On August 18, 2026, the EU's e-Evidence Regulation (EU) 2023/1543 becomes fully applicable, fundamentally changing how electronic evidence is obtained in cross-border criminal investigations. Instead of relying primarily on mutual legal assistance procedures, judicial authorities in one EU Member State will be able to issue European Production Orders (EPOCs) and European Preservation Orders (EPOC-PRs) directly to service providers in another Member State.

The accompanying e-Evidence Directive (EU) 2023/1544 also requires many service providers offering services in the EU—including non-EU providers—to designate an establishment or legal representative in the EU to receive and process such orders.

The official texts are available here:

Who is Affected?

The new regime applies to a broad range of providers offering services in the EU, including electronic communications providers, cloud service providers, hosting providers, online platforms, domain name registries and registrars, and other providers processing electronic data. As a result, many U.S.-based companies with European customers, infrastructure, or legal representatives may fall within its scope. In most cases,  these orders will be addressed to the service provider acting as the controller under the GDPR. Only in limited exceptional circumstances may an order be directed to a processor, for example where the controller cannot be identified despite reasonable efforts or where notifying the controller would jeopardize the investigation. An Order requires criminal proceedings being pending for an offense under the law of the issuing state. This also includes offenses against legal entities, provided that such entities can be held criminally liable in the issuing state.

What Changes?

Beginning on August 18, 2026, in-scope providers may receive legally binding production and preservation orders directly from judicial authorities in another EU Member State, often without the request first passing through the authorities of the provider's home Member State.

A European Preservation Order (EPOC-PR) requires the recipient to preserve ("freeze") specified electronic data so it is not deleted while investigators obtain the legal authority necessary to compel disclosure. A European Production Order (EPOC), by contrast, requires the production of specified categories of electronic evidence and generally must be executed within 10 days, or 8 hours in emergency cases, underscoring the need for robust operational response procedures.

The EPOC-PR is broadly comparable to a preservation request under 18 U.S.C. § 2703(f) of the US Stored Communications Act. In both systems, the preservation obligation does not itself authorize disclosure; it merely ensures that relevant data is retained pending subsequent legal process.

Implementation Challenges

Although the e-Evidence-Framework applies directly throughout the EU, implementation remains uneven. Member States have had to adopt supporting legislation and establish the competent authorities, enforcement mechanisms, and operational procedures required by the accompanying Directive. Some jurisdictions are still completing these preparations.

Germany illustrates the issue. Its legislation introducing a comparable domestic preservation mechanism remains pending in Parliament. As a result, a German service provider could receive its first European Preservation Order from another Member State before German prosecutors are able to issue an equivalent domestic order. From the provider's perspective, however, this distinction has little practical significance: valid European orders must be recognized and handled regardless of the status of national implementing legislation.

What Should Companies Do Now?

With August 18, 2026 rapidly approaching, companies with operations or services in Europe should assess whether they fall within the scope of the new regime and, where required, designate an EU establishment or legal representative to receive orders.

The Regulation applies in the context of criminal investigations and criminal proceedings conducted by judicial authorities across the EU. For many multinational companies, these orders are likely to arise not only in investigations targeting the company itself, but also where the company holds electronic evidence relevant to investigations of customers, employees, business partners, or other third parties. Those investigations may concern a broad spectrum of offenses—from cybercrime, fraud, corruption, money laundering, sanctions violations, and intellectual property offenses to environmental crime, terrorism, and organized crime. For many multinational companies, responding to cross-border criminal process from multiple EU jurisdictions will therefore become a routine compliance issue rather than an exceptional event.

Operational readiness is likely to require a meaningful investment. Companies should establish documented procedures for receiving, authenticating, escalating, preserving, reviewing, and responding to European Production and Preservation Orders; define decision-making responsibilities across legal, privacy, cybersecurity, compliance, and incident response teams; implement technical capabilities to preserve data without disrupting business operations; and maintain appropriate audit trails demonstrating compliance. These requirements are likely to increase compliance costs, particularly for organizations operating shared  Cloud, communications, or platform services across multiple jurisdictions.

Companies should also consider the downstream governance implications of these orders. Records relating to EPOCs and EPOC-PRs—including internal assessments, correspondence, and execution logs—may themselves become the subject of subsequent disclosure requests, including data subject access requests under Article 15 GDPR, national freedom of information requests directed at public authorities, or requests for production in civil litigation. While important exemptions may apply, organizations should carefully consider how they document, retain, and manage records relating to these cross-border criminal process requests as part of their broader information governance strategy.

Practice Areas

Media Contact

Holland Goodrow

Senior Marketing Manager
hgoodrow@potomaclaw.com

Recent News

Jump to Page

By using this site, you agree to our updated Privacy Policy and our Terms of Use