EU Compliance Checklist for Shopify Merchants (2026)
A practical EU compliance checklist Shopify merchants can use in 2026, covering GDPR, EAA, GPSR, Omnibus, DSA, VAT OSS/IOSS, EPR packaging, the 14-day right of withdrawal, and the new EU customs rules.
Selling into the EU used to mean worrying about GDPR and little else. Not anymore. Between late 2024 and mid-2025, two major laws—GPSR and the European Accessibility Act—went from "on the horizon" to fully enforceable, joining a stack of older rules (the 14-day right of withdrawal, Omnibus, DSA, VAT OSS/IOSS) that regulators are now actively auditing. And 2026 adds deadlines of its own: the €150 customs duty exemption disappeared on 1 July, and the new packaging regulation starts applying on 12 August. If you run one Shopify store, that's a serious to-do list. If you run five or ten, it multiplies. This guide is the hub: a short, honest summary of each law, what it means for your storefront, and where to go deeper.
Why 2026 is deadline-stacked for EU sellers
The timeline explains the pressure. The Consumer Rights Directive's 14-day right of withdrawal has applied since 13 June 2014, GDPR since 25 May 2018, the VAT OSS/IOSS schemes since 1 July 2021, and the Omnibus Directive's price-reduction rules since 28 May 2022. Then the pace picked up: the Digital Services Act became fully applicable on 17 February 2024, Google made Consent Mode v2 effectively mandatory for EEA ad personalization in March 2024, the General Product Safety Regulation started applying on 13 December 2024, and the European Accessibility Act kicked in on 28 June 2025. The stack keeps growing in 2026: on 1 July the EU removed the €150 customs duty exemption for imported parcels, and the new Packaging and Packaging Waste Regulation starts applying on 12 August.
That means 2026 is the first full year in which all of these regimes are live at once—and the first year in which enforcement, not transition, is the default posture. Merchants who treated 2025 as a grace period are now the ones receiving warning letters. The good news: most obligations are checklist-able. Here's the checklist.
Quick EU compliance checklist Shopify merchants can scan
| Law | In force since | What you must do | Where to read more |
|---|---|---|---|
| Right of withdrawal (Consumer Rights Directive) | 13 Jun 2014 | 14-day no-questions return right; withdrawal notice + model withdrawal form in your policies | Covered below |
| GDPR + cookie consent | 25 May 2018 | Consent banner blocking non-essential trackers, privacy policy, Consent Mode v2 | GDPR cookie consent guide |
| VAT OSS/IOSS | 1 Jul 2021 | Register for OSS (intra-EU sales) and/or IOSS (imports ≤ €150), charge destination-country VAT | VAT OSS/IOSS guide |
| Omnibus price rules | 28 May 2022 | Show the lowest price of the prior 30 days on any price reduction | Omnibus price display guide |
| DSA | 17 Feb 2024 (fully applicable) | Trader traceability info if you sell via marketplaces; transparency duties for platforms | DSA traceability guide |
| GPSR | 13 Dec 2024 | EU responsible person, safety info and manufacturer contact details on every listing | GPSR product safety guide |
| EAA | 28 Jun 2025 | Accessible checkout and storefront (EN 301 549 / WCAG-based) | EAA for Shopify guide |
| Customs duty on small parcels | 1 Jul 2026 | €150 duty exemption removed; €3 flat duty per product category on IOSS imports | VAT OSS/IOSS guide |
| EPR packaging + PPWR | National schemes; PPWR applies 12 Aug 2026 | Register with packaging EPR schemes in countries you ship to; meet PPWR packaging rules | EPR packaging guide |
Bookmark the table, then work through the sections below in whatever order matches your risk profile (there's a suggested order at the end).
Right of withdrawal & the EU withdrawal form
The oldest obligation on this list is also the most commonly missed by non-EU sellers. Under the Consumer Rights Directive (2011/83/EU), applicable since 13 June 2014, EU consumers can withdraw from a distance purchase within 14 days of delivery, without giving any reason. You must inform them of this right before they order, and you must provide the model withdrawal form from the directive's Annex I(B)—a short standard letter the customer can use to cancel. The customer isn't required to use the form, but you are required to offer it.
