Compliance Audit

A compliance audit is a systematic, independent examination of an organisation's policies, procedures, and practices to verify that they meet legal requirements and internal standards. In the context of TTPA and political advertising, compliance audits assess whether sponsors, publishers, and advertising service providers are meeting their transparency, targeting, and due diligence obligations under EU Regulation 2024/900.

Legal Basis

While Regulation 2024/900 does not explicitly mandate compliance audits for all actors, it establishes supervisory mechanisms and enforcement powers that often require audit processes:

"Member States shall lay down the rules on penalties applicable to infringements of this Regulation and shall take all measures necessary to ensure that they are implemented. The penalties provided for shall be effective, proportionate and dissuasive."

— Article 26, Regulation 2024/900

National supervisory authorities use compliance audits as a key enforcement tool to verify adherence to the regulation's requirements.

Why It Matters

Compliance audits are essential for organisations involved in political advertising to demonstrate adherence to the transparency and targeting rules of the TTPA Regulation. Sponsors, publishers, and providers of political advertising services may conduct internal audits proactively or face audits initiated by national supervisory authorities as part of regulatory enforcement.

For sponsors and publishers, regular compliance audits help identify gaps in transparency notices, record-keeping practices, or targeting restrictions before they result in penalties. These audits verify that political advertisements are properly labelled, that transparency information is accessible, and that personal data is used only within permitted boundaries for targeting purposes.

Compliance audits also serve as evidence of a good-faith effort to comply with the regulation, which can be valuable if an organisation faces investigation or enforcement action. Well-documented audit trails demonstrate accountability and can mitigate penalties in cases of inadvertent non-compliance.

Key Points

  • Systematic verification: Compliance audits examine whether political advertising practices align with legal requirements under Regulation 2024/900, including transparency labelling, record retention, and targeting restrictions
  • Internal and external: Organisations may conduct internal audits as a preventive measure, while supervisory authorities may initiate external audits during investigations
  • Documentation focus: Audits typically review transparency notices, sponsorship disclosures, data processing records, and evidence of consent for targeting techniques
  • Risk management: Regular audits help identify compliance gaps before they escalate into regulatory violations or penalties
  • Continuous improvement: Audit findings inform updates to policies, staff training, and internal controls to strengthen ongoing compliance
  • Cross-border complexity: For pan-European campaigns, audits must verify compliance with both the EU regulation and any stricter national rules in relevant Member States

Compliance Audit vs. Data Protection Impact Assessment

While both are compliance tools, a compliance audit examines adherence to all applicable requirements under Regulation 2024/900 retrospectively or on an ongoing basis, whereas a Data Protection Impact Assessment (DPIA) is a prospective analysis required under GDPR when processing personal data for targeting presents high risks to individuals' rights and freedoms.

A compliance audit reviews what an organisation is actually doing across all TTPA obligations—transparency, sponsorship disclosure, record-keeping, and targeting restrictions. A DPIA specifically assesses risks and mitigation measures before launching a political advertising campaign that uses personal data for targeting or ad-delivery techniques. Many political advertising campaigns will require both: a DPIA before launch and periodic compliance audits during and after the campaign.

| Aspect      | Compliance Audit                    | DPIA                                |
|-------------|-------------------------------------|-------------------------------------|
| Timing      | Ongoing or retrospective            | Before high-risk processing begins  |
| Scope       | All TTPA obligations                | Personal data processing risks      |
| Focus       | Actual compliance with rules        | Risk assessment and mitigation      |
| Legal basis | General accountability (TTPA/GDPR)  | GDPR Article 35                     |

Compliance audit: Core Facts

Status: Active Definition
Verified: 2026-03-07

Related

Very transparent. Every political ad will be labelled, linked to a transparency notice with detailed information, and online ads will be searchable in a central European repository.
The Network coordinates election-related cooperation between member states. National contact points for TTPA enforcement should be members of this network where possible.
Election campaigns will need to ensure all paid advertising includes proper labels and transparency notices. Sponsors must be prepared to provide required information to all service providers.
Several major platforms currently do not allow paid political advertising, including some large social networks. This limits where political actors can place paid online advertisements.
The TTPA applies from 10 October 2025. Member States had until 10 April 2025 to designate competent authorities, and the Commission must provide label templates by 10 July 2025.
Publishers must ensure completeness and accuracy of certain information but are not required to verify all sponsor claims. They must correct manifestly erroneous information when they become aware of it.
Yes. When a hosting provider and a website both display an ad, both are considered publishers with responsibility for their specific services. Contracts should clarify how they share compliance duties.
If a publisher removes or disables access to a political ad due to illegality or terms violations, they must still provide access to the transparency information for the full seven-year retention period.