Art. 85 of the Utilities Directive (2014/25/EU) contains provisions allowing contracting public entities to reject foreign goods not covered by any EU international commitments from its tender procedures. In these cases, a tender submitted for the award of a supply contract may be rejected where the proportion of the products originating in third countries exceeds 50% of the total value of the products constituting the tender (Art. 85.2). Additionally, in cases of equivalent offers, the provisions provide for a preference for European tenders and tenders covered by EU's international obligations. In practice, this possibility has rarely been used.
In Poland, the Directive has been transposed with the publication of the consolidated text of the Act - Public Procurement Law.

Poland promotes the establishment and ownership of business enterprises by both domestic and international entities, encouraging participation across diverse economic sectors. This framework is governed by the Entrepreneurship Act, effective since April 2018, which outlines legal provisions for business activities under the Commercial Companies Code. However, the government imposes restrictions on foreign ownership and equity investments in certain strategic sectors, including air transport, radio and television broadcasting, and airport and seaport operations. These restrictions do not apply to sectors relevant to digital trade.

According to the Council Directive (EU) 2017/2455 of 5 December 2017, amending Directive 2006/112/EC and Directive 2009/132/EC as regards certain value-added tax obligations for supplies of services and distance sales of goods, the de minimis threshold, that is the minimum value of goods below which customs do not charge duties, is USD 174, below the 200 USD threshold recommended by the International Chamber of Commerce (ICC).

Art. 18 (2) of Directive (EU) 2016/1148 establishes a local presence requirement, through the designation of a representative, for digital services providers not established in the Union but offering digital services within the Union. The types of digital services for the purposes of Art. 18 (2), referred to in Annex III, are online marketplace, online search engine and cloud computing services.

Art. 27 of the General Data Protection Regulation (EU) 2016/679 requires a local representative for data controllers or processors not established in the EU.

According to Art. 13 of Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market for Digital Services and amending Directive 2000/31/EC (Digital Services Act), providers of intermediary services that do not have an establishment in the Union but offer services within the Union must designate, in writing, a legal or natural person as their legal representative in one of the Member States where they operate.
This obligation applies to providers of certain information society services, as defined in Directive (EU) 2015/1535, meaning any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient. In particular, it concerns providers of intermediary services, including services commonly referred to as ‘mere conduit’, ‘caching’, and ‘hosting’ services.

Regulation 2021/821 establishes that the export of dual-use items used for both civilian and military applications is subject to control, and these goods may not leave the EU customs territory without an export authorisation. Annex I identifies a range of dual-use items that face either authorisation requirements or outright bans for exportation outside of the EU, which include electronics, computers, telecommunications and information security. Regulation 2021/821 replaces the previous regulation on the matter (Regulation (EC) No. 428/2009), as subsequently amended and implemented by Regulation (EU) No. 1232/2011 and Delegated Regulation (EU) 2018/1922, respectively.

The European Union enforces export and import controls on Russia since 2014, with the implementation of Council Regulation (EU) No. 833/2014, and more extensively since the 2022 invasion of Ukraine. A key element of these measures is Council Regulation (EU) No. 2022/328, adopted in February 2022, which prohibits the export, sale, supply, or transfer of various goods and technologies to Russia. Effective from 26 February 2022, this regulation specifically bans:
- The export of dual-use goods and technologies listed in Annex of Regulation (EU) 2021/821, affecting 6,251 goods under 929 six-digit tariff subheadings.
- The export of goods and technologies suited for use in aviation or the space industry, outlined in Annex XI, covering all products in tariff chapter 88.
This Regulation has been further complemented by several additional packages of sanctions on Russia, including measures such as bans on ICT goods—covering semiconductors, telecommunications equipment, and software—and restrictions on digital services like cloud computing. These sanctions also extend to the sale, licensing, transfer, or sharing of intellectual property rights and trade secrets that could benefit prohibited sectors or entities in Russia. Furthermore, the EU has imposed prohibitions on specific professional services, including business consultancy, legal advisory, and IT consultancy, significantly limiting Russia's access to critical expertise and resources essential for its economic and technological capabilities.
The last sanctions package ("Twelfth Package") was implemented by Council Regulation (EU) No.2023/2878, amending the Council Regulation (EU) No. 833/2014.

According to Art. 2 of Council Regulation (EU) No. 2023/1529 of 20 July 2023 Concerning Restrictive Measures in View of Iran’s Military Support of Russia’s War of Aggression Against Ukraine, it is prohibited to sell, supply, transfer, or export, directly or indirectly, goods and technology that might contribute to Iran’s capability to manufacture Unmanned Aerial Vehicles (UAVs), as listed in Annex II, whether or not originating in the Union, to any natural or legal person, entity, or body in Iran, or for use in Iran.
Initially, the only relevant products included in Annex II were electronic integrated circuits, processors, and controllers (HS 854231 and HS 854239). However, the Regulation was amended in May 2024 to expand the list of restricted products, adding monolithic microwave integrated circuits, amplifiers, and devices (HS 854233) used in 5G, 4G/LTE, Wi-Fi, and satellite communication systems; fixed capacitors (HS 853221, HS 853222, and HS 853224); and memory integrated circuits (HS 854232), which are semiconductor devices designed to store data or program code.

