On this page
- Regulatory map at a glance (as-of 2026-06-25)
- Directive-by-directive
- EU Omnibus Directive (Directive 2019/2161)
- Withdrawal Button — Directive (EU) 2023/2673
- Digital Services Act (DSA) — Regulation (EU) 2022/2065
- European Accessibility Act (EAA) — Directive (EU) 2019/882
- EU AI Act — Regulation (EU) 2024/1689
- Consumer Credit Directive II (CCD2) — Directive (EU) 2023/2225
- PPWR — Packaging and Packaging Waste Regulation (EU) 2025/40
- Digital Markets Act (DMA) — Regulation (EU) 2022/1925
- General Product Safety Regulation (GPSR) — Regulation (EU) 2023/988
- Green Claims Directive (EmpCo) — Directive (EU) 2024/825
- Right to Repair Directive — Directive (EU) 2024/1799
- Cross-cutting themes
- Key terms
- Active frontiers (dangling links → next research topics)
EU Ecommerce Directives
EU Ecommerce Directives
A wave of EU regulation came into force between 2024 and 2026, collectively reshaping obligations for any business selling online to EU consumers — regardless of where the seller is incorporated. This page maps the full directive landscape, enforcement dates, penalty levels, and ecommerce-specific obligations.
Regulatory map at a glance (as-of 2026-06-25)
| Directive / Regulation | Short name | Status | Key date |
|---|---|---|---|
| Directive (EU) 2019/2161 | Omnibus Directive | In force | Applied May 2022 (most member states) |
| Directive (EU) 2023/2673 | Withdrawal Button | In force | 19 June 2026 |
| Regulation (EU) 2022/2065 | Digital Services Act (DSA) | In force | Fully applicable 17 Feb 2024 |
| Directive (EU) 2019/882 | European Accessibility Act (EAA) | In force | 28 June 2025 |
| Regulation (EU) 2024/1689 | EU AI Act | Phased in | Article 50 (labelling) from 2 Aug 2026 |
| Directive (EU) 2023/2225 | Consumer Credit Directive II (CCD2) | Transposing | Application from 20 Nov 2026 |
| Regulation (EU) 2025/40 | PPWR (Packaging) | Phased in | Parcel rules from 12 Aug 2026 |
| Regulation (EU) 2022/1925 | Digital Markets Act (DMA) | In force | Applies to gatekeepers only |
| Regulation (EU) 2023/988 | GPSR | In force | 13 Dec 2024 |
| Directive (EU) 2024/825 | Green Claims (EmpCo) | In force | Most member states |
| Directive (EU) 2024/1799 | Right to Repair | Transposing | Implementation by 31 Jul 2026 |
Directive-by-directive
EU Omnibus Directive (Directive 2019/2161)
The Omnibus Directive amended the Consumer Rights Directive, the Unfair Commercial Practices Directive, and the Price Indication Directive. Three key obligations for ecommerce:
Price promotion transparency: Any announcement of a price reduction must display the lowest price charged by that trader in the prior 30 days — not the manufacturer's suggested retail price (termly.io). Non-compliance risks fines of up to 4% of annual turnover (as-of 2026, volatile) (termly.io).
Personalised pricing disclosure: Traders must disclose when prices are personalised based on consumer profiling (termly.io). Automated repricing tools must be disclosed if prices change algorithmically (price2spy.com).
Verified reviews only: Traders may not display unverified consumer reviews; only reviews from verified buyers may be shown (termly.io).
See also: CCD II (Consumer Credit Directive II) for the BNPL-specific pricing implications.
Withdrawal Button — Directive (EU) 2023/2673
Full coverage on this topic: see Withdrawal Button
The Withdrawal Button directive requires a permanently visible, labelled electronic withdrawal mechanism for all online contracts where a statutory right of withdrawal exists. Effective 19 June 2026. The vault has a dedicated concept page covering the full UX flow, exceptions, and national fine structures (Germany: up to €2M or 4%; France: up to €75,000 — as-of 2026-05-19, Greenberg Traurig). (Greenberg Traurig, gtlaw.com, 2026-05-19)
Digital Services Act (DSA) — Regulation (EU) 2022/2065
The DSA replaced the E-Commerce Directive 2000, which had pre-dated major platforms and treated them as exempt from liability. It became fully applicable to all entities on 17 February 2024 (digital-strategy.ec.europa.eu). According to Christel Schaldemose, the lead DSA negotiator in the European Parliament, the core design principle is a tiered obligation model: "the bigger a platform is, the bigger obligations are we putting on them" (CSIS, 2025-02-26).
