What is the e-Evidence Regulation?

By Reqport7 min read
What is the e-Evidence Regulation?

The e-Evidence Regulation gives EU law enforcement a fast, cross-border way to obtain user data: an authority in one member state can order a service provider in another to hand over data within a fixed deadline, without going through the courts of the provider's country. It applies from 18 August 2026, and any provider that stores user communications or data needs to be ready to receive these orders, check them, and respond in time.

What is the e-Evidence Regulation?

The e-Evidence Regulation consists of two instruments. Regulation (EU) 2023/1543 sets the substantive rules: what an order is, who can issue one, which providers are covered, and what data can be requested. Directive (EU) 2023/1544 requires every provider in scope to have a designated establishment or legal representative in the EU to receive and act on orders.

The Regulation is directly applicable and takes effect in every member state on 18 August 2026 without national implementing legislation. The Directive required transposition into national law by 18 February 2026.

The regulation is designed to speed up cross-border access to data. Before it, an authority that needed data held by a provider in another EU country relied on mutual legal assistance (MLA) or a European Investigation Order (EIO). An EIO can take up to 120 days, and mutual legal assistance around ten months on average. Under the e-Evidence Regulation, the authority issues a standard order directly to the provider, and the provider must comply within a fixed deadline.

What is an order?

An order is a binding demand from a law enforcement or judicial authority for specified data, issued on a standard cross-border form.

The regulation creates two orders.

A European Production Order (EPO) requires the provider to hand over specified data it already holds: subscriber data, traffic data, or content data.

A European Preservation Order (EPO-PR) requires the provider to preserve specified data so it cannot be deleted, while the authority prepares a production request. The data must be preserved for 60 days, extendable once by a further 30. It does not require disclosure.

Both are issued on a standard certificate and transmitted through a secure EU-wide system.

How fast do providers have to respond?

A European Production Order must be answered within 10 days. In an emergency, the deadline is 8 hours. A European Preservation Order must be acted on without delay, to prevent the data being deleted before a production request is made.

Meeting these deadlines requires locating the data, confirming the order is valid, and transmitting it securely within the time allowed.

Who is in scope of the e-Evidence Regulation?

A company is in scope if it meets two conditions: it provides a covered service, and it offers that service in the EU.

The regulation covers three categories of service:

  • Communications services, such as telecom operators, messaging apps, email providers, and internet telephony.
  • Internet infrastructure services, such as domain name registries, IP address assignment, and related privacy and proxy services.
  • Other information society services that let users communicate or that store and process their data, such as cloud and hosting providers, social networks, online marketplaces, and similar platforms.

The second condition, offering services in the EU, has two parts. The service must be genuinely available to users in a member state; mere accessibility from the EU is not enough. And the provider must have a substantial connection to the Union. That connection exists where the provider has an establishment in the EU. Failing that, it exists where the provider has a significant number of users in one or more member states, or directs its activities at them. Targeting is judged on factors such as use of a local language or currency, the ability to order goods or services, or availability in a local app store.


This means a provider based outside the EU can still be in scope, if its service is genuinely available to EU users and it has a substantial connection to the Union.

Does the e-Evidence Regulation apply to financial firms?

No. Financial services are excluded by name from the definition of a service provider. The exclusion covers banking, credit, insurance and reinsurance, occupational and personal pensions, securities, investment funds, payment services, and investment advice.

Financial institutions receive authority requests, but their obligation to respond arises under other frameworks, such as anti-money-laundering law among them, rather than under the e-Evidence Regulation. The regulation applies to providers of communication and data-storage services, not to institutions on the basis that they hold sensitive financial data.

Crypto-asset service providers (CASPs) are not named in the exclusion, but the same result follows. A pure exchange or custody service is not a communication, domain, or data-storage service, so it falls outside scope. A CASP's duty to respond to authority requests comes through anti-money-laundering law and MiCA, where it is treated as a financial entity.

Does it apply to domestic law enforcement requests?

No. The two orders apply only where an authority in one member state seeks data from a provider established in another. The mechanism is based on mutual recognition between member states, which applies across borders.

Domestic requests are unaffected. A national authority requesting data from a provider established in its own country continues to use ordinary national criminal procedure. The regulation also provides that an order can only be issued where the same data could have been obtained in a comparable domestic case. The e-Evidence Regulation adds a cross-border route alongside the existing domestic regime; it does not replace it.

What data can be requested, and by whom?

The regulation applies different conditions depending on the sensitivity of the data.

Subscriber data and data requested solely to identify a user are the least sensitive. They can be requested by a public prosecutor, for any criminal offence.

Traffic data and content data are more sensitive and subject to higher thresholds. An order for this data must be issued or validated by a judge or court. The underlying offence must be punishable by a custodial sentence of at least three years, or fall within a defined set of offences including terrorism, child sexual abuse, non-cash payment fraud, and certain cybercrime offences.

What do service providers have to do before 18 August 2026?

Designate an addressee. Every provider in scope must designate an establishment, or appoint a legal representative, in the EU to receive and execute orders. The provider and its legal representative are jointly liable for compliance.

Notify the authorities. Providers must notify the relevant national authority of their contact details and the languages they accept, by 18 August 2026 or within six months of beginning to offer services in the EU.

Establish an internal process. Providers must adapt their existing procedures for handling law enforcement requests to the new orders and deadlines, and train the staff who will handle them.

What are the penalties for non-compliance?

Member states must be able to impose financial penalties of up to 2% of a provider's total worldwide annual turnover. Penalties can apply to late or incomplete responses. The provider and its legal representative are jointly liable.

Is implementation on schedule?

Implementation is behind schedule. By the Directive's transposition deadline of 18 February 2026, most member states had not fully transposed it into national law, and the European Commission opened infringement proceedings against a number of them. The decentralised IT system that will carry orders between authorities and providers remains under development and may not be fully operational by 18 August 2026.

The application date for the Regulation is unchanged. The obligation on providers applies from 18 August 2026 regardless of the state of the surrounding infrastructure.

How service providers can prepare

  • Determine whether the company's services fall within scope
  • Identify which legal entity should act as the addressee.
  • Decide in which member state to designate.
  • Prepare and file the notification.
  • Establish a process to receive, verify, and respond to Production and Preservation Orders within the deadlines.
  • Confirm the ability to identify, preserve, and securely transmit requested data, with a record of each step.
  • Train the staff who will handle incoming orders.

Readiness has two parts. One is the legal analysis: confirming scope, designating an addressee, filing notifications. The other is operational: receiving an order, verifying it is legitimate, producing the correct data within the deadline, and retaining a record of what was done. The deadlines mean the operational process has to exist before the first order arrives.

---

This article is a general overview of the e-Evidence Regulation for informational purposes and does not constitute legal advice. For how the rules apply to your specific situation, consult qualified legal counsel.

Reqport

Reqport

Reqport is a platform for handling law enforcement and other authority data requests.

LinkedIn

Related articles