Market · European Union
The EU is more than the GDPR
The General Data Protection Regulation is the foundation, but the EU has built an entire digital rulebook around it: ePrivacy, the Data Act, the Digital Services Act, the AI Act, NIS2, and DORA. Which apply depends on what you do — and several can require their own local representative. Privello builds one program that answers all of them.
The foundation
GDPR, Regulation (EU) 2016/679
The GDPR governs any processing of EU personal data, wherever it happens. For a company with no EU establishment, Article 3(2) extends it to anyone offering goods or services to, or monitoring, people in the EU, and Article 27 then requires most of them to appoint a representative. The obligations run from lawful basis (Article 6) and records of processing (Article 30) to data-subject rights (Articles 15–22) and 72-hour breach notification (Article 33).
Enforcement carries real weight: fines reach the greater of €10 million or 2% of global turnover at the lower tier, and €20 million or 4% at the higher tier.
See the market-entry program- Extraterritorial. Article 3(2) reaches companies with no EU office.
- Representative. Article 27 requires an EU representative in most in-scope cases.
- Documented. ROPA, DPAs, DPIAs, and a working DSAR process.
- Enforced. Up to €20 million or 4% of global turnover.
The wider rulebook
The instruments around the GDPR
Which of these bite depends on your product and sector. Privello identifies the ones in scope and folds them into a single program rather than treating each as a separate project.
Directive 2002/58/EC
ePrivacy & cookies
Prior, informed consent for non-essential cookies and trackers. The most common enforcement entry point.
Reg. (EU) 2023/2854
Data Act
Access to and sharing of data from connected products and cloud services, applicable from 12 September 2025.
Reg. (EU) 2022/2065
Digital Services Act
Obligations for online intermediaries and platforms, including an EU legal representative for non-EU providers.
Reg. (EU) 2024/1689
AI Act
Risk-based rules for AI systems, with an authorised representative for non-EU providers of high-risk systems.
Directive (EU) 2022/2555
NIS2
Cybersecurity risk-management and reporting duties for essential and important entities, with a representative duty for some non-EU providers.
Reg. (EU) 2022/2554
DORA
ICT operational-resilience rules for financial entities and their critical ICT providers, applicable from 17 January 2025.
Regulation and directive references describe the instruments Privello works with. They are provided for orientation, not as legal advice.
Common questions
Questions about the EU market
Does the GDPR apply to a US company with no EU office?
Yes, under Article 3(2), if you offer goods or services to people in the EU or monitor their behaviour. In most of those cases Article 27 also requires you to appoint an EU representative. Having no EU establishment does not switch the GDPR off; it usually adds a representative obligation.
What are the GDPR fine levels?
The GDPR sets two tiers. The lower tier reaches the greater of €10 million or 2% of global annual turnover; the higher tier, for breaches of core principles and data-subject rights, reaches the greater of €20 million or 4%. Enforcement is by national supervisory authorities.
Is the GDPR the only EU rule we need to worry about?
No. The GDPR sits at the centre of a wider EU digital rulebook: ePrivacy for cookies and tracking, the Data Act for connected products, the Digital Services Act for online intermediaries, the AI Act for AI systems, NIS2 for cybersecurity, and DORA for financial-sector resilience. Which of them apply depends on what you do, and several can require their own representative.
Begin
Map your EU obligations
Tell us what you sell into the EU and what data you touch. We will identify which instruments apply and build one program that answers them.