Who is a VLOP? Very Large Online Platforms (VLOPs) are those with over 45 million monthly EU users. As of February 2025, approximately 23 platforms had been designated as VLOPs, including AliExpress, Temu, TikTok, and X (CSIS transcript, 2025-02-26). Standard ecommerce retailers below this threshold face lighter obligations.
Online marketplace obligations (all sizes): Marketplaces must perform "Know Your Business Customer" (KYBC) checks and list seller contact information; compliance for pre-existing traders was required by 17 February 2025 (as-of 2026, volatile) (adherent.com). Marketplaces must provide user-friendly flagging systems for illegal goods and process alerts in a timely, diligent manner (DigitalEU/EC, 2024-03-25).
VLOP-specific obligations: VLOPs must conduct annual impact assessments; if systemic risks are found (e.g., to public health or democracy), they must risk-mitigate — though the DSA does not prescribe specific mitigation methods (CSIS, 2025-02-26). EU Commission (not member states) is the enforcer for VLOPs (CSIS, 2025-02-26). As of November 2025, the Commission had opened 14 VLOP investigations (lexology.com).
Content legality: The DSA does not harmonise what is legal or illegal across EU member states — illegality is determined by national law and platforms must act on notified illegal content country by country (CSIS, 2025-02-26).
Transparency reporting: From 1 July 2025, all intermediary service providers must use standardised templates and categories for DSA transparency reports (as-of 2026, volatile) (eu-digital-services-act.com).
Penalties: Sanctions can reach up to 6% of global annual turnover; periodic penalties up to 5% of average daily turnover for delayed compliance (tipalti.com).
Schaldemose noted that GDPR fines have "not had the impact" hoped for as a deterrent, and the DSA was deliberately designed with heavy fines — modelled on US enforcement practice — to be "dissuasive" (CSIS, 2025-02-26).
European Accessibility Act (EAA) — Directive (EU) 2019/882
The EAA entered enforcement across all 27 EU member states on 28 June 2025. It applies to all online retailers and service providers selling goods or services to EU consumers — regardless of where the business is headquartered (Bird & Bird, twobirds.com, 2025-01-08).
Scope of "e-commerce services": The EAA defines e-commerce services broadly to include not just checkout but all steps that lead to the conclusion of a transaction — including product information pages and shopping cart flows (Bird & Bird, 2025-01-08). Accessibility requirements explicitly include websites and mobile apps meeting WCAG 2.1 AA (perceivable, operable, understandable, robust); accessible identification methods, electronic signatures, and payment services; and offline help desk support for accessibility queries (Bird & Bird, 2025-01-08). Checkout flows — including 2FA authentication and payment processing — must be fully accessible (Leaders for Accessibility, ~2025).
Transition period: Services already on the market before 28 June 2025 have a transition period until 28 June 2030 — but operators must still publish an accessibility statement and demonstrate progress immediately (usablenet.com, siteimprove.com).
Microenterprise exemption: Businesses with fewer than 10 employees and annual turnover below €2 million are partially exempt (siteimprove.com, Skills Singh, ~2025).
Harmonised standard gap: No harmonised standard (EN 301 549 update) had been adopted under the EAA as of January 2025; an updated version was expected in early 2025 but not yet published (Bird & Bird, 2025-01-08).
Penalties (as-of 2025, volatile, country-specific):
- Germany: up to €100,000 per violation (usablenet.com)
- France: €5,000–€250,000 plus €25,000/year for missing accessibility statements (siteimprove.com)
- Italy: up to 5% of annual revenue (usablenet.com)
- Most other EU countries: €10,000–€100,000 per infringement ceiling (usablenet.com)
Early enforcement signal: Within days of the 28 June 2025 enforcement date, French disability advocacy organisations issued formal legal notices to four major grocery retailers demanding EAA compliance, with emergency injunctions filed in November 2025 when compliance proved insufficient (Leaders for Accessibility, ~2025).
