Compliance🇪🇺EU

EU eCommerce Legal Requirements in 2026: The Complete Checklist

13 min read

Selling online to EU customers in 2026 means navigating GDPR, the Consumer Rights Directive, the Digital Services Act, EU VAT OSS, the European Accessibility Act, and more. This checklist covers every legal requirement your store must meet.

EU eCommerce Legal Requirements in 2026: The Complete Checklist

Selling Online in the EU Has Never Been More Regulated

The EU's digital regulatory framework has expanded dramatically between 2022 and 2026. An eCommerce store that was fully compliant in 2022 may be non-compliant today across several different regulatory areas — many of which carry their own independent fine regimes.

This checklist covers every legal requirement your EU eCommerce business must meet in 2026.

---

1. Data Protection — GDPR

Status: In force since 2018. Fully enforced.

Every eCommerce store that collects data from EU customers must comply with GDPR. For eCommerce specifically, this means:

Required documents:

  • ✅ Privacy Policy — must disclose all data collected, lawful basis, retention periods, third-party sharing (payment processors, shipping providers, marketing platforms), and data subject rights
  • ✅ Cookie Policy — separate document detailing all cookies used, categories, and duration
  • ✅ Cookie Consent Banner — must appear before any non-essential cookies load; must offer an equally prominent Reject option; no pre-ticked boxes
  • ✅ Data Processing Agreements with all processors (payment gateway, email platform, shipping software, CRM, analytics)
  • Key obligations for eCommerce:

  • Email addresses collected at checkout require a lawful basis — typically contract (for transactional emails) or consent (for marketing emails). These are legally distinct. Do not conflate them.
  • Abandoned cart emails require prior consent — you cannot rely on soft opt-in for abandoned cart retargeting without complying with ePrivacy rules
  • Customer data retention periods must be defined and documented
  • Fines: Up to €20 million or 4% of global annual turnover

    ---

    2. Consumer Rights Directive — 14-Day Right of Withdrawal

    Status: In force. Updated by Omnibus Directive from 2022.

    Every eCommerce store selling to EU consumers must provide:

  • 14-day right of withdrawal — consumers can return most goods within 14 days without giving any reason
  • ✅ Clearly displayed return and refund policy before purchase is completed
  • ✅ Model withdrawal form available (consumers can use their own words but the form must be accessible)
  • ✅ Refunds processed within 14 days of receiving returned goods (or proof of return)
  • ✅ Disclosure if the consumer pays return shipping costs — if not disclosed, the seller bears the cost
  • ✅ No hidden fees — all costs (including taxes and delivery) must be shown before checkout confirmation
  • Exceptions to withdrawal right: Customised products, perishables, digital content once download begins (with prior consent), sealed hygiene products once opened.

    Fines: Vary by member state but typically €10,000-€500,000 per violation depending on severity and turnover.

    ---

    3. Digital Services Act (DSA)

    Status: Applicable to all online platforms and intermediaries since February 2024.

    The DSA applies at different levels depending on your platform size. For most eCommerce businesses, the basic obligations are:

  • Single point of contact for authorities — a designated contact for regulatory communications
  • Transparent terms of service — clear explanation of content moderation policies, restrictions on products/services sold, and enforcement mechanisms
  • Notice and action mechanism — if you operate a marketplace with third-party sellers, you must have a system for reporting illegal content or products
  • Know Your Business Customer (KYBC) — if you operate a marketplace, you must verify that traders on your platform are who they say they are before allowing them to sell
  • For marketplaces specifically: you must clearly indicate whether a seller is a trader or a private individual, as consumer protection rights differ.

    ---

    4. VAT — One-Stop-Shop (OSS)

    Status: Required for cross-border EU digital and physical sales above €10,000 per year.

    If your eCommerce store sells goods or digital services to customers in multiple EU member states and your cross-border sales exceed €10,000 per year, you must register for the EU VAT One-Stop-Shop (OSS).

    Without OSS:

  • You would need to register for VAT in every EU member state where you sell
  • Each country has different VAT rates and filing requirements
  • Non-compliance carries penalties in each member state
  • With OSS:

  • Register once in your home member state
  • File a single quarterly OSS return covering all EU cross-border sales
  • Pay VAT for all EU countries in one payment
  • eCommerce-specific VAT rates (2026 indicative):

    | Country | Standard VAT | Digital Services VAT |

    |---------|-------------|---------------------|

    | Cyprus | 19% | 19% |

    | Germany | 19% | 19% |

    | France | 20% | 20% |

    | Italy | 22% | 22% |

    | Ireland | 23% | 23% |

    You must apply the VAT rate of the customer's country, not your own.

