In February 2022, the European Union (EU) published the European Standardization Strategy, which, among other things, introduced amendments to Regulation 1025/2012 on European Standardization Organizations (ESOs). The amendment requires that ESOs limit the involvement of non-EU stakeholders in the development of harmonised European standards (EN). This change has a significant impact on the European Telecommunications Standards Institute (ETSI), which specialises in information and communications technologies (ICT) and has historically allowed direct participation from foreign firms. Additionally, it has been reported that certain policies implemented by the European Commission, such as the refusal to reference standards developed outside Europe and the imposition of new restrictions on participation in expert advisory groups (including the newly established High-Level Forum on European Standardization), indicate a broader strategy to exclude non-EU participants, challenge the recognition of international standards developed in the United States, and promote European regional standards globally.

Self-certification is allowed under equal terms for foreign and domestic companies under Art. 14 and Annex II of the Electromagnetic Compatibility Directive 2014/30/EU.
EU legislation requires that the manufacturer of a CE-marked product issues an EU Declaration of Conformity for the product and draws up technical documentation. A Declaration of Conformity (DoC) is a document signed by a manufacturer or authorised representative confirming that the product placed in the market complies with applicable EU requirements and is required for all CE Marked products sold in the EU with few exceptions. The contents of the Declaration of Conformity shall follow the model declarations set out in Annex III to Decision 768/2008/EC or in annexes to applicable legislation. (CE-marked products signify that products sold in the EEA have been assessed to meet high safety, health, and environmental protection requirements.)
The EU has concluded a number of Mutual Recognition Agreements (MRAs) with third countries that allow national conformity assessment bodies to certify product conformity for the respective markets. The EU has signed 7 MRAs, 6 of which cover electromagnetic compatibility and interference as and/or radio and telecommunications equipment.

The Directive (EU) 2016/681 establishes that passenger name record (PNR) data must be handled under strict territorial and organisational conditions. Each Member State is required by Art. 4.1 to designate a Passenger Information Unit (PIU), which is the authority responsible for collecting PNR data from air carriers, storing and processing those data, and sharing them with competent authorities and other PIUs for the prevention, detection, investigation and prosecution of terrorist offences and serious crime. Art. 6.8 provides that “the storage, processing and analysis of PNR data by the PIU shall be carried out exclusively within a secure location or locations within the territory of the Member States.” PNR data, defined in Art. 3.5 as a record of each passenger’s travel requirements contained in reservation or departure control systems, therefore remains under the jurisdiction of the Union once transferred to the PIU.

The EU's General Data Protection Regulation (GDPR) considerably expands the scope of EU privacy rules. In addition to companies established in the EU, the Regulation applies extraterritorially to companies offering goods or services to data subjects in the EU and companies that monitor the behavior of EU citizens (Art. 3).
The Regulation mandates that data is allowed to flow freely outside the European Economic Area (EEA) only in certain circumstances listed in Chapter 5 of the Regulation. The main conditions are the following: the recipient jurisdiction has an adequate level of data protection; the controller ensures adequate safeguards (for instance, by using model contract clauses, binding corporate rules or other contractual arrangements); the data subject has given his/her consent explicitly; or, the transfer is necessary for the performance of a contract between the data subject and the controller.
The GDPR allows for data transfers to countries whose legal regime is deemed by the European Commission to provide for an “adequate” level of personal data protection. The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, and Uruguay as providing adequate protection. In addition, the EU-US Data Privacy Framework acts as a self-certification system open to certain US companies for data protection compliance since July 2023.

Art. 32.1 of the Data Act stipulates that providers of data processing services shall take all adequate technical, organisational and legal measures, including contracts, in order to prevent international and third-country governmental access and transfer of non-personal data held in the EU where such transfer or access would create a conflict with EU law or with the national law of the relevant Member State. Certain exceptions to this obligation are envisaged, such as compliance with a binding court order issued in the receiving country under existing mutual legal assistance agreements to which the EU is a party.
It is reported that this provision may place onerous obligations on non-EU service providers and could potentially hinder their capacity to compete effectively within the European market. A particularly complex issue arises in relation to cloud service providers handling mixed data sets, as they must navigate the constraints imposed by Art. 32 of the Data Act alongside the limitations on personal data transfers set out in Chapter V of the EU General Data Protection Regulation (GDPR). In practice, cloud providers may be required to conduct a separate risk assessment under the Data Act, in addition to any transfer impact assessment necessitated by the GDPR.

The European Union has joined agreements with binding commitments to open transfers of data across borders: the Trade and Cooperation Agreement between the European Union and the European Atomic Energy Community, of the One Part, and the United Kingdom of Great Britain and Northern Ireland, of the Other Part (Art. 201), the Agreement between the European Union and Japan for an Economic Partnership (Art. 8.81), and the EU-New Zealand Free Trade Agreement (Chapter 12, Art. 12.4).

Since May 2018, the General Data Protection Regulation (GDPR) requires that organisations conducting "regular and systematic monitoring of data subjects on a large scale" or whose activities include the processing of sensitive personal data on a large scale must appoint a Data Protection Officer (DPO). Previously, only European institutions and bodies were required to appoint at least one person as a DPO, with some Member States also imposing such requirements on private companies. In addition, under the GDPR, Data Protection Impact Assessments (DPIAs) are mandatory for data processing activities that are likely to result in a high risk to the rights and freedoms of natural persons.