New vs existing services transition: Bird & Bird (twobirds.com, 2025-01-08) states that existing services have until 28 June 2030 for full compliance; some vendor sources (e.g. Consentmo) framed June 2025 as a hard deadline for all. The Bird & Bird primary-source reading is: new services must comply from 28 June 2025; existing services have until 2030 but must publish accessibility statements and show progress immediately.
EU AI Act — Regulation (EU) 2024/1689
The EU AI Act entered into force 1 August 2024 in a phased rollout (digital-strategy.ec.europa.eu):
| Obligation | Applicable from |
|---|---|
| Prohibited AI practices + AI literacy | 2 February 2025 |
| GPAI model obligations | 2 August 2025 |
| Article 50 transparency (AI content labelling) | 2 August 2026 |
| Full applicability | 2 August 2026 |
Article 50 — ecommerce implications: From August 2026, retailers using AI-generated product photography, chatbots, recommendation engines, or personalisation must disclose to consumers that they are interacting with AI (metaprice.io). Retailers using AI-modified product images must add "AI-generated image" labelling; C2PA metadata embedding is emerging as the technical standard (rewarx.com). This obligation was confirmed by Christel Schaldemose in a February 2025 CSIS interview: "there is also a provision in the EU AI Act about this, about making AI-generated content labeled as such. And this will apply from August... of next year" (2026) (CSIS, 2025-02-26).
AI literacy obligation (since Feb 2025): Companies must ensure staff are trained in the use of AI systems. Most ecommerce brands have not yet begun their compliance journey (as-of publication date, volatile) (carbon6.io).
Penalties: Maximum fine for violations of prohibited AI use rules: the higher of €35 million or 7% of worldwide annual turnover (rewarx.com).
Consumer Credit Directive II (CCD2) — Directive (EU) 2023/2225
Related coverage: see BNPL
Member states must transpose CCD2 by 20 November 2025 and apply measures from 20 November 2026 (DWF Group, dwfgroup.com, 2025-07). CCD2 explicitly captures Buy Now Pay Later as consumer credit and expands scope from credits of €200+ to smaller amounts — meaning webshops offering instalment plans (including deferred payment after 30 days) must conduct creditworthiness assessments on consumers prior to every contract (signicat.com).
Pre-contractual information must be provided at least one day before agreement; if not, the lender or intermediary must inform the consumer of their right of withdrawal within seven days (DWF Group, 2025-07).
PPWR — Packaging and Packaging Waste Regulation (EU) 2025/40
The PPWR took effect 11 February 2025 with an 18-month transition period (natlawreview.com):
- From 12 August 2026: Ecommerce packaging must comply with space efficiency rules — empty space in parcels must not exceed 40% (as-of publication, volatile) (natlawreview.com).
- From 2027: Packaging must carry digital identifiers (e.g. QR codes) linking to structured environmental information (as-of publication, volatile) (natlawreview.com).
- From 2030: Online sellers must offer a reusable shipping option at checkout (as-of publication, volatile) (natlawreview.com).
Digital Markets Act (DMA) — Regulation (EU) 2022/1925
The DMA applies specifically to "gatekeepers" — platforms designated by the Commission with over 45 million monthly EU users and over €7.5 billion annual revenue. Standard ecommerce retailers are not directly obligated as gatekeepers; however, they may be affected as business users of gatekeeper platforms (e.g., Apple App Store, Google Search, Meta Ads) (digital-strategy.ec.europa.eu).
General Product Safety Regulation (GPSR) — Regulation (EU) 2023/988
The GPSR came into force on 13 December 2024, replacing the General Product Safety Directive. It covers products sold online including new, used, repaired, and reconditioned goods (EU Justice and Consumers channel, ~2024). Under the GPSR, a responsible economic operator in the EU — manufacturer, importer, authorised representative, or fulfilment service provider — must be designated for each product sold in the EU. The GPSR incorporates cybersecurity and AI-related product safety requirements for products with learning or predictive AI capabilities (EU Justice and Consumers channel, ~2024).
