It does if said companies plan on being acquired, which is precisely what happened here:
> It is believed the vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016
Starwood is by far big enough to have the GDPR apply to it independently.
Starwood was well beyond the "move fast and break things" phase of companies. Many companies aren't, and if you're trying to say all startups have to comply with GDPR on day 1, you are wrong.
OK - so basically, if you don't knowingly provide (or envisage providing) goods or services to EU customers.
This is a very different situation from your original statements based on size and maturity of a company - but I'll concede that the EU reach clearly only applies to EU interests .
> It is believed the vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016