What Is e-Evidence?

e-Evidence — short for electronic evidence — is the broad term for any digital information used to investigate, prosecute or adjudicate criminal offences. In its widest sense the concept covers everything from email correspondence, chat messages and cloud-stored documents to IP connection logs, subscriber records and geolocation data. If a piece of data exists in electronic form and is relevant to a criminal case, it qualifies as electronic evidence.

In the context of EU law, the term has taken on a much more specific meaning since 2023. When legislators, regulators and the telecommunications industry refer to “e-Evidence” today, they almost always mean the legal and technical framework created by Regulation (EU) 2023/1543 — the European Production and Preservation Orders for electronic evidence in criminal proceedings — and its accompanying Directive (EU) 2023/1544, which together establish a new mechanism for cross-border evidence gathering across all 27 EU Member States.

The significance of this framework cannot be overstated. Before the e-Evidence Regulation, obtaining digital evidence stored in another EU country required a Mutual Legal Assistance Treaty (MLAT) request — a diplomatic process that could take ten months or longer. The new regulation allows a prosecutor or judge in one Member State to issue an order directly to a service provider in another, with response deadlines measured in days rather than months. For emergency cases involving terrorism or imminent threats to life, the deadline is just eight hours.

The e-Evidence framework represents a fundamental shift in how digital evidence is collected across borders. It moves the obligation from state-to-state diplomacy to a direct relationship between judicial authorities and service providers, placing significant operational and technical demands on every company that offers electronic communication services, cloud storage, social networking or online marketplace services within the European Union.

A Brief History of e-Evidence in Europe

The path toward a unified European e-Evidence framework began long before the regulation was formally adopted. Understanding this history is essential for appreciating why the current rules exist and where they are heading.

For decades, cross-border access to electronic evidence relied on the Council of Europe’s Convention on Mutual Assistance in Criminal Matters (2000) and the Budapest Convention on Cybercrime (2001). These instruments established the principle that one country could request another’s help in obtaining digital evidence, but the process was cumbersome. Requests passed through central government authorities, required translation, and were subject to the responding country’s domestic procedures. Average response times stretched beyond ten months — an eternity in criminal investigations where suspects can destroy evidence in seconds.

The European Investigation Order (EIO), introduced by Directive 2014/41/EU, improved the situation within the EU by creating a more standardised mutual recognition instrument. While the EIO reduced processing times to approximately 120 days, it still relied on state-to-state channels and proved inadequate for the speed of modern digital crime. The European Commission’s own impact assessment found that more than 85 percent of criminal investigations required access to electronic evidence, and that in roughly two-thirds of those cases the relevant data was stored in a different jurisdiction.

In April 2018, the European Commission published its e-Evidence legislative proposals. After five years of negotiation between the European Parliament and the Council, the final texts were adopted on 12 July 2023 and published in the Official Journal as Regulation (EU) 2023/1543 and Directive (EU) 2023/1544. The regulation applies directly in every Member State from 18 August 2026. The directive, which requires Member States to designate the authorities and channels for order execution, had a transposition deadline of 18 February 2026.

In Germany, the implementing legislation — the Elektronische-Beweismittel-Umsetzungs- und Durchführungsgesetz (EBewMG) — was published in the Federal Law Gazette in March 2026 and is entering force in stages. Germany’s Federal Office of Justice (Bundesamt für Justiz) has been designated as the central authority for receiving and validating incoming orders, while the Bundesnetzagentur continues its established role as the technical regulator for lawful interception and data retention obligations.

The EU e-Evidence Regulation Explained

Regulation (EU) 2023/1543 introduces two new legal instruments that allow judicial authorities in one EU Member State to compel service providers in another to produce or preserve electronic evidence. These instruments bypass the traditional diplomatic channels entirely, creating a direct legal relationship between the issuing authority and the service provider.

European Production Order (EPOC)

The European Production Order compels a service provider to hand over specified electronic evidence to the requesting judicial authority. An EPOC can target four categories of data, each with different thresholds for issuance. Subscriber data and access data (such as login records and IP addresses associated with an account) can be requested for any criminal offence. Transactional data (metadata about communications, such as timestamps, sender and recipient identifiers and session durations) and content data (the actual substance of messages, emails, stored files or voice recordings) can only be requested for offences punishable by a maximum custodial sentence of at least three years, or for specific listed offences including cybercrime, terrorism, child sexual exploitation and fraud.

