US company selling to EU compliance checklist
Compliance checklist for US companies selling to EU customers: GDPR, EU representative, data transfers, AI Act, product rules, accessibility and contracts.
Direct answer
A US company selling to EU customers should check GDPR targeting and representative duties, international data transfers, processor contracts, AI Act scope, product safety rules, accessibility for covered services, consumer terms, e-invoicing exposure and customer security questionnaires. The exact list depends on product, customers and countries.
What compliance should a US company check before selling to EU customers?
- GDPR scope
- Product or SaaS scope
- Contract readiness
| Aspect | Summary |
|---|---|
| Primary trigger | Targeting EU customers or processing EU personal data |
| Common first law | GDPR |
| Common buyer evidence | Privacy, transfer and security documentation |
Review EU obligations before marketing, contracting or onboarding EU customers.
US company selling to EU compliance checklist
Action checklist
- Check targeting, personal data processing, representative duties and transfers.
- Check AI Act, CRA, GPSR, EAA and Data Act depending on product type.
- Prepare DPA, SCCs where needed, subprocessors, security terms and support commitments.
Key deadlines
| Date | Requirement | Source |
|---|---|---|
| Before EU sales | Compliance launch review: review EU obligations before marketing, contracting or onboarding EU customers. | European Commission business in the EU guidance |
30/60/90-day action plan
First 30 days
Confirm scope and assign an owner
Evidence needed: Applicability note, business owner, systems or product list, and source links.
US-to-EU market entry
Days 31-60
Close the evidence gaps
Evidence needed: Policies, supplier records, data maps, technical notes, training records, or process owners.
Days 61-90
Prepare for audit or customer review
Evidence needed: Versioned compliance file, action log, exception register, and next review date.
Evidence to retain
Applicability decision
Shows whether EU compliance obligations apply to the US company and why the SME made that decision.
Retain: Scope memo, trigger criteria, country notes, owner approval, and review date.
Action owner list
Regulators and enterprise customers expect named accountability, not generic intent.
Retain: Owner, backup owner, due date, status, and unresolved blocker notes.
Evidence folder
The fastest way to answer customer due diligence is a single audit-ready evidence file.
Retain: Policies, screenshots, registers, exports, supplier responses, and training records.
SME questions answered
Can GDPR apply to a US company?
Yes. GDPR can apply when a US company targets EU individuals or monitors their behaviour, even without an EU office.
What should a US SaaS company do first?
Map EU personal data, processors, transfers, AI features, security evidence and customer contract requirements.
Informational only. This page is not legal advice and does not replace a qualified legal review of your business, systems, products or employment practices.