During the 2019-2024 European Commission mandate, the EU took an assertive stance toward regulating its digital economy. Based on two strategic communications, Shaping Europe’s Digital Future and Europe’s Digital Decade, the Commission set out its vision for a human-centric and sustainable digital society to empower citizens and businesses by establishing a digitally skilled population and highly skilled digital professionals, securing a sustainable digital infrastructure, digital transformation of businesses, and the digitalization of public services. Details on the progress toward achieving these digital economy objectives can be found in the Commission’s State of the Digital Decade 2024 report.
Market Challenges
Although the United States and Member States share the largest economic relationship in the world, U.S. goods and services face persistent barriers entering and maintaining access to certain sectors of the EU economy, including those in the digital economy. Additionally, the rise of a growing digital sovereignty narrative has the potential to undermine key digital economy and cybersecurity objectives by blocking access to EU markets, unduly preventing cross-border data flows, and preferencing domestic manufacturers and service providers. The United States Trade Representative’s 2025 National Trade Estimate Report on Foreign Trade Barriers outlines many of the barriers to U.S. goods and services in the EU, including in areas related to the digital economy.
Regulatory Environment and Digital Trade Barriers
The EU digital economy is highly regulated. A host of newly enacted regulations still in the early stages of implementation make the regulatory environment particularly complex, opaque, and potentially fragmented. Startups and small- and medium-sized enterprises with limited financial resources face a disproportionate burden and often exist in a gray zone when facing regulatory compliance compared to larger companies.
General Data Protection Regulation
The General Data Protection Regulation (GDPR), which governs how personal data of individuals in the European Union may be processed, went into effect on May 25, 2018. The GDPR, which replaces the Data Protection Directive 1995/46, is comprehensive privacy legislation that applies across sectors and to companies of all sizes. Personal data is defined by the GDPR as any information that relates to an identified or identifiable living individual (a “data subject”) such as a name, e-mail address, tax ID number, or online identifier. Processing of data as defined by the Regulation includes actions such as collecting, recording, storing, or transferring data.
A company that is not established in the European Union may need to comply with the Regulation when processing personal data of residents of the European Union, the European Economic Area (i.e., Norway, Liechtenstein, and Iceland), and Switzerland if the company offers goods or services to data subjects in the European Union, or if the company is monitoring data subjects’ behavior that takes place in the European Union. The European data protection authorities published Guidelines 3/2018 on the territorial scope of the GDPR (see Article 3), to help companies determine whether they fall within the GDPR’s territorial scope. For example, the mere accessibility of a company’s website in the European Union is insufficient to subject a company to the GDPR, but other evidence of the intent to offer goods or services (such as advertising) to data subjects in the European Union might mean that the Regulation is applicable.
Generally, companies that are not established in the European Union but that are subject to the GDPR must designate in writing an EU representative for purposes of GDPR compliance. There is an exception to this requirement for small scale and occasional processing of non-sensitive data. In 2025, the European Commission confirmed plans to simplify aspects of the GDPR, especially to ease the compliance burden for small and medium-sized enterprises. Fines in case of non-compliance with GDPR can reach up to four percent of the annual worldwide revenue or €20 million—whichever is higher. The European Data Protection Board has released official guidelines to help companies with their compliance process.
GDPR not only provides for the free flow of personal data within the European Union but also for its protection when it leaves the region’s borders. The Regulation sets out obligations on data controllers (those in charge of deciding what personal data is collected and how or why it is processed) and on data processors (those who act on behalf of the controller), and it gives rights to data subjects (the individuals to whom the data relates). These rules were designed to provide a high level of privacy protection for personal data and were complemented by measures to ensure that the protection is maintained when data leaves the EU, and whether it is transferred to controllers, processors, or third parties (e.g., subcontractors). In addition, restrictions on transfers of personal data outside of the European Union specify that such data can only be exported if “adequate protection” is provided.
