The EU e-evidence Regulation and Directive, which establish a regime for law enforcement authorities (“LEAs”) in one Member State to issue legally-binding demands for data from certain types of providers established in other Member States, will come into effect on 18 August 2026 (our post on the specific requirements of the Regulation and Directive is available here). On 28 July 2025, the European Commission adopted an Implementing Regulation (“IR”) setting out the technical specifications for the decentralized communications system that LEAs and covered service providers must use when, among other things, issuing and responding to European Production Orders (“EPOs”) and European Preservation Orders (“EPrOs”) under the e-evidence Regulation.

Article 19 of the e-evidence Regulation requires each Member State to allow covered service providers established in their Member State to access this decentralized IT system via a “national IT system.” In other words, Member States will need to develop systems that enable local service providers to receive communications from and send communications to LEAs (although the e-evidence Regulation also requires the Commission to develop “reference implementation software,” which Member States may use for this purpose). The IR sets out the technical specifications that these national systems, and the reference implementation software, must meet.

Much of the detail in the IR is primarily relevant to the authorities developing the different components of the decentralized system, because it sets out, for example, requirements related to interoperability and the security of communications that the system must facilitate. However, there are some aspects that will be of interest to covered service providers to ensure that they can receive and comply with EPOs / EPrOs they receive, including:

  • File sizes that do not require use of the decentralized system. Service providers are required to use the decentralized system to provide electronic evidence in response to an EPO unless that evidence exceeds 25Mb in size. In such a case, the provider must use “the most appropriate alternative means, taking into account the need to ensure an exchange of information which is swift, secure and reliable, and allows the recipient to establish authenticity,” and must record certain information about that transmission within the relevant national system.
  • API access to the system. The Commission is obliged to define the specifications for the API that service providers will use to access the decentralized system, and Member States must make it available. While there is no deadline for this, the IR states that the API must be based on ETSI TS 104 144 to the extent possible. (This is an existing standard that defines the interface for LEAs and service providers under the e-evidence Regulation.)
  • Encryption requirements. The IR grants LEAs the power to issue—alongside an EPO—a public key encryption certificate. If an LEA does so, then a provider that receives the certificate must encrypt evidence it provides in response to the EPO using that certificate.
  • Database of service providers. The IR requires that the decentralized system maintains a database of information relating to each LEA that is competent to issue EPOs and EPrOs in each Member State. This will include information necessary to ensure the correct routing of data requested by each LEA within the system, including information about each service provider, their designated establishment / representative, and the types of information that are available for each service that they offer. It is therefore possible that LEAs will request this information from covered entities.

We anticipate that Member States will develop their national systems in the coming months, with a view to having these systems operational when the e-evidence Regulation comes into effect.

Separate and apart from the IR, Member States were obliged to notify the Commission of all the LEAs competent to issue and/or enforce EPOs and EPrOs, the authorities competent to address objections to EPOs and EPrOs, and the acceptable languages for EPOs, EPrOs, and associated certificates. The Commission will make this publicly available, likely on the European Judicial Network website (available here).

*              *              *

The Covington team will continue to monitor developments related to the e-evidence package, and would be happy to answer any questions about the issues raised above.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Paul Maynard Paul Maynard

Paul Maynard is special counsel in the technology regulatory group in the London office. He focuses on advising clients on all aspects of UK and European privacy and cybersecurity law relating to complex and innovative technologies such as adtech, cloud computing and online…

Paul Maynard is special counsel in the technology regulatory group in the London office. He focuses on advising clients on all aspects of UK and European privacy and cybersecurity law relating to complex and innovative technologies such as adtech, cloud computing and online platforms. He also advises clients on how to respond to law enforcement demands, particularly where such demands are made across borders.

Paul advises emerging and established companies in various sectors, including online retail, software and education technology. His practice covers advice on new legislative proposals, for example on e-privacy and cross-border law enforcement access to data; advice on existing but rapidly-changing rules, such the GDPR and cross-border data transfer rules; and on regulatory investigations in cases of alleged non-compliance, including in relation to online advertising and cybersecurity.

Read more about Paul MaynardEmail
Show more Show less