According to the Council Directive (EU) 2017/2455 of 5 December 2017 amending Directive 2006/112/EC and Directive 2009/132/EC as regards certain value added tax obligations for supplies of services and distance sales of goods, the de minimis threshold, that is the minimum value of goods below which customs do not charge duties, is USD 174, below the 200 USD threshold recommended by the International Chamber of Commerce (ICC).

There are complaints in 2021 concerning EU product requirements regulated under the so-called “New Legislative Framework” (NLF), which replaces the Multi-Stakeholder Platform on ICT Standardisation that provides industry guidance on standardisation to the Commission. Legislation adopted under the NLF privileges European standards (EN), imposing additional costs and uncertainty on producers relying on alternative standards. The technical committees, which draft harmonized ENs, generally exclude non-EU nationals from participating in their standard-drafting process, or at least deny them a vote.

Self-certification is allowed under equal terms for foreign and domestic companies under article 14 and Annex II of the Electromagnetic Compatibility Directive 2014/30/EU.
EU legislation requires that the manufacturer of a CE marked product issues an EU Declaration of Conformity for the product and draws up technical documentation. A Declaration of Conformity (DoC) is a document signed by a manufacturer or authorised representative confirming that the product placed in the market complies with applicable EU requirements, and is required for all CE Marked products sold in the EU with few exceptions. The contents of the Declaration of Conformity shall follow the model declarations set out in Annex III to Decision 768/2008/EC or in annexes to applicable legislation. (CE-marked products signify that products sold in the EEA have been assessed to meet high safety, health, and environmental protection requirements.)
The EU has concluded a number of Mutual Recognition Agreements (MRAs) with third countries that allow national conformity assessment bodies to certify product conformity for the respective markets. The EU has signed 7 MRAs, 6 of which cover electromagnetic compatibility and interference as and/or radio and telecommunications equipment

Regulation 2021/821 establishes that the export of dual use items used for both civilian and military applications is subject to control and these goods may not leave the EU customs territory without an export authorisation. The Annex I identifies a range of dual-use items that face either authorization requirements or outright bans for exportation outside of the EU, which include electronics, computers, telecommunications and information security. The Regulation 2021/821 replaces the previous regulation on the matter (Regulation(EC) No. 428/2009), as subsequently amended and implemented by Regulation (EU) No. 1232/2011 and Delegated Regulation (EU) 2018/1922 respectively.

There are only two specific cases where the EU public procurement market can be closed to foreign bidders from third countries: the Defence Directive (not relevant for digital trade) and the Utilities Directive.
Art. 85 of the Utilities Directive (2014/25/EU) contains provisions allowing contracting public entities to reject from its tender procedures foreign goods not covered by any EU international commitments. In those cases, a tender submitted for the award of a supply contract may be rejected where the proportion of the products originating in third countries exceeds 50% of the total value of the products constituting the tender (Art. 85.2). Additionally, in cases of equivalent offers, the provisions provide for a preference for European tenders and tenders covered by EU's international obligations. In practice, this possibility has rarely been used.

Art. 17 of Directive 2019/790 on Copyright in the Digital Single Market (DSM Directive) mandates that providers of content-sharing services seek authorisation from rights holders and implement technical solutions to remove and prevent unauthorised uploads by their users (so-called upload filters), under penalty of losing their liability safe harbour. Further arrangements are envisaged for complaints and dispute resolution mechanisms. Such upload filters are reported to be a significant cost for online platforms.
Graduated exemptions are expected to be put in place for new providers, active in the EU for less than three years and with a turnover under EUR 10 million, and with fewer than five million users. The provision is subject to a challenge in the Court of Justice by Poland (C-401/19).

Through Council Regulation (EU) 2022/350 and Council Decision (CFSP) 2022/351, the EU has sanctioned a number of Russian TV channels, as a result of "Russia's actions destabilising the situation in Ukraine". The sanctions entail the suspension of broadcast licenses and distribution agreements (e.g. over cable) A wide range of operators are supposed not to enable or facilitate the broadcast of any content by these channels including through "IP-TV, internet service providers, internet video-sharing platforms or application". As a result, these channels have been delisted from online search results and their social media accounts are no longer accessible in the EU. (Some of these accounts had already been voluntarily suspended by major digital platforms). Their websites are nevertheless still accessible.