The penalty for skipping it is brutal in its simplicity: if you fail to inform the customer about the withdrawal right, the 14-day window extends to 12 months and 14 days. In Germany, a missing Widerrufsbelehrung is also classic bait for law-firm warning letters (Abmahnungen). When a customer does withdraw, you refund within 14 days, including the cheapest standard outbound shipping. The main exceptions worth knowing: goods made to the customer's specification (print-on-demand!), perishables, sealed hygiene products once unsealed, and digital content after download begins with consent.
What to do: add the withdrawal notice and model withdrawal form to your refund policy page (Shopify's policy settings support this), link it from the footer, and state the exceptions that apply to your catalog. It's a one-time legal template—which means on a multi-store setup it's one document rolled out N times, not N separate drafting jobs.
GDPR & cookie consent
GDPR is the oldest item on this list and still the most commonly enforced. For a Shopify storefront, the practical core is consent: non-essential cookies and tracking scripts (Meta Pixel, TikTok, analytics) must not fire for EU visitors before they opt in, and "reject" must be as easy as "accept." Since March 2024, Google also requires Consent Mode v2 signals if you want ad personalization and proper conversion measurement in the EEA—without it, your Google Ads data quietly degrades.
What to do: deploy a consent management platform integrated with Shopify's Customer Privacy API, verify no trackers fire pre-consent, update your privacy policy, and enable Consent Mode v2. The full walkthrough is in our Shopify GDPR cookie consent guide.
European Accessibility Act (EAA)
The EAA (Directive 2019/882) has applied since 28 June 2025, and it explicitly covers e-commerce services. In practice that means your storefront—product pages, cart, checkout, account flows—needs to be usable by people with disabilities, with the EN 301 549 standard (built on WCAG) as the reference benchmark. Microenterprises providing services (fewer than 10 staff and under €2 million turnover) are exempt, but check the official text and your national implementation before relying on that.
What to do: audit your theme for keyboard navigation, contrast, alt text, form labels, and focus states; fix checkout first, since it's the highest-risk flow. Our European Accessibility Act guide for Shopify breaks the audit into concrete steps.
GPSR product safety
The General Product Safety Regulation (Regulation (EU) 2023/988) has applied since 13 December 2024. It requires that most non-food consumer products sold into the EU have an economic operator ("responsible person") established in the EU, and that listings display manufacturer identity, contact details, and product identification and safety information. This hits dropshippers and non-EU brands hardest, because many have no EU entity at all.
What to do: appoint an EU responsible person (or authorised representative service), then add the required manufacturer and safety details to every product page—typically via metafields so it scales. See the GPSR guide for Shopify merchants for the implementation pattern.
Omnibus price display
The Omnibus Directive's pricing rules have applied since 28 May 2022: whenever you announce a price reduction, you must display the lowest price the product had in the 30 days before the discount. "Was €49, now €29" is only legal if €49 really was the lowest price in that window—inflating the reference price right before a sale is exactly what the rule targets. National consumer authorities have been actively fining violations, especially around Black Friday.
What to do: make sure your theme's sale display shows the prior 30-day lowest price, keep price history records, and audit any discount apps you use—many were built before this rule and display misleading "compare at" prices by default. The Omnibus price display guide walks through the theme-level fix.
DSA trader traceability
The Digital Services Act became fully applicable on 17 February 2024. A standard Shopify store selling its own products is generally not an "online platform" under the DSA, so the heaviest obligations don't apply directly. But if you sell through marketplaces (Amazon, Etsy, Zalando), those platforms are required to collect and verify your trader details—name, address, registration, bank account—and will suspend listings if you don't provide them. And if your store lets third-party sellers transact with buyers, you may cross into platform territory yourself; check the official text if that's your model.
What to do: keep your trader information complete and consistent across every marketplace account, and publish clear contact details on your own store—it overlaps with what GPSR requires anyway. Details in the DSA trader traceability guide.
VAT OSS/IOSS
Since 1 July 2021, the EU-wide distance selling threshold is €10,000 per year: above that, you charge VAT at each customer's country rate. The One Stop Shop (OSS) lets you report all intra-EU B2C sales through a single quarterly return instead of registering in every member state. For goods shipped from outside the EU in consignments up to €150, the Import One Stop Shop (IOSS) lets you collect VAT at checkout so customers aren't hit with surprise fees at delivery.