Standard Production Orders must be fulfilled within ten days of receipt. In defined emergency situations — where there is an imminent threat to life, to physical integrity or to critical infrastructure — the response deadline is reduced to just eight hours. These timelines are non-negotiable and apply regardless of the volume of data requested or the complexity of the provider’s internal systems.

European Preservation Order (EPOC-PR)

The European Preservation Order requires a service provider to freeze specified data and prevent its deletion or alteration. Preservation does not require the provider to hand the data over immediately; instead, it secures the evidence while the issuing authority prepares a full Production Order or a traditional mutual legal assistance request. A Preservation Order remains in force for 60 days, with the possibility of a 30-day extension. If no follow-up production request is received within that period, the provider must lift the preservation and may delete the data in accordance with its normal retention policies.

Safeguards and Objection Mechanisms

The regulation includes a number of safeguards to protect fundamental rights and prevent abuse. Every Production Order for transactional or content data must be validated by a judicial authority in the issuing state, and a notification is sent to the enforcing state (the Member State where the provider’s designated establishment is located). The enforcing state’s authorities can raise an objection within ten days if the order conflicts with immunities, privileges, rules on press freedom or fundamental rights under the Charter of the European Union. Service providers themselves may also object if compliance would conflict with obligations under the law of a third country — a provision designed to address potential conflicts with non-EU data protection laws.

Legal Frameworks Beyond the EU

While the EU e-Evidence Regulation is the most comprehensive and technically prescriptive framework for cross-border electronic evidence, it does not exist in isolation. Several other international instruments shape the global landscape for digital evidence collection.

إن Budapest Convention on Cybercrime, administered by the Council of Europe, remains the most widely adopted international treaty on cybercrime and electronic evidence. Its Second Additional Protocol, opened for signature in 2022, introduces direct cooperation with service providers, expedited disclosure of subscriber information and joint investigation teams — mechanisms that parallel elements of the EU regulation but apply to a broader group of signatory states including the United States, Canada, Japan, Australia and several Latin American countries.

In the United States, the Clarifying Lawful Overseas Use of Data (CLOUD) Act of 2018 established a framework for bilateral executive agreements that allow law enforcement in one country to request data directly from providers in the other. The EU and the US have been negotiating a CLOUD Act executive agreement that would determine how US-based providers respond to European Production Orders and vice versa — a critical piece of the puzzle given that many of the world’s largest cloud and communication platforms are headquartered in the United States.

The United Kingdom enacted its own cross-border evidence framework through the Crime (Overseas Production Orders) Act 2019, which enables UK courts to order service providers in countries with which the UK has a bilateral agreement to produce electronic evidence. Following Brexit, the UK is no longer within the scope of the EU e-Evidence Regulation, making bilateral agreements the primary mechanism for UK-EU evidence cooperation.

Germany’s e-Evidence Implementation

Germany occupies a central position in the European e-Evidence landscape, both as a major digital economy with thousands of affected service providers and as a jurisdiction with particularly rigorous data protection and telecommunications regulation traditions.

The Elektronische-Beweismittel-Umsetzungs- und Durchführungsgesetz (EBewMG) transposes Directive (EU) 2023/1544 into German law and establishes the domestic procedures for processing incoming and outgoing e-Evidence orders. The Bundesamt für Justiz (Federal Office of Justice) acts as the central authority for incoming European Production and Preservation Orders addressed to service providers with a designated establishment in Germany. The Bundesnetzagentur retains its established role in certifying the technical interception and data handover infrastructure that service providers operate.

According to the German Federal Ministry of Justice, an estimated 9,000 companies in Germany fall within the scope of the e-Evidence Regulation. This number extends well beyond traditional telecommunications operators to include cloud service providers, hosting companies, e-commerce platforms, social networks and any other entity that stores or processes electronic communication data as part of its service offering. Every affected provider must designate an official contact point in the EU — referred to as the Adressat — that is responsible for receiving, validating and executing Production and Preservation Orders. Providers must also register with the Bundesamt für Justiz and establish internal workflows capable of meeting the regulation’s strict response deadlines.

