They could run a relay and get the statistics from that.

Simple. Once we get close to the threshold. Fork the protocol. Just slap a new name on it, but make it backwards compatible. People can just flock over to the new protocol if they want to. Not like they can stop the Nostr protocol anyway, but this would be a nice little fuck you to the eu.

With nostr, who would they even contact? Each client dev? Good luck with that. The relay operators? Duh, great. Finally relays on TOR will get the attention they deserve.

That threshold is its own thing, but smaller companies also have to deal with social media compliance nonsense.

Would a web server have to disclose how many users does it serve? 🙄

In this context Nostr is much more like SMTP or each relay a webforum. BlueSky discussion has muddled the conversation about their federation and the main instance has a company managing it. I can imagine them pushing bullshit like forcing relay operators within the EU to publish some privacy policy document or whatever.

According to the eu, if its a search or social media platform, yes.

But that would be 'platform (search or social) users', not 'web server users'. What if there's no user login?

NIP-42 authentication is effectively a login. Over the long run law does catch up with reality. If half the world uses Nostr, arguments like "it's a web server without login" won't matter. The EU wants to regulate the content of social media, and they will adjust laws to do so. This typically seems to take a decade, or two. What ultimately matters is not the legal details but: 1. To what extend censorship (and other regulatory burdens) are simply not practically enforceable. 2. To convince lawmakers that there's really no need to regulate this. (lol)