--- title: "ePrivacy Deadlines and Compliance Calendar" canonical_url: "https://www.sorena.io/artifacts/eu/eprivacy-directive/deadlines-and-compliance-calendar" source_url: "https://www.sorena.io/artifacts/eu/eprivacy-directive/deadlines-and-compliance-calendar" author: "Sorena AI" description: "A practical ePrivacy calendar built around the current directive baseline and recurring controls: the 2002 directive, the 2009 cookie amendment." published_at: "2026-02-21" updated_at: "2026-02-21" keywords: - "ePrivacy compliance calendar" - "Directive 2002/58/EC timeline" - "Directive 2009/136/EC cookie amendment" - "EDPB cookie banner taskforce 2023" - "EDPB consent guidelines 2020" - "cookie banner audit cadence" - "suppression list audit cadence" - "ePrivacy timeline" - "COM(2017)10" - "ST 6087/21" - "cookie banner" - "CMP governance" - "direct marketing" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # ePrivacy Deadlines and Compliance Calendar A practical ePrivacy calendar built around the current directive baseline and recurring controls: the 2002 directive, the 2009 cookie amendment. *Calendar* *EU* ## EU ePrivacy Directive Deadlines and Compliance Calendar Current-state milestones plus a recurring cadence for cookies and marketing compliance. Focus: directive baseline, guidance milestones, and evidence freshness. ePrivacy compliance does not end after a banner redesign. It breaks when trackers change, consent logging drifts, or suppression lists stop propagating. Use this page to anchor on the current directive baseline and major guidance milestones, then run a repeatable cadence for tracker audits, CMP QA, consent-log verification, and direct-marketing suppression audits. This page does not modify the underlying timeline or dataflow artifacts - it gives you an operational calendar. ## Current baseline and guidance milestones Your day-to-day obligations still come from the directive as implemented in national law, not from the proposed regulation. The most useful timeline points are therefore the current directive baseline and the major GDPR-era guidance documents. Use these milestones to frame your documentation, training, and annual legal review checkpoints. - 12 July 2002, Directive 2002/58/EC entered into force as the sector-specific privacy framework for electronic communications. - 25 November 2009, Directive 2009/136/EC updated Article 5(3) and strengthened the consent model for storing or accessing information on terminal equipment. - 25 May 2018, the GDPR started applying, which made the GDPR conditions for valid consent central to many ePrivacy implementations. - 12 March 2019, EDPB Opinion 5/2019 clarified the ePrivacy and GDPR interplay and competence split. - 4 May 2020, EDPB Guidelines 05/2020 on consent reinforced the positions on valid consent and cookie walls. - 18 January 2023, the EDPB Cookie Banner Taskforce report summarized common enforcement positions on reject options, pre-consent firing, and withdrawal. *Recommended next step* *Placement: after the timeline or milestone section* ## Turn EU ePrivacy Directive Deadlines and Compliance Calendar into an operational assessment Assessment Autopilot can take EU ePrivacy Directive Deadlines and Compliance Calendar from planning deadlines, owners, and milestones from this page to a reusable workflow inside Sorena. Teams working on EU ePrivacy Directive can keep owners, evidence, and next steps aligned without copying this guide into separate documents. - [Open Assessment Autopilot for EU ePrivacy Directive Deadlines and Compliance Calendar](/solutions/assessment.md): Start from EU ePrivacy Directive Deadlines and Compliance Calendar and turn the guidance into owned tasks, evidence requests, and review checkpoints. - [Talk through EU ePrivacy Directive](/contact.md): Review your current process, evidence gaps, and next steps for EU ePrivacy Directive Deadlines and Compliance Calendar. ## Quarterly cadence - tracker governance Most compliance failures happen through silent drift: new tags, new SDKs, new vendors, and new purposes that bypass review. Run quarterly tracker audits the way you would run a security or release-control review. - Run a tracker scan, tag-manager export, network scan, and mobile SDK list diff. - Update the Article 5(3) decision table, consent versus exemption, and re-approve any changes. - Verify pre-consent blocking with automated tests and spot checks in production. ## Monthly cadence - CMP configuration and consent-logging QA Consent systems often fail silently through broken logging, vendor-mapping errors, or locale mismatches. Monthly QA is the easiest way to avoid enforcement surprises and evidence gaps. - Export and diff the CMP configuration, then validate vendor and purpose mappings. - Check consent-log completeness, missing events, unexpected spikes, and locale problems. - Test withdrawal propagation so suppression and firing changes take effect across systems. ## Biannual cadence - direct-marketing suppression audit Direct-marketing complaints often come down to suppression failures, not policy wording. Treat suppression integrity as a control that needs recurring testing. - Audit suppression-list governance, access, approvals, and change logs. - Test vendor propagation end to end, unsubscribe to suppression to no further send. - Reconcile CRM and ESP segments against the suppression source of truth. ## Annual cadence - enforcement readiness rehearsal You should be able to answer what trackers you run, why, how consent works, and what logs prove it. Rehearse evidence exports like an incident tabletop exercise. - Export pack, tracker decision table, CMP snapshots, consent-log