← Thought Leadership

Compliance Guides

Non-EU company selling into the EU: what must you comply with?

EU law reaches you even without an EU office. Which requirements apply when you target the EU market — GDPR, the AI Act, DORA, and product rules — and what each one asks of you.

Jan Jensen
Co-founder
· 5 min read
A cargo ship crossing the open sea under a clear blue sky

Photo: John Simmons / Unsplash

New to the topic? Start with What sovereign compliance actually means.

If your company is based outside the EU and sells into it, EU law can apply to you without any EU office. What matters is not where you are established but whether you target the EU market — by offering goods or services to people in the EU, monitoring their behaviour, placing products on the EU market, or supplying EU-regulated firms. Any of these can pull you into GDPR, the EU AI Act, DORA, or Europe’s product-safety and cybersecurity regimes. This guide walks through the ones you are most likely to meet, and what each asks of you.

When EU law applies to a non-EU business

The starting principle is simple: EU regulation follows the activity, not the address. A company with no EU establishment can still be in scope when it does any of the following:

  • Offers goods or services to people in the EU— pricing in euro, shipping to member states, or an EU-language site can all signal that you target the market.
  • Monitors the behaviour of people in the EU— tracking, profiling, or analytics aimed at individuals located in the Union.
  • Places products on the EU market— selling physical or digital-element products to EU buyers.
  • Supplies EU-regulated entities— providing services to EU financial firms or other regulated customers, whose own requirements flow down to you.
Definition
Extraterritorial scope
The reach of a law beyond the borders of the territory that made it. Several EU regulations apply to companies with no EU establishment when their activity targets the EU market — for example offering goods or services to people in the EU, monitoring their behaviour, or placing products on the EU market.

This is the same test that decides which EU regulations apply to your company — only viewed from outside the Union looking in.

GDPR and the EU representative (Article 27)

The GDPR is the regime most non-EU companies meet first. Its territorial scope under Article 3(2) covers controllers and processors not established in the EU where their processing relates to offering goods or services to people in the EU, or to monitoring the behaviour of people in the EU. Being outside the Union does not put you outside the GDPR.

Many organisations caught this way must also designate an EU representativeunder Article 27 — a person or body established in the EU who acts as a contact point for supervisory authorities and for the individuals whose data you process. A narrow exception exists for occasional, low-risk processing, but for a business selling regularly into the EU it rarely helps.

Definition
EU representative (GDPR Article 27)
A person or organisation established in the EU that a non-EU controller or processor designates in writing to act as its point of contact for supervisory authorities and data subjects. Required for many organisations caught by GDPR Article 3(2), with narrow exceptions for occasional, low-risk processing.

The EU AI Act

The EU AI Act reaches beyond the Union too. It applies to non-EU providers who place AI systems on the EU market, and to providers and deployers whose system output is used in the EU— even where the system itself runs elsewhere. If your product uses AI and serves EU users, you should assume it is in view, then work out the risk tier that sets your requirements. We cover the scope test in does the EU AI Act apply to us.

DORA by contract

If you supply ICT services — cloud, software, data, or managed services — to EU financial entities, the Digital Operational Resilience Act reaches you through those relationships. DORA’s third-party requirements land in your customers’ contracts, so a provider based outside the EU still has to meet the terms its EU financial clients are required to impose. Being non-EU is not an exemption; being a supplier to a regulated firm is what counts. The detail is in does DORA apply to my company.

Product rules: CE marking and the Cyber Resilience Act

Placing a product on the EU market brings the CE-marking regimesinto play — the conformity-assessment and marking rules that apply to whole categories of goods before they can be sold in the Union. Where a product has digital elements — connected hardware or software — it also falls under the Cyber Resilience Act, which sets cybersecurity requirements across the product’s lifecycle. A manufacturer outside the EU must meet these to place products on the market, and will typically need an economic operator established in the Union to carry certain responsibilities.

How COMPLY.Reg helps

COMPLY.Reg is a regulatory compliance platform that uses AI to work out exactly this: it scans your business profile against European regulatory sources, identifies which requirements apply to a company in your position — wherever it is based — and turns them into audit-ready, traceable controls with a human in the loop. Your source documents stay on your own systems, and your compliance data is processed in the EU. It is built for European companies and for companies outside Europe that must meet EU requirements to do business in the Union. Not sure where to start? Begin with which EU regulations apply to your company.

Frequently asked questions

Does EU law apply if I have no office in the EU?
Yes, often. Offering goods or services to people in the EU, monitoring their behaviour, placing products on the EU market, or supplying EU-regulated firms can bring GDPR, the AI Act, DORA, or product rules into scope without any EU establishment.
Do I need an EU representative?
If GDPR Article 3(2) catches you as a non-EU controller or processor, you generally must designate an EU representative under Article 27, unless a narrow exception for occasional, low-risk processing applies.
Does the EU AI Act reach non-EU companies?
Yes. It applies to non-EU providers who place AI systems on the EU market and to providers and deployers whose system output is used in the EU.

Sources