E-Evidence Regulation: new rules for cross-border digital evidence

The E-Evidence Regulation becomes applicable on 18 August 2026. From that moment, the rules will change for how digital evidence is collected, preserved, and authenticated in cross-border criminal proceedings across the European Union.

For legal professionals, compliance officers, and IT directors, the operational consequences are anything but theoretical.

Until now, cross-border requests for digital evidence followed the Mutual Legal Assistance Treaty (MLAT) channel, a mechanism designed for an era when evidence was physical and investigations stayed within national borders. The average processing time for an MLAT request reaches 10 months in the United States, with letters rogatory often exceeding a year. Meanwhile, emails get deleted, servers decommissioned, accounts closed. According to US Department of Justice data, the backlog of MLAT requests for digital data grew by over 1,000% between 2000 and 2017.

The E-Evidence Regulation (EU 2023/1543) was created to close this gap and introduces two new instruments: the European Production Order (EPOC) and the European Preservation Order (EPOC-PR), which allow judicial authorities in one Member State to address service providers in another State directly, bypassing the central authority. Response times drop from months to days. But responsibility shifts too: anyone managing data must be able to produce authenticated, integrity-verified evidence within deadlines that leave no room for improvisation.

Digital speed versus bureaucratic inertia

The mismatch is structural: digital evidence can vanish in days, yet the mechanisms to acquire it take months. Online fraud, cyberattacks, and the spread of illegal content operate across borders by definition: data sits on servers distributed across multiple jurisdictions.

What was needed was a tool that could move at the same speed as the offences themselves.

What the E-Evidence Regulation (EU 2023/1543) requires

European Production Order (EPOC): deadlines and obligations

The EPOC allows a judicial authority in one Member State to order a service provider in another State to produce electronic data directly. The provider must respond within 10 days of receiving the order. In duly justified emergency cases, the deadline drops to 8 hours.

The data covered by the order falls into four categories: subscriber data, IP address data, traffic data, and content data. For the last two categories, which are the most sensitive, an EPOC can only be issued for offences punishable by a maximum custodial sentence of at least three years, or for specific cyber and terrorism offences.

European Preservation Order (EPOC-PR): safeguarding evidence

The EPOC-PR does not require immediate data production. Instead, it obliges the service provider to preserve the data for 60 days, extendable by a further 30. The purpose is to prevent data deletion while the authority issues a production order or activates a mutual assistance procedure.

Who must comply

The Regulation applies to providers of electronic communications services, domain name and IP address registration services, and information society services that enable communication between users or the storage and processing of data. Social media platforms, marketplaces, cloud services, and hosting providers all fall within scope. The rule extends to non-EU providers offering services to users in the Union: in Germany alone, roughly 9,000 companies fall within the scope of application.

Every provider must designate an establishment or legal representative in the EU and notify its contact details by 18 August 2026.

The digital evidence authentication challenge

Integrity and chain of custody in cross-border transfers

The E-Evidence Regulation speeds up evidence production, but it does not resolve a question that remains open: how do you demonstrate that digital data transferred from one jurisdiction to another has not been altered during preservation and transfer?

Digital evidence, unlike physical evidence, can be copied, modified, or deleted without leaving obvious traces. When a judicial authority in one country receives data from a provider based in another, it must be able to verify that the data is identical to what was originally acquired. Without a documented, verifiable chain of custody, the evidence is contestable.

Article 5 of the Regulation requires that produced data be transmitted “in the most complete form possible.” But it does not prescribe a specific methodology to guarantee this integrity. The responsibility for adopting robust authentication processes falls, in practice, on the entities that collect and preserve the data.
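
A minimal sketch of the documented, verifiable chain of custody described above, added here as an example; it is not a method prescribed by the Regulation or used by any product named on this page. Each custody event commits to the SHA-256 digest of the data and to the previous event, so the recipient can check both the log and the received bytes. All names, the sample data and the actors are hypothetical, and the `time` field is a caller-supplied string standing in for a qualified timestamp.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value used by the first custody entry
# Constructed sample data standing in for an exported mailbox item.
SAMPLE = b"From: a@example.org\nSubject: invoice\n"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_hash(entry: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) keeps the hash reproducible.
    body = {k: v for k, v in entry.items() if k != "hash"}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())

def append_entry(log: list, evidence: bytes, actor: str, action: str, time: str) -> dict:
    """Append a custody event bound to the evidence digest and the previous entry."""
    entry = {
        "seq": len(log),
        "time": time,  # assumption: plain string, not a real qualified timestamp
        "actor": actor,
        "action": action,
        "evidence_sha256": sha256_hex(evidence),
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    entry["hash"] = entry_hash(entry)
    log.append(entry)
    return entry

def verify(log: list, received: bytes) -> list:
    """Return a list of problems; an empty list means log and data are consistent."""
    if not log:
        return ["empty custody log"]
    problems, prev, digest = [], GENESIS, sha256_hex(received)
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev"] != prev:
            problems.append(f"entry {i}: broken link to previous entry")
        if entry_hash(e) != e["hash"]:
            problems.append(f"entry {i}: entry content altered")
        if e["evidence_sha256"] != digest:
            problems.append(f"entry {i}: digest does not match received data")
        prev = e["hash"]
    return problems

def demo() -> list:
    log = []
    append_entry(log, SAMPLE, "provider", "acquired", "2026-08-18T09:00:00Z")
    append_entry(log, SAMPLE, "provider", "transmitted", "2026-08-20T14:30:00Z")
    return verify(log, SAMPLE + b"x")  # one byte added after acquisition
```

The chain only reveals alteration relative to a trusted copy of the last entry's hash, so that hash still has to be signed or timestamped by a party the recipient trusts, which this sketch does not do.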

The role of eIDAS and ISO/IEC 27037 standards

Two regulatory frameworks provide the technical foundations to address this challenge.

The eIDAS Regulation (EU 910/2014) defines qualified trust services, including qualified timestamps and electronic signatures, which enjoy a legal presumption of accuracy across all Member States.

ISO/IEC 27037 establishes guidelines for the identification, collection, acquisition, and preservation of digital evidence, defining the requirements for maintaining evidentiary integrity throughout the data lifecycle.

Combining eIDAS-compliant timestamps with a methodology aligned to ISO/IEC 27037 creates a level of assurance recognised across borders. Digital evidence becomes verifiable regardless of the jurisdiction in which it is presented.

Operational implications for enterprises and service providers

Preparing for 18 August 2026

Compliance is not just a procedural matter. It requires a review of internal data management processes: from collection to preservation, from authentication to production on demand.

The operational questions are concrete: Is the preserved data traceable? Can its integrity be demonstrated? Does a documented chain of custody exist? Do internal response times allow data to be produced within 10 days (or 8 hours in an emergency)?

For many organisations, answering these questions requires changes to their digital evidence management infrastructure. Buying software is not enough. What is needed is a process that guarantees authenticity and integrity from the moment the data is acquired.

Forensic certification at source: the proactive approach

How source certification addresses the authentication challenge

The E-Evidence Regulation implicitly requires digital evidence to be authenticated and intact at the moment of production. The most effective way to meet this requirement is to certify the data at the very moment it is created or acquired, not after the fact.

Digital provenance, the ability to trace and verify the origin and history of digital content, provides exactly this guarantee. When data is certified at source with verified metadata (GPS, timestamp, device identifiers), digital signatures and eIDAS-compliant timestamps, and a complete, documented chain of custody, the result is evidence that is born compliant with the Regulation’s integrity requirements.

TrueScreen operates on this principle. The platform enables organisations and professionals to acquire and certify digital content (photos, videos, documents, audio recordings, web sessions, emails) through a forensic process that includes device parameter verification, qualified timestamp application, cryptographic integrity proof generation, and a complete forensic report with all acquisition metadata.

In an E-Evidence scenario, an organisation using TrueScreen to certify its data at source can respond to a production order with evidence whose authenticity is independently verifiable. The chain of custody does not need to be reconstructed after the fact: it is already documented from the moment of acquisition.

In practice, compliance with the Regulation’s requirements becomes a by-product of the acquisition process, not an additional cost. And the risk of evidence being challenged in court drops significantly.

FAQ: E-Evidence Regulation and digital evidence

What is the E-Evidence Regulation and when does it apply?

The E-Evidence Regulation (EU 2023/1543) is a European regulation that introduces European Production Orders (EPOC) and Preservation Orders (EPOC-PR) for electronic evidence in cross-border criminal proceedings. It becomes applicable on 18 August 2026.

What are the deadlines for responding to an EPOC?

The service provider must produce the requested data within 10 days of receiving the order. In emergency cases, the deadline drops to 8 hours.

Who is obligated to comply with the E-Evidence Regulation?

The Regulation applies to electronic communications service providers, domain name and IP address registration services, and information society services (social media, cloud, hosting, marketplaces). It also applies to non-EU providers offering services to users within the Union.

How can you guarantee the authenticity of digital evidence under E-Evidence?

The most robust approach is certification at source: data is certified with digital signatures, eIDAS-compliant qualified timestamps, and verified metadata at the very moment of acquisition. This guarantees a complete, verifiable chain of custody from the origin.

Does E-Evidence apply to non-EU companies?

Yes. The Regulation extends to non-EU service providers that offer services to users within the European Union. These providers must designate a legal representative or establishment in the EU and notify their contact details by 18 August 2026.

Protect your digital evidence with forensic certification

TrueScreen certifies your digital content at source, guaranteeing authenticity and integrity with digital signatures, qualified timestamps, and complete chain of custody. Get ready for the E-Evidence Regulation with evidence that is already compliant.
