
The ePrivacy Regulation: What's Coming After the Cookie Directive

The ePrivacy Regulation is meant to replace the 2002 Cookie Directive — but it's been stuck in political limbo since 2017. Here's where it stands in 2026, what it would change for cookie consent, and what compliance officers should do right now.

If you work in digital privacy, you've heard the refrain for years: the ePrivacy Regulation is coming. It was supposed to arrive alongside the GDPR in 2018. Then 2020. Then "soon." As of mid-2026, it still hasn't landed — but neither has the political process stopped. The proposal is alive, the stakes are enormous for the cookie consent industry, and dismissing it as perpetually stalled would be a mistake.

This guide is for compliance officers and privacy teams who need to understand what the ePrivacy Regulation would actually change, why it keeps getting delayed, where the legislative process sits today, and — most importantly — what you should be doing right now regardless of the timeline. If you need background on the current rules, start with our guide on the ePrivacy Directive.

The ePrivacy Directive vs the ePrivacy Regulation: Why It Matters

The ePrivacy Directive (Directive 2002/58/EC, amended in 2009) is the legal instrument that created the cookie consent requirement most of us know. As a directive, it doesn't apply directly to individuals and companies — each EU member state had to transpose it into national law. That's why cookie consent rules differ between France, Germany, the Netherlands, and every other member state. The CNIL's interpretation in France is notably stricter than the baseline, while other countries have been more lenient.

The proposed ePrivacy Regulation would change the legal instrument from a directive to a regulation — the same type of law as the GDPR. Regulations apply directly and uniformly across all EU member states. No national transposition, no per-country variation on the core rules. This alone would be a seismic shift. Instead of navigating 27 slightly different cookie law implementations, companies would face one set of rules.

The Regulation is also intended to modernize the substance of the rules, not just the legal form. The 2002 Directive was written for a web of HTTP cookies and basic tracking. It doesn't adequately address device fingerprinting, IoT data collection, metadata from messaging apps, or the browser-based consent mechanisms that modern technology makes possible.

Why the Regulation Has Been Delayed Since 2017

The European Commission published its proposal for an ePrivacy Regulation in January 2017, intending it to take effect on 25 May 2018 — the same day as the GDPR. The Parliament adopted its position quickly, in October 2017. Then the process stalled in the Council of the EU. The delays reflect genuine, deep disagreements:

  • Adtech and publisher lobbying. The advertising industry has pushed hard for broader exceptions, especially a "legitimate interest" basis for certain cookies. Publishers argue stricter rules threaten ad-funded journalism.
  • Scope disagreements. Member states can't agree whether the Regulation should cover only traditional telecoms or extend to OTT services like WhatsApp and Signal.
  • Browser-level consent. Whether browsers should handle consent centrally — technically elegant, but politically explosive because it would reshape the CMP industry.
  • GDPR overlap. Preventing conflicting obligations between the two regulations has required careful drafting that several Council presidencies couldn't resolve.

Ten Council presidencies have tried to find a common position. The current negotiating text bears little resemblance to the 2017 original.

Where Things Stand in 2026

As of mid-2026, the ePrivacy Regulation has not been formally adopted. The legislative process remains in the trilogue phase (negotiations between the Commission, Parliament, and Council), though calling those negotiations "active" would be generous.

  • The Council adopted a general approach in February 2021 under the Portuguese presidency, introducing significant changes around legitimate interest for cookies and metadata rules.
  • The Parliament has maintained its stricter 2017 position favouring tighter consent requirements.
  • Trilogue negotiations have proceeded intermittently, crowded out by the AI Act, the Data Act, and digital markets regulation.
  • No agreement is imminent. Experts broadly expect continued negotiations through at least 2027, with some questioning whether this proposal will ever reach adoption — or whether a future Commission might withdraw it and start fresh.

The uncertainty itself is a planning challenge. You can't ignore a Regulation that could reshape your consent architecture, but you also can't bet your program on a timeline nobody can predict.

Key Changes: What the Regulation Would Do Differently

Despite the moving target of negotiating texts, several substantive changes have been consistent across most versions of the proposal. These are the shifts compliance teams should understand.

Direct applicability across the EU

As a regulation rather than a directive, the rules would apply identically in all 27 member states without national transposition. This eliminates the patchwork of national cookie laws and DPA interpretations that currently make pan-European compliance so complicated. One set of rules, one interpretation framework, one enforcement regime. For organizations operating across multiple EU markets, this would actually simplify life — even if the rules themselves are strict.

Browser-level and device-level consent

Multiple versions of the proposal have included provisions for software — particularly web browsers — to manage user consent centrally. Instead of each website presenting its own cookie banner, browsers could prompt users to set their privacy preferences at install or first use. Websites would then query the browser's settings and respect them without showing a banner at all.

The practical implications are enormous. If browsers become the consent layer, the role of website-level cookie banners shrinks dramatically. Users would no longer face consent fatigue from hundreds of pop-ups. But the implementation details — how granular the browser settings would be, whether they'd distinguish between analytics and advertising, how consent would be communicated to third-party scripts — remain contested.

Expanded scope: metadata and communications content

The Regulation would extend confidentiality protections to communications metadata — the who, when, where, and how-long of a communication, not just its content. For telecoms and messaging providers, this means stricter rules on using metadata for profiling, location analytics, or advertising purposes. Website owners won't feel this directly, but it signals the EU's direction: more data types under stricter consent requirements.

Machine-to-machine and IoT coverage

The current Directive was written for human-to-human communication. The Regulation explicitly addresses machine-to-machine (M2M) communications and IoT devices, though several versions have exempted M2M from confidentiality requirements where no human communication is involved. If your organization operates connected TV or IoT devices, the Regulation's scope matters.

Revised cookie wall rules

The Council's 2021 text was more permissive than the Parliament's on cookie walls — the practice of blocking access unless a user consents to tracking. Some versions have allowed websites to condition access on consent, provided the service is free and a reasonable alternative exists. Others have restricted or prohibited the practice. The final text will determine whether pay-or-consent models get explicit legal backing or a clear prohibition.

The Legitimate Interest Debate

One of the most contentious issues is whether certain cookies could be placed under legitimate interest rather than requiring explicit consent. Currently, non-essential cookies require consent — full stop. But several Council versions have proposed exceptions for:

  • Audience measurement and analytics (similar to the CNIL's exemption approach, but codified in EU law)
  • Fraud prevention
  • Software updates and security patches
  • First-party analytics where data isn't shared externally

Parliament has opposed this, arguing it undermines consent and opens loopholes adtech would exploit. Privacy advocates worry "we need this cookie for security" would become the new "necessary for the website to function."

If legitimate interest for analytics makes the final text, many websites could run basic measurement without opt-in for those cookies. But without tight guardrails, the exception risks recreating the ambiguity the Regulation is supposed to resolve.

Could Browsers Replace Cookie Banners?

The idea isn't new. Do Not Track (DNT) tried something similar in 2009 and failed because websites had no legal obligation to honour it. Global Privacy Control (GPC) has had more success where it carries legal weight, like California.

Browser-level consent under the ePrivacy Regulation would be different: if written into EU law, websites would be required to respect the browser's signal. No opt-out, no ignoring the header. But the practical challenges are real:

  • Granularity. Banners distinguish necessary, analytics, marketing, and preference cookies. Can browser settings replicate that? A simple on/off toggle would be too blunt. Purpose-level settings need standardization across vendors.
  • Vendor-level consent. Under TCF, consent is granular down to individual ad vendors. Communicating vendor-level preferences via browser settings is a much harder technical problem.
  • Browser market power. Moving consent into Chrome, Safari, and Firefox makes Google, Apple, and Mozilla gatekeepers of the consent layer — some with their own advertising businesses.
  • Coexistence. Even if browser consent becomes law, there'd be a transition where both systems run in parallel. CMPs wouldn't disappear overnight.

What It Means for the CMP Industry

If the Regulation passes with strong browser-consent provisions, the CMP industry changes — but it doesn't vanish.

Banners become a fallback. If most users set preferences at the browser level, websites only need banners for non-supporting browsers or consent scenarios browsers can't handle (like vendor-level TCF consent).

CMPs shift toward orchestration. The value of a CMP isn't just the pop-up — it's script blocking, consent logging, cookie scanning, and Consent Mode integration. Those functions stay necessary regardless of where users make their choice.

Signal interpretation becomes the core job. CMPs would interpret browser consent signals, translate them into blocking rules, pass them to tag managers, and log them for compliance. The machinery behind the banner matters more than the banner itself.

Transition protects the industry. The infrastructure for browser-based consent doesn't exist yet — no standard protocol, no cross-browser implementation. Building it takes years, giving everyone time to adapt.

What You Should Prepare for Now

You can't plan around a specific adoption date or final text. But you can build a compliance posture that works either way — whether the Regulation passes soon or the Directive-plus-GDPR regime continues indefinitely.

1. Get current compliance airtight

The most likely near-term scenario is the status quo. If your GDPR cookie compliance is already solid — proper consent, comprehensive script blocking, documented inventory, consent logging — you're in good shape regardless.

2. Invest in consent architecture, not just consent UI

The websites that adapt fastest to browser-level consent will be those with clean architecture underneath: clear cookie categories, robust script blocking triggered by any signal source, and proper Consent Mode integration. A pop-up wrapper with no depth leaves you scrambling. An orchestration layer — managing what fires based on whatever signal arrives — keeps you ready.

3. Monitor browser privacy signals

Watch GPC adoption and new consent-related browser APIs. GPC is the closest precedent to what the Regulation envisions, and some DPAs already treat it as a valid consent signal.
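A sketch of the signal-agnostic orchestration layer described in steps 2 and 3, as an added example that is not CookieBeam's or any CMP's actual code. The function names, the purpose list and the policy that a GPC signal overrides a banner grant for marketing are assumptions; the `Sec-GPC` header and the Consent Mode v2 keys are the published ones.

```javascript
// Added example: one resolver for every consent signal source (hypothetical names).
const PURPOSES = ["necessary", "analytics", "marketing", "preferences"];

// Global Privacy Control arrives as the request header "Sec-GPC: 1".
// Any other value, or no header, means no preference was expressed.
function gpcFromHeaders(headers) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === "sec-gpc");
  return key !== undefined && String(headers[key]).trim() === "1";
}

// Merge signals into a purpose-level decision. Non-essential purposes are
// denied by default and granted only by an explicit banner choice.
// Assumed policy: a GPC signal vetoes marketing even if the banner granted it.
function resolveConsent({ headers = {}, bannerChoices = null } = {}) {
  const decision = {};
  const sources = {};
  for (const p of PURPOSES) {
    if (p === "necessary") {
      decision[p] = true;
      sources[p] = "exempt";
      continue;
    }
    decision[p] = bannerChoices !== null && bannerChoices[p] === true;
    sources[p] = bannerChoices === null ? "default" : "banner";
  }
  if (gpcFromHeaders(headers)) {
    decision.marketing = false;
    sources.marketing = "gpc";
  }
  // The sources map and timestamp are what a consent log would record.
  return { decision, sources, resolvedAt: new Date().toISOString() };
}

// Translate the decision into Consent Mode v2 state for the tag manager.
function toConsentMode(decision) {
  const s = (ok) => (ok ? "granted" : "denied");
  return {
    ad_storage: s(decision.marketing),
    ad_user_data: s(decision.marketing),
    ad_personalization: s(decision.marketing),
    analytics_storage: s(decision.analytics),
  };
}

// Script gate: a tag fires only if every purpose it declares is allowed.
function mayFire(tag, decision) {
  return tag.purposes.every((p) => decision[p] === true);
}
```

A future browser-level consent signal would become one more input to `resolveConsent`, leaving the script gate and the Consent Mode translation unchanged.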

4. Audit your cookie inventory regularly

Whether consent comes from a banner or a browser, you need to know what your site uses. Regular cookie scanning is table stakes for any compliance regime — and direct applicability would make enforcement more consistent, leaving fewer gaps to hide behind national interpretation differences.

5. Watch the legitimate interest question

If the final text includes legitimate interest for first-party analytics, document now which of your analytics cookies are strictly first-party, don't share data with third parties, and serve only statistical purposes.

6. Plan for a long transition

Even immediate adoption would include a 12-to-24-month transition period, plus time for browser vendors to implement consent APIs. You're looking at years of coexistence between old and new regimes. No need to panic — every reason to build adaptable infrastructure.

How CookieBeam Is Positioned

CookieBeam is a consent orchestration platform that happens to render a banner — not the other way around. That distinction matters when the consent mechanism might change.

Signal-agnostic processing. CookieBeam already handles banner interactions, GPC headers, and regional consent rules. Adding browser-level signals would be an additional input to the same engine, not a redesign.

Script blocking independent of UI. CookieBeam's script-blocking engine and continuous scanning aren't tied to the banner. They work the same whether consent came from a pop-up or a browser preference.

Consent logging. Every consent event is logged with a timestamp and purpose-level choices — regulation-agnostic audit infrastructure.

Consent Mode integration. Consent Mode v2 translation works regardless of whether the signal came from a CookieBeam banner, a browser setting, or a future protocol.

The question isn't whether consent management will exist after the ePrivacy Regulation — it's whether your CMP adapts when the consent surface changes.

The Bottom Line

The ePrivacy Regulation is the most important piece of unfinished privacy legislation in Europe. Its passage would harmonize cookie consent rules across the EU, potentially introduce browser-level consent mechanisms, and redefine what cookies can be placed under legitimate interest. But after nearly a decade of negotiations, nobody can tell you when — or if — this specific text will be adopted.

That uncertainty isn't a reason to wait. The current rules are already strict, enforcement is already real, and the direction of travel is clear: more user control, more consistency, more accountability. Every step you take toward better consent architecture, cleaner cookie inventories, and broader signal support is a step that pays off whether the Regulation arrives in 2027 or 2030.

Build for the direction, not the date.
