On 27 June 2023, the EU formally adopted a novel set of rules regarding cross-border access to data by law enforcement during criminal investigations. The electronic evidence package, Regulation (EU) 2023/1543, includes a regulation with internal EU rules on law enforcement data access and a directive with compliance requirements for service providers receiving production and preservation requests.
The package represents a notable advancement in criminal justice in cyberspace because it allows law enforcement in one state to directly access private data held in another jurisdiction without a government intermediary. This follows decades of attempts to streamline government access to e-Evidence in cross-border investigations and prosecutions, which resulted in jurisdictional and logistical concerns. That said, the package introduces challenges for service providers and other private entities that will now be forced to receive, assess and respond to requests from foreign authorities through a new legal framework. Since full enforcement status will not occur until 18 Aug. 2026, many questions and plenty of work remain regarding how the regulation and directive will be put into practice, interact with existing legal mechanisms, and impact service providers' regular handling of data. For now, it is important for entities offering services in the EU to be aware of the new e-Evidence package and follow developments closely as it nears enforcement.
Background
With the proliferation of internet crimes throughout the past few decades, authorities in the EU have struggled to investigate and prosecute crimes involving user data effectively. Advances in technology have facilitated criminal behavior while exacerbating the challenges law enforcement and judicial authorities face. For instance, the borderless nature of the internet, the growing use of encryption and the ease of remaining anonymous allow criminals to carry out acts covertly, while impeding investigators' abilities to track down bad actors.
Beyond the technical complexities of accessing data, jurisdictional issues in the EU have further aggravated law enforcement and judicial challenges. Since data is very often stored outside the country whose authorities need access and data can be moved quickly into different jurisdictions, authorities rely on only three mechanisms to gather evidence across borders: judicial cooperation between public authorities, direct cooperation between public authorities and service providers, and direct access to e-Evidence by public authorities. Many crimes cannot be properly investigated and prosecuted due to the various challenges these channels present. For instance, judicial cooperation is often too slow for timely access and requires a disproportionate expense of resources. Direct cooperation is unreliable because it is only possible with certain service providers, and each may apply a distinct data access policy. Direct access, such as the seizure of devices, is difficult when the precise location of data is often unknown.
These complexities came into greater focus in the EU following the 2016 terror attacks in Brussels, when member states could not efficiently and effectively access the alleged attackers' data, which was held by service providers across various jurisdictions. The incident encouraged the EU to regulate this space in the hope of facilitating cross-border data access for EU law enforcement.
Timeline
The period from the initial determination to legally facilitate access to e-Evidence in the EU to the implementation of this new package will have spanned over a decade by the time the regulation and directive formally apply.
- April 2015: The European Commission decided in the EU Agenda of Security to review issues related to cross-border access of e-Evidence.
- April 2016: The European Commission committed to proposing solutions, e.g., legislation, to these problems by the summer of 2017.
- October 2017: The European Parliament adopted a resolution to combat cybercrime, including a focus on establishing a consistent EU approach to criminal justice in cyberspace.
- 27 June 2023: The European Council approved the final version of e-Evidence legislative package.
- 17 August 2023: The e-Evidence Regulation (EU) 2023/1543 was formally adopted.
- 17 February 2026: The directive formally applies.
- 17 August 2026: The regulation formally applies.
The regulation
Regulation (EU) 2023/1543 contains a framework for member states that outlines how to handle data access requests during criminal investigations from authorities within other EU jurisdictions. It details the type of requests authorities can present to private organizations, like service providers, when they need to access specific user data. First, authorities may initiate a European production order, which requests specific data held on a provider's server. Second, authorities may submit a European preservation order, which requires a private entity to retain certain data that could be requested for production at a later date.
