If they aren’t doing business in the EU, they don’t need to comply with GDPR. While it technically protects EU citizens’ data everywhere, in practice it’s not possible to govern companies that are completely outside the EU.