One big change landed on 1 July 2026: the €150 customs duty exemption for parcels imported into the EU is gone. In its place, a transitional flat duty of €3 per product category (tariff sub-heading) applies to IOSS consignments valued up to €150—so a parcel with three distinct product types pays €9—until the EU's Customs Data Hub goes live on 1 July 2028 and regular tariff-based duties take over. A separate EU-wide handling fee on low-value parcels has been proposed on top. If you dropship or fulfil EU orders from outside the bloc, your landed-cost math and checkout messaging need updating now.
What to do: register for OSS (and IOSS if you ship from outside the EU), configure Shopify's tax settings to charge destination-country VAT, factor the €3-per-category duty into your pricing for imported parcels, and reconcile your quarterly returns against actual store data. The VAT OSS/IOSS guide covers setup and common mistakes.
EPR packaging
Extended Producer Responsibility means whoever first places packaged products on a country's market pays for the packaging's end-of-life. Today this runs through national registers—Germany's LUCID is the best-known example, and shipping there without registration can get your listings blocked. On top of the national schemes, the new Packaging and Packaging Waste Regulation (Regulation (EU) 2025/40) applies from 12 August 2026. The first requirements that bite for e-commerce: parcels may not contain more than 40% empty space unless technically unavoidable, and packaging you place on the market needs a declaration of conformity backed by technical documentation. Further rules on reuse, recycled content, and labelling phase in between 2027 and 2030. Textiles are next in line too: the revised Waste Framework Directive (in force since October 2025) makes EPR for clothing and footwear mandatory EU-wide, with national schemes due by 2027–2028—including for non-EU sellers shipping direct to consumers.
What to do: list every EU country you ship to, register with each one's packaging EPR scheme (directly or via a compliance service), and report your packaging volumes on schedule. The EPR packaging guide covers LUCID, Triman, WEEE, and textiles.
The real cost across multiple stores
Here's the part most compliance guides skip: every obligation above scales with your store count. A cookie consent app at €10–20 per month is tolerable on one store and a four-figure annual line item across ten. The same goes for accessibility apps, GPSR metafield tools, and agency fees quoted per storefront. Multi-store merchants end up paying for the same fix five, ten, twenty times—we've broken down the math in our guide to the cost of EU compliance for multi-store merchants.
This is where StoreFleet takes a different approach: instead of renting per-store apps forever, you hire a developer once, own the source code, and that developer rolls out each compliance fix—consent banner, accessibility corrections, GPSR product fields, Omnibus price display—across all your Shopify stores at the same time. One implementation, every storefront, no recurring per-store subscription. If you're comparing this model against the app-stacking approach, our roundup of the best tools to manage multiple Shopify stores shows where each option fits.
Where to start: the EU compliance checklist Shopify sellers should prioritize
If the full list feels overwhelming, work by risk:
- GPSR — enforcement is active and non-compliant listings can be removed from sale. If you have no EU responsible person, fix this first.
- GDPR & cookie consent — the most mature enforcement regime, and Consent Mode v2 gaps are also costing you ad performance right now.
- Omnibus pricing — quick to audit, quick to fix, and a favorite target of national consumer authorities during sale seasons.
- Right of withdrawal — a ten-minute policy fix; leaving out the model withdrawal form silently extends your return window to 12 months.
- EAA accessibility — newly enforceable, with the first court orders against retailers already issued; start with checkout and work outward.
- VAT OSS/IOSS, customs, and EPR — administrative rather than storefront work, but 2026 stacks two hard dates here: the €3 parcel duty since 1 July and PPWR from 12 August.
- DSA — mostly a marketplace-hygiene item unless you operate a platform.
Then read the deep-dive guides linked above for each law that applies to you—each one turns the summary here into a concrete implementation plan.
Working through this checklist across several stores at once is exactly the kind of project StoreFleet was built for. Schedule a free 1-on-1 demo on your own Shopify stores and we'll walk through which obligations apply to your setup, what a one-time, all-stores rollout looks like in practice, and answer questions specific to your store count and markets.
This article is for general information only and is not legal advice. Verify requirements with official EU sources or a qualified advisor.