    ---

    5. European Accessibility Act (EAA)

    Status: In force from June 28, 2025. Enforcement begins June 28, 2025.

    The EAA requires eCommerce websites and apps to be accessible to people with disabilities, aligned with WCAG 2.1 Level AA standards.

    What this means practically:

  • ✅ Images must have descriptive alt text
  • ✅ Videos must have captions and transcripts
  • ✅ Website must be navigable by keyboard alone (for users who cannot use a mouse)
  • ✅ Sufficient colour contrast ratios throughout the site
  • ✅ Forms must have clear labels and error messages
  • ✅ Checkout process must be fully accessible
  • Who must comply: All eCommerce businesses with more than 10 employees OR more than €2 million annual turnover. Micro-enterprises are exempt but should assess voluntarily.

    Fines: Set by each member state — expected to range from €10,000 to €100,000 per violation.

    ---

    6. Product Safety and Consumer Protection

    Status: EU General Product Safety Regulation (GPSR) applies from December 13, 2024.

    If you sell physical goods to EU consumers, the GPSR replaces the old General Product Safety Directive and introduces:

  • Responsible person obligation — non-EU manufacturers must appoint an EU-based Responsible Person to handle product safety compliance
  • Traceability — products must be traceable throughout the supply chain
  • Online marketplace transparency — product listings must include manufacturer details, country of origin, and relevant safety information
  • Post-market surveillance — ongoing obligation to monitor products already sold and report serious risks
  • ---

    7. Pre-Contractual Information Requirements

    Before a consumer completes a purchase, EU law requires disclosure of:

  • ✅ Full legal identity of the seller (company name, registration number, registered address)
  • ✅ Total price including all taxes and delivery costs
  • ✅ Payment methods accepted
  • ✅ Delivery timeframe
  • ✅ Withdrawal rights and return policy (with model withdrawal form link)
  • ✅ Duration of the contract for subscriptions
  • ✅ Complaint handling procedure
  • ✅ Existence of any applicable codes of conduct
  • This information must be provided before the order confirmation — not buried in a PDF or hidden in a footer link.

    ---

    8. The Dark Patterns Ban

    Status: Enforceable under the DSA and Omnibus Directive.

    The EU has moved aggressively against "dark patterns" — user interface designs that manipulate consumers into unintended choices. Banned practices include:

  • ❌ Pre-ticked boxes for marketing consent or add-on products
  • ❌ Making cancellation or unsubscribe options harder to find than sign-up options
  • ❌ Creating false urgency ("Only 1 left!" when stock is plentiful)
  • ❌ Hiding total costs until the final checkout step
  • ❌ Making the "reject cookies" button smaller or less prominent than "accept"
  • The EU's DPAs and national consumer protection authorities are actively investigating and fining platforms for dark patterns. CNIL (France), the ICO (UK), and the Irish DPC have all issued specific guidance on dark patterns in 2024-2025.

    ---

    The 2026 eCommerce Legal Checklist Summary

    | Area | Key Requirement | Fines |

    |------|----------------|-------|

    | GDPR | Privacy Policy, Cookie Policy, Consent Banner, DPAs | Up to €20M / 4% turnover |

    | Consumer Rights | 14-day withdrawal, transparent pricing | Up to €500K |

    | DSA | ToS transparency, KYBC for marketplaces | Up to 6% global turnover |

    | VAT OSS | Register if cross-border sales >€10K | Per-country penalties |

    | Accessibility (EAA) | WCAG 2.1 AA compliance | Up to €100K per violation |

    | GPSR | Product safety, traceability | Varies by member state |

    | Dark Patterns | No manipulative UX design | Included in DSA/consumer law fines |

    Need a full compliance review or the legal documents your eCommerce store is missing? Our team provides eCommerce compliance bundles covering GDPR documentation, Terms and Conditions, Refund Policy, and Cookie Compliance — ready in 48-72 hours.

    Need Legal Documents?

    Get expert-drafted legal documents customized for your business. From NDAs to GDPR policies, we've got you covered.