EU e-commerce rules: a merchant map of the big compliance pillars

No store owner can memorize every EU rule, but you can see the landscape. A structured overview of consumer law, platforms, privacy, payments, product safety, and what national implementation means in practice.

European compliance is not a single “checklist law”. It is a stack: EU regulations that apply directly, directives that Member States transpose into national rules (sometimes stricter), and sector-specific product laws on top. If you sell online to consumers in the EU, you are expected to respect consumer protection, marketing honesty, data protection, payment rules, and product-safety obligations, even when you are not based inside the EU but target EU consumers.

This post is a plain-language map for operators of typical webshops (especially WooCommerce). It is not legal advice, not a complete inventory of every Act and Annex, and not a substitute for advice in your country. Use it to know what topics to bring to counsel, accountants, and product-safety specialists.

Background: how EU rules actually bind your store

  • Many famous EU “directives” (consumer rights, unfair commercial practices, e-commerce) are implemented in national law. You often comply with Dutch, German, or Polish rules that carry the same EU minimum, plus local nuance.
  • Some newer files are regulations (for example parts of the digital acquis, product-safety tools) with more direct, uniform effect. Still read national guidance where it exists.
  • Enforcement sits with national authorities. Maximum fines and priorities differ country by country.

Consumer contracts: information, delivery, and the 14-day withdrawal right

The Consumer Rights Directive framework (look up the latest consolidated text for Directive 2011/83/EU as amended) is the backbone of B2C distance selling. In practice regulators expect clear pre-contract information: who you are, what the customer pays, how delivery works, whether after-sales service exists, and how complaints are handled.

For many goods and services sold online, consumers retain a 14-day cooling-off period for distance contracts, with familiar exceptions (custom goods, perishables, sealed audio/video/software once opened where the law allows, etc.; always verify the current detailed list in the law that applies to you). You must explain the right, provide a model withdrawal form where required, and refund within the statutory period once conditions are met.

Rules on delivery time, passing of risk, and extra charges (for example unchecked pre-ticked paid extras) are part of the same consumer-contract universe. Your checkout must show the total price and major characteristics of the goods or service before the order is placed.

Digital content, streaming, SaaS, and “pay with data”

Directive (EU) 2019/770 on digital content and digital services adds a dedicated contract layer when you supply apps, files, streaming access, hosting, or similar. Consumers are entitled to receive what you promised, with updates and security where applicable, and clear remedies when things are defective. Many of the familiar withdrawal complexities for digital goods (delivery before the cooling-off period ends, express consent and acknowledgment of loss of right) sit in this area; again, verify exact mechanics under the national implementation you rely on.

From 19 June 2026, many businesses must also surface a withdrawal or stop experience that is as easy as ordering; we unpack that in a separate post for WooCommerce merchants. un-order exists specifically to make that storefront requirement workable.

Fair marketing: Omnibus updates, dark patterns, reviews, and pricing

Directive (EU) 2019/2161 (the “Omnibus” directive) modernised several consumer files. For e-commerce operators the headline themes are: honest commercial practices (no misleading claims, tighter rules around manipulative interface patterns often discussed as “dark patterns”), transparent consumer reviews (you should not publish fake reviews; you must be clear how reviews are sourced or verified), and price reduction transparency (when you advertise a prior price, the law expects discipline around the reference price; implementations vary, but “fake strikethrough” promotions are a known enforcement focus).

Marketplace operators face extra transparency duties: making clear whether the third party is a trader, how search ranking or sponsored placement works, and similar disclosures. Pure single-merchant WooCommerce stores still care about the Unfair Commercial Practices logic for their own ads, influencers, countdown timers, and scarcity claims.

Terms and conditions: not a free pass

The Unfair Contract Terms framework protects consumers against one-sided boilerplate. Clauses that shift statutory rights in impermissible ways can be struck down or unenforceable. If your T&Cs have not been reviewed since you added subscriptions, marketplace fees, or digital bundles, schedule a refresh.

