Selling to customers in the European Union is a significant opportunity — over 450 million consumers with high purchasing power and strong e-commerce adoption. But it comes with a compliance layer that a lot of non-European merchants either don't know about or quietly ignore.
Ignoring it is increasingly risky. EU enforcement of consumer protection and tax rules has become more active over the past few years, and the rules themselves have expanded. If EU customers represent any meaningful share of your revenue, understanding your obligations is worth the time.
Here's a practical overview of the main areas you need to understand.
VAT: the one most merchants get wrong
VAT (Value Added Tax) is the EU equivalent of sales tax, but it works differently. In the US, sales tax obligations are triggered by nexus in a state (historically physical presence, and since the 2018 Wayfair decision also economic thresholds). In the EU, VAT obligations for B2C e-commerce are triggered by where your customer is, not where you are.
If you're a non-EU business selling physical goods to consumers in Germany, France, Italy, or any other EU country, VAT is due in the customer's country. How you account for it depends on where the goods ship from and on the value of the consignment.
The OSS scheme (One Stop Shop) is the EU's simplified system for this. Instead of registering for VAT separately in each of the 27 member states, you register once and file a single return that covers all your EU B2C sales. Goods shipped from outside the EU in consignments worth up to €150 go through the Import One Stop Shop (IOSS), which files monthly; goods already held in EU stock, and services, go through the regular OSS, which files quarterly. Consignments above €150 shipped from outside the EU are taxed at import instead. This is the practical path for most cross-border e-commerce merchants.
The €10,000 threshold you will see quoted (combined annual B2C sales across all EU member states) applies only to businesses established in the EU: below it, an EU seller can keep applying its home country's VAT rules; above it, it needs OSS or individual country registrations. A business established outside the EU does not get this threshold, so its VAT obligations start with the first sale.
Digital products (ebooks, software, downloadable content) count as electronically supplied services: VAT is due at the customer's country rate from the first sale, remitted through the non-Union OSS scheme. If you sell digital products to EU consumers, you need to be collecting and remitting VAT, and keeping evidence of where each customer is located (for example billing address, IP geolocation and bank country), since that evidence is what a tax authority will ask for.
This is an area where getting proper accounting or legal advice pays for itself. The penalties for non-compliance can be significant, and the rules have country-by-country nuances.
GDPR: data collection and consent
The General Data Protection Regulation applies to any business that collects personal data from EU residents, regardless of where that business is based. If you have a contact form, an email list, Google Analytics running on your site, or a Meta Pixel tracking visitors, GDPR applies to you.
The practical requirements for a Shopify merchant:
Cookie consent. Before you run analytics or advertising tracking on EU visitors, you need their consent. This means a compliant cookie banner that actually gives visitors a choice, with refusing as easy as accepting, and with no tracking script firing until they have chosen. A banner that says "by continuing to browse, you accept cookies" is not consent: the "accept by continuing" approach has been found non-compliant in multiple EU enforcement actions.
Privacy policy. Your privacy policy needs to describe what data you collect, why you collect it, how it's stored, how long you keep it, and what rights EU users have over their data (access, deletion, portability). The Shopify-generated privacy policy is a starting point but typically needs customization for GDPR compliance.
Data processor agreements. If you use third-party services that process EU customer data on your behalf (email platforms, analytics tools, CRMs), GDPR Article 28 requires a Data Processing Agreement with each of them. Most major services (Mailchimp, Klaviyo, Google) have standard DPAs available.
Subject access requests. EU residents can request a copy of all data you hold on them, ask for it to be corrected, or ask you to delete it. You need a process for verifying the requester's identity and responding within one month (extendable by up to two further months for complex requests, provided you tell the requester why within the first month).
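The cookie consent point above is the one piece of this that is implemented in code on the storefront, so here is the gating logic behind a compliant banner as an added example in plain JavaScript. It is not code from this article or from Shopify; the storage key, policy version, category names and the loader callbacks are assumptions made for illustration, and the in-memory storage stands in for window.localStorage so the example runs outside a browser. The rule it enforces is the one that matters in enforcement actions: no analytics or marketing code runs until the visitor has made an explicit choice, and a refusal is honoured.

```javascript
// Added example: consent-gated tracker loading for a cookie banner.
// Not code from the article or from Shopify. STORAGE_KEY, POLICY_VERSION,
// the category names and the loader callbacks are assumptions; wire your
// real gtag()/fbq() initialisation into register() in place of the loaders.
//
// The non-compliant "accept by continuing" pattern would be something like
//   document.addEventListener('scroll', () => consent.decide({ analytics: true, marketing: true }));
// and must not exist anywhere on the page: only a button press calls decide().

const STORAGE_KEY = 'cookie_consent';   // assumed localStorage key
const POLICY_VERSION = 2;               // bump when the cookie policy changes; older stored decisions are re-asked
const CATEGORIES = ['analytics', 'marketing'];

// Read a previously stored decision, treating anything unparsable or taken
// under an older policy version as "no decision yet".
function readStoredConsent(storage) {
  try {
    const raw = storage.getItem(STORAGE_KEY);
    if (!raw) return null;
    const stored = JSON.parse(raw);
    if (stored.version !== POLICY_VERSION || typeof stored.choices !== 'object' || stored.choices === null) return null;
    return stored;
  } catch (e) {
    return null;
  }
}

function createConsentManager(storage, now = () => Date.now()) {
  let decision = readStoredConsent(storage);
  // Loaders registered before any decision wait here, per category.
  const pending = Object.fromEntries(CATEGORIES.map((c) => [c, []]));

  function hasConsent(category) {
    return decision !== null && decision.choices[category] === true;
  }

  // true while the banner must still be shown (no valid decision stored).
  function needsBanner() {
    return decision === null;
  }

  // Register a tracker loader. It runs at once only if consent for its
  // category already exists; with no decision yet it is queued; if the
  // category was refused it is dropped and never runs.
  function register(category, loader) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (hasConsent(category)) {
      loader();
    } else if (decision === null) {
      pending[category].push(loader);
    }
  }

  // Record the visitor's explicit choice from the banner's buttons.
  // Anything not explicitly true is treated as refused, so a "reject all"
  // button can simply call decide({}).
  function decide(choices) {
    const normalised = {};
    for (const c of CATEGORIES) normalised[c] = choices[c] === true;
    decision = { version: POLICY_VERSION, at: now(), choices: normalised };
    storage.setItem(STORAGE_KEY, JSON.stringify(decision));
    for (const c of CATEGORIES) {
      const queued = pending[c].splice(0);
      if (normalised[c]) queued.forEach((fn) => fn());
      // refused: the queued loaders are discarded
    }
  }

  // Withdrawing consent must be as easy as giving it: a footer link can
  // call this. Scripts already loaded cannot be unloaded, so the caller
  // should also delete the cookies those scripts set.
  function withdraw() {
    decide({});
  }

  return { register, decide, withdraw, hasConsent, needsBanner };
}

// Minimal in-memory stand-in for window.localStorage (constructed for this
// example so it runs outside a browser).
function memoryStorage() {
  const items = new Map();
  return {
    getItem: (k) => (items.has(k) ? items.get(k) : null),
    setItem: (k, v) => { items.set(k, String(v)); },
    removeItem: (k) => { items.delete(k); },
  };
}
```

On a real storefront you would create the manager with `window.localStorage`, call `register('analytics', ...)` and `register('marketing', ...)` for each tag at page load, show the banner only when `needsBanner()` is true, and have the banner's accept, reject and save buttons call `decide()` with the matching choices. Bumping `POLICY_VERSION` when you add a new tracker forces the banner to be shown again, which is what "consent must be specific" means in practice.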
The withdrawal directive: new in 2026
EU Directive 2023/2673, adopted in November 2023 and applied by member states from June 19, 2026, adds a new requirement on top of the existing consumer rights framework.
EU consumers have always had the right to cancel online purchases within 14 days — no reason required. The new directive requires that merchants provide a visible, accessible electronic function (a button or link) on their store where customers can exercise this right directly, without having to email or call.
The specific requirements:
- A clearly labeled withdrawal button or link ("withdraw from contract here" or equally unambiguous wording), prominently placed on the store, available throughout the withdrawal period, and usable without login
- A two-step flow: the customer fills in a withdrawal statement (name, identification of the order, email address) and then submits it with a confirmation button
- An acknowledgement of receipt sent to the customer on a durable medium (email) without undue delay, stating what was submitted and when
Non-compliance can result in fines of up to 4% of annual turnover in some EU member states, and automatically extends the customer's withdrawal window from 14 days to 12 months and 14 days.
If you sell physical goods, services, or digital content to EU consumers, this applies to you regardless of where your business is based.
Consumer rights: what EU shoppers expect by law
Beyond the withdrawal directive, EU consumer protection law gives online shoppers a set of baseline rights that you can't contract out of:
Pre-contract information. Before a customer completes a purchase, EU law requires you to provide clear information about the total price (including taxes and fees), delivery time, your identity and contact details, and the right of withdrawal.
Delivery time commitments. If you promise a delivery date and miss it, EU consumers have specific remedies including the right to cancel and get a full refund.
Conformity of goods. EU consumers have at least two years of legal guarantee against defective goods, regardless of what your own return policy says.
Where to start if you're not compliant
The order of priority depends on your situation, but for most non-EU merchants selling to European customers:
- Assess your VAT exposure. How much are you selling to EU customers, and do the goods ship from inside or outside the EU? Talk to an accountant about OSS or IOSS registration. Don't assume the €10,000 threshold shelters you: it only applies to businesses established in the EU.
- Fix your cookie consent. This is the most visible compliance issue and one of the most actively enforced. A proper cookie consent mechanism takes a few hours to set up.
- Add the EU withdrawal function. The June 2026 directive is the newest requirement and currently the most urgently needed. If you don't have a withdrawal button on your store, add one.
- Review and update your privacy policy. Make sure it covers the GDPR-specific requirements, not just generic privacy language.
- Consult a professional for your specific situation. This guide covers the main areas, but your specific obligations depend on where you're selling, what you're selling, and how much you're selling. The rules have nuances that a general overview can't fully address.
EU compliance isn't as complicated as it sounds when you break it into discrete pieces. The merchants who struggle most are the ones who treat it as a single overwhelming problem. Tackle each area separately, and most of it is manageable without expensive legal support.