Europe - Country Commercial Guide
eCommerce

As one of the first EU member states to implement the Electronic Signatures Directive through the Electronic Commerce Act 2000 (ECA), Ireland has a progressive and facilitative attitude and approach to internet-related issues.  It has also implemented the Electronic Commerce Directive. The general legislative approach reflects the government’s stated aim of retaining a light and flexible technology-neutral regulatory regime in this area.

Ecommerce activity has experienced significant growth in Ireland with online spend estimated to have grown by 30-40% in recent years.  Market value estimates vary significantly, ranging from €4 billion to €7 billion.  Strong household internet access (94%) and smartphone usage (90%) are driving Irish online retailing activity.  Mobile commerce is becoming especially strong with consumers being particularly willing to make purchases via their smartphones.  Travel, hotel accommodation, event ticketing and apparel continue to be the primary goods and services bought online; however, recent years have seen significant spikes in consumer online activity for Irish food retailers and vendors of electronic goods and services.

According to EuroMonitor International, eCommerce activity in Ireland continues to expand rapidly with mobile internet retailing becoming especially significant.  Retailers are launching functional mobile apps while store-based retailers are increasingly utilizing multi-channel options. Click-&-collect services have become more widely available, allowing retailers to maximize retail potential without incurring delivery fees, while the consumer has almost immediate access to purchases without having to plan for deliveries.  eCommerceDB is forecasting annual average growth of 10% until 2027.

Amazon remains the leading player in internet retailing locally; however, the popularity of UK-based online marketplaces has declined since Brexit in January 2021, allied to the commencement of new EU VAT rules in July 2021.  Amazon opened its first delivery station in Ireland in October 2020 and the company has since opened its first eCommerce fulfilment center together with a second delivery station.  These investments represent the company’s first use of direct-hire staff in Ireland to handle online orders.  The Dublin facility receives shipments from Amazon’s large fulfilment centers across Europe with packages sorted for ‘last mile’ delivery to Irish customers.  UPS operates a ‘last mile’ bike delivery service in Dublin city center.

The Irish government is currently supporting SMEs in their efforts to develop online sales portals through a package of support measures.  Leading U.S. digital and fintech innovators including AWS, Google, MasterCard, Meta, Square, and Stripe are also supporting Irish SMEs with their evolution to online retailing.

In 2015, the European Union launched the Digital Single Market Strategy, of which e-commerce was a priority area.  Since then, the Electronic Commerce Directive has provided rules for online services in the European Union, including requiring providers to abide by regulations in the country where they are established (the country of origin) and to meet certain consumer protection rules, such as indicating contact details on their website, clearly identifying advertising, and protecting against spam.  The Directive also grants exemptions to liability for intermediaries that transmit illegal content by third parties and for unknowingly hosting content.

The International Trade Administration has assembled a wide range of eCommerce resources to help US businesses develop an understanding of digital trade and implement digital business strategies to succeed in international markets.

Value Added Tax (VAT)

The EU VAT system is semi-harmonized.  While the guidelines are set out at the EU level, the implementation of VAT policy is the prerogative of Member States.  The EU VAT Directive allows Member States to apply a minimum 15 percent VAT rate.  However, they may apply reduced rates for specific goods and services or temporary derogations.  Irish VAT rates are available from Irish Revenue.

In addition, the EU applies VAT to sales by non-EU based companies of Electronically Supplied Services (ESS) to EU-based non-business customers.  U.S. companies that are covered by the rule must collect and submit VAT to EU tax authorities.  Since 2015, all supplies of telecommunications, broadcasting and electronic services are taxable at the place where the customer resides.  In the case of businesses this means either the country where it is registered or the country where it has a fixed premise receiving the service. In the case of consumers, it is where they are registered, have their permanent address, or usually reside.

As part of the legislative changes of 2015, the Commission launched the Mini One Stop Shop (MOSS) scheme, the use of which is optional.  It is meant to facilitate the sales of ESS from taxable to non-taxable persons (B2C) located in Member States in which the sellers do not have an establishment to account for VAT.   In 2021, this service was extended to cover online sales of goods and services other than ESS.  For more information, please check the official guide on MOSS issued by the European Commission.

The mini One Stop Shop scheme allows taxable persons (namely, sellers) to avoid registering in each Member State where the product would be sold.  A taxable person who is registered for the mini One Stop Shop in a Member State (the Member State of identification) can electronically submit quarterly mini One Stop Shop VAT returns detailing supplies of electronically supplied services or other sales to non-taxable persons in other Member States (the Member State of consumption), along with the VAT due.  On February 12, 2020, the European Union adopted Commission Implementing Regulation (EU) 2020/194 concerning VAT on e-commerce.  This regulation provides details for the registration in the VAT One Stop Shop and the Import One Stop Shop (see below).

