For decades, when prosecutors needed electronic evidence held by a service provider in another country, they had only one realistic option: the Mutual Legal Assistance Treaty (MLAT). The MLAT system worked — eventually — but it was built for paper-era investigations, not for cloud-era cybercrime, ransomware, online fraud or cross-border terrorism. Requests routinely took 6 to 18 months, and by the time a German provider finally received a request originating in France, suspects had often disappeared and ephemeral data had been lost.
The EU e-Evidence Regulation (EU) 2023/1543, which becomes directly applicable on 18 August 2026, fundamentally changes that picture. It replaces the slow, diplomatic MLAT route with a fast, harmonised, judicial-to-provider channel that operates in days — and in emergencies, in hours. For every electronic communications, hosting, cloud, marketplace and online platform provider operating in the EU, this is the most significant shift in cross-border evidence law in a generation.
This article explains, in practical terms, what changed between the MLAT world and the e-Evidence world, what it means operationally, and how service providers should reshape their compliance programmes before the deadline.
The Old World: How MLATs Worked (and Why They Struggled)
An MLAT is a bilateral or multilateral treaty under public international law that enables one State to request judicial cooperation — including the production of evidence — from another. In practice, an MLAT request to obtain electronic evidence followed a long, multi-stage path:
- A prosecutor in the requesting State drafted a formal letter rogatory and submitted it to their national Central Authority (typically the Ministry of Justice).
- The Central Authority reviewed and translated the request, then forwarded it through diplomatic channels to its counterpart in the requested State.
- The receiving Central Authority transmitted the request to a competent local court or prosecutor.
- The local authority issued a domestic legal order against the service provider.
- The provider produced the data, which was then routed back through the same chain in reverse.
Each step added weeks or months. Translation and formality requirements added further delay. By the time the requested provider finally received an enforceable domestic order, the underlying investigation had often moved on, the data may have aged out of retention windows, or the suspect had crossed yet another border. Studies repeatedly found average MLAT cycle times of around 10 months, with many cases stretching well beyond a year.
The New World: Direct Orders Under the EU e-Evidence Regulation
The e-Evidence Regulation introduces two new instruments — the European Production Order (EPO) and the European Preservation Order (EPOC-PR) — that judicial authorities can issue directly to a service provider in another Member State, without going through diplomatic or governmental intermediaries. The order travels through the secure decentralised IT system e-CODEX, using standardised EPOC and EPOC-PR certificates.
Take the same scenario: a French prosecutor investigating ransomware targeting EU hospitals needs subscriber and traffic data held by a German hosting provider. Under e-Evidence, the prosecutor (with the appropriate judicial validation) issues an EPO and sends it directly to the provider’s designated point of contact. The provider validates the order, extracts the data, and delivers it back through e-CODEX. Standard turnaround is 10 days. Emergency turnaround is 8 hours.
e-Evidence vs MLAT: A Side-by-Side Comparison
| Dimension | MLAT | EU e-Evidence Regulation |
|---|---|---|
| Legal basis | Bilateral / multilateral treaty | EU Regulation, directly applicable |
| Recipient of request | Foreign State authority | Service provider (directly) |
| Transmission channel | Diplomatic / Central Authorities | e-CODEX (secure IT system) |
| Typical timeframe | 6–18 months | 10 days standard / 8 hours emergency |
| Format | Free-form letter rogatory | Standardised EPOC / EPOC-PR certificates |
| Provider’s role | Recipient of a domestic order | Direct addressee of the foreign order |
| Sanctions on providers | Domestic law of the requested State | Up to 2% of global annual turnover |
| Data preservation | Ad hoc, jurisdiction-dependent | Harmonised EPOC-PR (60 + 30 days) |
| Geographic scope | State-to-State only | Any provider offering services in the EU |
What Stays the Same — and Where MLATs Still Matter
The e-Evidence Regulation does not abolish MLATs. They remain the primary mechanism for evidence requests involving non-EU countries, and they continue to apply in many criminal-justice scenarios outside the Regulation’s scope. Inside the EU, prosecutors can also still rely on the European Investigation Order (EIO) under Directive 2014/41/EU for broader investigative measures. The e-Evidence Regulation is best understood as a specialised, faster instrument for one specific need — production and preservation of electronic evidence — layered on top of the existing toolkit.
