GDPR + AI Act + DSA: What It Means For Non-EU Companies

With the EU AI Act switching on in phases (and enforcement accelerating), many non-EU teams discover a familiar problem: one product can trigger three EU regulatory frameworks at once — and the “forgotten obligation” is often the local representative and contact-point layer that makes enforcement practical.

Why This Matters Now

If your product relates to artificial intelligence, personal data, and user-generated content, you are rarely dealing with a single compliance lane. If you are not established in the EU, you also have to pay attention to the "representative" obligation that each of these regimes carries.

Three EU regimes increasingly overlap:

  • GDPR: still the backbone for personal data, with extraterritorial reach. A non-EU organisation that offers goods or services to individuals in the EU, or monitors their behaviour, falls under Article 3(2), which in turn activates Article 27: the EU representative requirement.
  • EU AI Act: rolling into application in stages (with key milestones on 2 August 2025, 2 August 2026, and 2 August 2027). This legislation sets out risk-based rules for AI providers and deployers, and it likewise includes a representative figure, both for providers placing high-risk AI systems on the EU market (Article 22) and for providers placing a general-purpose AI model on the EU market (Article 54).

  • Digital Services Act (DSA): generally applicable from 17 February 2024, with extra duties for designated Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs). The DSA becomes particularly relevant if you are a provider of intermediary services (e.g. hosting services, online platforms, online marketplaces, online search engines, etc.). As under the two regulations above, non-EU providers may be obliged to designate a legal representative (Article 13).

Who Is Affected?

This overlap hits many non-EU businesses; in our experience it is especially common in fast-scaling SaaS companies, often US-based.

Some Obligations At A Glance

Below is a practical “map” of (a few of) the obligations to keep in mind. It is not legal advice, but it will help you organise the work.

1) Start With Your Role Per Regime

Your first step is to determine how your organisation fits within each of these frameworks, because your role determines which obligations apply to you.

  • Under GDPR, are you a controller, processor, or both (depending on features)?
  • Under the AI Act, are you a provider, deployer, importer, or distributor? Is your AI general-purpose, or “high-risk”?
  • Under the DSA, are you a mere conduit, a caching service, a hosting service, an online platform, an online marketplace, or a designated VLOP/VLOSE?

2) The Representative Role

As explained above, non-EU companies often underestimate how much EU compliance relies on reachable contacts:

  • Under GDPR, many non-EU organisations in scope must appoint an EU representative under Article 27, unless an exception applies.
  • Under the DSA, providers of intermediary services with no EU establishment must designate an EU legal representative under Article 13(1).
  • Under the EU AI Act, third-country providers must appoint an EU authorised representative before placing certain AI on the EU market: general-purpose AI models under Article 54 and high-risk AI systems under Article 22.

These roles create a reliable channel through which regulators (and, under the GDPR, data subjects) can reach you.

3) Prepare For Timelines

The EU AI Act is explicitly phased, with major milestones in 2025 and 2026 and full application foreseen by 2 August 2027. Even if your high-risk obligations only apply later, your planning should start now.

How EDPO Helps

When you face three (or more!) overlapping EU rulebooks, you need fewer moving parts, not more.

EDPO supports organisations that require a representative presence under the GDPR and related frameworks in the EU, the UK, and Switzerland.

EDSR, our sister company, provides representative services exclusively under the EU Digital Services Act, and other digital services frameworks.

Here is what sets us apart:

  • Focused and dedicated: Our sole activity is acting as a Representative. We offer the services described in this post, as well as representative services under multiple other legislations containing this requirement.
  • Strategic locations: Coverage across the EU/EEA, the UK, and Switzerland, with headquarters in Brussels close to EU institutions and stakeholders.
  • All-in transparent and tailored fees: Flat, all-inclusive pricing with no hidden charges; packages aligned to employee numbers and the type/volume of personal data processed.
  • More than a messaging hub: Full handling of requests from (and responses to) data subjects (when applicable) and regulators, including translation.
  • Recognized professionals: Multilingual, multidisciplinary team (legal, IT, security, risk), including certified privacy professionals. We are also on the official vendor list of the IAPP (International Association of Privacy Professionals).
  • Security backed by ISO 27001 certification: EDPO is ISO/IEC 27001 certified, the international standard for information security management systems, which means our handling of client and data-subject information is subject to an independently audited security management system.
  • Compliant and ethical contract: Clear mandate and obligations, with continued support and no automatic termination if you experience a data breach.
  • Easy client onboarding: Simple, friendly, fully digital onboarding designed to get you compliant quickly.
  • Top-notch services in our DNA: High responsiveness and professionalism as a core service principle for clients, individuals, and authorities.
  • Worldwide knowledge network: Ongoing monitoring of data protection, AI and digital services developments, with regular insights and updates shared with clients (including newsletter content, where relevant).
  • Extensive insurance coverage: Robust insurance in place so an incident affecting one client does not jeopardise service delivery to others.

EDPO and its sister company EDSR act solely as representatives under the legal frameworks described above. We do not operationalise compliance obligations or provide consultancy or legal advice.

Closing Notes

  • If your product uses artificial intelligence, processes personal data, and hosts or shapes user content, you may trigger GDPR + AI Act + DSA at the same time.
  • The EU AI Act is phased through to 2 August 2027, so early planning matters more than last-minute policy updates.
  • The DSA has a clear enforcement toolbox and meaningful penalty exposure for certain services, so "we're not EU-based" is not a strategy.
  • For many non-EU organisations in scope, a representative appointment is a practical cornerstone, and a commonly forgotten one.


About the author

Baudouin de Meulemeester

Baudouin holds an LL.B. degree in European Law from Maastricht University in the Netherlands and an LL.M. in International Business Law from IE University in Madrid. Baudouin first joined EDPO during his bachelor’s degree for a three-month internship. After gaining further experience in economic and regulatory advisory for EU institutions at a BIG 4 firm, he rejoined EDPO as legal manager. Alongside his professional experience, Baudouin held leadership roles in conference and public speaking initiatives, further developing his entrepreneurial mindset, public speaking abilities, and project coordination skills. Baudouin is fluent in French, English, Dutch, with a working knowledge of Spanish.
