Chapter 1 of 13
Orienting to CIPP/E: Exam Blueprint, Domains and Study Strategy
Step behind the three letters “CIPP/E” and see how the exam is actually built, what the IAPP expects you to know, and how to turn the official Body of Knowledge into an efficient, targeted study plan.
Step 1 – What CIPP/E Actually Tests (2026 View)
What CIPP/E Tests
CIPP/E is the IAPP certification on European privacy and data protection law. To study efficiently, you must know what the exam is built to test and how the IAPP structures the content.
Core IAPP Documents
Two key documents drive the exam: the Body of Knowledge (BoK), which lists topics you must know, and the Exam Blueprint, which groups topics into domains and shows their exam weight.
Recent Content Updates
Recent BoK updates reflect Schrems II, NIS 2 (in force since 2023, applying from Oct 2024), and the EU AI Act (adopted 2024, phasing in 2025–2027). CIPP/E tests awareness and application, not deep specialist expertise.
Your Goal in This Module
You will learn the current domains and weights, exam format and question style, how new topics like NIS 2 and the AI Act appear, and how to turn all of this into a domain-based study plan.
Step 2 – Exam Format, Timing and Scoring
Core Exam Mechanics
CIPP/E currently has about 90 multiple-choice questions in 150 minutes, delivered on computer at a test center or remotely. You choose one best answer from four options.
Question Types
Expect a mix of knowledge questions (definitions, roles, articles) and application questions (short scenarios asking how GDPR and related rules apply, or the best next step).
Scoring
Scores are reported on a scaled basis, often out of 100, with passing around 75. There is no negative marking: wrong answers do not subtract points, so you should answer everything.
Timing Strategy
You have about 1.6 minutes per question. Aim for 1–1.25 minutes on easy items, flag hard ones, and return later. Practice timed sets to make this pacing feel natural.
Step 3 – Current CIPP/E Domains and Approximate Weighting
Why Domains Matter
The Exam Blueprint divides content into domains with different weights. Knowing these helps you allocate study time to match the proportion of questions on the exam.
Domain I – Introduction
Domain I covers the history of European data protection, EU institutions, legal sources, and high-level views of GDPR, ePrivacy, NIS 2, and the EU AI Act. It is roughly 10–15% of the exam.
Domain II – Law and Regulation
Domain II is the core: detailed GDPR rules, data subject rights, controller and processor duties, international transfers, plus ePrivacy, NIS 2 links, and EU AI Act awareness. It is about 50–60%.
Domain III – Compliance in Practice
Domain III focuses on implementing privacy: governance, policies, privacy by design, vendor management, and breach handling. It accounts for roughly 25–35% of the exam.
Step 4 – How New Topics (NIS 2, EU AI Act, AI/GDPR) Show Up
NIS 2 in CIPP/E
NIS 2 is about cybersecurity for essential and important entities. For CIPP/E, it mainly appears as context for security of processing, incident reporting, and overlapping obligations with GDPR breaches.
EU AI Act in CIPP/E
The EU AI Act is tested at awareness level. You should know its risk-based structure and that AI systems using personal data must still comply with GDPR duties like transparency and data quality.
AI and GDPR Themes
Expect questions about lawful basis for AI, purpose limitation, data minimization, and automated decision-making and profiling under GDPR Articles 21–22 in AI-related scenarios.
Link Back to GDPR
Use NIS 2 and the AI Act as extensions of familiar GDPR ideas: security, DPIAs, transparency, accountability, and fundamental rights. This keeps new material manageable.
Step 5 – Map Yourself to the Domains (Quick Self‑Assessment)
Use this short exercise to see where you are strong or weak, so you can later build a realistic study plan.
For each question, answer in your head or jot down: Strong / Okay / Weak.
- Domain I – Introduction
  - Can you explain the difference between the EU and the Council of Europe?
  - Do you know what the Charter of Fundamental Rights is and how it relates to privacy?
- Domain II – Law and Regulation
  - Can you list at least four GDPR lawful bases and give a one‑line example for each?
  - Can you explain the difference between a controller and a processor?
  - Do you know the basic idea of Schrems II and its effect on international transfers?
- Domain III – Compliance in Practice
  - Can you outline the main steps in a DPIA?
  - Do you know what should be in a data processing agreement (DPA) with a vendor?
  - Can you sketch the main stages of a breach response process?
Now, count your ratings:
- If a domain has mostly Strong, you may only need light review + practice questions.
- If a domain has several Weak, you should plan deeper study + structured notes.
Keep this quick self‑assessment; you will use it in a later step when building your study plan.
Step 6 – Turning the BoK into a Study Map
Start With the Latest BoK
Download the latest CIPP/E Body of Knowledge and mark which domain each section belongs to. This gives you a complete, official list of what you must know.
Create Sub-Topics
Break each domain into smaller chunks, like lawful bases, data subject rights, DPIAs, and international transfers in Domain II, or governance and vendor management in Domain III.
Mark Your Familiarity
Next to each sub-topic, write Strong, Okay, or Weak based on your self-assessment. This quickly shows where you need deeper study versus light review.
Allocate Time and Tasks
Use domain weight and your weaknesses to assign hours to each domain. Then define concrete tasks: read, summarize, and practice questions for each sub-topic.
Step 7 – Build a Mini Study Plan for One Week
Now apply the mapping idea in a very practical way. Imagine you have 6 hours to study CIPP/E this week.
