Market · European Union

The EU is more than the GDPR

The General Data Protection Regulation is the foundation, but the EU has built an entire digital rulebook around it: ePrivacy, the Data Act, the Digital Services Act, the AI Act, NIS2, and DORA. Which apply depends on what you do — and several can require their own local representative. Privello builds one program that answers all of them.

The foundation

GDPR, Regulation (EU) 2016/679

The GDPR governs any processing of EU personal data, wherever it happens. For a company with no EU establishment, Article 3(2) extends it to anyone offering goods or services to, or monitoring, people in the EU, and Article 27 then requires most of them to appoint a representative. The obligations run from lawful basis (Article 6) and records of processing (Article 30) to data-subject rights (Articles 15–22) and 72-hour breach notification (Article 33).

Enforcement carries real weight: fines reach the greater of €10 million or 2% of global turnover at the lower tier, and €20 million or 4% at the higher tier.

See the market-entry program
  • Extraterritorial. Article 3(2) reaches companies with no EU office.
  • Representative. Article 27 requires an EU representative in most in-scope cases.
  • Documented. ROPA, DPAs, DPIAs, and a working DSAR process.
  • Enforced. Up to €20 million or 4% of global turnover.

The wider rulebook

The instruments around the GDPR

Which of these bite depends on your product and sector. Privello identifies the ones in scope and folds them into a single program rather than treating each as a separate project.

Directive 2002/58/EC

ePrivacy & cookies

Prior, informed consent for non-essential cookies and trackers. The most common enforcement entry point.

Reg. (EU) 2023/2854

Data Act

Access to and sharing of data from connected products and cloud services, applicable from 12 September 2025.

Reg. (EU) 2022/2065

Digital Services Act

Obligations for online intermediaries and platforms, including an EU legal representative for non-EU providers.

Reg. (EU) 2024/1689

AI Act

Risk-based rules for AI systems, with an authorised representative for non-EU providers of high-risk systems.

Directive (EU) 2022/2555

NIS2

Cybersecurity risk-management and reporting duties for essential and important entities, with a representative duty for some non-EU providers.

Reg. (EU) 2022/2554

DORA

ICT operational-resilience rules for financial entities and their critical ICT providers, applicable from 17 January 2025.

Regulation and directive references describe the instruments Privello works with. They are provided for orientation, not as legal advice.

Common questions

Questions about the EU market

Does the GDPR apply to a US company with no EU office?

Yes, under Article 3(2), if you offer goods or services to people in the EU or monitor their behaviour. In most of those cases Article 27 also requires you to appoint an EU representative. Having no EU establishment does not switch the GDPR off; it usually adds a representative obligation.

What are the GDPR fine levels?

The GDPR sets two tiers. The lower tier reaches the greater of €10 million or 2% of global annual turnover; the higher tier, for breaches of core principles and data-subject rights, reaches the greater of €20 million or 4%. Enforcement is by national supervisory authorities.

Is the GDPR the only EU rule we need to worry about?

No. The GDPR sits at the centre of a wider EU digital rulebook: ePrivacy for cookies and tracking, the Data Act for connected products, the Digital Services Act for online intermediaries, the AI Act for AI systems, NIS2 for cybersecurity, and DORA for financial-sector resilience. Which of them apply depends on what you do, and several can require their own representative.

Scope. Privello LLC is a data-regulation consultancy and is not a law firm. Patrick Smith is a U.S.-licensed attorney (State of Texas); his bar admission is stated as a credential only. Where a matter requires formal legal advice under the law of an EU member state, Privello coordinates qualified local counsel.

Begin

Map your EU obligations

Tell us what you sell into the EU and what data you touch. We will identify which instruments apply and build one program that answers them.