Home

Internal

Global

Contact

de|en|it

RÖDL Italy cooperates with Venturia S.p.A., the Italian venture builder that connects start-ups and SMEs to create high-growth businesses |

Worldwide

We use cookies to personalise the website and offer you the greatest added value. They are, among other purposes, used to analyse visitor usage in order to improve the website for you. By using this website, you agree to their use. Further information can be found in our data privacy statement.

Why "market presence" is being redefined in IT law – A system change

published on 28 January 2026 | reading time approx. 3 minutes

For a long time, IT law mirrored the traditional commercial world: only those who maintained a physical presence or actively "targeted" the market through language and currency were subject to national regulation. Companies could actively control their regulatory footprint through conscious sales decisions.

However, the European digital legal framework marks the end of "regulation on demand": Economic market relevance is being replaced by a functional-technical connection. It is no longer market development, but merely the systemic effect within the Union that triggers the full extraterritorial enforcement of Union law – technology is overtaking the contract.

Functional relevance instead of market development – an influence from European law

The foundation for this change was laid by Article 3 of the GDPR. Whereas data protection law before the introduction of the GDPR often referred to physical "means" within the country, the GDPR established a significantly broader scope of application:

Establishment principle: The scope of application is opened when the activities of an EU establishment are affected – this now also applies explicitly to EU processors of foreign customers;
Market location principle: This is the central innovation. European law extends to providers without an EU establishment as soon as they offer goods/services to persons in the Union (lit. a) or observe their behavior (lit. b);
The "all-or-nothing" approach: If the market location principle applies, foreign operators (such as cloud providers) must comply with the full range of obligations under the GDPR – exactly as a company based in Berlin or Paris would.

What the GDPR began in data protection is now being continued by the new digital laws for the entire IT infrastructure. Today, the obligations are linked to the actual impact of technical systems:

Art. 2(1) DSA: Like the GDPR, the Digital Services Act also establishes the market location principle. The legislator deliberately decided against the country-of-origin principle to create a level playing field and avoid distortions of competition to the detriment of European companies. This is the only way to "defend Union values in the digital space" and effectively combat illegal content. The DSA does not replace the Directive on electronic commerce but updates it (Art. 2(3)) and maintains consistency with sector-specific rules;
Art. 2(2) NIS2 follows this trend by placing systemic relevance above the location of the company's headquarters: this means that all institutions providing their services within the Union are covered. The decisive factor is the actual provision of critical functions (e.g. cloud or managed services). In practice, it has become significant that remote administration and maintenance access now establishes a de facto domestic connection because it has a direct influence on the availability, integrity and security of German systems and can be classified as "provision of digital services" within the meaning of NIS-2;
Art. 2(1)(c) of the AI-Act ultimately makes market reference almost entirely technical by setting the point of connection to the output. The AI-Act applies to providers in third countries if the output generated by the system is used in the Union. As a result, it is irrelevant whether the AI model is actively marketed in Europe. As soon as the results (decisions, predictions, content) have an effect in this country, European compliance standards must be met.

Conclusion

The new functional and technical link between the GDPR, DSA, NIS2 and AI-Act means in practice that technology is overtaking contracts. Anyone who still believes that they can operate in a "safe Harbor" by not having a German branch or refraining from targeted marketing is misjudging the extraterritorial impact of EU law.

Tech & Data Bites

Read all releases »

author

Contact Person Picture

Johannes Marco Holz, LL.M.

Attorney at law (Germany)

Partner

+49 911 9193 1511

Send inquiry

Rödl Germany

Discover more about our offices in Germany. Read more »