Obligations in scope
Article 3 — Member States
Member States must notify the Commission of cases where fulfilling the requirements of Articles 8, 10, and 11 is technically impossible or requires a disproportionate economic effort. Action required: notify.
Article 4 — provider of a publicly available electronic communications service
The provider must take appropriate technical and organisational measures to safeguard the security of its services, ensuring a level of security appropriate to the risk presented, considering the state of the art and implementation costs. Action required: implement.
Article 4 — provider of a publicly available electronic communications service
In case of a particular risk of a breach of network security, the provider must inform subscribers concerning such risk and, where the risk lies outside the scope of the provider's measures, of any possible remedies including likely costs. Action required: inform.
Article 5 — Member States
Member States shall ensure the confidentiality of communications and related traffic data by means of a public communications network and publicly available electronic communications services through national legislation. Action required: ensure.
Article 5 — Member States
Member States shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and related traffic data by persons other than users without the consent of the users concerned. Action required: prohibit.
Article 5 — Member States
Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed if the subscriber or user is provided with clear and comprehensive information and offered the right to refuse such processing. Action required: ensure.
Article 10 — Member States
Member States shall ensure that there are transparent procedures governing the way in which a provider may override the elimination of the presentation of calling line identification on a temporary basis upon application of a subscriber requesting the tracing of malicious or nuisance calls. Action required: ensure.
Practical steps
What the obligations on this page actually require you to do, ordered by article. Use this as a starting checklist; verify each item against the underlying article text before treating it as legal advice.
- Art 3 — notify (Member States)
- Art 4 — implement (provider of a publicly available electronic communications service)
- Art 4 — inform (provider of a publicly available electronic communications service)
- Art 5 — ensure (Member States)
- Art 5 — prohibit (Member States)
- Art 10 — store (provider of a public communications network and/or publicly available electronic communications service)
- Art 9 — process (service provider)
Obligation reference table
| Article | Obligated entity | Deadline | Penalty |
|---|---|---|---|
| Art 3 | Member States | — | — |
| Art 4 | provider of a publicly available electronic communications service | — | — |
| Art 4 | provider of a publicly available electronic communications service | — | — |
| Art 5 | Member States | — | — |
| Art 5 | Member States | — | — |
| Art 5 | Member States | — | — |
| Art 10 | Member States | — | — |
| Art 10 | provider of a public communications network and/or publicly available electronic communications service | — | — |
| Art 10 | Member States | — | — |
| Art 9 | service provider | — | — |
Penalty exposure
None of the 35 obligations on this page carries an explicit penalty figure in the ePrivacy Directive text itself; the fine ceiling is set elsewhere in the regulation and applies by reference. Refer to the ePrivacy Directive's general penalties article to estimate exposure before signing off on a compliance programme.
Cross-regulatory conflicts
The ePrivacy Directive interacts with other EU regulations in ways that can pull compliance teams in opposite directions. The most concrete conflicts in the Fontvera corpus involving this regulation:
- GDPR Art 11 ↔ ePrivacy Directive Art 5 (medium) — [entity affected: controller / provider of publicly available electronic communications service] GDPR Art 11 allows processing without identifying the data subject if not required, while ePrivacy Art 5 requires specific consent for accessing terminal equipment, implying a need to identify the user to validate consent.
- AI Act Art 19 ↔ ePrivacy Directive Art 6 (high) — [entity affected: provider] The AI Act requires providers to keep automatically generated logs for at least six months, whereas ePrivacy requires traffic data to be erased or anonymized as soon as it is no longer needed for transmission, potentially creating a conflict if logs contain traffic data.
- DMA Art 1 ↔ ePrivacy Directive Art 15 (high) — [entity affected: Member States] DMA prohibits Member States from imposing further obligations on gatekeepers to ensure contestable markets, while ePrivacy allows Member States to restrict rights for national security or public security, potentially creating overlapping or contradictory enforcement scopes for gatekeepers.
- DORA Art 10 ↔ ePrivacy Directive Art 5 (high) — [entity affected: Financial entities providing electronic communications services] DORA requires monitoring of user activity and ICT anomalies, which may conflict with ePrivacy's strict prohibition on interception or surveillance of communications without user consent.
- DORA Art 12 ↔ ePrivacy Directive Art 6 (high) — [entity affected: Financial entities providing electronic communications services] DORA mandates backup and retention of data for business continuity, while ePrivacy requires traffic data to be erased or anonymized once no longer needed for transmission, creating tension over retention periods.
- DSA Art 15 ↔ ePrivacy Directive Art 6 (high) — [entity affected: provider of hosting services / provider of a publicly available electronic communications service] DSA requires reporting on content moderation actions and data processing for transparency, while ePrivacy strictly limits the processing and retention of traffic data to specific purposes like billing, potentially conflicting with broad reporting requirements if they imply data retention beyond necessity.