In 7.2.1 you are required to: "determine..."
In 7.3.2 you are required to :determined and records maintained"
In the first case, the organization must determine what the regulations are "related to the product". This does not say you must have them listed and maintain a list, although that may be one way to control them. You need to ensure that all product mandates are known (determined).
Design inputs are slightly different. In this clause, you must maintain records of the inputs ("relating to product requirements"). That would include the regulatory stuff.
In both cases, the standard clearly states the requirements as related to the product. This information could be considered "documents of external origin" and controlled through 4.2.3 f)
It certainly depends on what you say in your QMS, however, if you're serious about compliance you need to be able to access the latest info, which therefore suggests control is required. If you prove access via internet, or what ever, then that's OK.
I'd go with referencing critical legislation relating to your product or service, and make sure you can access them in their lastest version. 'Cause there is a lot of legislation that applies to companies, and I've yet to find a company that has ALL the bases covered.
Of special mention is that your certifier will probably be ecstatic if you have made even the smallest effort to control these external docs. Also note that external docs are a pain to control, so do so with a minimalist approach.