Compliance Guides
Which EU regulations does my company need to comply with?
A practical way to scope which EU regulations apply to your business — by sector, size, data, and activity — with a business-type-to-regulation map.

Photo: Christian Lue / Unsplash
New to the topic? Start with What sovereign compliance actually means.
Which EU regulations apply to your company depends on four things: your sector, your size, the data you handle, and the activities you carry out. Almost every business in the EU shares a common core — data protection, employment, consumer, and product rules — and then picks up sector-specific regimes on top. This guide gives you a way to scope it yourself, a table mapping common business types to the regulations they usually trigger, and a note on when EU law reaches companies based outside the EU.
Scope it with four questions
- Sector— Are you in a regulated industry (finance, insurance, health, energy, telecoms)? Regulated sectors carry the heaviest, most specific requirements.
- Size— Headcount and turnover decide whether thresholds bite; many regimes exempt or simplify for micro and small enterprises.
- Data— Do you process personal data? Special-category data? Large-scale monitoring? This pulls in GDPR and, increasingly, the AI Act.
- Activity— Do you sell to consumers? Build or deploy AI? Run essential digital services? Place products on the EU market? Each activity triggers its own regime.
A map from business type to likely EU regulations
| Business type | Regulations it usually triggers |
|---|---|
| Any company processing personal data | GDPR; ePrivacy (cookies / marketing) |
| Company building or deploying AI | EU AI Act (risk tier depends on use) + GDPR |
| Bank, insurer, investment or payment firm | DORA, plus sector rules (CRR/CRD, Solvency II, PSD2/3, MiCA for crypto) |
| Operator of essential / important digital or infrastructure services | NIS2 |
| Manufacturer placing products on the EU market | Product-specific rules (e.g. MDR for medical devices, CE-marking regimes), plus the Cyber Resilience Act for products with digital elements |
| Anyone selling to EU consumers | Consumer-protection and distance-selling rules; accessibility (EAA) |
This is a starting map, not a determination — the exact list turns on the specifics of each of the four questions above.
The horizontal rules almost everyone should check
- GDPR— if you process personal data of people in the EU, in almost any capacity.
- EU AI Act— if you build, sell, or use AI systems; your requirements scale with the system’s risk tier. See does the EU AI Act apply to us.
- NIS2 / DORA— cybersecurity and operational-resilience regimes for in-scope sectors and their IT suppliers. See does DORA apply to my company and does NIS2 apply to my business.
- Consumer, employment, and accessibility law— broad-based and easy to overlook.
Sector-specific regimes
Regulated sectors layer specific regimes on top of the horizontal ones — for example financial services (DORA, MiCA, PSD2/3, Solvency II), health (MDR/IVDR), and energy or telecoms rules. If you are in one of these, the sector regime is usually where most of your requirements live.
If your company is outside the EU
EU law reaches non-EU companies more often than many expect. If you offer goods or services to people in the EU, monitor their behaviour, place products on the EU market, or supply IT services to EU financial entities, you can fall directly within GDPR, the AI Act, the Cyber Resilience Act, or DORA’s third-party provisions — without any EU establishment. Doing business in Europe generally means meeting European requirements, wherever you are based. We cover this in detail in non-EU company selling into the EU.
Keeping the list current — and where COMPLY.Reg fits
The hard part is not reading one regulation; it is working out whichapply to your specific business, breaking each into concrete requirements, and keeping that current as laws change. That work is slow and error-prone by hand — and it was never really a spreadsheet job.
COMPLY.Reg is a regulatory compliance tool that uses AI to do exactly this: it scans your business profile against European regulatory sources, identifies which requirements apply to you, and turns them into audit-ready, traceable controls. Your source documents stay on your own systems, and your compliance data is processed in the EU. It is built for European companies and for companies outside Europe that need to do business in the EU.
Frequently asked questions
- Do EU regulations apply to companies outside the EU?
- Yes, frequently. If you offer goods or services to people in the EU, monitor their behaviour, place products on the EU market, or supply EU financial entities, EU rules such as GDPR, the AI Act, or DORA can apply without any EU establishment.
- What is the difference between a regulation and a directive?
- A regulation applies directly across the EU as written; a directive is transposed into each member state’s national law, so the detail can vary by country.
- Which EU regulation applies to almost every business?
- The GDPR — nearly any organisation handling personal data of people in the EU falls within it.