Opinion

EU E-Evidence Regulation - The end of MLAT proceedings slowing down cross-border investigations?

Authorities often struggle in cross-border investigations to get their hands on data that is located in other countries. Requests for mutual legal assistance often take a long time and sometimes even prevent authorities from trying to obtain relevant data in the first place. The EU E-Evidence Regulation,1 entering into force on 18 August 2026, will likely level the playing field. The Regulation will transform the ability of authorities in the EU to obtain data in cross-border investigations. While many uncertainties remain and implementation in practice remains to be seen, international businesses should be aware of this fundamental change for cross-border investigations with an EU nexus. 

The Regulation provides two new instruments for European authorities to compel companies operating in EU Member States to disclose or preserve data for criminal investigations: the European Production Order Certificate (EPOC) and the European Preservation Order Certificate (EPOC-PR). These orders do not have to be directed at the actual subject of the investigation but can be directed at data service providers that offer services in any EU Member State. The providers then must disclose relevant data, such as e-mails, voice calls and chats, in a very short period of time – even if the data is located outside the EU. 

Addressees

The Regulation enables national judicial authorities of EU Member States to directly order a service provider in any other EU Member State to produce or to preserve electronic evidence as long as the service provider is established or represented by an agent in any EU Member State.1  Whether or not the investigated conduct has a nexus to this jurisdiction or is a purely domestic matter is not relevant. It is also not relevant where the data is actually stored or whether the service provider’s seat is within the EU.

A service provider is any natural or legal person that offers one or more of the following categories of services in the EU: electronic communication services, such as e-mails, voice calls, (group) chats or other messaging tools, as well as internet domain name and IP numbering services and other information society services. Notably, banks and all other financial services are expressly exempted from the definition of service providers.

The definition of "service provider" is broad and includes services normally provided for remuneration via electronic communications networks. This means that communication or storage providers will be covered, even if this is not the company’s main business.

So, instead of trying to obtain, for example, email data from the investigated subject via mutual legal assistance requests to their local authority, the national judicial authority where the investigation is taking place could, under the Regulation, turn directly to the email provider the investigated subject uses. This means that authorities can – in many cases – obtain a company’s data without the investigated company's prior knowledge, leaving it with no prior opportunity to challenge or prevent disclosure.

In case of multiple potential addressees, the order must generally first be directed at the service provider acting as GDPR controller.

Affected data

The categories of data covered by the Regulation are set out in Art. 3 (8) and include, most importantly, content data like e-mails and any other kind of communication, stored by or on behalf of a service provider, in electronic form. Also affected are subscriber data, including name, date of birth and postal or geographic address as well as traffic data, such as the source and destination of a message.

However, such an order can only be issued if the collection of data is necessary for the investigation and proportionate (Art. 6 (2)), with some further prerequisites, especially for privileged data (Art. 5 (9)). For an order to obtain content or traffic data, the suspicion of a serious crime and a court order are necessary (Art. 4 (2)).

Tight timeframe and significant sanctions for non-compliance

If an EPOC or EPOC-PR is issued, the service provider has to preserve the data for 60 days (this period can be extended) and has 10 days to transfer the requested data to the issuing authority. In emergency cases, the deadline for the transfer is only 8 hours.

In the event of non-compliance, the orders shall be enforced by the local authority in the EU Member State where the service provider operates. The local authority shall undertake this without undue delay and no later than five working days after receipt of the order. Also, significant financial fines of up to 2% of the total worldwide annual turnover in the service provider’s preceding financial year may be imposed. However, in case of conflicting obligations under the law of a third state, the addressee can request a court review of the order. Since the decision about compliance lies solely with the service provider, the investigated company might have little to no influence in this respect.

Many uncertainties remain

Many uncertainties remain around the EU E-Evidence Regulation and it remains to be seen how the respective authorities will make use of the law in practice. For example, the Regulation might create GDPR issues or conflict of law issues with U.S. laws as many digital service providers are U.S.-based. Apart from that, companies in internal investigations often store data, including privileged information like legal advice, with cloud-based service providers. An EPOC could potentially lead to disclosure of such material without the company even being aware, let alone having the opportunity to assert privilege. The limited grounds of opposition available to service providers may, in practice, be insufficient to address these conflicts.

Conclusion

The EU E-Evidence Regulation creates enhanced tools for authorities in EU Member States to request data for criminal investigations directly from data service providers – and fast. While many questions remain and implementation in practice remains to be seen, companies should be aware that this change in law might have a significant impact on cross-border investigations after August 2026.  Initial steps for businesses could be to review arrangements with service providers to understand what data they hold and where, and map out which service providers might be addressees of an EPOC.

 

 

Footnote

1. In this context see also DIRECTIVE (EU) 2023/1544 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 12 July 2023 laying down harmonised rules on the designation of designated establishments and the appointment of legal representatives for the purpose of gathering electronic evidence in criminal proceedings, available at http://data.europa.eu/eli/dir/2023/1544/oj (as at 16 April 2026).

 

 