ETSI Standards for e-Evidence: TS 104 144 Explained

The European Telecommunications Standards Institute (ETSI) has developed a dedicated technical standard to support the operational implementation of the e-Evidence Regulation. ETSI TS 104 144, published in June 2025 under the title “Interface definition for the e-Evidence Regulation (EU) 2023/1543 for National Authorities and Service Providers,” defines the standardised interfaces and data formats that national authorities and service providers must use when exchanging Production Orders, Preservation Orders and the associated electronic evidence.

ETSI TS 104 144 sits within the broader ecosystem of ETSI’s lawful interception and data retention standards, which include the widely implemented TS 102 232 family (for real-time lawful interception handover), TS 102 657 (for retained data handover) and TS 103 707 (for OTT service interception). While those earlier standards focus on real-time surveillance and historical metadata, TS 104 144 addresses the specific workflow and data exchange requirements of the e-Evidence Regulation’s production and preservation order mechanisms.

What Does ETSI TS 104 144 Define?

The standard specifies the technical interface between the national authority systems (which issue, transmit and track orders) and the service provider systems (which receive, validate, execute and respond to those orders). It defines the data structures for each type of order — Production Order, Preservation Order and the associated acknowledgments, objections and responses — using formal data description languages that enable automated processing.

The standard covers the complete lifecycle of an e-Evidence order: the initial issuance and secure transmission of the order to the service provider; the provider’s acknowledgment of receipt; the validation and execution workflow; the structured delivery of the requested electronic evidence back to the issuing authority; and the handling of objections, extensions and cancellations. By defining these interactions as standardised interfaces, TS 104 144 ensures interoperability between the diverse IT systems operated by authorities and providers across all 27 EU Member States.

The standard is designed to work alongside the EU’s e-CODEX (e-Justice Communication via Online Data Exchange) platform, which serves as the secure digital communication backbone for transmitting orders and evidence between judicial authorities and service providers across the EU. ETSI TS 104 144 defines the payload formats and interaction patterns, while e-CODEX provides the transport and routing infrastructure.

How TS 104 144 Relates to Existing ETSI LI Standards

Service providers who already operate ETSI-compliant lawful interception and data retention infrastructure will recognise many architectural principles from TS 104 144. The standard follows ETSI’s established pattern of separating the request interface (how orders are received) from the delivery interface (how evidence is handed over), and it uses similar security mechanisms for authentication, encryption and integrity verification. Providers with existing TS 102 232 and TS 102 657 implementations can integrate e-Evidence capabilities into their compliance platforms without rebuilding their core infrastructure — a significant advantage for operators who have already invested in standards-based lawful interception systems.

How Does the e-Evidence Process Work? A Technical Overview

The e-Evidence process involves a defined sequence of interactions between judicial authorities, national central authorities and service providers. While the legal instruments are new, the underlying workflow follows a logical pattern that telecommunications compliance professionals will find familiar from existing lawful interception and data retention processes.

Step 1: Issuance of the Order

A judicial authority in an EU Member State — typically a prosecutor or judge — determines that electronic evidence held by a service provider is necessary for a criminal investigation. The authority completes a European Production Order Certificate (EPOC) or European Preservation Order Certificate (EPOC-PR) using the standardised forms annexed to the regulation. The certificate specifies the target (identified by account, email address, telephone number, IP address, device identifier or similar), the categories of data requested, the legal basis and the applicable deadline.

Step 2: Transmission to the Service Provider

The order is transmitted to the service provider’s designated establishment or legal representative in the EU. Transmission occurs through the decentralised IT system established under the regulation, built on the e-CODEX infrastructure. In parallel, a notification is sent to the enforcing state’s central authority (for example, the Bundesamt für Justiz in Germany) so that it can exercise oversight and, if necessary, raise objections.