For non-EU service providers, the practical effect is that requests from EU authorities will increasingly come through e-Evidence rather than MLAT — provided the provider offers services in the EU and has, or appoints, a legal representative in a Member State.
What This Means for Service Providers in Practice
Switching from a 10-month diplomatic process to a 10-day (or 8-hour) direct process is not just faster — it is a different operating model. Compliance can no longer be a quarterly side-task handled by a single privacy lawyer. It has to be embedded into engineering, security operations and customer support. The implications fall into four broad areas.
1. Automated order intake and validation
Manual mailbox-based intake will not scale. You need an authenticated endpoint connected to e-CODEX (directly or via a qualified intermediary) that can receive, time-stamp, validate signatures, check issuing-authority credentials and route orders to the right responders. Solutions such as the ICS e-Evidence Compliance Platform are built precisely for this workflow, but providers can also build in-house if they have the engineering capacity.
2. Standardised data extraction across systems
The Regulation distinguishes between subscriber, identification, traffic and content data, each with different thresholds. Your data inventory must map each system to the categories of data it holds, and your extraction tooling must produce outputs in the standardised format defined by the Commission’s implementing acts.
3. 24/7 operational readiness
The 8-hour emergency window applies at any time of day, any day of the year. That requires named on-call legal and engineering responders, runbooks, escalation paths and rehearsed tabletop exercises. For organisations that cannot sustain that footprint internally, a Designated Establishment-as-a-Service arrangement combined with managed operations is increasingly the pragmatic answer.
4. Tamper-evident audit trails
Every action — receipt, validation, internal routing, extraction, review and delivery — must be captured in an audit trail strong enough to be admitted as evidence and to demonstrate, after the fact, that you complied with deadlines, minimisation and the specific scope of the order.
Penalties: Why MLAT-Era Slack Is Gone
Under MLAT, friction in the system was tolerated because everyone — investigators, providers, courts — knew it was slow. The e-Evidence Regulation has no such slack. Member States are required to impose effective, proportionate and dissuasive penalties, with administrative fines benchmarked at up to 2% of the provider’s worldwide annual turnover. Repeated or systemic failures can also trigger court orders, regulatory action by national competent authorities and serious reputational damage with enterprise customers and regulators.
Interaction with GDPR, NIS2 and the Digital Services Act
e-Evidence does not override the GDPR. Disclosures must remain lawful, minimised and properly logged in records of processing. Security controls and incident handling must align with the NIS2 Directive, and very large online platforms must reflect government-order activity in their DSA transparency reports. A modern compliance programme treats these regimes as overlapping rather than competing — the same intake, audit and minimisation infrastructure can serve all of them.
Frequently Asked Questions
For a longer reference, see our dedicated e-Evidence FAQ.
Does the EU e-Evidence Regulation replace MLATs?
No. It complements them. MLATs remain in force, particularly for cooperation with non-EU countries. Inside the EU, e-Evidence offers a faster, specialised channel for production and preservation of electronic evidence.
Can a prosecutor in one Member State really order data directly from a provider in another?
Yes. That is the central innovation of the Regulation. Subject to the safeguards and grounds for refusal in the Regulation, a competent judicial authority issues an EPO that the provider must execute directly, without first going through the authorities of the receiving State.
Does e-Evidence apply to non-EU providers?
Yes — any provider offering services to users in the EU is in scope and must designate a legal representative in a Member State to receive and act on orders.
What happens if my organisation cannot meet the 8-hour deadline?
Missed deadlines can lead to enforcement by the competent authority of the enforcing State, including fines of up to 2% of global annual turnover. Documented, proportionate efforts and a clear cause for any delay are critical mitigations.
From MLAT-Era Compliance to e-Evidence-Ready Operations
The shift from MLAT to e-Evidence is, at its core, a shift from occasional, slow, paper-driven cooperation to continuous, fast, software-driven cooperation. Service providers that thrived under the MLAT model — relying on legacy email queues and ad-hoc legal review — will struggle from August 2026 onwards. Those that invest now in e-Evidence-ready compliance operations will not just avoid penalties; they will turn law-enforcement readiness into a trust signal for enterprise customers and regulators.
If you would like an independent assessment of your readiness, ICS offers a complete e-Evidence compliance assessment covering legal scope, technical infrastructure and operational processes — together with a clear roadmap to the August 2026 deadline. Contact ICS today to schedule yours.
