In a little under two years from now, the Regulation (EU) 2023/1543 (e-Evidence Regulation) will come into effect. Together with the Directive (EU) 2023/1544, this legislative package aims to establish a unified European legal framework for the preservation and cross-border disclosure of electronic evidence in criminal proceedings for the first time.

Despite imposing significant legal requirements on affected companies, the e-Evidence legislative acts have received little media attention compared to other EU digital legislation such as the Digital Services Act or the AI Act. Many companies have therefore not even considered whether the e-Evidence regulations could be relevant for them. This article provides a brief overview of the e-Evidence Regulation and its key features.

Key Features

The e-Evidence Regulation establishes two new legal instruments: the European Preservation Order for Electronic Communications (EPOC) and the European Production Order for Electronic Communications (EPOC-PR). These orders require service providers to immediately preserve certain data categories upon receipt of the order and to disclose them within ten days. In emergencies, this 10-day deadline can even be shortened to eight (!) hours.

The Directive complements the Regulation by requiring that service providers offering services in the EU appoint or designate a recipient for receiving, complying with, and enforcing orders. This ensures that service providers that are not established in the EU but offer services in the EU have a designated representative in the EU.

Scope of Application

Due to the lack of media attention, many companies are currently unaware that they fall within the scope of the Regulation. The Regulation applies to a wide range of service providers that offer services in the EU, regardless of their place of establishment (e.g. in the EU or in third countries such as the USA).

The term 'service provider' is broadly defined and includes:

1. electronic communications services, for example internet access services, email, or internet telephony services;
    
2. internet domain name and IP numbering services, such as IP address assignment, domain name registry, domain name registrar, and domain name-related privacy and proxy services; or
    
3. other information society services as defined in Article 1(1), point (b), of Directive (EU) 2015/1535, namely those that:
   • allow their users to communicate with each other; or
   • enable the storage or other processing of data on behalf of the users of the service, as long as the storage of data is an essential part of the service offered to the user;

The third alternative in particular affects a large number of operators of online services. This means that, besides online marketplaces, other hosting services that have communication functions as a minor ancillary feature (for example chat or comment sections), as well as cloud computing services such as platforms for online games and gambling, are covered by the Regulation.

Take away:

Companies should assess whether they fall within the scope of the e-Evidence legislative package and, if so, establish suitable procedures for dealing with EPOC and EPOC-PR requests. Service providers that fail to comply with the Regulation may face fines of up to 2% of their global annual turnover in the previous financial year.

Over the coming months, we will be taking a closer look at various aspects of the e-Evidence legislation. Stay tuned!