On July 28, 2023, more than five years after the Commission’s original proposal, the EU e-evidence Regulation and Directive were published in the Official Journal of the European Union, signalling the end of the legislative process for this file.

In summary, the Regulation establishes a regime whereby law enforcement authorities (“LEAs”) in one EU Member State will be able to issue legally-binding demands for certain data from certain categories of service providers (namely providers of electronic communications services, domain name and IP registration services, and information society services that enable users to communicate or store data) that are established or have a legal representative in a different EU Member State, or demand such service providers to preserve such data. 

The Regulation also sets out the procedures that LEAs must comply with to issue these “European Production Orders” and “European Preservation Orders”, which differ depending on the category of data at issue.  For example, an LEA wishing to issue a European Production Order to obtain the content of a user’s communications or associated metadata (that will not be used solely to identify the user) must, among other things, obtain prior authorization from an independent judicial authority, and may only issue such an Order in relation to a crime that is punishable by a maximum custodial sentence of three years or more.  The requirements for European Production Orders for other data, and for European Preservation Orders for any data, are less onerous—for example, a competent public prosecutor can approve such Orders.  Non-compliance with a valid Order can lead to financial penalties of up to 2% of the worldwide annual turnover of the service provider.

The Regulation also covers other matters relevant to these Orders, including the grounds on which a provider may refuse to comply, procedures for the Member State of establishment (the “enforcing authority”) to review and object to certain Orders, and a process for resolving situations where compliance with an Order would conflict with the requirements of third-country law.  Of specific relevance to cloud service providers, the Regulation requires LEAs to address European Production Orders to companies that act as the controller of the personal data (as defined in the GDPR), unless the controller cannot be identified or issuing the order to the controller might be detrimental to the investigation.  In some cases, therefore, LEAs will need to issue European Production Orders to cloud services’ customers (acting as controllers of the data in question), not to the providers themselves.

The Directive aims to ensure that all service providers covered by the Regulation—i.e., those that offer covered services to users in the EU—comply with it, even if they are not established in the EU.  To do so, it requires covered providers to designate at least one addressee for the receipt of, compliance with, and enforcement of European Production Orders and European Preservation Orders.

The Regulation will apply in full from 18 August 2026, and Member States must transpose the Directive into national law by 18 February 2026.

*           *           *

The Covington team will continue to monitor developments related to the e-evidence package, and would be happy to answer any questions about the issues raised above.

Photo of Lisa Peets Lisa Peets

Lisa Peets is co-chair of the firm’s Technology and Communications Regulation Practice Group and a member of the firm’s global Management Committee. Lisa divides her time between London and Brussels, and her practice encompasses regulatory compliance and investigations alongside legislative advocacy. For more…

Lisa Peets is co-chair of the firm’s Technology and Communications Regulation Practice Group and a member of the firm’s global Management Committee. Lisa divides her time between London and Brussels, and her practice encompasses regulatory compliance and investigations alongside legislative advocacy. For more than two decades, she has worked closely with many of the world’s best-known technology companies.

Lisa counsels clients on a range of EU and UK legal frameworks affecting technology providers, including data protection, content moderation, artificial intelligence, platform regulation, copyright, e-commerce and consumer protection, and the rapidly expanding universe of additional rules applicable to technology, data and online services.

Lisa also supports Covington’s disputes team in litigation involving technology providers.

According to Chambers UK (2024 edition), “Lisa provides an excellent service and familiarity with client needs.”

Photo of Marty Hansen Marty Hansen

Martin Hansen has over two decades of experience representing some of the world’s leading innovative companies in the internet, IT, e-commerce, and life sciences sectors on a broad range of regulatory, intellectual property, and competition issues, including related to artificial intelligence. Martin has…

Martin Hansen has over two decades of experience representing some of the world’s leading innovative companies in the internet, IT, e-commerce, and life sciences sectors on a broad range of regulatory, intellectual property, and competition issues, including related to artificial intelligence. Martin has extensive experience in advising clients on matters arising under EU and U.S. law, UK law, the World Trade Organization agreements, and other trade agreements.

Photo of Paul Maynard Paul Maynard

Paul Maynard is special counsel in the technology regulatory group in the London office. He focuses on advising clients on all aspects of UK and European privacy and cybersecurity law relating to complex and innovative technologies such as adtech, cloud computing and online…

Paul Maynard is special counsel in the technology regulatory group in the London office. He focuses on advising clients on all aspects of UK and European privacy and cybersecurity law relating to complex and innovative technologies such as adtech, cloud computing and online platforms. He also advises clients on how to respond to law enforcement demands, particularly where such demands are made across borders.

Paul advises emerging and established companies in various sectors, including online retail, software and education technology. His practice covers advice on new legislative proposals, for example on e-privacy and cross-border law enforcement access to data; advice on existing but rapidly-changing rules, such the GDPR and cross-border data transfer rules; and on regulatory investigations in cases of alleged non-compliance, including in relation to online advertising and cybersecurity.