Practitioner signal indicates Shopify provided no native tooling for GPSR compliance and merchants had to self-solve with metafields and third-party apps while Amazon and Etsy had already sent compliance notices to sellers (Shopify Community, 2024-11).
Green Claims Directive (EmpCo) — Directive (EU) 2024/825
The EmpCo Directive bans generic sustainability claims ("eco-friendly," "carbon neutral," "sustainable") unless independently certified and verifiable. Enforcement is live in most member states (as-of 2025–2026, volatile) (trustedshops.com). Directly relevant to fashion ecommerce brands making environmental claims in product listings.
Right to Repair Directive — Directive (EU) 2024/1799
Adds obligations for manufacturers and distributors to offer repair over replacement. Implementation deadline 31 July 2026. Affects product categories including electronics and appliances sold to EU consumers (univio.com).
Cross-cutting themes
Extra-territorial reach is the norm, not the exception. The EAA, DSA, Omnibus, and Withdrawal Button all apply to non-EU-incorporated businesses that sell to EU consumers. Platform incorporation in a non-EU country does not create an exemption.
DSA vs AI Act on synthetic content: The DSA (Article 35) includes separate obligations for VLOPs on deepfake and synthetic media labelling; the AI Act Article 50 creates a parallel obligation on AI content labelling applicable more broadly. These are distinct instruments with overlapping scope — legal analysis is needed to identify cumulative obligations for any retailer deploying AI-generated imagery or chatbots.
GDPR reform under consideration: On 19 November 2025, the European Commission presented a formal proposal to reform GDPR as part of its "Digital Omnibus" initiative with planned changes to cookie banner rules (2b-advice.com, 2025-11-13).
GDPR reform status: The Digital Omnibus GDPR reform (November 2025) is a Commission proposal, not yet a directive. Treat all claims about cookie banner rule changes as provisional.
ePrivacy Regulation withdrawn: The proposed ePrivacy Regulation was withdrawn by the European Commission in February 2025; the 2002 ePrivacy Directive remains in force, and national regulators continue enforcing existing cookie rules (verasafe.com). EDPB guidance requires "reject all" to be as easy to activate as "accept all" — enforced in 2025 with CNIL fining Google €325M and Shein €150M on a single day for cookie consent violations (as-of 2026, volatile) (consenteo.com, 2026).
Key terms
| Term | Meaning |
|---|---|
| VLOP | Very Large Online Platform — >45M monthly EU users; subject to full DSA tier |
| WCAG 2.1 AA | Web Content Accessibility Guidelines 2.1, Level AA — operative EAA standard |
| C2PA | Coalition for Content Provenance and Authenticity — emerging AI content metadata standard |
| KYBC | Know Your Business Customer — marketplace due diligence under DSA |
| EmpCo | Short name for Directive (EU) 2024/825 (Green Claims / anti-greenwashing) |
| PPWR | Packaging and Packaging Waste Regulation (EU) 2025/40 |
| GPSR | General Product Safety Regulation (EU) 2023/988 |
Active frontiers (dangling links → next research topics)
- EU Green Claims Directive (EmpCo) — fashion-specific implications for sustainability marketing; no standalone page
- DSA Compliance for Ecommerce Marketplaces — KYBC checks, illegal product flagging, complaint mechanisms; no standalone page
- EU AI Act Article 50 — AI content labelling obligations; C2PA implementation; no standalone page
- WCAG 2.1 AA Ecommerce Audit — EAA-driven technical audit requirements for checkout flows; no standalone page
- EN 301 549 — harmonised EAA standard; adoption status post-Jan 2025 unconfirmed; no standalone page
- Right to Repair — frontend/PDP implications for repairability information; no standalone page
- PPWR Reusable Packaging at Checkout — checkout UX obligation from 2030; no standalone page
- EU Digital Omnibus (GDPR Reform) — cookie consent rule changes under proposal; no standalone page
- Product Liability Directive (PLD 2024) — identified as applicable from end-2026; no standalone page