EU ePrivacy Directive Enforcement and Fines

Article 15a is the enforcement anchor. It requires Member States to lay down rules on penalties, including criminal sanctions where appropriate, for infringements of national provisions adopted under the Directive. Those penalties must be effective, proportionate, and dissuasive, and they may cover the period of a breach even if the breach has later been corrected.

The same article requires competent national authorities, and where relevant other national bodies, to be able to order cessation of infringements and to have investigative powers and resources, including power to obtain relevant information needed to monitor and enforce national ePrivacy rules.

The Directive sets objectives and minimum enforcement features, but national law supplies the concrete penalty rules and authority powers. EDPB Opinion 5/2019 states that Member States have chosen different ways to allocate ePrivacy enforcement and that the Directive does not require only one national body to be competent.

That means a cross-border website, app, telecom service, CRM campaign, or analytics stack needs a country-by-country enforcement map before anyone can estimate sanctions. The EU-level sources support the principle of national penalties; they do not support a universal country penalty table on this page.

ePrivacy and GDPR can apply to the same user journey, but not always to the same processing operation. For cookie placement or reading, the Cookie Banner Taskforce confirmed that the applicable framework is national law transposing the ePrivacy Directive. For subsequent personal-data processing after terminal-equipment access, GDPR can apply.

EDPB Opinion 5/2019 adds an important limit: GDPR supervisory authorities remain competent to enforce the GDPR, but they can directly enforce national ePrivacy rules only if national law gives them that competence. GDPR cooperation and consistency mechanisms do not apply to enforcement of national ePrivacy implementation as such, although they remain available for GDPR issues.

Cookie-banner enforcement risk is usually evidentiary. Authorities and complainants can test whether non-essential cookies or similar technologies are set before consent, whether reject choices are available and understandable, whether pre-ticked boxes are used, whether design pushes acceptance, and whether withdrawal is as easy as giving consent.

For Article 5(3), the technical inventory must cover more than browser cookies. EDPB Guidelines 2/2023 address storage of, or access to, information in terminal equipment across technologies, so evidence should cover SDKs, pixels, local storage, device identifiers, IoT access, and similar mechanisms where relevant.

This page intentionally avoids country fine amounts, regulator penalty matrices, and national rules not present in the grounding set. The EU-level sources support the enforcement architecture and evidence priorities, but they do not provide a complete operational answer for every Member State.

They also do not turn the Commission's proposed ePrivacy Regulation fine levels into current ePrivacy Directive penalties. Commission proposal materials are useful for policy context and future-rule design, but current Directive exposure must still be checked against national transposition and the competent authority's powers.