When lawyers and policymakers speak of the Brussels Effect, they usually point to privacy law. The story is familiar: the European Union adopts the General Data Protection Regulation (GDPR), firms worldwide adjust their practices, and before long the European model becomes the global template. Yet the arrival of the EU Cyber Resilience Act (CRA) invites us to revisit the concept. Here we see a gentler, product-based Brussels Effect, less tied to rights and establishments, more grounded in supply chains, CE markings, and the technical grammar of product law.
This ‘softer’ effect deserves attention, because it shows that the reach of EU law abroad does not follow a single script. In some domains, the effect is direct, sharp, and grounded in fundamental rights. In others it is indirect, technical, and mediated through global commerce. The contrast between the CRA, GDPR and the Artificial Intelligence Act reveals the plurality of the Brussels Effect.
The CRA belongs to the long tradition of EU product regulation. Its scope is tied to products with digital elements that are made available on the Union market. Obligations arise when goods are offered to EU consumers. An EU manufacturer producing software or devices solely for export outside the Union is not subject to the Act. The Cyber Resilience Act is the EU’s new law that requires all connected products and software placed on the Union market to meet mandatory cybersecurity and vulnerability management standards, proven through conformity assessment, harmonised standards and CE marking. The emphasis is not on rights, but on technical safety and lifecycle support. The global influence of the CRA will be real, but it will operate differently from the GDPR. A router manufacturer in East Asia that wants to sell in Europe will need to build vulnerability management and long-term update support into its devices. Once those features are engineered, it is more efficient to apply them across product lines. In this way, the Brussels Effect will spread through standards and supply chains rather than through rights and supervisory authorities.
The GDPR represents a much harder form of the Brussels Effect. Article 3 makes clear that the Regulation applies to processing carried out “in the context of the activities of an establishment” in the EU, regardless of where the processing takes place. The Court of Justice has reinforced this broad reach. In Google Spain v AEPD and González (C-131/12), the presence of Google’s Spanish advertising subsidiary was enough to bring the parent company’s search engine operations within EU law, even though the servers were in the United States. The Court held that the activities were inextricably linked, and that the establishment in Spain triggered scope. The reasoning was deepened in Weltimmo v NAIH (C-230/14). A company registered in Slovakia but operating a property website directed at Hungary, with a local representative there, was found to have an establishment in Hungary. Even minimal and effective activity sufficed. The Court preferred a functional test of establishment over a formal one, ensuring that protection could not be evaded by legal structuring. The European Data Protection Board’s Guidelines 3/2018 later confirmed that a controller or processor established in the Union is subject to the GDPR even if all data subjects are located outside the Union. The result is unmistakable. Establishment within Europe suffices, even when the output of the processing is directed abroad. This is the archetypal Brussels Effect: direct, uncompromising, and rights-driven.
The AI Act carries this approach into the realm of algorithmic systems. Its scope provision confirms that providers are bound when they place systems on the Union market or put them into service in the Union. But for deployers the test is simpler. Any deployer established in the Union is subject to the Act, even if the output is used entirely outside the Union. A financial institution in Milan deploying an AI system for credit scoring in Latin America remains bound by the Act. The rationale is that risks to safety and fundamental rights are not easily contained by borders, and that establishment provides the necessary jurisdictional hook. The structure echoes the GDPR: presence in Europe is enough.
The difference between these regimes lies in their constitutional grounding and their regulatory traditions. Data protection is entrenched as a fundamental right under EU law. The Court of Justice has consistently stretched territorial scope to give that right real effect, reasoning that data flows are borderless and that harms can be inflicted from afar. The same logic applies in the AI Act, which is framed around the prevention of risks to fundamental rights and safety. The CRA, by contrast, is a product law measure. Its lineage is the Machinery Directive, the Low Voltage Directive, and similar instruments where scope is defined by the act of placing on the market. The concern is technical safety and resilience rather than rights. It is natural that scope follows trade rather than establishment. None of this is to say that the CRA will lack global influence. Quite the contrary. Because supply chains are international and because it is often inefficient to design products differently for different regions, the CRA’s requirements may become the default standard. Software developers, component suppliers, and device makers will often choose to comply across the board rather than segment their production. The Brussels Effect here is quieter and less visible. Consumers will not see new rights notices or hear of billion-euro fines. They will instead experience longer software support, more secure devices, and products designed with vulnerability management in mind. The influence is no less significant, but it is embedded in the technical and commercial infrastructure rather than in the public vocabulary of rights.
The comparison suggests that we should stop speaking of the Brussels Effect as a singular phenomenon. There are multiple Brussels Effects. One is direct, rights-based, and establishment-driven, as seen in the GDPR and the AI Act. The other is indirect, technical, and market-based, as seen in the CRA. Both extend European law beyond its borders. Both rely on the gravitational pull of the internal market. But they operate through different channels.
Understanding these differences matters. It sharpens our picture of how the Union exercises regulatory power, and prevents us from treating a complex phenomenon as if it were a single dynamic. Europe’s influence abroad is real, but it is not uniform. It takes different forms depending on the traditions, the constitutional values, and the regulatory techniques of the field.
Author: Dr Ian Gauci
This article was first published in the Oxford Business Law Blog on the 3rd October 2025.