The EU has attached the WTO Telecom Reference Paper to its schedule of commitments.

In January 2022, the European Commission imposed a minimum import price and anti-dumping duties on flat-rolled products of grain-oriented silicon magnetic steel, which is an important material in the production of energy-efficient transformers and large high-performance generators. The measures apply to imports from China, Japan, the Republic of Korea, the Russian Federation, and the United States of America. This is a continuation of measures first introduced in May 2015 by Implementing Regulation (EU) 2015/1953. The minimum import prices (MIPs) currently in force range between 1,536 EUR/tonne to 2,043 EUR/tonne. They apply to the individually named exporting producers for which individual dumping margins were established from all the countries concerned. If the CIF Union border price is equal to or above the MIP, no duty is payable. Only if import prices are below this level are anti-dumping duties imposed, set at the difference between the import price and the minimum import price, up to a maximum ranging from 21.5% to 39% of the import price. The system of minimum import prices and anti-dumping duties was introduced in 2015, while the level of duties was adjusted in 2022.

In July 1990, the European Commission imposed a definitive anti-dumping duty on imports of silicon metal (HS Code: 280469) from China, which is also used in the production of silicon compounds and silicon wafers for electronic semiconductors. This measure was first extended to imports from the Republic of Korea, regardless of their declared origin, under Council Regulation (EC) No 42/2007. In 2013, it was further extended to imports from Taiwan, again irrespective of their declared origin, by Council Implementing Regulation (EU) No 311/2013. This measure was last extended in August 2022. The rate of duty is 16.8% of the net free-at-Union-frontier price, with the exception of the company Datong Jinneng Industrial Silicon Co., whose exports are subject to a duty of 16.3% of the net free-at-Union-frontier price.

In December 2024, the European Commission adopted Implementing Regulation (EU) 2024/3014, thereby imposing a definitive anti-dumping duty on imports of optical fibre cables (CN code ex 8544 70 00) originating from India. The applicable duties range from 6.9% to 11.4%, with two categories of products explicitly excluded from the scope of the measure:
- cables shorter than 500 metres in which all optical fibres are individually equipped with operational connectors at one or both ends, and
- submarine-use cables, plastic-insulated, containing a copper or aluminium conductor, with fibres enclosed in metal modules.
This definitive measure followed the imposition of provisional anti-dumping duties in June 2024, which applied to single-mode optical fibre cables imported from India. The provisional duties ranged from 8.7% to 11.4% and covered cables exceeding 500 metres in length, while similarly excluding cables fitted with connectors and submarine cables.
The European Commission initiated its investigation in November 2023 in response to a complaint lodged by Europacable, the industry association representing European cable producers, alleging that Indian exporters were engaging in dumping practices that caused material injury to the Union industry.

The International Procurement Instrument (IPI) introduces measures limiting the access to open EU public procurement tenders of non-EU companies from countries that do not offer similar access to EU companies. The measures apply to tenders worth at least 15 million Euros for works and concessions and 5 million Euros for goods and services, such as the purchasing of computers.
Pursuant to Art. 5, the IPI enables the Commission to investigate third-country measures or practices adopted or maintained by public authorities or individual contracting authorities, which result in a serious and recurrent impairment of access of Union economic operators, goods or services to the public procurement or concession markets of that third country. When the Commission finds that a third-country measure or practice exists, it may adopt an IPI measure that requires contracting authorities or contracting entities to impose a score adjustment on tenders submitted by economic operators originating in that third country or exclude tenders submitted by economic operators originating in that third country.
The Regulation is yet to be implemented by EU Member States. Typically, the implementation by Member States takes 18–24 months on average after adoption.

Although the European Union is a signatory to the WTO Government Procurement Agreement (GPA), its coverage schedules do not include "telecommunications-related services" (CPC 754), which is an important sector for digital trade.

The Trade Secrets Directive (EU) 2016/943 protects trade secrets while also allowing for disclosure of trade secrets for reasons of public interest, either to the public or to public authorities in the performance of their duties. Art. 1.2 states that "this Directive shall not affect: [..] (b) the application of Union or national rules requiring trade secret holders to disclose, for reasons of public interest, information, including trade secrets, to the public or to administrative or judicial authorities for the performance of the duties of those authorities."
Moreover, Art. 5 stipulates that Member States shall ensure that an application for the measures, procedures and remedies provided for in this Directive is dismissed where the alleged acquisition, use or disclosure of the trade secret was carried out in any of the following cases for revealing misconduct, wrongdoing or illegal activity, provided that the respondent acted for the purpose of protecting the general public interest.

Regulation EU 2019/1150 on promoting fairness and transparency for business users of online intermediation services (the Platform to Business Regulation) requires the disclosure of certain features of algorithms, which may constitute trade secrets. Art. 5 stipulates that online intermediation services must disclose the main ranking parameters and their relative importance to business users through terms of service, while online search engines need to make similar disclosures publicly. The Commission's December 2020 guidance on ranking (§82) argues that providers cannot refuse to disclose the main parameters based on the sole argument that these constitute a trade secret.