In brief
The European Union’s Regulation (EU) 2023/15431 (“E-Evidence Regulation”) will become binding in all EU member states on 18 August 2026, following a three-year transition period. It enables law enforcement authorities to obtain direct, cross-border access to electronic evidence held by service providers.
At the end of January 2026, the German Bundestag also passed the Act on European Production and Preservation Orders for Electronic Evidence2 (“E-Evidence Act”). The Act implements the European Union’s Directive (EU) 2023/15443 (“E-Evidence Directive”). Together with the E-Evidence Regulation, this creates a new legal framework for cross-border access to electronic evidence by investigative authorities.
Companies that fall within the scope of the Regulation as service providers should take the necessary technical and organizational measures in a timely manner. We outline these measures below.
In more detail
Practical classification
Starting 18 August 2026, investigative authorities within the EU will be able to request electronic evidence directly from service providers in other EU member states.
This replaces the previous, lengthy mutual legal assistance procedure involving government agencies. Until now, the rule has been that if service providers receive requests for information from investigative authorities in other EU countries directly – for example, by mail or email – and without the involvement of domestic authorities, they may refuse to respond to the request. From a data protection perspective, a refusal to cooperate might even have been appropriate.
Once the E-Evidence Rules take effect, investigative authorities will be able to directly order telecommunications and internet companies in other EU countries to preserve and produce electronic data. This includes subscriber data, traffic data, and content data.
One of the main goals of the new regulations is to combat cybercrime more effectively.
Scope of the E-Evidence Regulations
Scope of application
The E-Evidence Regulation applies to service providers as defined in Article 3(1)(3) of the Regulation. This includes both providers of electronic communications services – such as Internet telephony, instant messaging, and email services – and providers of information society services, provided they facilitate communication between users or store or process data on behalf of their users – for example, online marketplaces, platforms for online games, cloud computing, and other hosting services.
The regulation applies to providers to the extent that they offer the aforementioned services within the EU (Art. 2(1) and Art. 3(1)(4) of the Regulation). “Provision” occurs when the provider enables the use of the services within the EU and also has a substantial connection to the EU. Such a substantial connection may consist of an EU branch, but may also simply consist of targeted marketing or a significant number of users in one or more EU member states.
In practice, it can be difficult to determine whether a service falls within the scope of the E-Evidence rules.
Key legal instruments
The E-Evidence Regulation introduces two new tools to facilitate cross-border investigations:
- The European Production Order Certificate (EPOC) enables investigative authorities in one EU member state to request digital evidence, such as customer data or the contents of emails, directly from service providers in another EU member state (Art. 10 of the E-Evidence Regulation).
As a general rule, production orders must be complied with within 10 days (Art. 10(2) of the E-Evidence Regulation) – and in urgent cases, within eight hours (Art. 10(4) of the E-Evidence Regulation).
- The European Preservation Order Certificate (EPOC PR) requires service providers to temporarily preserve data to prevent its deletion until, if necessary, an order for its production is issued (Art. 11 of the E-Evidence Regulation).
This obligation must be fulfilled immediately and remains in effect for at least 60 days (Art. 11(1) of the E-Evidence Regulation).
The E-Evidence Regulation contains several annexes with corresponding sample forms for investigative authorities and obligated service providers.
Obligations of service providers
Service providers must designate a permanent point of contact within the EU by 18 August 2026, to whom investigative authorities can turn (“designated contact”). This may be one (of several) branches within the EU. If the provider does not have a branch in the EU, it is required to appoint at least one representative established in the EU as the addressee (Art. 7(1) of the E-Evidence Regulation, § 3 of the E-Evidence Act). If a service provider begins offering services within the meaning of the E-Evidence Regulation in the EU for the first time after 18 August 2026, an addressee must be designated within six months (Section 3(1) of the E-Evidence Act).
In Germany, the designated recipient must be identified in writing to the Federal Office of Justice. The authorities must be able to communicate with the designated recipient in German (Section 4(4) of the E-Evidence Act).
Upon receipt of a preservation or disclosure order, the recipient must immediately preserve the requested data and, in the case of a disclosure order, transmit it to the investigating authority within the specified time limit. Failure to transmit data or failure to do so in a timely manner must be justified in writing and is generally legally permissible only under strict conditions – for example, factual and unforeseeable impossibility of data disclosure or defects in the official order (Art. 10 and Art. 11 of the E-Evidence Regulation).
Sanctions
Service providers with global annual revenue exceeding EUR 5 million face fines of up to 2% of their global annual revenue for violations of the disclosure, preservation, and production obligations under the E-Evidence regulations (Section 18(4) and (5) of the E-Evidence Act).
Central office in Germany
In Germany, the Federal Office of Justice is responsible for overseeing the implementation of the E-Evidence Regulation (Section 6 of the E-Evidence Act).
According to an earlier announcement by the Federal Ministry of Justice and Consumer Protection, the European E-Justice Coordination Office (EKE), established within the Ministry of Justice of North Rhine-Westphalia, will be responsible for the technical implementation of the regulations. The plan is to establish a connection to the e-justice communication via online data exchange (eCodex) infrastructure.4 This is an IT system for cross-border electronic data exchange that enables users – investigative authorities, legal advisors, and companies – to electronically send and receive official forms, evidence, or other information.
Recommended actions
Service providers should determine whether they – or which of their group companies – fall within the scope of the E-Evidence Regulations. If so, they should now begin implementing the organizational and technical measures necessary to comply with the obligations that will take effect on 18 August 2026. These include:
- Which company, branch, or representative should be designated as the designated contact under the E-Evidence Rules? It should be noted that not all EU member states have yet enacted national implementing legislation for the E-Evidence Rules, meaning that national jurisdictional responsibilities – such as for receiving the notification of the addressee – remain unclear in some member states, for example in Austria, France, or Spain.
- The designated contact person must be granted all necessary authority to comply with official disclosure and preservation orders within the tight deadlines. This also means that the company must maintain internal technical processes – including interfaces with official communication channels – that enable data collection, preservation, and transmission within the required short timeframes. Employees must be trained accordingly, and clear responsibilities must be established at an early stage.
- In addition, a standardized procedure for reviewing the content of incoming orders must be established. Although the E-Evidence regulations do not impose an obligation on the addressee to conduct a review of the content or legality of an order, an order that is insufficiently specific or incompatible with the addressee’s obligations under data protection law in third countries must – and should – not be complied with.
Given the potential for fines of up to 2% of a service provider’s global annual revenue and the practical complexity of the procedures, early, structured preparation for the E-Evidence Rules is essential from a business perspective. This is the only way to ensure compliance with the law, timely implementation, and technically flawless execution.
1 Available here.
2 Bundestag Printed Paper 21/3904, available here.
3 Available here.
4 e-CODEX stands for e-justice communication via online data exchange – communication via online data exchange within the framework of e-justice. See also: https://www.bmjv.de/DE/themen/digitales/digitalisierung_justiz/digitalisierungsinitiative/laendervorhaben/_doc/artikel_vorhaben_09_eevidence.html and List of Authorised e-CODEX Access Points. Regarding the planned interface, see also: Interface definition for the e-Evidence Regulation (EU) 2023/1543 for National Authorities and Service Providers.