Since May 2018, the General Data Protection Regulation (GDPR) requires that organizations conducting "regular and systematic monitoring of data subjects on a large scale" or whose activities include the processing of sensitive personal data on a large scale, must appoint a Data Protection Officer (DPO). Previously, only European institutions and bodies were required to appoint at least one person as a DPO, with some Member States imposing such requirements also on private companies. In addition, under the GDPR, Data Protection Impact Assessments (DPIAs) are mandatory for data processing activities likely to result in a high risk to the rights and freedoms of natural persons.

The European Union General Data Protection Regulation (GDPR), entered into force in 2018, considerably expands the scope of EU privacy rules. In addition to companies established in the EU, the Regulation applies extraterritorially to companies offering goods or services to data subjects in the EU and companies that monitor the behavior of EU citizens (Art. 3). In addition, there is complementary legislation such as Directive (EU) 2016/680, on the protection of natural persons regarding processing of personal data connected with criminal offences or the execution of criminal penalties, and on the free movement of such data.

The EU's General Data Protection Regulation (GDPR) considerably expands the scope of EU privacy rules. In addition to companies established in the EU, the Regulation applies extraterritorially to companies offering goods or services to data subjects in the EU and companies that monitor the behavior of EU citizens (Art. 3).
The Regulation mandates that data is allowed to flow freely outside the European Economic Area (EEA) only in certain circumstances listed in Chapter 5 of the Regulation. The main conditions for such a transfer are the following: the recipient jurisdiction has an adequate level of data protection; the controller ensures adequate safeguards (for instance, by using model contract clauses, binding corporate rules or other contractual arrangements); the data subject has given his/her consent explicitly; or, the transfer is necessary for the performance of a contract between the data subject and the controller.
The GDPR allows for data transfers to countries whose legal regime is deemed by the European Commission to provide for an “adequate” level of personal data protection. The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, and Uruguay as providing adequate protection. In addition, the EU-US Data Privacy Framework acts as a self-certification system open to certain US companies for data protection compliance since July 2023.

The European Union has joined ond agreement with binding commitments to open transfers of data across borders: the Trade and Cooperation Agreement between the European Union and the European Atomic Energy Community, of the One Part, and the United Kingdom of Great Britain and Northern Ireland, of the Other Part (Art. 201).

The EU has attached the WTO Telecom Reference Paper to its schedule of commitments.

Art. 3[2] of the Directive 2014/61/EU establishes that Member States shall ensure that, upon written request of an undertaking providing or authorised to provide public communications networks, any network operator has the obligation to meet all reasonable requests for access to its physical infrastructure under fair and reasonable terms and conditions, including price, with a view to deploying elements of high-speed electronic communications networks. Such written request shall specify the elements of the project for which the access is requested, including a specific time frame.

The Digital Services Act (DSA) envisages research access to data under confidentiality obligations, as well as access to algorithms and explanations by regulators. It is reported that certain requirements in the DSA create uncertainty in relation to trade secret protection as very large online platforms can be under an obligation to open access to their (confidential) data. Article 25 defines very large online platforms as those platforms which reach a number of average monthly active recipients of the service in the Union equal to or higher than 45 million.
Art. 31 of the DSA provides a framework for compelling access to data from very large online platforms to competent national authorities (“Digital Services Coordinators”) to monitor and assess compliance with the Regulation. The Digital Services Coordinator may also request large online platforms to provide access to data to vetted researchers for researching and identifying systemic risks as set out in Art. 26(1). Such a requirement may include, for example, data on the accuracy, functioning and testing of algorithmic systems for content moderation. All requirements for access to data under the framework should be proportionate and appropriately protect the rights and legitimate interests, including trade secrets and other confidential information.
Moreover, according to Art. 31(6) a platform may apply to amend the data request if it will lead to “significant vulnerabilities for the protection of confidential information.”

The Directive on the protection of undisclosed know-how and business information (trade secrets) is key in harmonising national laws concerning trade secrets by:
- ensuring an equivalent level of protection of trade secrets throughout the Union
- introducing a uniform definition of the term "trade secret"
- providing common measures against the unlawful acquisition, use, and disclosure of trade secrets.
At the same time, the Directive contains several exceptions to the protection of trade secrets, e.g. to the advantage of those who reveal misconducts, wrongdoing, or illegal activity if a disclosure of a trade secret serves the public interest.