CalendarEU

EU ePrivacy Directive Deadlines and Compliance Calendar

Current-state milestones plus a recurring cadence for cookies and marketing compliance.

Focus: directive baseline, guidance milestones, and evidence freshness.

Back to main artifactReview sources
Author
Sorena AI
Published
Feb 21, 2026
Updated
Feb 21, 2026
Sections
5

Structured answer sets in this page tree.

Primary sources
5

Cited legal and guidance references.

Publication metadata
Sorena AI
Published Feb 21, 2026
Updated Feb 21, 2026
Overview

ePrivacy compliance does not end after a banner redesign. It breaks when trackers change, consent logging drifts, or suppression lists stop propagating. Use this page to anchor on the current directive baseline and major guidance milestones, then run a repeatable cadence for tracker audits, CMP QA, consent-log verification, and direct-marketing suppression audits. This page does not modify the underlying timeline or dataflow artifacts - it gives you an operational calendar.

Section 1

Current baseline and guidance milestones

Your day-to-day obligations still come from the directive as implemented in national law, not from the proposed regulation. The most useful timeline points are therefore the current directive baseline and the major GDPR-era guidance documents.

Use these milestones to frame your documentation, training, and annual legal review checkpoints.

  • 12 July 2002, Directive 2002/58/EC entered into force as the sector-specific privacy framework for electronic communications.
  • 25 November 2009, Directive 2009/136/EC updated Article 5(3) and strengthened the consent model for storing or accessing information on terminal equipment.
  • 25 May 2018, the GDPR started applying, which made the GDPR conditions for valid consent central to many ePrivacy implementations.
  • 12 March 2019, EDPB Opinion 5/2019 clarified the ePrivacy and GDPR interplay and competence split.
  • 4 May 2020, EDPB Guidelines 05/2020 on consent reinforced the positions on valid consent and cookie walls.
  • 18 January 2023, the EDPB Cookie Banner Taskforce report summarized common enforcement positions on reject options, pre-consent firing, and withdrawal.
Recommended next step

Turn EU ePrivacy Directive Deadlines and Compliance Calendar into an operational assessment

Assessment Autopilot can take EU ePrivacy Directive Deadlines and Compliance Calendar from planning deadlines, owners, and milestones from this page to a reusable workflow inside Sorena. Teams working on EU ePrivacy Directive can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

Assessment workflow
Open Assessment Autopilot for EU ePrivacy Directive Deadlines and Compliance Calendar

Start from EU ePrivacy Directive Deadlines and Compliance Calendar and turn the guidance into owned tasks, evidence requests, and review checkpoints.

Explore next step
Talk to Sorena
Talk through EU ePrivacy Directive

Review your current process, evidence gaps, and next steps for EU ePrivacy Directive Deadlines and Compliance Calendar.

Explore next step
Section 2

Quarterly cadence - tracker governance

Most compliance failures happen through silent drift: new tags, new SDKs, new vendors, and new purposes that bypass review.

Run quarterly tracker audits the way you would run a security or release-control review.

  • Run a tracker scan, tag-manager export, network scan, and mobile SDK list diff.
  • Update the Article 5(3) decision table, consent versus exemption, and re-approve any changes.
  • Verify pre-consent blocking with automated tests and spot checks in production.
Section 3

Monthly cadence - CMP configuration and consent-logging QA

Consent systems often fail silently through broken logging, vendor-mapping errors, or locale mismatches.

Monthly QA is the easiest way to avoid enforcement surprises and evidence gaps.

  • Export and diff the CMP configuration, then validate vendor and purpose mappings.
  • Check consent-log completeness, missing events, unexpected spikes, and locale problems.
  • Test withdrawal propagation so suppression and firing changes take effect across systems.
Section 4

Biannual cadence - direct-marketing suppression audit

Direct-marketing complaints often come down to suppression failures, not policy wording.

Treat suppression integrity as a control that needs recurring testing.

  • Audit suppression-list governance, access, approvals, and change logs.
  • Test vendor propagation end to end, unsubscribe to suppression to no further send.
  • Reconcile CRM and ESP segments against the suppression source of truth.
Section 5

Annual cadence - enforcement readiness rehearsal

You should be able to answer what trackers you run, why, how consent works, and what logs prove it.

