07-08-2025 Article

E-Evidence Regulation: New obligations for service providers from 2026

Update Data Protection No. 215

With Regulation (EU) 2023/1543 on European Production and Preservation Orders for electronic evidence in criminal proceedings ("e-Evidence Regulation"), the European Union has created a new instrument to facilitate cross-border access to digital data. The regulation came into force on August 18, 2023 (we reported), but will only be directly applicable from August 18, 2026 after a three-year transitional period. From this date, law enforcement authorities from all EU member states will be able to directly oblige providers of digital services to hand over or secure electronic evidence. For affected companies, this will result in new obligations to check and act, which already require organizational and legal preparations.

I. Key content

The aim of the e-Evidence Regulation is to simplify and speed up access by law enforcement authorities to electronic evidence in the context of cross-border investigations within the European Union. The central instruments of the Regulation are the European Production Order (EPOC) and the European Preservation Order (EPOC-PR). With these orders, investigating authorities of one EU Member State can oblige service providers in another Member State to hand over digital data or to preserve it for a certain period of time without the cooperation or confirmation of judicial authorities of the requested state being required.

The order may concern all types of electronic evidence, in particular subscriber, traffic and content data. The Regulation also contains provisions on the responsibility of the issuing authorities, formal requirements for the orders and possible grounds for refusal. Rules on legal protection for data subjects and the involvement of national enforcement authorities in certain cases are also part of the regulation. It will be implemented via a newly established, decentralized IT communication system between authorities and service providers.

II. Companies affected

The scope of the e-Evidence Regulation is broad and affects a large number of companies that provide digital services within the EU. It covers not only traditional telecommunications companies, but also providers of other online services in which the processing or storage of personal data plays a central role. The application requirement is not linked to the company's registered office within the EU, but rather to whether the respective service is aimed at users in one or more Member States. Indications of this may include the language of the service, availability in regional app stores or local customer support.

The companies addressed include, in particular, those that provide communication services such as email providers, VoIP services or messengers, but also platform operators, cloud service providers and hosting providers, if they process or store data to a relevant extent. The term "service provider" is interpreted broadly within the meaning of the Regulation, which means that operators of platforms with integrated communication functions or user accounts may also fall under the provisions. The decisive factor is whether the service enables communication between users or whether the service is designed to manage user-generated content or data.

The Regulation does not differentiate between company size or economic significance. The requirements therefore apply regardless of whether the providers are established corporations or smaller, specialized providers. Even the involvement of external service providers does not change the fact that the primary responsibility lies with the respective provider, who acts as the controller under data protection law within the meaning of the GDPR. In exceptional cases, processors may also be affected by orders, for example if they have direct access to the requested data.

Overall, the Regulation means that numerous companies that have not previously been involved in criminal proceedings for the disclosure of data may in future be confronted with sovereign requests from abroad, which is associated with legal and organizational implications.

III. Procedure for EPOC and EPOC-PR

If a service provider is confronted with a production or preservation order in accordance with the e-Evidence Regulation, it must respond immediately to its content and the associated deadlines. The Regulation stipulates a standard period of ten calendar days from receipt for European Production Orders (EPOC), within which the requested electronic evidence must be provided. In particularly urgent cases, this period may be reduced to eight hours. Technical and organizational measures to identify and secure the data concerned must therefore be introduced as soon as the order is received.

In addition to operational implementation, a legal review must also be carried out. It must be determined whether the disclosure in the specific individual case is incompatible with other legal provisions, in particular those from third countries to which the provider is subject. It must also be checked whether factual or legal circumstances prevent timely execution. If this examination reveals that there is an obstacle to execution, the issuing authority must be notified immediately, stating the reasons, using the prescribed notification form (Annex III of the Regulation).

Special rules apply when an EPOC targets traffic or content data that is not used exclusively to identify the person concerned. In such cases, the competent enforcement authority in the provider's Member State is notified at the same time as the order is addressed to the service provider. However, this does not apply if the offense and the residence of the data subject are both located in the issuing state. If the national enforcement authority is informed, this has a suspensive effect: the data may only be transmitted if no grounds for refusal have been raised within the specified period of ten days, or 96 hours in the case of an emergency, or if an express waiver of such an objection has already been declared beforehand. If the enforcement authority refuses, execution of the order is inadmissible.

