London and Washington executives often treat EU regulation as someone else's problem. NIS2, the AI Act, the DMA and the DSA say otherwise — and the compliance bill lands whether you have a Brussels office or not. Three things to internalise before the next regulatory cycle hits.
The term "Brussels Effect" was coined by Columbia law professor Anu Bradford to describe a quiet but consequential phenomenon: the European Union's ability to set de facto global standards through the sheer gravity of its single market. GDPR is the textbook case — Silicon Valley didn't lobby for it, but every US company serving European users now lives by it. What was once an obscure academic concept is now central to how comms and government-affairs teams should think about regulation, regardless of where they're headquartered.
Three recent texts have sharpened the stakes considerably.
NIS2: extraterritorial cyber obligations
NIS2 (in force across the EU since October 2024) widens the definition of "essential" and "important" entities to a much broader sweep of sectors — energy, transport, healthcare, digital infrastructure, public administration, food, manufacturing of medical devices. Critically, the directive applies to any entity providing services in the EU, regardless of corporate domicile. A UK-headquartered logistics group, a US SaaS company processing data on European customers, a Japanese chip manufacturer with EU clients — all in scope.
The communications angle is the often-overlooked layer. NIS2 obliges in-scope entities to notify the relevant authority of a significant incident within 24 hours (early warning) and 72 hours (incident notification). That clock is also the public-perception clock. Companies without a pre-drafted crisis communications playbook will spend those hours making it up — usually badly.
The AI Act: explainability, not just compliance
The EU AI Act, in force from August 2024, classifies AI systems by risk and imposes documentation, transparency and conformity-assessment obligations on "high-risk" deployments — recruitment, credit scoring, healthcare diagnostics, education, law enforcement, critical infrastructure. Again, the obligations apply to any provider placing such a system on the EU market, US tech firms included.
Beyond the legal compliance, the practical communications challenge is real: how does a US enterprise software vendor explain to a Berlin or Paris procurement officer what its recruitment-screening AI actually does, on what data it was trained, and what bias-mitigation steps are in place? That conversation is no longer optional. It is a procurement gate.
The DMA/DSA: the platform reckoning
The Digital Markets Act and Digital Services Act have already produced visible behavioural shifts at the largest US platforms — Apple opening up to alternative app stores in the EU, Google labelling sponsored results differently, Meta's data-portability commitments. The European Commission's enforcement track record under these regulations is the most assertive in a generation. Whatever your sector, the Commission's appetite for cross-Atlantic regulatory intervention has changed.
What this means for comms and public-affairs teams
1. Stop treating Brussels as someone else's problem
If your products or services touch EU customers — directly or through partners — Brussels is part of your regulatory perimeter. A London or Washington-based comms function that doesn't know who handles its EU regulatory exposure is operating blind.
2. Build a Brussels-aware crisis playbook
The 24/72-hour clocks under NIS2, GDPR (still 72 hours), and DORA are real. They require pre-approved messaging, a clear chain of command, and named spokespersons. Drafting at 2 a.m. on a Sunday night never produces good copy.
3. Translate compliance into narrative
Procurement officers, journalists, regulators and customers will all ask the same question, in their own way: "What is this company actually doing about [NIS2 / AI Act / DSA]?" Having a one-page narrative — clear, verifiable, non-defensive — is now table stakes for any organisation operating in the EU.
The bottom line
The Brussels Effect is not a transient compliance burden. It is the regulatory grammar of the world's largest single market, and it travels well past the EU's borders. Comms teams that internalise that reality early will save themselves the cost of catching up under pressure.