[latk]

The text in question does define more closely what it means to offer services in the EU. To lawyers (and to anyone who has experience with GDPR compliance) this is not a particularly vague statement. Admittedly, there's no unambiguous bright line definition, but there's a lot of jurisprudence on the matter.

In reality, the question is not whether EU citizens will use these services, but whether the operator of the service is targeting people in the EU, i.e. whether the operator intends or reasonably expects for EU people to use their service. A US service will most likely be fine if their reasoning goes something like this: (1) We primarily intend to serve connections from the US. (2) This expectation is reasonable based on our network topology. (3) But we don't care if someone else connects.

It would not be appropriate to exempt specific organizations since those organizations may change their targeting in the future. It already exempts most non-EU organizations, due to the criterion that they don't target the EU.

We had the same panicking in 2018 when the GDPR came into force and – quelle surprise – there are no fines for random international websites. The EU doesn't insert itself into your affairs if you don't insert yourself into the EU market.