VDAI |Original_Source_Link_1=https://vdai.lrv.lt/public/canonical/1770722929/1274/2026-02-06%20Sprendimas%20Nr.%203R-219%20(2.13-1.E).pdf |Original_Source_Language_1=Lithuanian |Original_Source_Language__Code_1=LT |Original_Source_Name_2= |Original_Source_Link_2= |Original_Sour..." Show
APD/GBA (Belgium) - 23/2026
Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=23/2026 |ECLI= |Original_Source_Name_1=APD |Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/bevel-nr.-23-2026.pdf |Original_Source_Language_1=French |Original_Source_Language__Code_1=FR |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Lan..." New
APD/GBA (Belgium) - 25/2026
Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=25/2026 |ECLI= |Original_Source_Name_1=APD |Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/waarschuwing-en-berisping-nr.-25-2026.pdf |Original_Source_Language_1=French |Original_Source_Language__Code_1=FR |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2=..." New p
ANSPDCP (Romania) - 04.02.2026
Created page with "{{DPAdecisionBOX |Jurisdiction=Romania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoRO.jpg |DPA_Abbrevation=ANSPDCP |DPA_With_Country=ANSPDCP (Romania) |Case_Number_Name=04.02.2026 |ECLI= |Original_Source_Name_1=ANSPDCP |Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_04_02_2026&lang=ro |Original_Source_Language_1=Romanian |Original_Source_Language__Code_1=RO |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language..."
CC - 04.02.2026
Created page with "{{COURTdecisionBOX |Jurisdiction=Romania |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=CC |Court_Original_Name=Curtea Constituțională |Court_English_Name=Constitutional Court |Court_With_Country=CC (Romania) |Case_Number_Name=04.02.2026 |ECLI= |Original_Source_Name_1=Constitutional Court |Original_Source_Link_1=https://www.ccr.ro/comunicat-de-presa-iii-4-februarie-2026/ |Original_Source_Language_1=Romanian |Original_Source_Language__Code_1=RO |Orig..." New pa