- Pick your focus domain
  - Choose the domain where you had the most Weak ratings in Step 5.
- Split your 6 hours
  - Example if Domain II is your focus:
    - 2 hours – Principles and lawful bases.
    - 2 hours – Data subject rights.
    - 2 hours – International transfers and Schrems II.
- Define tasks for each 2‑hour block
  - First 60 minutes:
    - Read the relevant BoK sections.
    - Read a textbook or IAPP training notes.
    - Write a 1‑page summary (handwritten or digital).
  - Next 60 minutes:
    - Do 10–20 practice questions on that sub‑topic.
    - Review explanations, especially for wrong answers.
    - Update your summary with any corrections.
- Write your own 1‑week plan now (short version)
  - On paper or in a note app, quickly write:
    - "This week, I will focus on Domain X. I will cover sub‑topics A, B, C. I will spend about Y hours on each and do Z practice questions."
This simple exercise helps you move from vague intention (“I should study GDPR”) to a specific plan you can actually follow.
Step 8 – Quick Check: Domains and Strategy
Test your understanding of the CIPP/E domains and how to prioritize your study.
You have 40 hours total to prepare for CIPP/E. The latest Blueprint shows Domain II is around 55% of the exam, and you rated yourself Weak in many Domain II topics. What is the MOST sensible way to allocate your time?
- A) Spend about 10 hours on each domain so your study time is evenly balanced.
- B) Spend about 22–26 hours on Domain II, and divide the remaining time between Domains I and III based on your weaknesses.
- C) Focus almost all 40 hours on Domain II and ignore Domains I and III since they are smaller.
- D) Spend most of your time on Domains I and III because they are easier and you can score quick points.
Answer: B) Spend about 22–26 hours on Domain II, and divide the remaining time between Domains I and III based on your weaknesses.
Because Domain II is both the largest portion of the exam and an area of weakness, it deserves the majority of your time (roughly proportional to its weight). The remaining hours should be split between Domains I and III, still considering your weaker areas. Ignoring any domain is risky.
Step 9 – Flashcard Review: Key Exam Terms
Use these quick flashcards to reinforce core concepts related to the CIPP/E exam structure and strategy.
- Body of Knowledge (BoK)
  - The official IAPP document listing the detailed topics the CIPP/E exam can test. It defines the content scope for your study plan.
- Exam Blueprint
  - The IAPP document that groups BoK topics into domains and shows their approximate percentage weight on the exam.
- Domain II – European Data Protection Law and Regulation
  - The largest CIPP/E domain, covering detailed GDPR rules, ePrivacy, international transfers, and awareness of related frameworks like NIS 2 and the EU AI Act.
- NIS 2 Directive
  - An EU cybersecurity directive (2022/2555) focusing on essential and important entities. In CIPP/E it mainly appears in relation to security of processing and incident/breach reporting.
- EU AI Act
  - The EU regulation adopted in 2024 that introduces a risk-based framework for AI systems. For CIPP/E, know its high-level structure and its interaction with GDPR duties.
- Scaled Score
  - A standardized exam score (often out of 100) that adjusts for slight differences in difficulty across exam forms. CIPP/E typically considers about 75/100 as the passing mark.
- Application Question
  - A multiple-choice item that presents a short scenario and asks you to apply GDPR and related rules to choose the best or most appropriate answer.
- Domain-Based Study Plan
  - A study plan that allocates time and resources to each CIPP/E domain in proportion to its exam weight and your personal strengths and weaknesses.
Step 10 – Putting It All Together on Exam Day
First Pass Strategy
On exam day, answer short, clear questions quickly and flag long or confusing scenarios to revisit. This ensures you collect easier points before spending time on harder items.
Think in Domains
Recognize which domain a question belongs to. Lawful bases and transfers signal Domain II; governance and DPIAs suggest Domain III. This helps you recall the right part of your notes.
Use GDPR Logic
In scenarios, identify controller and processor, purpose and lawful basis, and any rights or transfer rules. Then rule out answers that contradict these fundamentals.
Stay Current, Not Overwhelmed
Check IAPP for recent BoK and Blueprint updates, especially on NIS 2 and the AI Act, but always anchor new material back to core GDPR principles you already know.
Key Terms
- Domain
  - A major content area of the CIPP/E exam, such as Introduction, Law and Regulation, or Compliance in Practice.
- EU AI Act
  - An EU regulation adopted in 2024 that introduces a risk-based regulatory framework for AI systems; relevant to CIPP/E at a high level and in relation to GDPR.
- Scaled score
  - A standardized exam score that adjusts for differences in difficulty between exam versions; CIPP/E passing is typically around 75 on a 0–100 scale.
- Exam Blueprint
  - An IAPP document that groups BoK topics into domains and shows each domain's approximate percentage of exam questions.
- NIS 2 Directive
  - EU Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union, relevant to CIPP/E mainly for security and incident reporting context.
- Application question
  - A multiple-choice exam question that requires applying legal rules to a factual scenario, not just recalling definitions.
- Body of Knowledge (BoK)
  - The official IAPP document listing the detailed topics that can be tested on the CIPP/E exam.
- Domain-based study plan
  - A study plan that allocates time and resources to each exam domain based on its weight in the Blueprint and the learner's strengths and weaknesses.