EU Compliance for E-commerce & Retail
EU regulations directly affecting E-commerce & Retail organisations — including obligations, deadlines, and maximum fines. Use our regulation checker to map your exact exposure.
Which EU regulations apply to E-commerce & Retail businesses?
E-commerce & Retail organisations operating in the EU are subject to 8 key regulations, including ePrivacy, DSA, eIDAS 2.0 and 5 more. The most significant obligations include obtaining consent for cookies and tracking, and removing illegal content upon valid notice. Use the regulation checker to map your exact exposure in under 2 minutes.
- ePrivacy: max fine per member state (GDPR rates of €20M/4% apply where the violation also breaches GDPR) — obtain consent for cookies and tracking
- DSA: max fine up to 6% of global turnover (VLOPs/VLOSEs); per member state for others — remove illegal content upon valid notice
- eIDAS 2.0: max fine per member state — accept the EU Digital Identity Wallet (very large platforms)
- PLD: max fine no cap — civil liability for all damage caused — ensure products are free from safety defects
| Summary | Value |
|---|---|
| Regulations applicable | 8 |
| Key regulations | ePrivacy, DSA, eIDAS 2.0 |
| Highest fine | Per member state (GDPR rates of €20M/4% apply where the violation also breaches GDPR) |
Regulations that apply to E-commerce & Retail
ePrivacy
The ePrivacy Directive governs electronic communications privacy, covering cookies, email marketing, and confidentiality of communications. Its replacement (ePrivacy Regulation) is pending but the Directive remains law.
Max fine: Per member state (GDPR rates of €20M/4% apply where violation also breaches GDPR)
DSA
The DSA creates obligations for online platforms and search engines to tackle illegal content, protect users, and ensure algorithmic transparency. Very large platforms face enhanced obligations.
Max fine: Up to 6% of global turnover (VLOPs/VLOSEs); per member state for others
eIDAS 2.0
eIDAS 2.0 updates the framework for electronic identification and trust services, introducing the EU Digital Identity Wallet. It enables cross-border digital identity verification and expands recognised trust services.
Max fine: Per member state
PLD
The revised PLD modernises liability rules for defective products, extending coverage to software, AI systems, and digital services. It shifts part of the burden of proof to manufacturers in complex cases.
Max fine: No cap — civil liability for all damage caused
CSRD
CSRD expands mandatory sustainability reporting to large companies and listed SMEs. Companies must report according to European Sustainability Reporting Standards (ESRS) covering environment, social, and governance matters.
Max fine: Per member state (audit-based enforcement)
CS3D
CS3D requires large companies to conduct due diligence on actual and potential adverse impacts on human rights and the environment in their operations and supply chains.
Max fine: At least 5% of net worldwide turnover (member state minimum floor, Art. 27)
Green Claims
The Green Claims Directive requires companies to substantiate and verify environmental claims before using them in marketing, combating greenwashing across the EU market.
Max fine: 4% of annual turnover per member state
EAA
The EAA sets harmonised accessibility requirements across the EU for key products and services, ensuring people with disabilities have equal access to the digital economy and essential services.
Max fine: Per member state
Which regulations apply to your E-commerce & Retail business?
Answer 5 questions and get a personalised compliance map — free.
Run the regulation checker
Explore by regulation
- EU AI Act
- General Data Protection Regulation
- NIS2 Directive
- Cyber Resilience Act
- Digital Operational Resilience Act
- EU Data Act
- ePrivacy Directive
- Digital Services Act
- Digital Markets Act
- Pay Transparency Directive
- Whistleblower Directive
- Markets in Crypto-Assets Regulation
- eIDAS 2.0 Regulation
- Product Liability Directive (Revised)
- Corporate Sustainability Reporting Directive
- Corporate Sustainability Due Diligence Directive
- Green Claims Directive
- European Accessibility Act
- EU Machinery Regulation
Frequently asked questions
Which EU regulations apply to my sector?
EU compliance depends on your specific sector, company size, and activities. Horizontal regulations that apply across most sectors include: GDPR (personal data processing, fines up to €20M or 4% turnover); NIS2 (cybersecurity for essential and important entities in 18+ sectors, fines up to €10M or 2% turnover); EU AI Act (AI systems, phased 2024–2027, fines up to €35M or 7% turnover for prohibited systems); and the CRA (products with digital elements from 2027). Sector-specific regulations — DORA for financial services, MDR for medical devices, EHDS for healthcare — apply in addition.
What is the difference between an essential and important entity under NIS2?
NIS2 Annex I lists essential entity sectors: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, and space. Annex II lists important entity sectors including manufacturing, food, chemicals, postal services, digital providers, and research. Essential entities face proactive ex ante supervision; important entities face reactive ex post supervision. Both are subject to NIS2 Article 21 security measures and incident reporting requirements if they meet the size thresholds (medium: 50+ employees or €10M+ turnover).
What is the EU AI Act risk classification and does it apply to my product?
The EU AI Act classifies AI systems into four risk levels: prohibited (e.g. social scoring by governments, subliminal manipulation); high-risk (Annex III categories: biometrics, critical infrastructure, employment, education, essential services, law enforcement, migration, justice); limited-risk (chatbots, deepfakes — transparency obligations only); and minimal-risk (most AI systems — no mandatory requirements). High-risk AI systems require conformity assessment, Annex IV technical documentation, registration in the EU AI database, and ongoing post-market monitoring.
What GDPR obligations apply to EU companies processing personal data?
GDPR (Regulation (EU) 2016/679) applies to all organisations processing personal data of EU residents, regardless of where the organisation is located. Core obligations include: lawful basis for processing (Article 6); transparency via privacy notices (Articles 13-14); data subject rights (Articles 15-22: access, erasure, portability, objection); technical and organisational security measures (Article 32); 72-hour breach notification to supervisory authority (Article 33); Data Protection Impact Assessments for high-risk processing (Article 35); and DPO appointment for public authorities and organisations processing special-category data at scale (Article 37).
How long does an EU compliance assessment take?
A basic EU compliance exposure scan — identifying which regulations apply to your organisation and where your most significant gaps are — can be completed in 30-60 minutes using EuroComply's regulation checker and workspace tools. A comprehensive compliance programme covering GDPR, NIS2, and the AI Act for a mid-size SaaS company typically takes 3-6 months of structured work including a ROPA, DPIA review, NIS2 Article 21 gap analysis, and AI inventory. Initial evidence exports suitable for investor or client due diligence can be generated within minutes once the workspace assessment is complete.
For informational purposes only. This is not legal advice — consult qualified legal counsel.