Your company is in Seoul. No office in Europe, no server there, no European subsidiary — and your product already has users in Germany and France. It's easy to think that "EU law doesn't affect me", but Europe's digital rulebook was written with exactly this kind of setup in mind. After the success of the GDPR, Europe lawmakers are more eager than ever to make the rest of the World adapt to their standards. They want everyone in.

The assumption that feels safe
Most law is territorial, so "we have no eu entity, so no EU rules" is a reasonable instinct. A company with no European footprint expects to answer to its home regulator. However, EU digital law was written to close that exact gap.
Scope turns on who your users are
Scope turns on who your users are. If people in the EU are among them — you offer them goods or services, or you watch what they do online — you can be pulled in from an office thousands of kilometres away, whatever your company's address.
The same test, three different laws
The pattern repeats across the rulebook:
- GDPR, Article 3(2) reaches a company with no EU establishment when it offers goods or services to people in the EU, or monitors their behaviour.
- The AI Act, Article 2(1)(c) reaches a provider or a deployer outside the EU when the output of its AI system is used in the Union.
- The Cyber Resilience Act, Article 2 reaches any product with digital elements made available on the EU market, wherever it was built.
In every case, the thing that pulls you in is an EU user.

Why this lands on Korean exporters
A Korean company selling into the EU is the textbook example. Korea's Personal Information Protection Commission illustrates GDPR's reach with a Korean hotel chain that sells European packages online with no EU office, and concludes the law may still apply through Article 3(2).
The reach is enforced: in 2024 a Dutch regulator fined Clearview AI — a US company with no EU establishment — €30.5 million.
"How did they apply that fine?" You may ask. Collecting from a firm with no European assets is the harder part, so the regulator added leverage: a further penalty of up to €5.1 million if Clearview keeps ignoring the order, and an investigation into holding its directors personally liable for knowingly letting the violations run.
If you want EU customers, you might be far more exposed than Clearview ever was — EU revenue, EU partners, and EU payment flows, all answer to the same regulators.
Find out what may reach you
Before asking "are we compliant?", take a step back to think about this: which regulations even apply to us? We built a free tool to help you answer it: the EU Regulation Scoper. You answer a few straightforward questions about your company, and it lists the EU digital regulations that may apply to you — each with the article that sets its scope, the dates, and a link to the official text.
- 100% free
- Runs in your browser
- Stores nothing
- Needs no account
Do you know which EU rules could reach your company?
References
- EUR-Lex — GDPR, Article 3 (territorial scope)
- EUR-Lex — AI Act, Article 2 (scope)
- EUR-Lex — Cyber Resilience Act, Article 2 (scope)
- 개인정보보호위원회 — 우리 기업을 위한 EU 일반 개인정보보호법(GDPR) 가이드북
- Autoriteit Persoonsgegevens — Dutch DPA imposes €30.5m fine on Clearview AI