EU-U.S. Data Privacy Framework
The European Commission is responsible for assessing, in the form of an adequacy decision, whether a country outside the European Union has a legal framework that provides sufficient protection when transferring personal data from the EU to that country. In March 2023, the EU and the United States established the EU-U.S. Data Privacy Framework, which governs data transfers from the United States to the EU and vice versa. On July 10, 2023, the European Commission adopted an adequacy decision recognizing the United States as having sufficient protection for EU personal data under the Framework, thereby enacting the Framework, and reestablishing a legal mechanism for transfers of personal data from the EU to the United States. On September 3, 2025, the General Court of the European Union dismissed a legal challenge to the Framework, confirming that the United States ensures an adequate level of protection for personal data transferred from the EU to organizations in the United States. See the Data Privacy Framework Program website for more information.
The EU Data Act
The EU Data Act entered into force on January 11, 2024, and it became fully applicable on September 12, 2025. The Act aims to facilitate a fair and innovative data economy by clarifying who can access and use data generated in the EU across all economic sectors, making it easier to share data, particularly industrial data, and ensuring that users have control over the data generated by their connected devices and safeguarding the European fundamental right to privacy. The Act includes measures to allow users of connected devices to gain access to data generated by them and to share such data with third parties to provide aftermarket or other data-driven innovative services. It also includes measures to rebalance negotiation power for SMEs by preventing abuse of contractual imbalances in data sharing contracts. The Act includes mechanisms for public sector bodies to access and use data held by the private sector that is necessary for exceptional circumstances, particularly in case of a public emergency or to implement a legal mandate if data are not otherwise available. The Act also includes rules allowing customers to effectively switch between different cloud data-processing services providers and putting in place safeguards against unlawful data transfer.
Digital Markets Act
The Digital Markets Act regulates the market power of large online platforms to achieve fairer and more open digital markets within the European Union. The Act regulates certain “gatekeeper firms” – large online platforms that impact how other companies interact with users online through digital services such as searching, social networking, cloud computing, and advertising services. It prohibits gatekeepers from engaging in self-preferencing activities, from restricting access to services connected to their platforms, such as online marketplaces like an app store, and from preventing users from removing pre-installed software or apps. Under the Act, EU regulators can levy fines of up to ten percent of global annual turnover of these firms and, in limited cases, break up certain parts of their corporate operations. The companies designated as gatekeepers have had to comply with the respective obligations and prohibitions since March 2024.
Digital Services Act
The Digital Services Act harmonizes mechanisms throughout the European Union for the removal of illegal content for online service providers, including internet access providers, domain name registrants, cloud and webhosting services, and online platforms. The Act bans targeted advertising aimed at children or based on sensitive data such as religion, gender, race, and political opinions, and it bans tactics that mislead people into giving personal data to companies online. It regulates “very large online platforms” – those online platforms that would reach at least ten percent of the population in the European Union. The Commission is charging these platforms a supervisory fee of up to one percent of their annual turnover. Fines can amount up to six percent of the global turnover of the conglomerate for violations of the Act. In the event of serious and repeated breaches, national courts can go as far as a ban on operating on European territory. The text has applied across the European Union since February 2024.
The Artificial Intelligence Act
The Artificial Intelligence (AI) Act is a landmark EU regulation that was enacted in July 2024 and entered into force on August 1, 2024. Its provisions will roll out over the next several years, with full applicability expected by August 2026 and for certain high-risk systems by August 2027. The Act defines artificial intelligence systems, employs a risk-based approach to regulating AI systems, and applies differentiated obligations to various actors, including the AI systems’ manufacturers, importers, and users.
The Act classifies AI systems and models into four different categories according to their risk:
- Unacceptable risk. For example, AI systems that use emotion recognition in the workplace, social scoring, or manipulative AI are prohibited.
- High risk. For example, AI intended to be used as a product that is covered by specific EU legislation such as civil aviation, toys, and vehicle security, or AI systems such as biometric identification systems or those used in education, employment, or law enforcement are subject to strict requirements like conformity assessments, transparency, or human oversight.
- Limited risk. For example, AI systems must comply with copyright requirements, publish a training data summary, and ensure transparency.