Step 3: Receipt, Validation and Acknowledgment

The service provider’s compliance system receives the order through the standardised interface defined in ETSI TS 104 144. The provider must acknowledge receipt promptly and begin the validation process. Validation includes verifying that the order is formally complete, that the requesting authority has jurisdiction, that the data categories are consistent with the offence threshold requirements and that compliance would not conflict with third-country legal obligations. If the order is valid, the provider proceeds to execution. If there are grounds for objection, the provider must communicate them within the prescribed timeframe.

Step 4: Data Extraction and Delivery

For Production Orders, the provider extracts the requested data from its systems — subscriber records, access logs, transactional metadata or content data depending on the order’s scope — formats it according to the applicable technical standards and delivers it securely to the issuing authority through the e-CODEX platform. The delivery must occur within the order’s deadline: ten days for standard orders, eight hours for emergencies. For Preservation Orders, the provider freezes the specified data in place, ensuring it is not deleted, modified or made inaccessible, and confirms the preservation to the issuing authority.

Step 5: Oversight, Objection and Closure

Throughout the process, the enforcing state’s authority maintains oversight. If the authority determines that the order conflicts with fundamental rights, immunities, privileges or national security interests, it can raise a formal objection that suspends execution. The issuing authority must then review, withdraw or modify the order. Once the evidence has been delivered (or the preservation period expires without a follow-up request), the order is closed and the provider’s obligations cease — though audit records must be retained for compliance documentation.

Who Must Comply with the e-Evidence Regulation?

The scope of the e-Evidence Regulation is significantly broader than traditional lawful interception obligations. While lawful interception has historically applied primarily to telecommunications operators and internet service providers, the e-Evidence Regulation extends to any entity that provides services within the EU that involve the storage or processing of electronic data on behalf of users. The regulation explicitly identifies the following categories of service providers.

Electronic Communication Service Providers

All providers of electronic communication services as defined by the European Electronic Communications Code (EECC, Directive 2018/1972). This includes traditional telephony operators, mobile network operators, VoIP providers, email services and interpersonal messaging platforms such as WhatsApp, Telegram, Signal and Microsoft Teams. These providers are already familiar with lawful interception and data retention obligations, but the e-Evidence Regulation adds a new cross-border production and preservation order workflow to their existing compliance requirements.

Information Society Service Providers

A much broader category encompassing cloud storage and computing platforms (such as AWS, Microsoft Azure, Google Cloud and smaller European hosting providers), social media networks, online marketplaces, domain name registries and registrars, and any other service that stores or processes user data electronically. This category brings thousands of companies into scope that have never previously faced obligations comparable to lawful interception.

Internet Domain Name and IP Numbering Services

Providers of domain name registration, DNS resolution and IP address allocation services — including WHOIS/RDAP database operators — are explicitly covered. These providers hold subscriber and technical data that is often critical for identifying suspects in cybercrime investigations.

Non-EU Providers Offering Services in the EU

The regulation has extraterritorial reach. Any service provider that offers services to users within the European Union is within scope, regardless of where the provider is headquartered or where the data is physically stored. Non-EU providers must appoint a designated establishment or legal representative within the EU to receive and process orders — a requirement modelled on the GDPR’s representative obligation. Failure to designate a representative does not exempt the provider from the regulation’s obligations; it simply means that orders may be transmitted through alternative channels, and the provider remains liable for non-compliance.

Penalties for Non-Compliance

The e-Evidence Regulation establishes a tiered penalty framework that Member States must transpose into national law. For failure to comply with a Production Order within the prescribed deadline, or for failure to preserve data as required by a Preservation Order, providers face fines of up to EUR 500,000 per violation. For large service providers — those with annual global turnover exceeding EUR 25 million — the maximum penalty rises to 2 percent of worldwide annual turnover, whichever is higher. This penalty structure mirrors the GDPR’s approach and is designed to ensure that non-compliance is financially significant even for the largest global technology companies.

Beyond direct financial penalties, non-compliance carries significant reputational and operational risks. Judicial authorities may escalate enforcement through the enforcing state’s legal system, and persistent non-compliance could lead to restrictions on the provider’s ability to operate within the EU. For providers that are already subject to lawful interception and data retention obligations, e-Evidence non-compliance may also trigger scrutiny of their broader regulatory posture.

e-Evidence vs. Lawful Interception vs. Data Retention

e-Evidence, lawful interception and data retention are three distinct but closely related disciplines within the broader field of telecommunications compliance. Understanding the differences — and the overlaps — is essential for building an efficient and integrated compliance infrastructure.

