EU law for international business is the body of EU regulations and directives that governs the cross-border activities of companies within and with the European Union. At Musch Legal, we advise Dutch and foreign clients daily on EU compliance — from classic internal market freedoms to new obligations regarding AI, ESG, and carbon border taxation. This pillar page provides a complete guide to this area of law, where 2024–2026 has brought an unprecedented influx of new regulations.
What is EU law for international business? (What role does EU law play?)
For Dutch companies, EU law is not foreign law — it is primarily applicable law through direct effect (regulations) or national implementation (directives). The European Union has built up an extensive legal framework since 1957: the Treaty on European Union (TEU) and the Treaty on the Functioning of the European Union (TFEU), four internal market freedoms, competition law, consumer protection, environmental law, and sectoral regulations. Since 2022, the EU has dramatically increased the pace of regulation. The AI Act, CSDDD, CBAM, the new Product Liability Directive, NIS2, the Digital Services Act, the Digital Markets Act, the Data Act, the Data Governance Act, the Critical Raw Materials Act, and the Net Zero Industry Act — all recent or in the implementation phase. For exporters and importers, EU law presents both opportunities (access to the 27-member internal market of 450 million consumers) and obligations (compliance costs medium-sized enterprises 100,000-1,000,000 euros per year). For non-EU enterprises doing business in the EU: extraterritorial effect is the rule — the GDPR, the AI Act, and the CSDDD affect anyone targeting the EU market or EU citizens. For Dutch exporters to third countries: EU export and sanctions law also applies globally to EU persons.
The four internal market freedoms (Which fundamental freedoms apply?)
The heart of EU law for doing business consists of four freedoms from the TFEU. Free movement of goods (Articles 34-36 TFEU) prohibits quantitative import and export restrictions between Member States — the basis for imports within the EU being 30 percent cheaper than from third countries. Cassis de Dijon doctrine: mutual recognition of products lawfully marketed in the producing Member State.
Free movement of persons (Article 45 TFEU) guarantees EU citizens the right to work in other Member States without discrimination. For businesses: a free recruitment pool of 450 million EU citizens. Posting of Workers Directive 96/71/EC (amended 2018/957) regulates the conditions for temporary workers in another Member State.
Free movement of services (Article 56 TFEU) allows undertakings to provide services in other Member States without an establishment. Services Directive 2006/123/EC implemented this for B2B and B2C services (with sectoral exceptions). Essential for IT and consulting companies.
Free movement of capital (Article 63 TFEU) guarantees free investment between EU Member States and with third countries (the latter with exceptions). Crucial for M&A and direct investment. Recent trend: EU FDI Screening Regulation 2019/452 introduces screening of incoming investments from third countries on security grounds.
Freedom
Article TFEU
Application
Goods
Art 34-36
Cassis de Dijon, mutual recognition
Persons
Art 45
Freedom to work in the EU, Posting of workers 96/71/EC
Services
Art 56
Services Directive 2006/123/EC
Capital
Art 63
FDI Screening 2019/452 as a check
Establishment
Art 49-55
Cross-border conversion, SE, Mobility 2019/2121
Freedom
TFEU Article
Application
Goods
Art 34-36
Cassis de Dijon, mutual recognition
Persons
Art 45
Freedom to work in the EU, Posting of workers 96/71/EC
Services
Art 56
Services Directive 2006/123/EC
Capital
Art 63
FDI Screening 2019/452 as a check
Establishment
Art 49-55
Cross-border conversion, SE, Mobility 2019/2121
EU competition law in practice (Which rules apply to agreements?)
EU competition law regulates competitive behaviour. Article 101 TFEU prohibits agreements restricting competition (cartels, price fixing, market sharing). Article 102 TFEU prohibits abuse of a dominant position. Concentration Regulation 139/2004 regulates mergers and acquisitions above turnover thresholds (joint worldwide turnover > 2.5 billion euros, joint EU turnover > 100 million euros where two parties have > 25 million euros EU turnover).
For vertical relationships (supplier-distributor, supplier-agent): Vertical Regulation (Regulation 2022/720) since 1 June 2022 provides safe harbour where joint market share is below 30 percent. Hardcore restrictions remain prohibited: price fixing (resale price maintenance), absolute territorial exclusivity over safe harbour, restriction of online sales (with a few specific exceptions).
For technology licenses: Technology Transfer Block Exemption Regulation (TTBER, Regulation 316/2014). Safe harbour with a combined market share below 30 percent (competitors) or 30 percent individually (non-competitors). For R&D collaborations: R&D BER (Regulation 2023/1066) and Specialisation BER (Regulation 2023/1067) since 1 July 2023.
Sanctions for violation: fines of up to 10 percent of global turnover, personal liability of directors, civil claims by injured parties, leniency programs for whistleblowers. For Dutch undertakings: ACM and European Commission competent; Competitor investigations cost an average of 5-25 million euros in compliance, legal fees, and potential fines.
GDPR and EU data law (Which rules apply to personal data?)