- Minimal risk. For example, AI used in video games or basic recommendation engines remains largely unregulated.
There is also a category for General-Purpose AI (GPAI), including large language models, which are subject to transparency rules and additional obligations.
Enforcement of the AI Act is coordinated via a European AI Office and the broader AI Board, while Member State national authorities also play a role.
The Act applies not only to EU-based entities, but also to providers outside of the European Union, including from the United States, that place AI systems or GPAI models on the EU market or make them available in the EU, and to providers or developers whose AI outputs are used within the EU, even if the system itself operates entirely outside the EU. Companies are required to appoint an authorized representative within the EU for high-risk AI systems or for GPAI models.
On July 10, 2025, the Commission published the General‑Purpose AI Code of Practice, a voluntary framework that complements the EU AI Act and helps providers of GPAI models ensure compliance. The Code of Practice offers a practical, structured path for providers to demonstrate compliance, helping them navigate transparency, copyright, and safety obligations. These rules took effect on August 2, 2025.
The Network and Information Systems Directive 2
The EU proposed its Network and Information Systems Directive 2 (NIS2) in December 2020 to update its earlier NIS directive. NIS2 requires Member States to pass national laws obligating companies operating in eighteen critical sectors to ensure that they adhere to basic cybersecurity requirements. Requirements for companies include taking technical and organizational measures for risk management; preventing and minimizing the impact of security incidents; and notifying, without undue delay, incidents having a significant impact on the continuity of the essential services they provide. NIS2 covers more sectors, increases security requirements, addresses the security of supply chains, streamlines reporting obligations, and introduces more stringent supervisory measures and stricter enforcement requirements. It entered into force in January 2023, and Member States had until October 2024 to transpose the directive into their national laws (although as of November 2025, many Member States have yet to fully transpose the directive). Many organizations in critical sectors, including healthcare, space, and transportation, are struggling with NIS2 compliance due to outdated systems and fragmented transpositions of NIS2 among Member States. Fines under NIS2 can reach up to €10 million or 2% of global turnover, whichever is higher.
Cybersecurity Act
The EU Cybersecurity Act, adopted in March 2019, establishes a mechanism to develop a voluntary certification scheme for information and communications technology (ICT) security products, processes, and services. In January 2025, the EU adopted an amendment to the Cybersecurity Act, enabling the future adoption of European certification schemes for managed security services covering areas such as incident response, penetration testing, security audits, and consultancy. The first scheme under the Cybersecurity Act certification framework, the EU Cybersecurity Certification Scheme on Common Criteria, entered into force on February 27, 2025. It applies EU-wide, on a voluntary basis, and certifies the cybersecurity of ICT products in their lifecycle, including biometric systems, firewalls, detection, and response platforms. On April 11, 2025, the Commission launched a public consultation for a review of the Act. This review focuses on simplification, addressing areas such as the mandate of the European Union Agency for Cybersecurity, the European cybersecurity certification frameworks, and ICT supply chain security challenges. The results of the review are expected in January 2026.
The Data Governance Act
The Data Governance Act focuses on providing a legal framework, processes, and structures to promote data sharing. While GDPR regulates international transfers of personal data, the Data Governance Act regulates international transfers of non-personal data by a user who was granted access to such data by the public sector. The Data Governance Act focuses on the transfer of non-personal data, rules around the reuse of public sector data, and introduces a regime for data intermediaries. It also aims to facilitate the collection and processing of data made available through a voluntary registration system for so-called data altruism organizations and it creates a European Data Innovation Board to enable the sharing of best practices by Member States and to advise the Commission on cross-sector interoperability standards. The Data Governance Act went into force in September 2023.
Cyber Resilience Act
The Cyber Resilience Act sets mandatory cybersecurity standards for products with digital elements, including connected hardware and software. It requires these products to be secure by design, with obligations to handle vulnerabilities and report serious incidents. It entered into force on December 10, 2024. Member State conformity assessment bodies should be designated by June 2026, the reporting obligations should be in place by September 2026, and full compliance should be enforced by December 11, 2027. The law covers all products with digital elements, such as smart home devices, wearable technologies, apps, operating systems, and routers. The Act exempts products already regulated under other EU laws, including medical, automotive, aviation, and marine equipment; non-commercial open-source software; and cloud services or cloud-based software as a service.
