Back to Frameworks

EU ePrivacy Directive (2002/58/EC)

European Union
v2002/58/EC (amended by 2009/136/EC); pending replacement by ePrivacy Regulation (proposal under review)
5 domains
15 controls

Directive 2002/58/EC (the ePrivacy Directive) is the EU sectoral lex specialis on privacy in the electronic communications sector, alongside the GDPR (which is the lex generalis for personal data). The 2009/136/EC amendment introduced the prior-consent rule for cookies and similar storage-of-information technologies (Article 5(3)) and the security and personal-data-breach-notification regime (Article 4). The Directive applies to providers of publicly available electronic communications services and to natural and legal persons placing or accessing information stored in subscribers' / users' terminal equipment. The proposed ePrivacy Regulation has been WITHDRAWN by the European Commission (February 2025); the 2002/58/EC Directive remains the in-force instrument until the Commission tables a new proposal. Key operational articles: Article 4 security of services + personal-data-breach notification (60-day model in Article 4(3) feeds the GDPR Art.33-34 baseline); Article 5 confidentiality of the communications + Article 5(3) prior-consent storage-of-information rule (cookies, tracking pixels, fingerprinting); Article 6 traffic data; Article 7 itemised billing; Article 8 calling-line identification; Article 9 location data other than traffic data; Article 13 unsolicited communications (email/SMS/voice marketing).

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (5)

ePrivacy - Implementation, Enforcement and Final (Articles 14-21)

6 controls
Controls in the ePrivacy - Implementation, Enforcement and Final (Articles 14-21) domain of EU ePrivacy Directive (2002/58/EC)6 controls
CodeTitle
ePD-Art.14Technical features and standardisation (Article 14)
ePD-Art.14a_15aCommittee procedure and implementation/enforcement (Articles 14a and 15a)
ePD-Art.15Application of Directive 95/46/EC provisions and Article 15(1) Member-State restrictions (Article 15)
ePD-Art.16_17Transitional arrangements and transposition (Articles 16-17)
ePD-Art.18_19_20_21Review, repeal, entry into force and addressees (Articles 18-21)
ePD-Status.eRegWithdrawnStatus: proposed ePrivacy Regulation withdrawn (February 2025)

ePrivacy - Scope and Definitions (Articles 1-3)

1 controls
Controls in the ePrivacy - Scope and Definitions (Articles 1-3) domain of EU ePrivacy Directive (2002/58/EC)1 controls
CodeTitle
ePD-Art.1_2_3Scope, definitions and services concerned (Articles 1-3)

ePrivacy - Security and Confidentiality (Articles 4-5)

2 controls
Controls in the ePrivacy - Security and Confidentiality (Articles 4-5) domain of EU ePrivacy Directive (2002/58/EC)2 controls
CodeTitle
ePD-Art.4Security of services and personal-data-breach notification (Article 4)
ePD-Art.5Confidentiality of communications including the Article 5(3) cookie consent rule

ePrivacy - Traffic, Billing, CLI, Location and Directories (Articles 6-12)

5 controls
Controls in the ePrivacy - Traffic, Billing, CLI, Location and Directories (Articles 6-12) domain of EU ePrivacy Directive (2002/58/EC)5 controls
CodeTitle
ePD-Art.10_11_12Exceptions, automatic call forwarding and directories of subscribers (Articles 10-12)
ePD-Art.6Traffic data (Article 6)
ePD-Art.7Itemised billing (Article 7)
ePD-Art.8Calling-line and connected-line identification (Article 8)
ePD-Art.9Location data other than traffic data (Article 9)

ePrivacy - Unsolicited Communications (Article 13)

1 controls
Controls in the ePrivacy - Unsolicited Communications (Article 13) domain of EU ePrivacy Directive (2002/58/EC)1 controls
CodeTitle
ePD-Art.13Unsolicited communications (Article 13)

Maps to 2 other frameworks

15 total controls
GDPR
4 source controls mapped|3 target controls covered
27%
Digital Services Act (DSA) - Regulation (EU) 2022/2065
1 source controls mapped|1 target controls covered
7%

Frequently Asked Questions

What is EU ePrivacy Directive (2002/58/EC)?

EU ePrivacy Directive (2002/58/EC) is a compliance framework from European Union with 5 domains and 15 controls. Directive 2002/58/EC (the ePrivacy Directive) is the EU sectoral lex specialis on privacy in the electronic communications sector, alongside the GDPR (which is the lex generalis for personal data). The 2009/136/EC amendment introduced the prior-consent rule for cookies and similar storage-of-information technologies (Article 5(3)) and the security and personal-data-breach-notification regime (Article 4). The Directive applies to providers of publicly available electronic communications services and to natural and legal persons placing or accessing information stored in subscribers' / users' terminal equipment. The proposed ePrivacy Regulation has been WITHDRAWN by the European Commission (February 2025); the 2002/58/EC Directive remains the in-force instrument until the Commission tables a new proposal. Key operational articles: Article 4 security of services + personal-data-breach notification (60-day model in Article 4(3) feeds the GDPR Art.33-34 baseline); Article 5 confidentiality of the communications + Article 5(3) prior-consent storage-of-information rule (cookies, tracking pixels, fingerprinting); Article 6 traffic data; Article 7 itemised billing; Article 8 calling-line identification; Article 9 location data other than traffic data; Article 13 unsolicited communications (email/SMS/voice marketing). It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does EU ePrivacy Directive (2002/58/EC) have?

EU ePrivacy Directive (2002/58/EC) has 15 controls organised across 5 domains. The largest domains are ePrivacy - Implementation, Enforcement and Final (Articles 14-21) (6 controls), ePrivacy - Traffic, Billing, CLI, Location and Directories (Articles 6-12) (5 controls), ePrivacy - Security and Confidentiality (Articles 4-5) (2 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does EU ePrivacy Directive (2002/58/EC) map to?

EU ePrivacy Directive (2002/58/EC) maps to 2 other compliance frameworks. The top mapping partners are GDPR (27% coverage), Digital Services Act (DSA) - Regulation (EU) 2022/2065 (7% coverage). Use our comparison tool to explore control-level mappings between frameworks.

How do I get started with EU ePrivacy Directive (2002/58/EC) compliance?

Start your EU ePrivacy Directive (2002/58/EC) compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about EU ePrivacy Directive (2002/58/EC) requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 15 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 723 frameworks.

Get Started Free →

Free forever — no credit card required