The General Data Protection Regulation (Regulation 2016/679) has been the framework for the processing of personal data since 25 May 2018. Extraterritorial: GDPR applies to all undertakings that target EU persons or process EU data, regardless of their establishment.
Core obligations: legal basis for processing (Article 6), duty to inform (Articles 13-14), rights of data subjects (Articles 15-22: access, rectification, erasure, data portability, objection), Data Protection Impact Assessment for high-risk processing (Article 35), data breach notification within 72 hours (Article 33), Data Protection Officer for specific categories (Article 37).
For international data transfers: Chapter V GDPR with multiple mechanisms. Adequacy decisions for specific countries (UK since 2021, Japan, South Korea, EU-US Data Privacy Framework since July 2023). Standard Contractual Clauses (SCCs) under Implementing Decision 2021/914 for other countries. For the US: following Schrems II (CJEU C-311/18, July 2020), additional measures (encryption, supplementary measures) are required.
Fines under the GDPR up to 20 million euros or 4 percent of global turnover (highest). Recent record fines: Meta 1.2 billion euros (May 2023, data transfer alongside EU-US DPF), Amazon 746 million euros (2021). For medium-sized Dutch enterprises: AP investigations typically cost 50,000-500,000 euros in compliance and remediation.
EU AI Act: new obligations (When does the EU AI Act affect you?)
The EU AI Act (Regulation 2024/1689) is the world's first comprehensive AI regulation, in force since 1 August 2024. Applies to providers and deployers of AI systems that are on the market in the EU or affect EU persons — applicable extraterritorially.
Risk-based approach in four categories. Prohibited AI (since 2 February 2025): social scoring, real-time remote biometric identification (with exceptions), exploitation of vulnerable groups, predictive policing. High-risk AI (obligations as of 2 August 2026): critical infrastructure, education, employment and HR, essential services, law enforcement, migration, justice. Limited risk: transparency obligations (chatbots, deepfakes, AI-generated content must be labeled). Minimal risk: no specific obligations.
For high-risk AI: extensive obligations — risk management system, data governance, technical documentation, record-keeping, transparency, human oversight, accuracy and cybersecurity, conformity assessment, CE marking, registration in EU database. For providers: post-market monitoring. For deployers: appropriate use, monitoring, incident reporting.
For General Purpose AI Models (GPAI) and GPAI with systemic risk (above 10^25 FLOPS): separate obligations since 2 August 2025 — technical documentation, copyright policy under DSM Directive 2019/790, systemic risk evaluation. Fines up to 35 million euros or 7 percent of global turnover (prohibited AI), 15 million euros or 3 percent (other), 7.5 million euros or 1 percent (incorrect info).
ESG and sustainability regulations (CSRD, CSDDD and CBAM explained)
EU ESG regulations have added a new dimension since 2022. The Corporate Sustainability Reporting Directive (Directive 2022/2464) requires extensive ESG reporting in accordance with European Sustainability Reporting Standards (ESRS) since 5 January 2023. Phased implementation: large public-interest entities (>500 employees) for the 2024 financial year; large companies (>250 employees or >40M turnover) for 2025; Listed SMEs over 2026.
The Corporate Sustainability Due Diligence Directive (Directive 2024/1760) mandates due diligence on human rights and the environment in own operations, subsidiaries, and the supply chain. Phased implementation: from 26 July 2027 for the largest enterprises (5,000+ employees EU-wide or 1.5 billion euros in EU turnover); 26 July 2028 for 3,000+ employees or 900 million euros; 26 July 2029 for 1,000+ employees or 450 million euros. Obligations: risk assessment, mitigation, complaints procedure, annual report, civil liability for damages.
The Carbon Border Adjustment Mechanism (CBAM, Regulation 2023/956) levies a carbon border tax on imports of steel, aluminium, cement, fertilizer, electricity, and hydrogen. Since 1 January 2026 in the definitive period: importers must purchase CBAM certificates for embedded emissions. Prices are based on EU ETS auction prices (average 70-90 euros per tonne of CO2 in 2026). For Dutch importers, this represents a significant cost impact (5-15 percent on a cost basis for affected products).
EU Taxonomy (Regulation 2020/852) and Sustainable Finance Disclosure Regulation (SFDR, Regulation 2019/2088) affect the financial sector. For industry: also an indirect impact via investor requirements and bank financing that requires an ESG assessment.
Product and safety regulations (Which rules apply to products?)
EU has extensive product law. The General Product Safety Regulation (Regulation 2023/988) replaces the General Product Safety Directive 2001/95/EC since 13 December 2024. Direct applicability, broader scope (online sales, social media platforms), extended liability (online marketplaces, fulfilment service providers), mandatory authorised representative for non-EU producers (Article 17), enhanced traceability and safety assessment, Safety Gate notification system.
New Product Liability Directive (Directive 2024/2853) since 9 December 2024 replaces Directive 85/374/EEC after 39 years. Broader definition of 'product' (software, AI, digital services, refurbished products), parties with extended liability (online platforms, importers, fulfilment), enhanced rights of victims (disclosure, presumed defectiveness). Implementation until 9 December 2026.
