I'm not pretty sure about that. I get cookie banners from US companies all the time and choose to reject them.

Just visited www.vmware.com. Site is located in the US. Company is located in USA, and OneTrust's cookie banner welcomed me, and allows me to make choices.

VMware wants to sell to European clients. If they didn’t they wouldn’t have cookie banners.

Basically, if you have any tracking on your site, you either

a) Show the cookie banners if somebody is coming from a GPDR or GDPR-compliant country, since it's required by EU law and these GPDR-compliant laws.

b) You geofence your site and prevent access.

So, in practice regardless you whether sell anything or not, if your site, proverbially, touches European soil, you have to show these choices.

What’s the EU going to do to you if you don’t have operations in the EU?

That's option c, ignore EU law and forever give up the possibility of doing business there. The larger a company is the less likely it is to find that route palatable.

Why would the EU fine you for something you did before you had operations in the EU? I don’t think it works that way.

If you are taking EU citizens' data when they access your website from within the EU, then of course the EU will prosecute you for that.

Just like they will prosecute you for scamming EU citizens, for hacking EU citizens, for impersonating EU citizens, and anything else you can do to EU citizens while being located somewhere else.

Because they explicitly worded the law to threaten exactly that. It's the exact same thing the US does with the financial system. They intentionally claim extraterritorial jurisdiction; it is doubtful you would want to try calling that as a bluff.

If you market your services to EU residents, the EU will hold you subject to the GDPR (and many other EU Regulations) irrespective of your location.