July 1, 2021 VAT Changes

As of July 1, 2021, changes were introduced to the way that VAT is charged on online sales, whether consumers buy from traders within or outside the European Union.  Prior to these changes, goods imported into the European Union valued at less than 22 euro by non-EU companies were exempt from VAT.  This exemption has now been lifted so that VAT is charged on all goods entering the European Union – just like for goods sold by EU businesses.  (Under the previous system, certain unscrupulous sellers from outside of the EU mislabeled the consignment of goods to benefit from this exemption, which led to an estimated seven billion euro in fraud annually.)

Previously, e-commerce sellers needed to have a VAT registration in each Member State in which they have a turnover above a certain overall threshold, which varies from Member State to Member State.  With these changes, these thresholds were replaced by one common threshold of 10,000 euro above which VAT must be paid in the Member State where the goods are delivered (that threshold already applied for electronic services sold online).  An online seller would register for the One Stop Shop to address all of their VAT obligations for their sales across the entire European Union.  Once registered, the seller could pay VAT in the One Stop Shop for all of their EU sales via a quarterly declaration, and the One Stop Shop system would transmit that VAT remittance to the respective Member State.  Sellers outside of the European Union can also take advantage of this system, and prices should include VAT.

From July 1, 2021, the Mini One Stop Shop (MOSS) became the One-Stop Shop (OSS). The VAT OSS simplifies Value-Added Tax (VAT) obligations for businesses selling goods and services cross border to final consumers in the European Union (EU).  Within the OSS, there are two schemes, the Union scheme, and the non-Union scheme.

Union Scheme

The Union scheme simplifies VAT obligations for businesses selling goods and services cross border to final consumers in the EU. Once registered for the Union scheme, a taxable person can:

  • declare and pay EU VAT due on supplies made under the scheme in a single electronic quarterly return, and
  • communicate with Revenue in relation to these returns, even where the sales are taxable in another Member State.

The following supplies can be declared in the Union scheme:

  • Cross-border supplies of telecommunications, broadcast and electronically supplied (TBE) services to non-taxable persons within the EU (as was previously the case under MOSS).
  • All other cross-border supplies of services to non-taxable persons within the EU.
  • Intra-Community distance sales of goods.
  • Certain domestic supplies of goods (in specific circumstances).

Union scheme registration

Where a business registers for the Union scheme, it must declare and pay all EU VAT due on all supplies covered by the Union scheme.  A taxable person currently registered for the Union scheme under MOSS will not need to register for the expanded Union scheme under OSS.  Their registration will migrate to the new OSS. It should be noted that, once registered for the Union scheme, all supplies within the scope of that scheme must be declared through the scheme. This includes registrations which have migrated from MOSS to the OSS.

A supplier established in Ireland can register for the Union scheme through the VAT OSS section in Revenue Online Services (ROS).  A non-EU established supplier can register in Ireland for the Union scheme using the non-Union registration portal.  Where a non-EU established supplier has already registered for another scheme under the OSS in Ireland, their registration for this scheme can be completed through the VAT OSS section in ROS.  A non-EU established supplier can only register in Ireland for the Union scheme where they are making intra-Community distance sales of goods from Ireland.  See Union Scheme OSS for in-depth guidance.

Non-Union scheme

The extended non-Union scheme builds on the existing legislative framework established by MOSS. From 1 July 2021, the scope of the non-Union scheme under MOSS is extended to cover all services supplied to non-taxable persons in the EU under the OSS. This scheme can be availed of by suppliers who are not established and have no fixed establishment in the EU.

Non-Union scheme registration

Taxable persons who register for the non-Union scheme will be able to pay EU VAT in a single Member State.  This registration can be used in respect of all B2C supplies of services made to consumers across the EU.  The use of the non-Union scheme is optional.  A taxable person required to be VAT registered in the EU for supplies not covered by the scheme can still opt to apply the scheme to supplies of B2C services.