Sectoral product law: Medical Devices Regulation 2017/745 (medical devices), In Vitro Diagnostic Regulation 2017/746 (IVD), Toy Safety Directive 2009/48/EC, Machinery Regulation 2023/1230 (from 14 January 2027), Construction Products Regulation 305/2011. Specific rules for CE marking for various product categories.
For digital products: Cyber Resilience Act (Regulation 2024/2847) since 10 December 2024 with essential cybersecurity requirements for products with digital elements. Phased implementation: vulnerability reporting from 11 September 2026, full implementation 11 December 2027.
Sanctions and export control (Which EU rules affect exports?)
EU sanctions have seen unprecedented expansion since 2022, particularly against Russia. Regulation 833/2014 regulates sanctions against Russia — sectoral restrictions (oil price cap, dual-use, technology, financial services, transport, media), expanded via 16 sanctions packages until 2024. Regulation 269/2014 lists targeted persons and entities (Specially Designated). Other sanctions regimes: Regulation 2010/204 Iran, Regulation 2017/2063 Venezuela, Regulation 2007/329 North Korea.
For dual-use goods: Regulation 2021/821 requires a license for the export of dual-use items in the EU Control List (Annex I). For Dutch exporters: a license from the Central Office for Import and Export (CDIU). For military items: separate Common Position 2008/944/CFSP with the EU Common Military List.
The EU Blocking Statute (Regulation 2271/96) prohibits EU persons from complying with certain US secondary sanctions (Cuba, Iran). Conflict with US OFAC rules. For Dutch enterprises with a US link: catch-22, authorization from the European Commission sometimes possible in exceptional cases.
Anti-money laundering: 6th Anti-Money Laundering Directive (Directive 2018/1673) and new AML Regulation 2024/1624 (since 9 July 2024, applicable 10 July 2027). For Dutch enterprises under the Wwft: KYC, ultimate beneficial owner (UBO) registration, suspicious transactions reporting. Fines under the Sanctions Act 1977 up to 870,000 euros or capital gains.
Cybersecurity and data: NIS2 and more (Which cyber regulations affect you?)
Network and Information Security Directive 2 (NIS2, Directive 2022/2555) has replaced NIS1 since 16 January 2023; Member States have until 17 October 2024 for implementation (NL: Cyber Security Act in 2025). Applicable to essential and significant entities in 15 sectors — energy, transport, banking, drinking water, digital infrastructure, public administration, food, postal services, and more.
NIS2 obligations: cybersecurity risk management (10 minimum measures), incident reporting (24-hour early warning, 72-hour incident notification, 1-month final report), supply chain security, board accountability (directors personally liable for gross negligence). Fines up to 10 million euros or 2 percent of global turnover (essential) and 7 million or 1.4 percent (major).
Digital Services Act (Regulation 2022/2065) since 17 February 2024 regulates online intermediaries. Digital Markets Act (Regulation 2022/1925) since 2 May 2023 regulates gatekeepers (Alphabet, Amazon, Apple, ByteDance, Meta, Microsoft, Booking — the latter since 13 May 2024). Data Act (Regulation 2023/2854) since 11 January 2024 regulates data access and cloud switching. Data Governance Act (Regulation 2022/868) regulates data intermediaries since 24 September 2023.
ePrivacy Regulation (under negotiation since 2017) would replace ePrivacy Directive 2002/58/EC — not yet adopted. Cyber Resilience Act (Regulation 2024/2847) for products with digital elements — see product section.
FDI Screening and Foreign Subsidies (How does the EU regulate inbound investments?)
The EU has had an active policy to screen inbound investments from third countries since 2019. Foreign Direct Investment Screening Regulation (Regulation 2019/452) requires national FDI screening systems since 11 October 2020. The Netherlands has implemented this via the Investment, Mergers and Acquisitions Safety Test Act (Vifo Act) since June 1, 2023.
The Vifo Act applies to vital providers (energy, water, transport, financial), sensitive technology (dual-use, quantum, biotech, AI sub-technologies), and highly sensitive sectors. Screening by the Investment Review Agency (BTI). For M&A: 3-9 months delay possible; blocking possible. Pre-deal screening is essential for cross-border deals with non-EU investors.
Foreign Subsidies Regulation (Regulation 2022/2560) in effect since January 12, 2023, fully applicable since July 12, 2023. Regulates unfair subsidies from third countries that distort competition in the EU. Mandatory notification for M&A above thresholds (concentrations with >€500M EU turnover target and >€50M foreign subsidies to parties) and large public procurement (>€250M plus >€4M foreign subsidies). Fines for non-notification up to 10 percent of global turnover.
For Dutch companies: dual compliance required for Chinese, Russian, or other state-linked investors. The Foreign Subsidies Regulation also affects EU companies receiving state aid from third countries.
Pillar: International trade law
Pillar: International commercial contracts
CSDDD due diligence supply chain
GDPR and international data transfers
EU competition law and distribution
Sanctions and export control 2026