E-Evidence Act Takes Effect in August: What Companies Need to Do Now
Update Data Protection No. 249
With the German Implementation Act for the E-Evidence Regulation, passed on March 10, 2026, the legislature has established the national requirements for its practical application. The law specifically regulates jurisdictions, procedural matters, and the enforcement of relevant orders against companies in Germany. The background is the E-Evidence Regulation, which takes effect on August 18, 2026, and reorganizes cross-border access by law enforcement authorities to electronic evidence within the European Union (as we reported). It enables authorities to directly require service providers in other member states to hand over or secure data. For companies, this turns the issue into a matter of concrete compliance requirements.
I. Affected Companies
The personal scope of the E-Evidence Regulation is deliberately broad and covers all “service providers” that offer electronic communication or data processing services. The decisive factor here is not formal industry affiliation, but the specific function of the respective business model. The key question is whether a company enables users to communicate with one another or stores and processes data on their behalf.
In practice, this initially includes traditional providers of electronic communication services, particularly telecommunications companies, email providers, and messenger and VoIP services. Typical examples are providers of email hosting, enterprise communication solutions, or collaboration tools. Operators of video conferencing systems or business messaging platforms may also be covered, provided they enable interpersonal communication.
Furthermore, hosting and cloud services are centrally affected. These include, for example, cloud storage providers, Software-as-a-Service (SaaS) platforms, data hosting service providers, or providers of project management and CRM systems, to the extent that they store or process data on behalf of users. This is particularly relevant in practice for companies that provide their customers with digital infrastructures, such as data rooms, document management systems, or platform solutions.
However, the scope of application extends even further and also covers other information society services, provided they offer communication or storage functions. These include, in particular, social networks, online marketplaces, gaming platforms with chat functions, dating apps, and collaboration platforms. Even services where communication is only a secondary function – such as chat features in online games or comment features on platforms – may be covered.
Also explicitly included are providers of domain and internet infrastructure services, such as domain registrars, hosting providers, CDN providers, or providers of IP addressing services. These are regularly the focus when it comes to identifying users based on technical data such as IP addresses.
Finally, the company’s place of business is irrelevant. Providers based outside the EU are also subject to the Regulation if they offer their services within the Union, for example through a corresponding market orientation or a relevant user base within the EU. An exception applies only to certain financial services; otherwise, there are no size- or industry-based exemptions.
II. Production and Preservation Orders (EPOC and EPOC-PR)
At the heart of the E-Evidence Regulation are two new instruments: the European Production Order Certificate (EPOC) and the European Preservation Order Certificate (EPOC-PR). These enable law enforcement authorities to compel service providers directly, and across borders, to produce or preserve electronic evidence (Art. 5, 6 E-Evidence Regulation).
The EPOC under Art. 5 of the E-Evidence Regulation obligates the addressed service provider to transmit the requested data directly to the competent authority. In particular, the order must be necessary and proportionate and, depending on the type of data, is subject to various substantive and procedural requirements, such as a judicial review requirement for traffic and content data. Upon receipt of the order, the data must generally be transmitted within ten days; in urgent cases, the deadline is reduced to eight hours (Art. 10 E-Evidence Regulation).
In contrast, the EPOC-PR under Art. 6 E-Evidence Regulation serves to secure data in order to prevent its deletion or alteration. Service providers are obligated to retain the relevant data for an initial period of 60 days (Art. 11 E-Evidence Regulation), with the possibility of an extension. It typically functions as a preliminary measure prior to a subsequent production order.
For companies, this means that they may not only be obligated to actively transmit data but must also implement and maintain data preservation measures at short notice. The Regulation thus establishes, for the first time, directly enforceable, cross-border obligations on private service providers.
III. German Implementing Act
With the Act Implementing Regulation (EU) 2023/1543, the German legislature has created an independent national legal framework that defines, in particular, jurisdictions, procedures, and enforcement mechanisms. At its core is the Electronic Evidence Implementation and Enforcement Act (EBewMG), which integrates the requirements of EU law into German criminal procedure law.
Central, first and foremost, is the obligation to name a designated recipient: service providers must designate a branch or a representative within the EU who is responsible for receiving and implementing production and preservation orders (Section 3 EBewMG). This designated recipient must be equipped with sufficient powers and resources to actually comply with the orders.
The law also regulates domestic jurisdictions and procedures. Depending on the type of data, public prosecutors’ offices and courts are specifically responsible for issuing and enforcing European Production Orders (Sections 9, 10 EBewMG), while the public prosecutor’s office generally acts as the enforcement authority (Section 11 EBewMG). At the same time, it is clarified that the general provisions of the Code of Criminal Procedure apply in addition (Section 7 EBewMG).
The law also provides for comprehensive enforcement and sanction mechanisms. Violations of cooperation and implementation obligations—such as the failure to provide or secure data in a timely manner—may be punished as administrative offenses with substantial fines, which, for larger companies, are based on global revenue (Section 18 EBewMG).
IV. Recommendations for Companies
In light of the E-Evidence Regulation coming into force on August 18, 2026, affected companies should take concrete organizational and technical measures at an early stage:
1. Define responsibilities and an “e-evidence response process”
Companies should establish a clearly defined internal process for handling EPOC and EPOC-PR orders. This includes, in particular, designating a central point of contact (e.g., Legal/Compliance), setting up a 24/7 availability plan, and defining binding escalation procedures to ensure compliance with the 8-hour deadlines in urgent cases.
2. Implement and document the recipient structure in a timely manner
The designation of a recipient (branch office or representative) required by the Implementation Act should not be merely a formality but should be supported by organizational measures. The recipient must actually be able to review orders, forward them internally, and implement them. This includes clear powers of attorney, access to relevant data structures, and documented communication channels with authorities.
3. Prepare technical processes for data backup and extraction
Companies should verify whether their IT systems allow for a short-term backup (“freeze”) as well as a structured extraction of relevant data (e.g., inventory, traffic, or content data). In practice, it is advisable to establish standardized export and provisioning processes (e.g., for mailboxes, log files, or account data) to ensure requests can be fulfilled in a timely and complete manner.
4. Develop review and decision-making procedures
Incoming orders should not be implemented without review. Companies should develop an internal review framework that systematically maps out, in particular, the formal requirements (e.g., competent authority, correct data category, deadlines) as well as possible grounds for refusal or further inquiry. This review must be designed to function reliably even under significant time pressure.
5. Adapt interfaces to data protection and deletion concepts
Existing deletion and archiving concepts should be reviewed to ensure they are compatible with preservation orders. In particular, mechanisms must be implemented that enable the immediate suspension of automated deletion routines. At the same time, the legal basis for processing and transmitting data in the context of e-evidence orders should be documented.
V. Conclusion and Outlook
The E-Evidence Regulation and the accompanying German implementing law establish a new, immediately effective regime for cross-border access to electronic evidence. For affected companies, this means a significant expansion of their obligations to cooperate, as well as the need to be able to respond to official orders at short notice. The combination of tight deadlines, direct contact from foreign authorities, and severe sanction mechanisms significantly increases compliance pressure.
In practice, the key factors will be how frequently and to what extent the new instruments are actually used, and how the competent authorities handle the existing discretion – for example, regarding rights of review and refusal. At the same time, interfaces with data protection law, particularly the General Data Protection Regulation, remain fraught with uncertainty and are likely to be subject to further clarification through case law and administrative practice.
Companies should use the time remaining until August 18, 2026, to specifically adapt their internal processes, technical structures, and responsibilities. The e-evidence rules are expected to quickly become an integral part of the regulatory requirements for data-processing business models.