EU e-Evidence Package
The e-Evidence Package establishes a harmonised mechanism that allows law enforcement and judicial authorities in one EU Member State to directly request the production or preservation of electronic evidence from a service provider's contact point in another EU Member State - bypassing traditional mutual legal assistance channels. For this purpose, two new instruments are introduced: the European Production Order and the European Preservation Order.
The Package consists of two legislative acts: the Regulation (EU) 2023/1543, which applies directly from 18 August 2026, and the accompanying Directive (EU) 2023/1544, which EU Member States must transpose by 18 February 2026.
Types of e-Evidence Covered
The Regulation covers four categories:
- subscriber data (e.g., name, address, billing information),
- access data (IP addresses, ports, timestamps),
- traffic data (e.g., communication metadata),
- content data (e.g., text, voice, images, videos).
Importantly, the Regulation only covers e-Evidence already stored when an order is received - it does not create obligations to retain data without a reason.
Reach out to our experts below for more information on how we can support you.
Your organisation may be subject to the e-Evidence framework if you provide electronic communications services, internet domain name and IP numbering services, or information society services enabling communication between users or data storage/processing. The Regulation extends to providers based outside the EU if they offer services to users within the Union.
Examples of covered services: Telecommunications providers, messenger services, email services, social media platforms, online marketplaces, cloud services, domain name registries.
Not covered: Video streaming services, e-commerce websites that only enable communication with the merchant itself, SaaS where data storage is not an essential feature.
Before 18 August 2026
1. Designate a contact point (addressee)
Service providers must designate an EU establishment or appoint a legal representative within the EU to receive and execute orders, and notify this to the relevant central authority by 18 August 2026.
2. Ensure IT system access
Providers must ensure their addressees can access the decentralised IT system for transmitting orders and responses. The ETSI specifications TS 104 144 define the architecture, interfaces and workflows, with key aspects made legally binding through Commission Implementing Regulation (EU) 2025/1550. Service providers must bear integration costs.
3. Implement security measures
Implement technical and operational measures to ensure confidentiality, secrecy and integrity of orders and data, including qualified seals or electronic signatures where required.
From 18 August 2026
When receiving a European Production Order:
- Identify and preserve the requested e-Evidence immediately
- Conduct a limited review checking for infringement of immunities or privileges, manifest errors, or conflicts with third-country law
- Transmit data securely via the decentralised IT system within 8 hours (emergencies) or 10 days (standard requests)
When receiving a European Preservation Order:
Preserve the electronic evidence for 60 days (extendable by 30 days) to ensure data remains available for later access via production orders.
Determining the correct service provider within a corporate group remains a key challenge, as compliance obligations attach to individual legal entities rather than the group as a whole.
It remains challenging to determine in which EU Member State a service provider must designate its addressee and to what extent that designation covers operations in other EU Member States.
US-based providers face potential conflicts between EU obligations and US disclosure restrictions under the Stored Communications Act, unless and until a bilateral EU-US agreement resolves these legal conflicts.
As a leading international law firm with deep expertise in technology, telecommunications, data protection and regulatory compliance, we are uniquely positioned to support service providers navigating the e-Evidence Regulation.
Our Services
Compliance Assessment & Gap Analysis We can assess your current operations against e-Evidence requirements, identify compliance gaps, and provide a clear roadmap to meet the 18 August 2026 deadline.
Addressee Designation Strategy We can advise on the optimal structure for designating establishments or appointing legal representatives, particularly for corporate groups operating across multiple EU Member States, and support you in handling notifications to central authorities.
Technical & Operational Readiness Our multidisciplinary teams can work with your IT and compliance functions to ensure readiness for the ETSI-defined decentralised IT system, implement required security measures, and establish internal processes for handling orders within tight deadlines.
Cross-Border Conflict Resolution We advise on managing potential conflicts between EU obligations and third-country laws (particularly US disclosure restrictions), and monitor ongoing EU-US negotiations to keep you informed of developments.
Process Design & Training We help design and implement internal workflows for receiving, reviewing and responding to European Production Orders and Preservation Orders, and provide staff training on the new regime.
Ongoing Compliance Support We closely monitor national implementing measures across EU Member States, provide updates on regulatory developments, and offer ongoing advisory support as the regime evolves.
Why Bird & Bird?
The EU e-Evidence Package is the latest in a long line of tech-related regulations. We pride ourselves on being at the forefront of these developments, helping our clients to respond proactively to changes.
A snapshot of our recent experience
- Advising a pan-European telecommunications provider on the impact of the e-Evidence Regulation on the group's European entities and developing a strategy to centralise compliance obligations.
- Advising a global technology company on the interaction between the DSA and the e-Evidence Regulation, including reconciling potential conflicts between the two instruments arising from requirements related to user notification of disclosure orders.
- Assisting a global technology company in responding to the public consultation on Belgium’s draft national implementation of the e-Evidence Package
- Advising a wide range of clients (including ECS providers and information society services) on managing cross-border law enforcement and judicial data disclosure requests and investigative measures, in the pre-e-Evidence Regulation landscape.