Lawful interception is the real-time capture and delivery of communications content and metadata for a specific target, based on a warrant or judicial order. It operates continuously for the duration of the authorisation and delivers data to law enforcement in near-real time. The technical standards governing lawful interception — primarily the ETSI TS 102 232 family — define how intercepted data is formatted, encrypted and transmitted to the monitoring facility.

Data retention is the mandatory storage of communications metadata (who communicated with whom, when, for how long and from where) for a defined period, typically six to twelve months depending on national law. Retained data is not delivered in real time; instead, it is stored by the provider and disclosed to law enforcement on request through standardised interfaces such as ETSI TS 102 657.

e-Evidence operates at a different level. Rather than mandating real-time surveillance or blanket metadata storage, it creates a mechanism for on-demand disclosure of stored data — subscriber records, access logs, transactional metadata and content — through cross-border Production and Preservation Orders. The data types may overlap with those captured by lawful interception and data retention systems, but the legal instruments, workflow, deadlines and delivery mechanisms are distinct.

For service providers, the practical implication is that e-Evidence compliance cannot simply be bolted onto an existing lawful interception or data retention system. It requires dedicated order management, validation, extraction and delivery workflows that align with the regulation’s specific requirements and the technical interfaces defined in ETSI TS 104 144. However, providers who have already invested in ETSI-compliant LI and data retention infrastructure have a significant head start, as the architectural principles and security mechanisms are consistent across all three domains.

Preparing for e-Evidence Compliance: Key Steps

With the regulation’s application date of 18 August 2026 approaching, service providers that have not yet begun their compliance programmes face an urgent timeline. The following areas require immediate attention.

First, providers must determine whether they fall within scope. The regulation’s broad definition of covered service providers means that many companies — particularly cloud platforms, hosting providers and online marketplaces — may not realise they are affected until enforcement begins. A thorough scoping assessment should be the starting point for any compliance programme.

Second, every in-scope provider must designate an official contact point in the EU. For EU-based providers, this may be an existing legal or compliance function. For non-EU providers, it requires appointing a designated establishment or legal representative. This entity must be registered with the relevant national authority — in Germany, the Bundesamt für Justiz — and must be operationally capable of receiving and processing orders around the clock, given the eight-hour emergency deadline.

Third, providers must implement the technical infrastructure to receive, validate, execute and respond to Production and Preservation Orders within the regulation’s deadlines. This includes integration with the e-CODEX communication platform, implementation of the interfaces defined in ETSI TS 104 144, and development of internal workflows for order management, data extraction and secure delivery. Providers who already operate ETSI-compliant lawful interception systems can leverage their existing architecture; those without such infrastructure face a more substantial implementation effort.

Fourth, providers must establish internal governance structures including clear escalation paths for emergency orders, legal review processes for orders that may require objection, audit logging for every action taken and staff training to ensure that all personnel involved in the e-Evidence workflow understand their responsibilities and the applicable deadlines.

The ICS e-Evidence compliance platform automates the complete lifecycle of European Production and Preservation Orders — from secure intake through the e-CODEX infrastructure, through legal validation and data extraction, to encrypted delivery to the requesting authority. The platform integrates seamlessly with the ICS Lawful Interception Management System (LIMS) and data retention solutions, enabling providers to manage all three compliance domains from a single, unified interface.

ICS also provides designated establishment support for non-EU providers that need to appoint a legal representative in Germany, advisory services for regulatory interpretation and compliance programme design, and managed operations for providers who prefer to outsource the day-to-day handling of e-Evidence orders to a specialist partner.

Our solutions are built on ETSI-compliant architectures supporting TS 104 144, TS 102 232, TS 102 657 and TS 103 707, and are certified by the German Bundesnetzagentur. Whether you operate a telecommunications network, a cloud platform, a messaging application or an online marketplace, ICS delivers the technology, expertise and operational support to ensure you meet your e-Evidence obligations — on time and with full auditability.