Do you have any references/citations for this?

Would help me out! I'm trying to put together a one-pager for my team.

When the regulation does not apply

Your company is service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.

https://ec.europa.eu/info/law/law-topic/data-protection/refo...

IANAL etc

I recently wrote about this subject (with sources). See these:

https://www.joyfulbikeshedding.com/blog/2018-04-17-should-no...

https://news.ycombinator.com/item?id=17058645

And “target” is such an arbitrary idea. Just existing could be argued as trying to target.

The standard should be: “do you have a physical nexus in the EU.” That’s it.

It's either "target", or it apples to all EU customers. "target" is far less of a problem for companies that don't consider their customers data to be important.