
New Obligations for Service Providers Under Germany’s EBewMG Implementing the EU e‑Evidence Directive

The German Federal Government has published its draft law (Elektronische-Beweismittel-Umsetzungs-und-Durchführungsgesetz – EBewMG) to implement Directive (EU) 2023/1544, a centerpiece of the EU’s e-Evidence package. The proposal establishes a unified and practical framework for the cross‑border preservation and disclosure of electronic evidence in criminal proceedings within the European Union.

A. Summary of the Draft Law

The proposal transposes the EU framework into national law and introduces new obligations for service providers operating within the EU.

1. Background and Objectives

The growth of digital communications and online services has transformed criminal investigations, particularly where relevant data is held in other EU Member States or outside the EU, such as in the United States. The e‑Evidence package enables investigative authorities, under defined safeguards, to issue orders directly to service providers in other Member States to preserve and produce subscriber, traffic, and content data for criminal proceedings. The German draft closely follows the Directive and aligns national law with broader international efforts to combat crime in a cross-border digital environment.

2. Core Elements of the Draft Law

The draft clarifies which providers are in scope and how they must be positioned to receive and act on cross-border orders under the EU instruments. The core elements are:

Providers must designate an establishment or representative in the EU, referred to as an “addressee”, empowered and resourced to receive, validate, and execute cross‑border preservation and production orders issued under the EU act.

Providers must notify competent authorities of the addressee’s contact details and the language(s) in which communications will be handled.

The draft further codifies detailed procedural rules for the issuance, validation, and enforcement of preservation and production orders, with tailored requirements depending on the category of data sought. Different authorities and thresholds apply to subscriber/identification data, traffic data, and content data.

To support secure and efficient communications, a decentralized IT system will be introduced for digital interactions between authorities and service providers.

Germany will amend the Telecommunications Act (TKG) and the Telecommunications Telemedia Data Protection Act (TDDDG), creating the necessary legal bases for service provider processing of data to comply with European orders.

3. Sanctions for Non-Compliance

The proposal also strengthens rights of redress and establishes sanctions for non‑compliance. Providers that breach their obligations face administrative fines, which for larger companies may be turnover‑based and reach up to 2% of worldwide annual revenue.

4. Timing for Service Providers

The rules will be implemented in phases. Providers offering services in the EU as of 18 February 2026 must designate at least one addressee by 18 August 2026. Providers entering the EU market after 18 February 2026 must appoint an addressee within six months of commencing services in the EU.

B. What Companies Should Do Next

Companies providing digital services in the EU should promptly determine whether they fall within the e‑Evidence framework and, if so, where to designate their addressee. This assessment should address at least three questions.

  • First, do your services and business bring you within scope of the e-Evidence package, including where you make services available to users in the EU or otherwise target the EU market? We have already published some guidance on this in our article here.
  • Second, do you already have an EU establishment that could serve as the designated addressee, equipped with the authority, expertise, and resources to receive, authenticate, and execute preservation and production orders?
  • Third, if you must appoint an addressee, in which Member State should you locate the addressee to optimize legal certainty, operational efficiency, language capabilities, and engagement with competent authorities?

In deciding where to place the addressee function, companies should evaluate the likely volume and origin of requests, relevant language requirements, and technical integration with the decentralized IT system. Providers with larger operational hubs elsewhere in the EU may benefit from centralizing this function in a Member State with established compliance infrastructure and language resources. Regardless of location, the addressee must be formally authorized, sufficiently staffed, and appropriately documented to meet statutory obligations, and its contact and language details must be communicated to the competent authorities.

This Directive lays down the rules on the designation of designated establishments and the appointment of legal representatives of certain service providers that offer services in the Union