A taxable person who opts to register in Ireland for the non-Union scheme must register through the non-Union OSS registration portal.   Where a non-EU established supplier has already registered for another scheme under the OSS in Ireland, their registration for this scheme can be completed through the VAT OSS section in Revenue Online Service (ROS).  A taxable person currently registered for the non-Union scheme under MOSS will not need to register for the expanded non-Union scheme under OSS. Their registration will automatically migrate to the new OSS. VAT due on Telecommunications, Broadcasting and Electronic (TBE) supplied services can continue to be accounted for using the extended non-Union scheme.  It should be noted that, once registered for the non-Union scheme, all supplies within the scope of that scheme must be declared through the scheme. This includes other services supplied B2C by traders whose registrations have migrated from MOSS to the OSS.  See non-Union Scheme OSS for detailed guidance.

Data Privacy and Protection

General Data Protection Regulation

The General Data Protection Regulation (GDPR), which governs how personal data of individuals in the European Union may be processed, went into effect on May 25, 2018.  The GDPR, which replaces the Data Protection Directive 1995/46, is comprehensive privacy legislation that applies across sectors and to companies of all sizes.  Personal data is defined by the GDPR as any information that relates to an identified or identifiable living individual (a “data subject”) such as a name, e-mail address, tax ID number, or online identifier.  Processing of data as defined by the Regulation includes actions such as collecting, recording, storing, or transferring data.

A company that is not established in the European Union may need to comply with the Regulation when processing personal data of residents of the European Union, the European Economic Area (i.e., Norway, Liechtenstein, and Iceland), and Switzerland, if the company offers goods or services to data subjects in the European Union; or if the company is monitoring data subjects’ behavior, which is taking place within the European Union. The European data protection authorities published Guidelines 3/2018 on the territorial scope of the GDPR (see Article 3), to help companies determine whether they fall within the GDPR’s territorial scope.  For example, the mere accessibility of a company’s website in the European Union is insufficient to subject a company to the GDPR, but other evidence of the intent to offer goods or services (such as advertising) to data subjects in the European Union might mean that the Regulation is applicable.

Generally, companies that are not established in the European Union but that are subject to the GDPR must designate in writing an EU representative for purposes of GDPR compliance.  There is an exception to this requirement for small scale and occasional processing of non-sensitive data.  Fines in case of non-compliance can reach up to four percent of the annual worldwide revenue or twenty million euros – whichever is higher.  The European Data Protection Board released official guidelines to help companies with their compliance process.

Transferring Data Outside of the European Union

The GDPR not only provides for the free flow of personal data within the European Union but also for its protection when it leaves the region’s borders.  The Regulation sets out obligations on data controllers (those in charge of deciding what personal data is collected and how or why it is processed) and on data processors (those who act on behalf of the controller) and gives rights to data subjects (as mentioned, the individuals to whom the data relates).  These rules were designed to provide a high level of privacy protection for personal data and were complemented by measures to ensure that the protection is maintained when data leaves the region, whether it is transferred to controllers, processors, or third parties (e.g., subcontractors).  In addition, restrictions on transfers of personal data outside of the European Union specify that such data can only be exported if “adequate protection” is provided.

The European Commission is responsible for assessing, in the form of an adequacy decision, whether a country outside the European Union has a legal framework that provides enough protection when transferring personal data from the EU to that country.  On July 16, 2020, the Court of Justice of the European Union issued a judgment declaring as invalid the European Commission’s Decision (EU) 2016/1250 of July 12, 2016, on the adequacy of the protection provided by the EU-U.S. Privacy Shield.  That decision invalidated the EU-U.S. Privacy Shield Framework as a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States.  After extensive consultation with stakeholders and negotiation between the European Union and the United States, in March 2023 the European Union and the United States announced the establishment of a new EU-U.S. Data Privacy Framework.  On July 10, 2023, the European Commission adopted an adequacy decision recognizing the United States as having sufficient protection for EU personal data under the Framework, thereby enacting the Framework and reestablishing a legal mechanism for transfers of personal data from the European Union to the United States.  See the  Data Privacy Framework website for more information.

Digital Economy and Society

The EU Data Act

The EU Data Act proposal is now being evaluated by co-legislators and is expected to be formally endorsed by the end of 2023.  Once passed and implemented it would set standards for data sharing and the use-reuse of data at an EU-wide level.  It covers aspects of the use of business-to-business and government-to-business data across all sectors.

The proposal includes measures to allow users of connected devices to gain access to data generated by them and to share such data with third parties to provide aftermarket or other data-driven innovative services.  It also includes measures to rebalance negotiation power for SMEs by preventing abuse of contractual imbalances in data sharing contracts.  The Act includes mechanisms for public sector bodies to access and use data held by the private sector that is necessary for exceptional circumstances, particularly in case of a public emergency or to implement a legal mandate if data are not otherwise available.  The Act also includes rules allowing customers to effectively switch between different cloud data-processing services providers and putting in place safeguards against unlawful data transfer.  

