The concept of a “main establishment” under the GDPR, the NIS Directive and beyond...
One of the key changes proposed by the European Commission four years ago in its revised data protection framework was its vision of a “One Stop Shop”. This is the idea that a single authority in one Member State has responsibility for a company or group of companies’ data processing activities and compliance across the EU. Over years of discussion, the regime has evolved somewhat into what now appears in the agreed text of the resulting General Data Protection Regulation (GDPR), but the principle still remains largely intact. Key to the regime is identification of a lead data protection authority, which hinges on where the “main establishment” of a company/group is located.
As companies grapple with this, the Network and Information Security Directive (NIS Directive), the text of which has also recently been agreed, introduces a similar concept for regulation of the networks and information systems of digital services providers. This means identifying a lead authority for those digital services providers which operate across the EU.
As the criteria for identifying a “main establishment” differ across the two pieces of legislation, and the relevant authorities are likely to be separate in each Member State, this raises the questions: how will this work in practice, and should we expect more “one stop shop” regimes, using different criteria, to spring up in other pieces of legislation being reviewed at an EU level?