Immediate response obligations also apply to preservation orders (EPOC-PR). Upon receipt of the order, the service provider is required to protect the designated data from deletion or modification. The retention period is initially 60 days and can be extended by a maximum of a further 30 days upon request. In the case of an EPOC-PR, it must also be evaluated whether the preservation is legally or factually excluded. If this is the case, a notification must be sent to the issuing authority using the form provided.

If essential information is missing in an order, such as the identity of the person concerned or a more detailed description of the requested data, or if it contains obvious formal deficiencies, the provider may request clarification. The relevant implementation period only begins to run upon receipt of the corrected or supplemented order. If there is no response from the ordering body within five days, the obligation to secure data no longer applies.

Articles 10 and 11 of the Regulation also contain a number of exemptions. The order does not have to be complied with if, for example, the requested authority is not responsible, the prescribed form has not been used, disclosure is objectively impossible or there are overriding obligations under other applicable law. Legal protective provisions in favor of journalistic activity or immunities that may prevent disclosure must also be taken into account. Such a reason for refusal must also be asserted to the authority using the form provided for this purpose. If the authority does not accept the justification, the proceedings will be passed on to the competent national enforcement authority, which will carry out a new examination. As a result, this can also lead to a judicial clarification. An unjustified or unlawful refusal to cooperate, on the other hand, can result in sanctions in the form of severe fines, the amount of which is based on a certain percentage of the global annual turnover.

All categories of electronic evidence can be subject to the orders. This includes, in particular, identification data such as names, dates of birth or contact details (subscriber data), information about communication processes and routes (traffic data) as well as stored content, including text messages, files or audiovisual data (content data).

The Regulation does not provide for a uniform reimbursement of costs. Whether and to what extent reimbursement is made for the fulfillment of the order depends on the national law of the requesting state. A central overview of the applicable regulations will be published by the EU Commission in the future.

IV. Further obligations

In addition to the direct implementation of production and preservation orders, the e-Evidence Regulation obliges service providers to comply with additional organizational and technical requirements. In particular, they must take suitable precautions to ensure that both the order itself and the associated data are processed with confidentiality, integrity and secrecy. The technical and operational measures used must correspond to the current state of the art and must be regularly reviewed and, if necessary, adapted (Art. 13 para. 4 e-Evidence Regulation).

Providers established outside the territory of the EU who nevertheless offer their services in one or more Member States are obliged to designate an authorized contact point based within the EU. For providers established in the EU, it is sufficient to designate an internal body responsible for processing the orders. In both cases, it must be ensured that incoming measures can be received and processed promptly.

If the company concerned is not the controller under data protection law, but a processor within the meaning of Art. 28 GDPR, it is obliged to inform the respective controller of the receipt and implementation of the order without delay. However, direct notification to the data subject is not permitted; only the competent authority of the issuing member state is permitted to do so.

V. Conclusion and recommendations for action

At the end of the transition period in August 2026, the e-Evidence Regulation will have direct legal effect for all affected service providers in the EU. Companies whose services are only indirectly available on the European market must deal with the requirements of the Regulation at an early stage. The very short deadlines for processing production and preservation orders require careful internal preparation from both a technical and organizational perspective.

It is therefore advisable to define fixed responsibilities within the company now and to establish a standardized procedure for the legal assessment of incoming requests. Companies should also ensure that technical measures for secure data identification, protection and transmission are implemented. Interfaces to official communication must be taken into account, as well as any data protection conflicts with third country law, which should be mapped in an internal review mechanism.

In view of the impending sanctions and the practical complexity of the ordering procedures, early and structured preparation for the e-Evidence Regulation is essential from a business perspective. This is the only way to ensure legally compliant, timely and technically flawless implementation.


This article was created in collaboration with our student employee Emily Bernklau.
