EU e-Evidence Regulation for Service Providers: Obligations, Orders, and Cross-Border Cooperation


Every European service provider that stores user data, from cloud operators to online marketplaces and communication platforms, already handles requests from judicial authorities. Until now, these requests moved through slow mutual legal assistance channels that could take months, with different rules in each Member State and no harmonised response time. From August 2026, that landscape changes. Regulation (EU) 2023/1543 and Directive (EU) 2023/1544, together known as the EU e-Evidence Regulation, introduce two new instruments, the European Production Order and the European Preservation Order, that let a judicial authority in one Member State compel a service provider in another Member State to deliver or preserve digital data within strict deadlines.

This is not a minor administrative update. A French prosecutor will be able to order a German cloud provider to hand over user data in ten days, or eight hours in an emergency, bypassing traditional mutual legal assistance. Service providers that do not respond, or that respond late, face penalties up to 2% of annual worldwide turnover.

The practical question for DPOs, corporate counsel and compliance managers is no longer whether the e-Evidence Regulation applies, but how to build an operational response process that works under pressure. This article walks through the obligated subjects, the two order types, the designated establishment duty, what evidence must be preserved with forensic methodology, and how to structure certified evidence packages ready for cross-border judicial cooperation.

What the EU e-Evidence Regulation changes for service providers

The Regulation creates a single, directly applicable legal base for cross-border access to digital evidence inside the EU. Before 2026, a prosecutor in one country who needed user data held by a provider in another country had to go through mutual legal assistance, letters rogatory, or the European Investigation Order, with authentication, translation, and review times that often exceeded six months. The new framework removes most of those steps. A judicial authority issues the order directly to the service provider, in a common template, and the provider must comply within a fixed deadline. The shift moves the compliance burden from the requesting authority to the receiving provider.

EU Regulation 2023/1543 and Directive 2023/1544 in a nutshell

Regulation (EU) 2023/1543 sets out the substantive rules: what an order is, who can issue it, which providers are covered, which data categories can be requested, and what sanctions apply. It is directly applicable and does not need national implementation, although Member States must designate competent authorities and adapt procedural rules. Directive (EU) 2023/1544 is the complementary piece: it obliges every service provider offering services in the EU to appoint either a designated establishment or a legal representative who can receive and execute orders on the provider's behalf. Both texts entered into force in August 2023 with a delayed application date of 18 August 2026, giving providers and Member States roughly three years to prepare.

National transposition and Member State obligations

While the Regulation is directly applicable, the Directive requires transposition. Each Member State must designate issuing and enforcing authorities, define procedural details, and set sanctions that are effective, proportionate and dissuasive. As an example of national transposition, Italy adopted Legislative Decree No. 215 of 30 December 2025, and the Italian Supreme Court's Massimario Office published Report No. 25/2026 on 7 April 2026 with the first systematic reading of the new rules. Similar exercises are under way across the Union, and service providers operating in multiple countries will need to map the specific authorities and sanctions regime in each market where they are established.

European Production Order (EPO) and European Preservation Order (EPO-PR)

The Regulation introduces two distinct instruments, and conflating them is one of the most common compliance mistakes. A Production Order forces disclosure of data. A Preservation Order freezes it. Both are issued by a competent judicial authority in the issuing Member State, transmitted directly to the addressee via a standardised certificate (EPOC for production, EPOC-PR for preservation), and both carry deadlines. The decision to treat a request as one or the other depends on the investigative need, the data category, and the available legal thresholds, which differ by data sensitivity.

What a European Production Order is

A European Production Order (EPO) is a binding decision issued by a judicial authority that compels a service provider to produce specified electronic data already in its possession. It covers four data categories: subscriber data, traffic data, content data, and data requested for the sole purpose of identifying the user. Subscriber data and identification data can be requested for any criminal offence. Traffic and content data are reserved for serious crimes, generally those carrying a maximum custodial sentence of at least three years, or specific offences listed in the Regulation such as terrorism, child sexual abuse material, or attacks against information systems. The order must include a specific factual basis, identify the user, and justify necessity and proportionality.

What a European Preservation Order is

A European Preservation Order (EPO-PR) does not require the provider to hand over data. It requires the provider to preserve specified data for a period of 60 days, extendable once for another 30 days, to prevent deletion while the issuing authority prepares a full production order or a mutual legal assistance request. It is the right instrument when an investigation is in an early phase, or when the competent authority in another jurisdiction still needs to act. The preservation scope must be precise: generic "preserve everything about this user" requests are not compliant.

Response deadlines: 10 days standard, 8 hours for emergency cases

Article 10 of the Regulation fixes the response windows. The default deadline is ten days from receipt of the order. In emergencies, meaning situations involving an imminent threat to life, physical integrity, or critical infrastructure, the deadline drops to eight hours. These deadlines apply to preservation orders with the same rigour. Missing them is not a minor issue: the sanctions regime in Article 15 allows Member States to impose fines up to 2% of the provider's total annual worldwide turnover for the preceding financial year. For a mid-sized cloud operator, that exposure is measured in millions of euros per single non-response.

| Instrument | Purpose | Standard deadline | Emergency deadline | Data categories |
|---|---|---|---|---|
| European Production Order (EPO) | Force disclosure of data | 10 days | 8 hours | Subscriber, traffic, content, identification |
| European Preservation Order (EPO-PR) | Freeze data for 60+30 days | 10 days | 8 hours | All categories |

Who must respond: the designated establishment duty

Any provider that offers services in the EU must be reachable, in practice, by a single judicial channel. That is the point of Article 7 of the Regulation and of Directive 2023/1544: regardless of where the corporate headquarters sits, the provider must identify one point of contact, staffed and empowered to act, and notify it to the authorities of the Member States where services are offered. Failure to designate such a point is itself a sanctionable breach.

Obligated subjects (cloud providers, marketplaces, communication services)

The scope is broad. The Regulation covers electronic communications services, information society services where storage of data is a defining component (cloud storage, hosting, content delivery, document management), internet domain name and IP numbering services, and online marketplaces when they store user data relevant to criminal investigations. A small SaaS company with European users, an online auction platform, and a hyperscale cloud provider are all in scope. There is no revenue or user threshold: what matters is offering services in the EU and holding electronic evidence categories.

The role of the designated establishment and legal representative

A provider that has a main establishment in the EU must designate that establishment as the recipient of orders. A provider without an EU establishment must appoint a legal representative in a Member State where it offers services. The designated establishment or legal representative must have the legal authority and operational capacity to comply within the deadlines, including translating orders, assessing their formal validity, retrieving data from production systems, and delivering the response through the secure electronic channel set up by the Commission. A purely nominal designation, for example a law firm with no operational link to the provider's data infrastructure, does not meet the standard.

Sanctions for non-response or partial response

Article 15 requires Member States to set sanctions that are effective, proportionate and dissuasive, with a ceiling of 2% of total annual worldwide turnover. National transpositions translate this into specific fines, typically graduated by severity. A late response can trigger a penalty even when the provider eventually complies. A partial response that omits relevant data without justification is treated as non-compliance. Providers should assume that both civil fines and, in some Member States, administrative enforcement against directors are possible.

What evidence must be preserved with forensic methodology

A production or preservation order is not only a legal obligation. It is also a request to deliver evidence that must survive judicial scrutiny in criminal proceedings, often in a different legal system from the provider's home country. Delivering raw exports is rarely enough. The receiving authority, and eventually the defence and the court, will examine how the data was identified, extracted, transported, and sealed. If the chain of custody is broken, the evidence can be challenged or excluded, and the provider can be asked to repeat the exercise under worse conditions.

Integrity, chain of custody, and ISO 27037

ISO/IEC 27037 is the international reference for identification, collection, acquisition and preservation of digital evidence. It requires documented procedures, qualified personnel, repeatable and auditable processes, and cryptographic integrity proofs such as hash values computed at the moment of acquisition. For cross-border use, the integrity proof has to be anchored to a trusted time source: a qualified timestamp under eIDAS Regulation (EU) 910/2014 issued by a Qualified Trust Service Provider is the strongest option available in the EU legal space, because it carries a presumption of accuracy and integrity that national courts across the Union must recognise.

Operational example: an Italian marketplace receiving a request from a French authority

Consider an Italian online marketplace that receives a French Production Order for subscriber data, transaction logs and chat messages between two users suspected of fraud. The marketplace has ten days. On day one, legal validates the certificate. On day two, engineering extracts the data from three different systems: the user database, the transaction log, and the messaging backend. Each extraction produces a file; each file is hashed with SHA-256 at the moment of acquisition; each hash is written into an acquisition log together with the operator's identity and a qualified timestamp. The files plus the log are packaged, the package itself is hashed, signed with a digital signature, and sealed with a qualified timestamp. The package is then delivered through the Commission's secure channel. If the French court later asks how the marketplace proves that the messaging file shown at trial is identical to what was extracted on day two, the provider can recompute the hash and present the timestamp and digital signature as proof. This is the level of discipline that the e-Evidence Regulation implicitly assumes.
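The acquisition and later re-verification steps from the marketplace scenario can be sketched as follows. This is an added example, not code from TrueScreen or from the Regulation. The function names, the operator ID, the order reference placeholder and the sample files are assumptions; the local clock stands in for the qualified timestamp, and the digital signature and qualified timestamp a QTSP would apply to the package digest are not implemented here.

```python
import hashlib, json, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def acquire(paths, operator, order_ref):
    """Acquisition log: one entry per extracted file, hashed at acquisition."""
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    entries = [{"file": Path(p).name, "size": Path(p).stat().st_size,
                "sha256": sha256_file(p), "operator": operator,
                # Local clock only: stand-in for the qualified timestamp token.
                "acquired_utc": now} for p in sorted(paths)]
    return {"order_ref": order_ref, "entries": entries}

def package_digest(log):
    """SHA-256 over canonical JSON of the log: the value to sign and timestamp."""
    canon = json.dumps(log, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()

def verify(log, sealed_digest, directory):
    """Return a list of discrepancies; an empty list means the package matches."""
    problems = [] if package_digest(log) == sealed_digest else ["acquisition log altered"]
    for e in log["entries"]:
        path = Path(directory, e["file"])
        if not path.exists():
            problems.append(f"{e['file']}: missing")
        elif sha256_file(path) != e["sha256"]:
            problems.append(f"{e['file']}: hash mismatch")
    return problems

def demo():
    samples = {  # constructed stand-ins for the three source systems
        "subscriber.json": b'{"user": "constructed"}',
        "transactions.csv": b"id,amount\n1,10.00\n",
        "messages.jsonl": b'{"msg": "constructed"}\n'}
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            Path(d, name).write_bytes(data)
        log = acquire([Path(d, n) for n in samples], "operator-01", "ORDER-REF-PLACEHOLDER")
        sealed = package_digest(log)
        before = verify(log, sealed, d)
        tx = Path(d, "transactions.csv")
        tx.write_bytes(tx.read_bytes() + b"2,99.00\n")  # post-acquisition change
        return before, verify(log, sealed, d)
```

The package digest here is computed over the acquisition log, which already commits to every file's hash, so sealing that one value covers both the log and the files it lists.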

How TrueScreen helps enterprises and law firms with cross-border judicial cooperation

TrueScreen, the Data Authenticity Platform, is built around the problem described above: producing digital evidence whose integrity can be proven to any counterparty, in any jurisdiction, at any point in the future. For a provider receiving an EPO or EPO-PR, that translates into a working process for acquiring data from internal systems with forensic methodology, sealing each artefact with a qualified timestamp and a SHA-256 hash, applying a digital signature, and delivering a certified evidence package that a foreign court can verify independently. Because TrueScreen operates as a Qualified Trust Service Provider under eIDAS, the certifications it issues carry the legal presumption of integrity and accuracy that Article 41 of eIDAS attaches to qualified timestamps and qualified electronic seals, making the resulting package directly usable in judicial cooperation across EU Member States.

In practice, compliance and legal teams use the TrueScreen Platform to ingest data extracted from their systems, apply the qualified timestamp and digital signature in a single step, and export a structured package that includes the original files, the acquisition log, the integrity proofs and a verification report. The same process supports API integration, so that providers with high volumes of requests can automate ingestion from ticketing and legal hold systems. The output is an evidence package that matches what foreign judicial authorities expect: identifiable, hashed, timestamped, and verifiable without any dependency on the provider's internal infrastructure.

FAQ

What is the EU e-Evidence Regulation?
The EU e-Evidence Regulation is the combination of Regulation (EU) 2023/1543 and Directive (EU) 2023/1544, applicable from 18 August 2026. It lets a judicial authority in one Member State issue a European Production Order or a European Preservation Order directly to a service provider in another Member State, bypassing mutual legal assistance. Covered providers include cloud operators, online marketplaces, and communication services that offer services in the EU.

What is the difference between EPO and EPO-PR?
A European Production Order (EPO) forces a service provider to disclose specified electronic data it already holds, such as subscriber, traffic, or content data. A European Preservation Order (EPO-PR) does not require disclosure: it requires the provider to preserve specified data for 60 days, extendable once for 30, so that the data is not deleted while the issuing authority prepares a full production request or a mutual legal assistance procedure.

Who is the designated establishment and what are its duties?
The designated establishment is the EU entity that a service provider appoints to receive and execute European Production and Preservation Orders. Providers without an EU establishment must appoint a legal representative in a Member State where they offer services. Duties include receiving orders through the secure electronic channel, assessing formal validity, retrieving data from production systems, and responding within ten days, or eight hours in emergencies.

What sanctions apply to a service provider that fails to respond to an EPO?
Article 15 of Regulation (EU) 2023/1543 requires Member States to set sanctions that are effective, proportionate and dissuasive, with a ceiling of 2% of the provider's total annual worldwide turnover for the preceding financial year. National transpositions translate the ceiling into specific graduated fines. Partial or late responses can also trigger penalties even when the provider eventually complies.

How do you preserve digital evidence for a cross-border request?
Preservation follows ISO/IEC 27037: identify the data, acquire it through a documented and repeatable process, compute cryptographic hashes at the moment of acquisition, record chain of custody, and anchor the artefacts to a trusted time source. For EU cross-border use, the strongest option is a qualified timestamp issued by a Qualified Trust Service Provider under eIDAS, combined with a digital signature on the evidence package.