schema, and test results. - Marketing pack, consent model, capture logs, suppression governance, and vendor list. - Annual legal review, confirm national guidance updates, DPA positions, and any legislative reform movement, then document what changed and who approved it. ## Primary sources - [Directive 2002/58/EC (ePrivacy Directive) - consolidated text (EUR-Lex)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02002L0058-20091219&ref=sorena.io) - Current directive baseline. - [Directive 2009/136/EC (cookie amendment) - EUR-Lex](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32009L0136&ref=sorena.io) - Amendment that strengthened the Article 5(3) consent model. - [EDPB Opinion 5/2019 on ePrivacy Directive and GDPR interplay](https://edpb.europa.eu/sites/edpb/files/files/file1/201905_edpb_opinion_eprivacydir_gdpr_interplay_en.pdf?ref=sorena.io) - Interplay model and enforcement competence. - [EDPB Guidelines 05/2020 on consent under GDPR](https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf?ref=sorena.io) - Consent validity and cookie-wall guidance used in ePrivacy implementations. - [EDPB Cookie Banner Taskforce report (18 January 2023)](https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Current enforcement learnings that should drive operational audit cadence. ## Related Topic Guides - [Confidentiality of Communications (ePrivacy Directive) | Traffic Data, Location Data, Content, and the OTT Gap](/artifacts/eu/eprivacy-directive/confidentiality-of-communications.md): A practical guide to communications confidentiality under the current ePrivacy Directive, Directive 2002/58/EC: how to classify content, traffic data. - [Cookies & Consent (ePrivacy Directive Article 5(3)) | Exemptions Test, Analytics, CMP Implementation](/artifacts/eu/eprivacy-directive/cookies-and-consent.md): An advanced guide to cookie consent under the ePrivacy Directive (Directive 2002/58/EC): how Article 5(3) applies to cookies/SDKs/local storage. - [Direct Marketing Consent Checklist (ePrivacy Article 13) | Proof, Opt-Out, Suppression Lists](/artifacts/eu/eprivacy-directive/direct-marketing-consent-checklist.md): A practical direct marketing consent checklist for ePrivacy (Directive 2002/58/EC, Article 13): consent capture fields, wording/version control. - [Direct Marketing Rules (ePrivacy Directive Article 13) | Consent, Soft Opt-In, Opt-Out, Suppression Lists](/artifacts/eu/eprivacy-directive/direct-marketing-rules.md): A practical guide to ePrivacy direct marketing rules (Directive 2002/58/EC, Article 13): when prior consent is needed. - [ePrivacy Applicability Test (Directive 2002/58/EC) | Cookies Article 5(3), Marketing Article 13, Metadata](/artifacts/eu/eprivacy-directive/applicability-test.md): A practical EU ePrivacy applicability test: decide whether your product triggers terminal equipment access rules (cookies/SDKs/local storage/fingerprinting. - [ePrivacy Checklist (Directive 2002/58/EC) | Cookie Banner, Consent Logs, Exemptions, Marketing Evidence](/artifacts/eu/eprivacy-directive/checklist.md): An audit-ready ePrivacy checklist: build a tracker inventory and Article 5(3) decision table (consent vs exemptions). - [ePrivacy Compliance Program | Cookies, Consent UX, Evidence, Marketing Controls (Directive 2002/58/EC)](/artifacts/eu/eprivacy-directive/compliance.md): A practical ePrivacy implementation playbook: governance, tracker inventory and Article 5(3) decision table, cookie banner and CMP design. - [ePrivacy Directive Enforcement (Cookies + Marketing) | How Regulators Assess Cookie Banners, Consent, and Evidence](/artifacts/eu/eprivacy-directive/enforcement-and-fines.md): An advanced guide to ePrivacy Directive enforcement: who enforces national ePrivacy laws, what regulators look for in cookie banners and consent UX. - [ePrivacy Directive Penalties and Fines | What "Effective, Proportionate, Dissuassive" Means + Risk Reduction Controls](/artifacts/eu/eprivacy-directive/penalties-and-fines.md): Understand penalties and fine exposure under national laws implementing the ePrivacy Directive (Directive 2002/58/EC). - [ePrivacy Directive Requirements (2002/58/EC) | Article 5(3) Cookies, Article 13 Marketing, Metadata + Evidence Map](/artifacts/eu/eprivacy-directive/requirements.md): A practical ePrivacy Directive requirements breakdown: terminal equipment access and cookie consent/exemptions (Article 5(3)). - [ePrivacy Directive vs GDPR | Which Law Applies to Cookies, Tracking, Communications Metadata, and Marketing?](/artifacts/eu/eprivacy-directive/eprivacy-directive-vs-gdpr.md): A practical, source-grounded split between the ePrivacy Directive and GDPR: ePrivacy for placement/reading on devices and communications confidentiality. - [ePrivacy FAQ (Directive 2002/58/EC) | Cookies, Consent Exemptions, Cookie Walls, Marketing, Enforcement](/artifacts/eu/eprivacy-directive/faq.md): High-signal ePrivacy answers: when cookies/SDKs need consent (Article 5(3)), what counts as strictly necessary (WP29 WP194). - [ePrivacy vs GDPR (Cookie Stack Blueprint) | Align Consent UX, Tag Firing, Processing Purposes, and Evidence](/artifacts/eu/eprivacy-directive/eprivacy-vs-gdpr.md): A combined ePrivacy + GDPR implementation blueprint for cookies, tracking, and marketing. - [EU Cookie Banner Requirements | ePrivacy Directive + GDPR Consent (EDPB) | UX Patterns + Test Cases](/artifacts/eu/eprivacy-directive/eu-cookie-banner-requirements.md): A practical cookie banner and CMP requirements guide: acceptance/reject parity, granularity, clear purposes, vendor transparency, no pre-ticked boxes. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/eprivacy-directive/deadlines-and-compliance-calendar