Chapter 11 of 13
Related EU Instruments: ePrivacy, NIS/NIS 2 and the EU AI Act
Look beyond the GDPR to the wider constellation of EU rules—from ePrivacy and cookies to cybersecurity and AI governance—that increasingly feature in the CIPP/E Body of Knowledge and real‑world practice.
Big Picture: Why ePrivacy, NIS/NIS 2 and the EU AI Act Matter
The Wider EU Framework
GDPR is only one part of EU tech law. For CIPP/E, you must also know ePrivacy, NIS/NIS 2 and the EU AI Act, and how they interact with GDPR in real practice.
Current Legal Status (2026)
The ePrivacy Directive is still in force; the proposed ePrivacy Regulation has not replaced it. NIS 2 is now the main EU cybersecurity directive. The EU AI Act was adopted in 2024 and its obligations are phasing in.
Constellation, Not a Single Star
Think: GDPR = core data rules; ePrivacy = communications and cookies; NIS/NIS 2 = cybersecurity; AI Act = risk-based AI governance. The exam expects you to see how these fit together.
ePrivacy Directive vs GDPR: Scope and Key Concepts
Different Focus
GDPR covers personal data processing in general. ePrivacy focuses on electronic communications and terminal equipment (like phones and browsers), even if no personal data is involved.
What ePrivacy Covers
Key areas: confidentiality of communications, traffic and location data, public directories, unsolicited communications (spam), and access to/storing info on devices.
How It Relates to GDPR
ePrivacy is a sector-specific layer on top of GDPR. It often acts as lex specialis: if both apply, ePrivacy’s more specific rule usually takes priority, but GDPR still applies afterward.
Exam Signal
If a scenario mentions telecoms, messaging apps, cookies, or spam emails/SMS, you should immediately consider both ePrivacy rules and GDPR obligations.
Cookies and Consent: Applying ePrivacy + GDPR
When Do Cookies Need Consent?
Under ePrivacy, storing or accessing info on a device needs prior consent unless the cookie is strictly necessary for a service the user requested (e.g., shopping cart).
Cookie Types and Rules
Strictly necessary: no consent, but inform users. Preference, analytics, and marketing/tracking cookies usually require prior, informed, freely given consent.
GDPR Still Applies
Once you get ePrivacy consent, GDPR governs consent quality, transparency, and later processing. Consent must be specific, informed, unambiguous, and easy to withdraw.
Online Shop Example
Basket cookie: strictly necessary → no consent needed, but users must still be informed. Google Analytics and Facebook Pixel: need prior opt-in via a clear banner that offers separate, unbundled choices for analytics and marketing.
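The online shop rules above expressed as a consent gate, as an added example that is not part of the original page; the cookie names, category labels and the shape of the consent record are assumptions for illustration.

```javascript
// Added example (not from the original page): a consent gate modelled on the
// ePrivacy + GDPR cookie rules. Cookie names, category labels and the consent
// record shape are assumptions chosen for illustration.

// Each cookie the shop sets, mapped to the purpose it serves.
const COOKIE_CATALOGUE = {
  basket_id: "necessary",   // shopping cart the user explicitly requested
  ui_lang: "preference",    // remembered language choice
  _ga: "analytics",         // Google Analytics
  _fbp: "marketing",        // Facebook Pixel
};

// Categories that may be set without consent (users still need to be informed).
const EXEMPT = new Set(["necessary"]);

// Only an explicit per-category "true" counts as consent. A missing choice,
// a pre-ticked default, a string like "yes" or a bundled "accept all" flag
// is not the specific, unambiguous consent GDPR requires.
function mayStoreCookie(name, consent) {
  const category = COOKIE_CATALOGUE[name];
  if (category === undefined) return false;        // unknown cookie: block it
  if (EXEMPT.has(category)) return true;           // strictly necessary
  if (!consent || !consent.choices) return false;  // banner not answered yet
  return consent.choices[category] === true;       // explicit opt-in only
}

// Withdrawal must be as easy as giving consent: one category can be switched
// off later without disturbing the others, and the change is timestamped.
function withdrawConsent(consent, category) {
  const choices = { ...((consent && consent.choices) || {}) };
  choices[category] = false;
  return { ...consent, choices, updatedAt: new Date().toISOString() };
}

// Which cookies a page load may set for a given consent record.
function permittedCookies(consent) {
  return Object.keys(COOKIE_CATALOGUE).filter((n) => mayStoreCookie(n, consent));
}
```

Before the banner is answered only the basket cookie is permitted; analytics and marketing each need their own explicit opt-in.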
Thought Exercise: Electronic Marketing Scenarios
Work through these scenarios and decide what ePrivacy + GDPR likely require. You do not need to know every Member State's exact rule; focus on common EU patterns.
- Scenario A: B2C email marketing
A retailer collects a customer's email during a purchase. The customer is clearly told their email will be used for similar product offers and can opt out at any time. The customer does not opt out. Later, the retailer emails them about a related product.
- Question: Under typical ePrivacy rules, is this allowed without prior opt‑in consent? What conditions must be met?
- Scenario B: Cold SMS marketing
A gym buys a list of mobile numbers from a data broker and sends promotional SMS messages to people who have never interacted with the gym.
- Question: Under ePrivacy, what is usually required before sending these SMS messages?
- Scenario C: B2B email marketing
A software vendor sends promotional emails to business addresses like "it-manager@company.eu" found on company websites.
- Question: Are B2B emails treated the same as B2C emails under ePrivacy? What should you check at national level?
Reflect on each:
- Is prior consent required, or is there a soft opt‑in possibility?
- What information must be given in the message itself (e.g., identity of sender, easy opt‑out link)?
- How does GDPR still apply (e.g., lawful basis, transparency, data subject rights)?
Write down short answers for yourself, then compare them with official DPA guidance for one EU country of your choice.
NIS and NIS 2: Cybersecurity Meets Data Protection
What Is NIS/NIS 2 For?
NIS and NIS 2 aim to raise cybersecurity standards and incident reporting for key sectors across the EU, going beyond personal data to overall system security.
Who Must Comply?
NIS 2 applies to essential and important entities in sectors like energy, transport, health, banking, digital infrastructure, and some manufacturing, usually medium and large firms.
Key Obligations
Covered entities must manage cyber risks, implement security measures, and report significant incidents to national authorities within strict timeframes.
How It Relates to GDPR
A cyberattack may trigger both NIS 2 reporting (service/system impact) and GDPR breach notification (risks to individuals), especially in sectors like healthcare.
EU AI Act: Risk-Based AI Governance and Data Protection Links
AI Act Overview
The EU AI Act regulates AI systems used in the EU with a risk-based model: banned practices, strict rules for high-risk AI, transparency for some systems, and light rules for minimal-risk AI.
High-Risk AI Duties
High-risk AI must have solid data governance, documentation, transparency, human oversight, and technical robustness, echoing GDPR principles like accuracy and accountability.
AI + GDPR
The AI Act sits alongside GDPR. AI systems using personal data must still respect lawful basis, purpose limitation, data minimisation, and data subject rights under GDPR.
Transparency to Users
People must be told when they are interacting with an AI system (unless this is obvious) and when content is AI-generated or manipulated (deepfakes), subject to limited exceptions; this improves user awareness and trust.
Check Understanding: ePrivacy, NIS 2 and AI Act
Test your grasp of the scopes and interactions of these instruments.
Which statement best describes how these instruments interact with GDPR?
- A) The ePrivacy Directive, NIS 2 and the AI Act all replace GDPR whenever they apply.
- B) The ePrivacy Directive, NIS 2 and the AI Act are sector- or technology-specific layers that usually apply alongside GDPR.
- C) Only the AI Act applies together with GDPR; ePrivacy and NIS 2 are completely separate and never overlap.
- D) NIS 2 and the AI Act apply only when no personal data is involved, so GDPR is irrelevant in those cases.
Answer: B) The ePrivacy Directive, NIS 2 and the AI Act are sector- or technology-specific layers that usually apply alongside GDPR.
These instruments are complementary, not replacements. ePrivacy specialises rules for communications and devices; NIS 2 for cybersecurity of key sectors; and the AI Act for AI systems. When personal data is processed, GDPR still applies in parallel.
Review Key Terms and Exam Angles
Flip through these cards to reinforce core concepts that are likely to appear in the current CIPP/E Body of Knowledge.
- ePrivacy Directive: main focus
- Protects confidentiality of electronic communications and regulates access to/storing information on terminal equipment (e.g., cookies), plus rules on traffic data, location data, directories and unsolicited communications.
- Cookies: when is consent required?
- Consent is required before storing/accessing information on a device unless the cookie is strictly necessary for a service requested by the user. Analytics and marketing cookies typically require prior, informed, freely given consent.
- Soft opt-in for email marketing
- Under many national ePrivacy laws, a business may email existing customers about similar products without prior opt-in, provided the address was collected in the course of a sale, the customer was informed of the marketing use at collection, and a clear, easy opt-out was offered both at collection and in every subsequent email.
- NIS 2: who is covered?
- Essential and important entities in specified sectors (e.g., energy, transport, health, banking, digital infrastructure, some manufacturing and digital services), typically medium and large organisations.
- NIS 2 vs GDPR breaches
- NIS 2 focuses on cybersecurity incidents affecting network and information systems; GDPR focuses on personal data breaches risking individuals' rights. A single cyberattack can trigger both sets of notification duties.
- EU AI Act: risk tiers
- Unacceptable risk (banned practices), high-risk AI (strict requirements), limited-risk (transparency duties), and minimal risk (no specific AI Act obligations beyond existing law).
- High-risk AI obligations (data-related)
- High-risk AI must use well-governed, relevant, and high-quality datasets, maintain documentation and logs, ensure transparency and human oversight, and be robust and secure.
- AI Act and GDPR relationship
- The AI Act does not replace GDPR. When AI systems process personal data, GDPR rules on lawful basis, purpose limitation, minimisation, security and data subject rights apply in addition to AI Act obligations.
- CIPP/E exam signals for ePrivacy
- Look for telecom providers, messaging apps, cookies, tracking technologies, spam email/SMS, and device access. These usually indicate ePrivacy + GDPR issues, not GDPR alone.
- CIPP/E exam signals for NIS 2 and AI Act
- Critical infrastructure or essential services + cyber incidents suggest NIS/NIS 2 + GDPR. Automated decision-making, profiling, biometric identification, or high-impact AI uses suggest GDPR + AI Act themes.
Key Terms
- Cookies
- Small text files or similar technologies stored on a user's device, used for functions such as session management, preferences, analytics and tracking; regulated by ePrivacy and GDPR.
- AI system
- Under the EU AI Act, a machine-based system designed to operate with varying levels of autonomy and that can, for explicit or implicit objectives, generate outputs such as predictions, recommendations or decisions influencing environments.
- Soft opt-in
- A limited exception in many ePrivacy implementations allowing email marketing to existing customers about similar products without prior opt-in consent, provided strict conditions and easy opt-out are offered.
- Lex specialis
- A legal principle meaning that a more specific rule overrides a more general rule in case of conflict, used to describe the relationship between ePrivacy rules and GDPR.
- NIS Directive
- The original EU Directive 2016/1148 on security of network and information systems, now updated and largely superseded by NIS 2.
- NIS 2 Directive
- Directive (EU) 2022/2555, strengthening and expanding EU-wide cybersecurity obligations for essential and important entities in key sectors, including risk management and incident reporting.
- ePrivacy Directive
- EU Directive 2002/58/EC (as amended) on privacy and electronic communications, covering confidentiality of communications, cookies, traffic and location data, directories and unsolicited communications.
- High-risk AI system
- An AI system listed or falling within categories defined by the EU AI Act as high risk due to its significant impact on health, safety or fundamental rights, subject to strict compliance requirements.
- ePrivacy Regulation
- A proposed EU regulation intended to replace the ePrivacy Directive with directly applicable rules; as of May 2026 it has not yet entered into force.
- Personal data breach
- A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data (GDPR Article 4(12)).