European production order
The regulation allows a judicial authority in one member state to execute an EPO that requests e-Evidence directly from a service provider operating in another. Who qualifies as a judicial authority depends on the type of data that is being requested. An EPO requesting traffic or content data requires an issuing authority to be a judge, a court or a judge assigned specifically for an investigation. However, an EPO requesting subscriber data or data that simply identifies a user can be issued by a public prosecutor.
In most cases, EPOs are dispatched directly to the service provider. Once the service provider receives the EPO, it has ten days to transmit the data to the executing party or designated legal authority. In emergency cases, the recipient party must transmit the data within eight hours of receipt of the order.
Generally, an EPO for traffic or content data will be granted under three conditions: if it is necessary and proportionate to the purpose of the criminal investigation or proceeding; if it relates to a crime punishable by a custodial sentence of at least three years; or if it falls under the types of offenses listed in the regulation. In contrast, EPOs requesting subscriber data or data for the sole purpose of identifying a user may be executed for any offense that involves a criminal investigation.
European preservation order
If granted, a EPsO allows a judicial authority in one member state to require a service provider in another to maintain certain data for 60 days. A judge, investigating judge, court or prosecutor may validate the EPsO if necessary and proportionate to prevent the deletion or alteration of e-Evidence. The purpose is to ensure the data is not disposed of or materially changed for a designated period in case authorities determine it is needed for investigatory purposes at a later date. If an EPsO is granted, a service provider is required to preserve the requested material without undue delay. The 60-day window may be renewed for another 30 days to allow for a subsequent EPO if necessary.
Decentralized IT system
Part of the regulation includes a decentralized information technology system that will be formed over the next three years and function as a platform on which data access requests will be received, fulfilled and recorded. The system will be the main network where legal representatives and government authorities will communicate and exchange written communications.
As the decentralized IT system is currently under development and will not be finalized until 18 Aug. 2026, it is unclear how exactly it will operate. Many questions will remain until the enforcement window ends, but service providers need to be aware of their obligation to elect a legal representative and configure their IT network to eventually operate with the decentralized IT system.
Scope
The parties most impacted by this new regulation are service providers that offer services in the EU, which will be compelled to respond to access requests by law enforcement. Directive (EU) 2015/1535 defines service providers, as applicable to this regulation, in two categories: providers of electronic communications services and providers of information society services that present a platform for interaction between users. Even those information society service providers that are not be considered electronic service providers but provide a platform for users to communicate or offer services for data storage and processing qualify as service providers under this regulation. Examples include online marketplaces where users may interact and hosting services with cloud computing capabilities such as online gaming and gambling platforms. Service providers not implicated by this regulation include those that do not foster user communication on the platform, do not boast the ability to store or process data, and do not have storage as an essential component.
What crimes warrant orders?
The type of crime being investigated or prosecuted determines whether a government authority may request the production or preservation of data. To be valid, requests for traffic or content data require a criminal offense "punishable in the issuing state by a custodial sentence of at least three years" or specific offenses delineated by the European Council. These include fraud and counterfeiting of noncash means of payment, production or possession of child sex abuse material, and acts of terrorism. Requests for subscriber data or data for the sole purpose of identifying a user may be granted for "all criminal offenses and for the execution of a custodial sentence or a detention order of at least four months, following criminal proceedings, imposed by a decision that was not rendered in absentia, in cases where the person convicted absconded from justice."
Enforcement and penalties
Under Chapter III of the regulation, member states are tasked with establishing appropriate pecuniary penalties for nonenforcement and infringement under Articles 10, 11 and 13(4). Such penalties must be "effective, proportionate, and dissuasive" and may not exceed 2% of the service provider's worldwide annual turnover of the preceding financial year.
Data protection considerations
Framers of the e-Evidence package sought to prioritize data protection and privacy rights. First, the regulation respects the principle of proportionality, as required by Article 52(1) of the Charter of Fundamental Rights of the European Union. Thus, not all digital material may be requested, and only data that is necessary and proportionate to the needs of a law enforcement investigation or prosecution are proper subjects for respective orders.
