e–Evidence Regulation: Key compliance takeaways for service providers by 2026

Overview

On 18 August 2026, the EU’s new framework for cross-border access to electronic evidence will enter into application across all EU Member States (except Denmark). It consist of two legislative acts: Regulation (EU) 2023/1543, which applies directly, and the accompanying Directive (EU) 2023/1544, which EU Member States must transpose by 18 February 2026.

Together, these acts establish a harmonised mechanism that allows law enforcement authorities and judicial bodies in one Member State to directly request electronic evidence from service providers in another – without, or with only limited, involvement of authorities in the provider’s country of establishment.

Electronic evidence includes subscriber data, IP address data, traffic data, and content data.

Key concepts

The Regulation introduces two new investigative tools:

• European Production Order: Enables authorities in one EU Member State to directly compel a service provider in another EU Member State – via its designated contact point (“addressee”) – to produce electronic evidence.
• European Preservation Order: Enables authorities to request preservation of electronic evidence for 60 days to ensure it remains available for later access via production orders.

These tools bypass traditional mutual legal assistance channels, aiming to speed up access to electronic evidence. Requests are transmitted via the new decentralised IT system that will connect national authorities and the providers’ contact points.

Who is in scope?

Obligations apply broadly to providers of:

• Electronic communications services;
• Domain name and IP registration services;
• Information society services (digital services) enabling communication (such as social media platforms, online marketplaces) or data storing/processing on behalf of the users (such as cloud services).

Importantly, the Regulation also extends to providers based outside the EU, as long as they offer services to users within the Union.

For illustration, the rules are estimated to affect approximately 9,000 companies in Germany alone.

Practical obligations

Service providers will face significant new obligations:

1. Designation/Appointment of an Addressee: Service providers must designate an EU establishment or appoint a legal representative within the EU to receive and execute orders.
2. Timely Response: Deadlines for responding to a European Production Order can be as short as 8 hours for requests in emergency cases, and 10 days for standard requests.
3. Verification and Execution: Addressees must review orders, ensure compliance with EU and national law, and provide data securely.
4. Confidentiality and Data Protection: Providers must implement measures to protect users’ rights, including notification rules and legal remedies.

Challenges and open issues

Despite harmonisation, practical challenges remain:

• Unclear definitions: The distinction between “offering services” in an EU Member State and merely making them accessible online remains contested but offers room for argumentation.
• Overlap with national law: While we can observe the first drafts of the Directive transposition laws, some national rules raise uncertainty for providers and authorities alike.
• Cross-border conflicts: US-based providers face potential conflicts between EU obligations and US disclosure restrictions under the Stored Communications Act, unless and until a bilateral EU-US agreement resolves these legal conflicts. Such an agreement is currently being negotiated; however, a result has not been reached.
• Technical readiness: ETSI has published specifications (ETSI TS 104 144) defining the architecture, interfaces, and workflows for the decentralised IT system. These standards form the technical foundation for transmitting orders and responses between authorities and service providers. The European Commission has made key aspects of the ETSI specifications legally binding through Commission Implementing Regulation (EU) 2025/1550. Together, these instruments offer providers initial clarity on system design and interoperability requirements.

What this means for service providers

For companies, the Regulation presents both an operational and legal compliance challenges. Providers will need to:

• Assess whether they are in scope of the Regulation;
• Establish or adapt compliance structures for their addressee;
• Review internal processes for handling law enforcement requests;
• Prepare for the new ETSI-based interface and security requirements;
• Train staff on the scope, timelines, and safeguards of the new regime.

Conclusion

The e-Evidence Package marks a paradigm shift in cross-border criminal investigations. While it promises faster access to electronic evidence, it also imposes demanding obligations on service providers, both technical and organisational. Companies should monitor national implementing measures, the publication of guidance, and developments in EU-US negotiations. Early preparation will be crucial to reduce risk and ensure readiness by 18 August 2026.