EU baseline
EU-based companies are not exempt.
EU establishment, EU users, EU customers, EU market placement, or EU regulated-sector clients are direct triggers for checking the relevant framework.
Scope explainer
Inside the EU first. Outside the EU can still be in scope.
If you are established in the EU or place a product, service, platform, AI system, or connected product on the EU market, start from EU compliance by default. EU rules can also reach non-EU companies when they target EU users, data subjects, market participants, or regulated-sector clients.
Read the matrix as: first ask whether the EU rule applies because you are in the EU or sell into the EU. Then ask whether the same rule also reaches a non-EU operator.
GDPR
- Trigger
- You process personal data of EU residents
- Legal basis
- Article 3(2) targeting/monitoring clause
- Example
- A US SaaS with EU users
EU AI Act
- Trigger
- Your AI system is used by someone in the EU
- Legal basis
- Article 2 market placement or use in the EU
- Example
- An AI tool deployed by an EU company
Cyber Resilience Act
- Trigger
- You make commercial connected software or hardware available in the EU
- Legal basis
- Regulation (EU) 2024/2847 products with digital elements
- Example
- A generated desktop app, IoT device, or packaged software product sold to EU users
Digital Services Act
- Trigger
- You run hosting, marketplace, app store, social, or user-content functionality for EU users
- Legal basis
- Online intermediary and platform service rules
- Example
- A small marketplace or hosted community with EU users
Consumer Rights
- Trigger
- You sell to EU consumers online and a statutory withdrawal right exists
- Legal basis
- Directive (EU) 2023/2673 and Directive 2011/83/EU distance-contract rules
- Example
- A SaaS subscription, app purchase, digital service, or ecommerce checkout offered to EU consumers
Data Act
- Trigger
- You expose connected-product data or provide data-processing switching
- Legal basis
- Regulation (EU) 2023/2854 data access and use
- Example
- An IoT dashboard or cloud service with EU customers
DORA
- Trigger
- You provide ICT services to an EU-regulated financial entity
- Legal basis
- Articles 28-44 ICT third-party risk
- Example
- A cloud vendor serving an EU bank
NIS2
- Trigger
- You provide digital services to EU entities in covered sectors
- Legal basis
- Article 26 jurisdiction and territoriality
- Example
- A DNS provider with EU customers
ePrivacy
- Trigger
- Your site drops cookies on EU users' devices
- Legal basis
- Terminal equipment location principle
- Example
- Any website accessible from the EU
MiCA
- Trigger
- You offer crypto-asset services to EU persons
- Legal basis
- Article 2 crypto-asset services offered in the EU
- Example
- A non-EU exchange with EU clients
eIDAS 2
- Trigger
- You must accept EU wallet credentials
- Legal basis
- Relying-party obligations for regulated sectors
- Example
- A regulated service using digital identity
Product Liability
- Trigger
- Your software ships in or as a product and defects could cause damage
- Legal basis
- Directive (EU) 2024/2853 defective product liability
- Example
- A connected device update or AI-enabled product feature
Decision flow
3
Do you sell commercial software, hardware, or connected-product features into the EU?
Cyber Resilience Act4
Do EU users post, sell, host, search, or moderate content through your product?
Digital Services Act5
Do EU consumers buy, subscribe, or conclude distance contracts in your app or website?
Consumer RightsThis page explains scope as published in official legal texts. It is not legal advice. If you are uncertain whether your specific activity is in scope, consult a qualified adviser.