Additionally, the regulation distinguishes that different types of data receive different levels of protection. Subscriber and user-identifying data may be requested for less serious crimes because these types of data are considered less sensitive. However, traffic and content data, which are determinedly more sensitive, require a more serious offense carrying a greater penalty for an order to be issued. This distinction represents a theme throughout the regulation that different levels of protection should be awarded depending on the sensitive nature of the data and the degrees of invasiveness of a production or preservation order.
Lastly, Article 12 of the regulation provides a check on requesting authorities by allowing service providers or their legal representatives to challenge requests based on an enumerated list of grounds for refusal. Upon receipt of an order from an issuing authority, a service provider has 10 days (or 96 hours for emergency cases) to raise an objection based on the following: the data is protected on privileges and immunities grounds, the freedom of press or freedom of expression safeguards; in special circumstances, the execution of an order would result in a “manifest breach of a relevant fundamental right” enumerated in Article 6 of the Treaty on the European Union and the charter; the order is contrary to the principle of ne bis in idem, or the EU parallel to the U.S. double-jeopardy principle; or the conduct prompting the issuance of an order does not constitute an offense in the enforcing state. These grounds for refusal give service providers the agency to forestall unjustified requests and protect their users' data from governmental overreach.
The directive
The e-Evidence package also contains Directive (EU) 2023/1544, which requires every service provider conducting business in the EU — even if its headquarters or main offices are located elsewhere — to designate a legal representative charged with receiving, responding to and complying with all EPOs and EPsOs. The holder of this position may be any natural or legal person designated in writing by a service provider, such as a data protection officer or other executive with legal authority. This directive ensures there is a singular point of contact for law enforcement authorities to address requests to service providers, particularly those based outside the EU that offer services to EU citizens.
Existing mechanisms
The e-Evidence package is not the only legal channel for public authorities to access evidence in another jurisdiction. While this package is novel because it allows public authorities from one jurisdiction to access data directly from a private entity in another, it will work in conjunction with the legal mechanisms identified below. As of now, it is unclear exactly how these various legal processes will interact with the new regulation and directive, and we will look to the council for further guidance as this package nears full enforcement status in 2026.
- European Investigative Order Directive: An order issued in or validated by one judicial authority in the EU to gather and use evidence for criminal investigations in another EU jurisdiction.
- Mutual Legal Assistance Treaties: Facilitate the sharing of physical and e-Evidence between the U.S. and various other countries.
- The U.S. CLOUD Act: Allows foreign governments to enter into executive agreements with the U.S. to utilize their own legal resources to access data stored in the U.S. pursuant to criminal investigations.
- "Umbrella Agreement:" Establishes a set of data protection standards that govern the exchange of data between EU and U.S. law enforcement.
- The Budapest Convention: A comprehensive international agreement addressing cybercrime through cooperative sharing of e-Evidence.
Greater implications
The e-Evidence package represents a stride toward harmonizing the various legal channels through which public authorities gain access to privately held data. Because the existing means are fraught with time lags and strained resources, the new regulation and directive emerged as a supplemental channel that will attempt to address the persisting challenges. Notably, however, the package facilitates law enforcement processes while placing an onus on private service providers to align with various new obligations.
While the decentralized IT system is still being developed and the regulation and directive do not apply until 2026, service providers impacted by the new legislation should be aware that their responsibilities regarding user data are due to shift. EU service providers and non-EU entities that offer services within the EU will need to be prepared to receive requests from foreign government authorities. They must consider who to designate as a legal authority to acknowledge, assess and respond to requests. They also must configure their IT systems to run in conjunction with the decentralized e-CODEX system in the works. These considerations will be critical to ensure they avoid the cost of noncompliance when the three-year enforcement window closes.
While it is unclear how the e-Evidence regulation and directive will play out in practice until enforcement officially begins, impacted parties need to be aware of it and follow the European Council closely as it publishes developments.