Digital Markets Act

The Digital Markets Act regulates the market power of large online platforms to achieve fairer and more open digital markets within the European Union.  The Act regulates certain “gatekeeper firms” – large online platforms that impact how other companies interact with users online through digital services such as searching, social networking, cloud computing, and advertising services.  It prohibits gatekeepers from engaging in self-preferencing activities and from restricting access to services connected to their platforms, such as online marketplaces like an app store, and bars them from preventing users from removing pre-installed software or apps.  Under the Act, EU regulators can levy fines of up to ten percent of global annual turnover of these firms, and, to a limited extent, break up certain parts of their corporate operations.  The companies designated as gatekeepers will have to comply with the respective obligations and prohibitions by March 2024.

Digital Services Act

The Digital Services Act will harmonize mechanisms throughout the European Union for the removal of illegal content for online service providers, including internet access providers, domain name registrants, cloud and webhosting services, and online platforms.  The Act bans targeted advertising aimed at children or based on sensitive data such as religion, gender, race, and political opinions, and it bans tactics that mislead people into giving personal data to companies online.  It regulates “very large online platforms” – those online platforms that would reach at least ten percent of the population in the European Union.  The Commission would be able to charge them a supervisory fee of up to one percent of their annual turnover.  Sanctions would be gradual and unprecedented in their scope.  Fines will amount to up to six percent of the global turnover of the conglomerate for violations of the Act.  In the event of serious and repeated breaches, national courts can go as far as a ban on operating on European territory.  The text will be in force across the European Union from February  2024.

Cyber-security

Network and Information Systems (NIS) Directive

The Directive on security of network and information systems (NIS), applicable since 2016, sets baseline requirements to ensure better protection of critical infrastructures in the European Union.  The NIS Directive sets basic principles for Member States for common minimum capacity building and strategic cooperation.  It also directs operators of essential services and digital service providers to ensure that they apply basic common security requirements.  Obligations for operators of both groups include taking technical and organizational measures for risk management; preventing and minimizing the impact of security incidents; and notifying, without undue delay, incidents having a significant impact on the continuity of the essential services they provide.  The Network and Information Systems Directive 2016/1148 was signed into Irish law in September 2018 by way of Statutory Instrument No. 360 of 2018.

Member States have implemented this directive in different ways, particularly with respect to operators of essential services, which led to a proposed legislative modification of the NIS Directive (the NIS 2 Directive) in December 2020.  The NIS 2 Directive obligates more entities and sectors to strengthen security requirements, addresses the security of supply chains, streamlines reporting obligations, and introduces more stringent supervisory measures and stricter enforcement requirements.  A political agreement was adopted in November 2022 and the directive entered into force in January 2023.  Like all EU member states, Ireland has until October 2024 to bring the rules into its national law.

Cybersecurity Act

The March 2019 Cybersecurity Act set up a mechanism to develop a voluntary certification scheme for information and communications technology security products, processes, and services.  The European Commission has not yet proposed the specific areas that would benefit from certification schemes, and the European Union Agency for Cybersecurity has created ad-hoc stakeholder groups to help it create certification schemes, which includes industry participation in accordance with the Act.

The Data Governance Act

The Data Governance Act focuses on providing a legal framework, processes, and structures to promote data sharing.  While the General Data Protection Regulation regulates international transfers of personal data, the Data Governance Act regulates international transfers of non-personal data by a user who was granted access to such data by the public sector.  The Data Governance Act focuses on the transfer of non-personal data and rules around the reuse of public sector data, and introduces a regime for data intermediaries.  It also facilitates the collection and processing of data made available through a voluntary registration system for “data altruism organizations” and creates a European Data Innovation Board to enable the sharing of best practices by Member States as well as to advise the Commission on cross-sector interoperability standards.  The Data Governance Act has been applicable across all 27 Member States since September 2023.

Cyber Resilience Act

The EU Cyber Resilience Act is proposed legislation, first published on September 15, 2022, that introduces common cybersecurity rules for products with digital elements, covering both hardware and software.  It is part of a larger cybersecurity framework that includes other regulations such as the EU Cybersecurity Act and the NIS2 Directive.  The legislation would, for the first time, apply the CE mark to software, and create approval processes for a wide range of digital products and services required to receive the mark and become eligible to be sold and used on the EU market.  The Act is currently undergoing negotiations between the European Parliament, Council and Commission.