Rehearse evidence exports like an incident tabletop exercise.

  • Export pack, tracker decision table, CMP snapshots, consent-log schema, and test results.
  • Marketing pack, consent model, capture logs, suppression governance, and vendor list.
  • Annual legal review, confirm national guidance updates, DPA positions, and any legislative reform movement, then document what changed and who approved it.
Primary sources

References and citations

Related guides

Explore more topics

Confidentiality of Communications (ePrivacy Directive) | Traffic Data, Location Data, Content, and the OTT Gap
A practical guide to communications confidentiality under the current ePrivacy Directive, Directive 2002/58/EC: how to classify content, traffic data.
Cookies & Consent (ePrivacy Directive Article 5(3)) | Exemptions Test, Analytics, CMP Implementation
An advanced guide to cookie consent under the ePrivacy Directive (Directive 2002/58/EC): how Article 5(3) applies to cookies/SDKs/local storage.
Direct Marketing Consent Checklist (ePrivacy Article 13) | Proof, Opt-Out, Suppression Lists
A practical direct marketing consent checklist for ePrivacy (Directive 2002/58/EC, Article 13): consent capture fields, wording/version control.
Direct Marketing Rules (ePrivacy Directive Article 13) | Consent, Soft Opt-In, Opt-Out, Suppression Lists
A practical guide to ePrivacy direct marketing rules (Directive 2002/58/EC, Article 13): when prior consent is needed.
ePrivacy Applicability Test (Directive 2002/58/EC) | Cookies Article 5(3), Marketing Article 13, Metadata
A practical EU ePrivacy applicability test: decide whether your product triggers terminal equipment access rules (cookies/SDKs/local storage/fingerprinting.
ePrivacy Checklist (Directive 2002/58/EC) | Cookie Banner, Consent Logs, Exemptions, Marketing Evidence
An audit-ready ePrivacy checklist: build a tracker inventory and Article 5(3) decision table (consent vs exemptions).
ePrivacy Compliance Program | Cookies, Consent UX, Evidence, Marketing Controls (Directive 2002/58/EC)
A practical ePrivacy implementation playbook: governance, tracker inventory and Article 5(3) decision table, cookie banner and CMP design.
ePrivacy Directive Enforcement (Cookies + Marketing) | How Regulators Assess Cookie Banners, Consent, and Evidence
An advanced guide to ePrivacy Directive enforcement: who enforces national ePrivacy laws, what regulators look for in cookie banners and consent UX.
ePrivacy Directive Penalties and Fines | What "Effective, Proportionate, Dissuassive" Means + Risk Reduction Controls
Understand penalties and fine exposure under national laws implementing the ePrivacy Directive (Directive 2002/58/EC).
ePrivacy Directive Requirements (2002/58/EC) | Article 5(3) Cookies, Article 13 Marketing, Metadata + Evidence Map
A practical ePrivacy Directive requirements breakdown: terminal equipment access and cookie consent/exemptions (Article 5(3)).
ePrivacy Directive vs GDPR | Which Law Applies to Cookies, Tracking, Communications Metadata, and Marketing?
A practical, source-grounded split between the ePrivacy Directive and GDPR: ePrivacy for placement/reading on devices and communications confidentiality.
ePrivacy FAQ (Directive 2002/58/EC) | Cookies, Consent Exemptions, Cookie Walls, Marketing, Enforcement
High-signal ePrivacy answers: when cookies/SDKs need consent (Article 5(3)), what counts as strictly necessary (WP29 WP194).
ePrivacy vs GDPR (Cookie Stack Blueprint) | Align Consent UX, Tag Firing, Processing Purposes, and Evidence
A combined ePrivacy + GDPR implementation blueprint for cookies, tracking, and marketing.
EU Cookie Banner Requirements | ePrivacy Directive + GDPR Consent (EDPB) | UX Patterns + Test Cases
A practical cookie banner and CMP requirements guide: acceptance/reject parity, granularity, clear purposes, vendor transparency, no pre-ticked boxes.