In February 2022, the European Union (EU) published the European Standardization Strategy, which, among other things, introduced amendments to Regulation 1025/2012 on European Standardization Organizations (ESOs). The amendment requires that ESOs limit the involvement of non-EU stakeholders in the development of harmonised European standards (EN). This change has a significant impact on the European Telecommunications Standards Institute (ETSI), which specialises in information and communications technologies (ICT) and has historically allowed direct participation from foreign firms. Additionally, it has been reported that certain policies implemented by the European Commission, such as the refusal to reference standards developed outside Europe and the imposition of new restrictions on participation in expert advisory groups (including the newly established High-Level Forum on European Standardization), indicate a broader strategy to exclude non-EU participants, challenge the recognition of international standards developed in the United States, and promote European regional standards globally.

Self-certification is allowed under equal terms for foreign and domestic companies under Art. 14 and Annex II of the Electromagnetic Compatibility Directive 2014/30/EU.
EU legislation requires that the manufacturer of a CE-marked product issues an EU Declaration of Conformity for the product and draws up technical documentation. A Declaration of Conformity (DoC) is a document signed by a manufacturer or authorised representative confirming that the product placed in the market complies with applicable EU requirements and is required for all CE Marked products sold in the EU with few exceptions. The contents of the Declaration of Conformity shall follow the model declarations set out in Annex III to Decision 768/2008/EC or in annexes to applicable legislation. (CE-marked products signify that products sold in the EEA have been assessed to meet high safety, health, and environmental protection requirements.)
The EU has concluded a number of Mutual Recognition Agreements (MRAs) with third countries that allow national conformity assessment bodies to certify product conformity for the respective markets. The EU has signed 7 MRAs, 6 of which cover electromagnetic compatibility and interference as and/or radio and telecommunications equipment.

Through the amendment of Council Regulation (EU) No. 833/2014 and Council Decision (CFSP) 2014/512/CFSP by Council Regulation (EU) 2022/350 and Council Decision (CFSP) 2022/351, the European Union imposed sanctions on a number of Russian television channels in response to “Russia’s actions destabilising the situation in Ukraine.” These measures entailed the suspension of broadcasting licences and distribution agreements, including cable distribution. The legal acts prohibit operators from enabling or facilitating the broadcasting of content by the sanctioned channels through any means, including IP-TV, internet service providers, video-sharing platforms, and applications. As a result, these channels were delisted from online search results and their social media accounts rendered inaccessible within the EU.
The EU has progressively expanded its list of sanctioned media outlets since the introduction of broadcasting bans under Art. 2f of Council Regulation (EU) No 833/2014, included by Council Regulation (EU) 2022/350 of 1 March 2022. The first restrictions were imposed in March 2022, when RT (Russia Today) and Sputnik, along with their subsidiaries, were prohibited from broadcasting or distributing content within the EU. The measures were extended in June 2022 to include Rossiya RTR (RTR Planeta), Rossiya 24 (Russia 24), and TV Centre International. In December 2022, the ban was broadened to cover NTV, NTV Mir, Rossiya 1, REN TV, and Pervyi Kanal (Channel One). Following the tenth sanctions package of 25 February 2023, which entered into force in April 2023, the EU added RT Arabic and Sputnik Arabic. The eleventh package, adopted in June 2023, further expanded the list to include RT Balkan, Oriental Review, Tsargrad TV Channel, New Eastern Outlook, and Katehon. In May 2024, the Council announced the inclusion of Voice of Europe, RIA Novosti, Izvestia, and Rossiyskaya Gazeta, measures formally tied to the fourteenth sanctions package of June 2024.

The EU has attached the WTO Telecom Reference Paper to its schedule of commitments.

The Directive (EU) 2016/681 establishes that passenger name record (PNR) data must be handled under strict territorial and organisational conditions. Each Member State is required by Art. 4.1 to designate a Passenger Information Unit (PIU), which is the authority responsible for collecting PNR data from air carriers, storing and processing those data, and sharing them with competent authorities and other PIUs for the prevention, detection, investigation and prosecution of terrorist offences and serious crime. Art. 6.8 provides that “the storage, processing and analysis of PNR data by the PIU shall be carried out exclusively within a secure location or locations within the territory of the Member States.” PNR data, defined in Art. 3.5 as a record of each passenger’s travel requirements contained in reservation or departure control systems, therefore remains under the jurisdiction of the Union once transferred to the PIU.

The EU's General Data Protection Regulation (GDPR) considerably expands the scope of EU privacy rules. In addition to companies established in the EU, the Regulation applies extraterritorially to companies offering goods or services to data subjects in the EU and companies that monitor the behavior of EU citizens (Art. 3).
The Regulation mandates that data is allowed to flow freely outside the European Economic Area (EEA) only in certain circumstances listed in Chapter 5 of the Regulation. The main conditions are the following: the recipient jurisdiction has an adequate level of data protection; the controller ensures adequate safeguards (for instance, by using model contract clauses, binding corporate rules or other contractual arrangements); the data subject has given his/her consent explicitly; or, the transfer is necessary for the performance of a contract between the data subject and the controller.
The GDPR allows for data transfers to countries whose legal regime is deemed by the European Commission to provide for an “adequate” level of personal data protection. The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, and Uruguay as providing adequate protection. In addition, the EU-US Data Privacy Framework acts as a self-certification system open to certain US companies for data protection compliance since July 2023.