The Cyber Resilience Act, for the first time, applied the CE mark to software, and created approval processes for a wide range of digital products and services that are required to receive the CE mark before the product can be sold in the EU.
Proposed Legislation
EU Digital Simplification Package
The draft EU Digital Simplification Package was published in November 2025, with the goal of reducing red tape, reducing costs, and modernizing EU rules for the digital sector. The package proposes legislative amendments in the areas of cybersecurity, data, and AI. The draft bill now moves to the European Parliament, where it will undergo further amendments before becoming law; additional changes are expected.
Digital Networks Act
The Digital Networks Act (DNA) seeks to reform the EU’s telecommunications framework. The proposal is expected to be published in January 2026 and will likely replace the European Electronic Communication Code. The DNA is expected to cover infrastructure development, cybersecurity, data transmission and interoperability, market regulation and competition, EU-wide digital governance, as well as 5G and emerging wireless technologies. It will also address other stakeholder demands, such as copper decommissioning, spectrum harmonization, submarine cables, and network costs. Overall, it will aim to harmonize the still fragmented European telecommunications framework that continues to hinder cross-border operations.
The AI and Cloud Development Act
The AI and Cloud Development Act is part of the AI Continent Action Plan, unveiled by the European Commission in April 2025, which aims to boost the EU’s AI and cloud infrastructure to achieve technological sovereignty and global competitiveness. The proposal for the Act is expected to be published in early 2026 and is intended to mobilize public and private investment to triple EU datacenter capacity over the next five to seven years, with a focus on AI “gigafactories” (i.e., large-scale hubs dedicated to AI workloads).
The Act’s goals are to scale up Europe’s AI and cloud capabilities; enhance security, sustainability, and sovereignty of computing infrastructure; and avoid reliance on external providers for critical digital infrastructure. The Act includes options from soft coordination (i.e., voluntary alignment) to full regulation, possibly establishing an EU-level authority to oversee enforcement and joint infrastructure investments. The Act complements the EU AI Act by ensuring the infrastructure readiness needed for compliant, sovereign AI development.
Digital Trade Opportunities
The EU’s advanced economies provide a wide range of opportunities for providers of U.S. digital technologies. For specific opportunities in each Member State, please consult the relevant Member States’ Country Commercial Guide. Opportunities at an EU-level include the following.
AI and Cloud Computing
The European Commission is making substantial investments to meet the EU’s growing demand for artificial intelligence and high-performance computing. This creates a significant opening for sovereign cloud solutions that align with the EU’s strict data sovereignty and compliance requirements. Opportunities for U.S. companies may be available pursuant to the EU’s AI Continent Action Plan, which aims to make the EU a global leader in AI. The Plan focuses on five pillars: large-scale computing infrastructure, access to high-quality data, fostering AI innovation and adoption in strategic sectors, strengthening AI skills and talent, and regulatory simplification. The Act should further drive the demand for data centers and data center components from U.S. companies. Additionally, surging AI usage and adoption of the Internet of Things create strong demand for high-performance, low-latency infrastructure, including edge data centers (i.e., smaller, distributed computing facilities placed physically closer to end-users or data sources).
Cybersecurity
U.S. cybersecurity services are in demand due to the need for increased cybersecurity solutions across virtually all Member States at a consumer, enterprise, and public level.
Quantum Technologies
On July 2, 2025, the European Commission published the Quantum Europe Strategy. Building on the 2023 European Declaration on Quantum Technologies, it focuses on creating a resilient, sovereign quantum ecosystem to boost startups and convert scientific breakthroughs into market-ready solutions. The strategy notes five priority areas to address research and innovation; quantum infrastructures; the quantum ecosystem; space and dual use potential quantum technologies; and quantum skills. It specifies concrete early-stage actions, totaling €50 million in public investment.