What are the key ePrivacy obligations for EU businesses?

Obtain consent for cookies and tracking. Honour opt-out for direct marketing. Protect confidentiality of communications. Notify breaches to authorities. Implement privacy by default.

What is the maximum fine for ePrivacy non-compliance?

The maximum fine under ePrivacy is Per member state (GDPR rates of €20M/4% apply where violation also breaches GDPR).

When does ePrivacy apply or what is the enforcement deadline?

ePrivacy deadline: In force — update expected 2025-2026.

Which sectors does ePrivacy affect?

ePrivacy applies to: Telecommunications, Digital Services, E-commerce, Marketing.

ePrivacy Directive

The ePrivacy Directive governs electronic communications privacy, covering cookies, email marketing, and confidentiality of communications. Its replacement (ePrivacy Regulation) is pending but the Directive remains law. Maximum administrative fine: Per member state (GDPR rates of €20M/4% apply where violation also breaches GDPR).

Free EU Compliance Checker

What does ePrivacy require and when does it apply?

ePrivacy applies to Telecommunications and Digital Services organisations across all EU member states. The key deadline is In force — update expected 2025-2026. Non-compliance carries a maximum penalty of Per member state (GDPR rates of €20M/4% apply where violation also breaches GDPR). Core obligations include obtain consent for cookies and tracking and honour opt-out for direct marketing.

Obtain consent for cookies and tracking
Honour opt-out for direct marketing
Protect confidentiality of communications
Notify breaches to authorities
Implement privacy by default

Deadline	In force — update expected 2025-2026
Max fine	Per member state (GDPR rates of €20M/4% apply where violation also breaches GDPR)
Primary sectors	Telecommunications, Digital Services, E-commerce

Source: Official Journal of the EU — ePrivacy DirectiveReviewed: 2026-05-01

TL;DR

ePrivacy: Per member state (GDPR rates of €20M/4% apply where violation also breaches GDPR) max fine

ePrivacy applies to Telecommunications and Digital Services organisations in all EU member states. Key deadline: In force — update expected 2025-2026.

Source: Official Journal of the European Union — ePrivacy Directive

Deadline

In force — update expected 2025-2026

Max Fine

Per member state (GDPR rates of €20M/4% apply where violation also breaches GDPR)

Sectors Affected

Telecommunications, Digital Services, E-commerce

Per member state (GDPR rates of €20M/4% apply where violation also breaches GDPR)maximum fine

The highest penalty for non-compliance with ePrivacy in the EU.

EU Official Journal

Key regulatory facts: ePrivacy Directive
Official name	Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector (as amended by Directive 2009/136/EC)
Reg. No.	2002/58/EC
CELEX	32002L0058
Type	directive
In force	2002-07-31
Applies from	2003-10-31
Transposition	2003-10-31
Max fine	Penalties set by national law. Cookie/consent violations may also trigger GDPR Article 83 penalties via the personal-data overlap.
Authorities	National DPAs (in most member states) (member-state) National communications regulators (in some member states) (member-state)
Source	2002/58/EC — EUR-Lex Official Journal

How do I comply with ePrivacy?

Obtain consent for cookies and tracking
Honour opt-out for direct marketing
Protect confidentiality of communications
Notify breaches to authorities
Implement privacy by default

Does ePrivacy apply to your business?

Find out in 2 minutes with our free regulation checker.

Check now — free

Explore ePrivacy in depth

Penalties & Fines

Maximum fine tiers, Article-by-Article breakdown, and mitigation factors.

Enforcement Timeline

Key dates, application milestones, and per-Member-State transposition status.

ePrivacy by Industry

💻

SaaS & Software

💳

Fintech & Financial Services

🏥

Healthcare & MedTech

🏭

Manufacturing & Industry

🛒

E-commerce & Retail

🎓

EdTech & Education

🚚

Logistics & Transport

Energy & Utilities

Telecoms & Media

HR & Recruitment

Legal & Professional Services

🏛️

Public Sector & NGOs

Related Regulations

GDPR

GDPR governs the processing of personal data of EU residents. It requires lawful basis for processing, data subject rights, breach notification, and accountability measures.

DSA

The DSA creates obligations for online platforms and search engines to tackle illegal content, protect users, and ensure algorithmic transparency. Very large platforms face enhanced obligations.

AI Act

The EU AI Act classifies AI systems by risk level and imposes obligations on providers and deployers. High-risk systems face mandatory conformity assessments, documentation, and human oversight requirements.

Explore ePrivacy in depth

Penalties & Fines

See enforcement patterns, fine tier tables, and real enforcement cases across EU member states.

Deadline Timeline

Key milestones, implementation phases, and country-specific deadlines and phased rollout dates.

Industry Guides

Sector-specific ePrivacy guidance for SaaS, fintech, healthcare, and other affected industries.

Next step — classify

Classify your AI systems

Use the free regulation checker to find out exactly which ePrivacy obligations apply to your business in 2 minutes.

Classify your AI systems

Check Your Compliance Obligations

Find out which ePrivacy obligations apply to your organisation in under 2 minutes.

Check Your EU Compliance

For informational purposes only. This is not legal advice — consult qualified legal counsel.

Last verified: May 2026 · Source: EUR-Lex 32002L0058 · Editorial policy

ePrivacy Directive

What does ePrivacy require and when does it apply?

How do I comply with ePrivacy?

Does ePrivacy apply to your business?

ePrivacy by Country

Explore ePrivacy in depth

ePrivacy by Industry

Related Regulations

Explore ePrivacy in depth

Check Your Compliance Obligations