The European ePrivacy Regulation | Training

Important note: The European Commission has withdrawn its 2017 proposal for a Regulation on Privacy and Electronic Communications, better known as the ePrivacy Regulation. The decision appears in the Commission’s 2025 Work Programme and reflects the assessment that no agreement was foreseeable between the co-legislators and that the text had become outdated against the backdrop of newer legislative instruments. In practical terms, there is no EU ePrivacy Regulation coming into force, and the legal regime for electronic communications privacy remains anchored in the existing ePrivacy Directive as implemented in Member States, complemented by the GDPR.

Since 2021, the European Union has built a new digital regulatory framework that significantly influences the legal environment originally intended to be occupied by the proposed ePrivacy Regulation. During this period, the Union has adopted and brought into force several major legislative instruments, including Regulation (EU) 2022/2065 on a Single Market for Digital Services (Digital Services Act, DSA) and Regulation (EU) 2022/1925 on contestable and fair markets in the digital sector (Digital Markets Act, DMA). It adopted Regulation (EU) 2023/2854 on harmonised rules for fair access to and use of data (Data Act), a horizontal instrument governing access to and use of data in both business-to-business and business-to-government contexts.

The same period, new directives and regulations closed regulatory gaps once expected to be addressed, at least partially, by the ePrivacy Regulation. Two key instruments form part of the Union’s digital security architecture: Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS 2 Directive), and the Cyber Resilience Act, Regulation (EU) 2024/2847, adopted on 23 October 2024, concerning horizontal cybersecurity requirements for products with digital elements.

Together, these legislative acts address in a sectoral and horizontal manner many of the issues that originally motivated the ePrivacy reform initiative, like governance of digital platforms and intermediaries, online risk management, data usage rights and obligations, cybersecurity, and product integrity. For this reason, the European Commission explicitly cited the “obsolescence” of the 2017 ePrivacy proposal, relative to the now established Digital Services Act package and related regulatory developments, as a justification for its formal withdrawal of the proposal in 2025.

The European ePrivacy Regulation | Training

Cyber Risk GmbH, some of our clients