
What legal pages does an EU website need?

Operating a website targeting European Union users means operating under one of the world's most comprehensive digital regulatory frameworks. GDPR has been in force since 2018 and is now familiar territory for most businesses. But the EU's regulatory landscape for online businesses has expanded significantly: the European Accessibility Act (EAA) came into force in June 2025, the Digital Services Act (DSA) is progressively applying to platforms of all sizes, and ePrivacy reforms continue to evolve. Here is what an EU-facing website needs to have in place.

Privacy Policy (GDPR Articles 13 and 14) — mandatory if you process personal data of EU residents. Must cover: identity and contact details of the controller; data protection officer contact if applicable; purposes and legal bases for processing; categories of data collected; recipients and third-party processors; international data transfers and safeguards; retention periods; and a full statement of individual rights including the right to lodge a complaint with a supervisory authority.

Cookie Consent Banner (ePrivacy Directive) — mandatory if you use any non-essential cookies or tracking technologies. Consent must be prior, informed, specific, and unambiguous. The banner must offer an equally prominent reject option. Implied consent through continued browsing is not valid. Cookie walls (requiring consent to access the site) are prohibited in most member states.

Cookie Policy — a separate or incorporated document listing every cookie your site sets, its purpose, duration, and whether it is first-party or third-party.
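The consent requirements above (prior, specific, explicit reject, no consent by continued browsing) and the per-cookie listing a cookie policy needs both come down to one piece of site plumbing: a registry of what the site sets, and a gate that only releases non-essential cookies after an explicit decision. The following is an added JavaScript illustration, not code from this page or from Trust Center; the registry entries, the `ConsentManager` class, the category names and the injected `storage` object are all constructed assumptions so the logic runs outside a browser.

```javascript
// Added example (not the page's or Trust Center's code). Names such as
// COOKIE_REGISTRY, ConsentManager and the category labels are assumptions.

// Constructed cookie registry: the same data drives both the consent gate
// and the cookie policy listing (name, purpose, duration, first/third party).
const COOKIE_REGISTRY = [
  { name: "session_id", category: "essential", purpose: "Keeps you logged in", duration: "Session", party: "first-party" },
  { name: "csrf_token", category: "essential", purpose: "Protects forms against cross-site request forgery", duration: "Session", party: "first-party" },
  { name: "_ga", category: "analytics", purpose: "Distinguishes visitors for usage statistics", duration: "2 years", party: "third-party" },
  { name: "ads_uid", category: "marketing", purpose: "Personalises advertising", duration: "13 months", party: "third-party" },
];

// Categories that require consent before any cookie in them may be set.
const NON_ESSENTIAL = ["analytics", "marketing"];

class ConsentManager {
  // storage is injected (anything with get/set, e.g. a Map) so the logic
  // can be exercised without a DOM or document.cookie.
  constructor(storage) {
    this.storage = storage;
    this.choice = null; // null until an explicit decision has been recorded
    const saved = storage.get("consent");
    if (saved) this.choice = JSON.parse(saved);
  }

  // Only explicit actions count. Scrolling, dismissing the banner or
  // continuing to browse are not valid consent and leave the state unchanged.
  record(action, categories = []) {
    if (action === "acceptAll") {
      this.choice = { analytics: true, marketing: true };
    } else if (action === "rejectAll") {
      // Reject must be as easy as accept: one action, same effect scope.
      this.choice = { analytics: false, marketing: false };
    } else if (action === "custom") {
      // "Specific": each non-essential category is opted into individually.
      this.choice = Object.fromEntries(NON_ESSENTIAL.map(c => [c, categories.includes(c)]));
    } else {
      return false; // implied consent is not consent
    }
    this.storage.set("consent", JSON.stringify(this.choice));
    return true;
  }

  hasDecided() {
    return this.choice !== null;
  }

  // Names of the cookies that may be set right now. Before any decision only
  // essential cookies pass ("prior" consent); afterwards, only the categories
  // the visitor opted into.
  allowedCookies() {
    return COOKIE_REGISTRY
      .filter(c => c.category === "essential" || (this.choice !== null && this.choice[c.category] === true))
      .map(c => c.name);
  }
}

// Builds the cookie policy rows from the same registry, so the published
// listing cannot drift from what the site actually sets.
function cookiePolicyRows() {
  return COOKIE_REGISTRY.map(c => `${c.name} | ${c.category} | ${c.purpose} | ${c.duration} | ${c.party}`);
}
```

In a real deployment the `allowedCookies()` result is what the tag loader consults before injecting an analytics or advertising script; the point of keeping one registry is that the banner's categories, the gate's decisions and the cookie policy table are all generated from the same source of truth.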

Terms of Service — not specifically mandated by EU privacy law, but required as a matter of contract law and consumer protection. The Consumer Rights Directive requires clear pre-contractual information for online sales. Unfair contract terms are prohibited under the Unfair Contract Terms Directive.

Impressum (Germany, Austria) — businesses targeting German-speaking markets must publish an Impressum: a mandatory provider identification statement including legal name, registered address, commercial register number, VAT number, and contact details. This is a specific German/Austrian legal requirement with no direct equivalent in most other EU member states, but it has become standard practice across EU business websites.

Accessibility Statement (EAA, from June 2025) — required for businesses covered by the European Accessibility Act offering digital services in the EU. See the dedicated EAA article for full details on who is covered.

GDPR record-keeping obligations

Article 30 of GDPR requires controllers with 250 or more employees (and all processors, and controllers whose processing involves risk, special category data, or criminal records data) to maintain a Record of Processing Activities (RoPA). For smaller businesses, a RoPA is not legally mandated but is strongly recommended as a practical tool for demonstrating accountability under Article 5(2). It should list: processing activity name; purposes; categories of data subjects; categories of personal data; recipients; third-country transfers; and retention periods.

The Digital Services Act for online businesses

The DSA's obligations scale with platform size. Most small businesses operating e-commerce stores, membership sites, or content platforms fall into the "micro/small enterprise" category and are exempt from the DSA's heaviest provisions (transparency reporting, risk assessment, algorithmic accountability). However, all online intermediaries — including basic hosting and e-commerce sites — must have a single point of contact for authorities and a mechanism for users to report illegal content. Review whether you qualify as an "intermediary service" under DSA definitions.

Ready to simplify your compliance?

Trust Center manages your privacy policies, cookie consent, and DSARs — one platform, all your brands, always up to date.

Get early access →