Websites, ordering, and commercial communications

Historic Directive 2000/31/EC (the E-Commerce Directive) shaped what a compliant site looks like: identify the business, give reachable contact routes, describe the technical steps to contract, acknowledge receipt of orders, and label commercial communications as such. Much platform-focused law now sits in the Digital Services Act (Regulation (EU) 2022/2065), but ordinary traders still live with the consumer-transparency expectations those older layers helped normalize.

Marketplaces and platforms: Digital Services Act snapshot

If you operate a marketplace (matching third-party sellers to consumers), the DSA adds serious operational duties: illegal product risk processes, traceability of traders (“know your business customer” style expectations), notice-and-action channels, reporting, and bans on certain manipulative designs in prescribed contexts. If you only sell your own stock on WooCommerce, many DSA platform duties do not apply in the same way, but consumer law still does.

Personal data, cookies, and newsletters

  • The GDPR and UK GDPR (if you target the UK) govern lawful processing, privacy notices, processors, DPIAs where needed, breach notification, and cross-border transfers.
  • Cookie banners and tracking still turn on the ePrivacy layer (as implemented in national laws) plus GDPR consent/legitimate-interest analysis; abolishing “pretend-consent” UX is an enforcement theme.
  • Email and SMS marketing generally need a valid permission route or other legal basis; corporate opt-in rules have been tightened in several Member States.

Payments and checkout

PSD2 (and the standards built on it) drives Strong Customer Authentication for many card payments, shapes how you work with gateways, and informs refund timing conversations with your acquirer. Currency presentation, surcharges on certain payment brands, and gift-card rules can also interact with national consumer laws.

Product safety, labelling, and market surveillance

Selling physical goods online is not “only” consumer contract law. Regulation (EU) 2023/988 (General Product Safety Regulation) has applied since 13 December 2024, modernising obligations around unsafe products, incident reporting, and online channel risks for economic operators and, where relevant, marketplaces. Many categories also sit under sectoral EU harmonisation (toys, electrical equipment, machinery, batteries, textiles with specific rules, etc.) with CE marking, technical files, warnings, and local language labelling expectations.

Regulation (EU) 2019/1020 on market surveillance frames how authorities check compliance at borders and online. Non-EU sellers often need an economic operator or responsible person inside the EU for certain goods. Electronics, supplements, cosmetics, and food each add their own regimes.

Other files that regularly touch cross-border e-commerce

  • Geo-blocking and discrimination rules (Regulation (EU) 2018/302) for unjustified payment or audience discrimination.
  • Accessibility: the European Accessibility Act (Directive (EU) 2019/882) tightens expectations for products and services in its scope, worth tracking with your theme and checkout refresh cycles.
  • Alternative dispute resolution / ODR: providing dispute links or participating in ADR may be required or strategically sensible depending on jurisdiction.
  • Sector-specific advertising (for example financial promotions, alcohol, minors) if applicable.
  • Waste, packaging, textile, and battery rules expanding producer responsibility (more operations than marketing, but still “must ship legally”).

How to work with a list this long

  • Group tasks by owner: storefront/UX (legal + product), privacy (DPO or counsel), catalogue/compliance (technical + suppliers), finance (tax/VAT specialist), payments (PSP + accountant).
  • Re-run the review after every major plugin, checkout, marketplace, or international expansion.
  • Keep evidence: screenshots of disclosures, flows for withdrawal/stop once June 2026 applies, ticket logs for safety issues, and versioned T&Cs.

If WooCommerce is your system of record, un-order focuses on the upcoming withdrawal and stop-function surface area so you are not duct-taping PDFs and support tickets at the deadline. For everything else on this map (privacy programme, GPSR conformity, marketplace DSA duties), bring in the right professionals early; the EU rulebook only grows more interconnected.

Un Order

What the plugin does

Un Order is a WooCommerce extension that adds the customer-facing withdrawal and stop flows the upcoming EU rules expect: surfaced in My Account and order emails, without editing core templates by hand.

  • Withdrawal on orders: injected into My Account order pages so shoppers can start a legal withdrawal from a clear button.
  • Deadline awareness: the function hides when the return window no longer applies.
  • Partial returns: customers can select individual line items where that is required.
  • Email acknowledgement: a branded confirmation is sent as soon as they submit.
  • Stop for services: a separate mode for digital services and subscriptions, same flow, with wording that fits services.