The EU’s e-Evidence Package: Your questions answered

What is the e-Evidence Package?

The e-Evidence Package is the EU framework designed to streamline judicial authorities’ cross-border access to digital evidence in the context of criminal proceedings. It consists of Regulation (EU) 2023/1543 and Directive (EU) 2023/1544, both adopted on July 12, 2023 and fully applicable as of August 18, 2026.

Under the e-Evidence Package, EU judicial authorities may issue orders directly to certain service providers offering their services in the EU — such as providers of electronic communications, cloud storage, messaging, and domain and IP services — requiring them to produce or preserve electronic data (namely subscriber data, traffic data, content data, and data sought for the sole purpose of identifying a user).

Italy has already implemented the e-Evidence Package through Legislative Decrees No. 215 and 216 of December 30, 2025 (respectively “Decree 215” and “Decree 216”), which entered into force on January 30, 2026. The Decrees identify the Italian authorities competent to issue, validate, and enforce the orders, and set out the obligations applicable to service providers. Additional implementing decrees will be enacted to fully operationalize the e-Evidence Package.

What are the new instruments introduced by the e-Evidence Regulation (Regulation (EU) 2023/1543)?

The Regulation introduces two new orders:

  1. The European Production Order (EPO): allows a judicial authority in one EU Member State to order a service provider established in another Member State to provide electronic data directly, without the need for a lengthy mutual legal assistance request.
  2. The European Preservation Order (EPO-PR): allows a judicial authority to instruct a service provider to freeze data while a formal production request is being prepared, preventing it from being deleted or altered in the meantime.

An EPO or an EPO-PR shall be transmitted through the certificate (respectively an “EPOC” or an “EPOC-PR”) to the service provider.

The e-Evidence Regulation also establishes a comprehensive procedural framework governing the issuance, transmission, and enforcement of EPOCs and EPOC-PRs, including the use of standardized forms to ensure consistency across all EU Member States.

Who are the recipients of the orders?

As mentioned, according to the e-Evidence Package, orders can be issued directly to service providers offering their services in the EU.

To this end, the e-Evidence Directive (Directive (EU) 2023/1544), as implemented by Decree 216,requires service providers to designate a point of contact within an EU Member State in which they offer their services.

The point of contact is responsible for receiving and complying not only with EPOCs and EPOC-PRs, but also with other legal instruments, including European Investigation Orders (EIOs) and requests made pursuant to the EU Convention on Mutual Assistance in Criminal Matters (the so called “Legal Instruments”).

Which are the deadlines to comply with an EPOC or an EPOC-PR?

  • EPOC: The point of contact shall provide the requested data within 10 days from receipt of the EPOC, or in case of  emergency, within 8 hours. For traffic data (except for data required for the sole purpose of identifying the user) and content data, a specific procedure involving notification to the so called “enforcement authority” is also required.
  • EPOC-PR: The point of contact shall preserve the requested data for 60 days from receipt of the EPOC-PR, unless the issuing authority takes  further action (i.e., the “Confirmation of issuance of a request for production following a European Preservation Order” or “Extension of the preservation of electronic evidence” forms are received).

What are the key obligations for service providers under the e-Evidence Directive?

Service providers are required to designate a point of contact, which may be either a designated establishment, if the service provider is already established in an EU Member State, or a legal representative, if the service provider is established outside the EU or in an EU Member State not participating in the Legal Instruments.

Service providers shall grant their designated establishment or legal representative  the powers and resources necessary to comply with the orders concerning the Legal Instruments.

Service providers and their designated establishment or legal representative are jointly and severally liable for compliance failures.

How are orders received by the point of contact?

All written communications between competent authorities and designated establishments or legal representatives must be channelled through a decentralized IT system governed by the EU Commission Implementing Regulation No. 2025/1555.

The use of alternative means of communication is permitted only where the decentralized IT system cannot be used — for example, due to specific forensic requirements, technical constraints on the volume of data to be transferred, or where an establishment not connected to the system must be addressed in an emergency. In such cases, transmission should be carried out by the most appropriate alternative means, taking into account the need to ensure a swift, secure, and reliable exchange of information.

In light of the above, once duly appointed, the legal representative or designated establishment must register in the decentralized IT system.

To date, Italy has not yet implemented such IT system.

What are the deadlines to appoint or designate the point of contact?

The e-Evidence Package will become fully applicable on August 18, 2026.

Service providers already operating in the EU as of February 18, 2026 must appoint their points of contact by August 18, 2026. Those who started offering services in the EU after February 18, 2026 have six months from the date they commence operations to comply.

Non-compliance carries fines up to EUR1,500,000.

What should companies do now?

  • Assess applicability: Determine whether the company qualifies as a “service provider” under the e-Evidence Package.
  • Map EU presence: Identify the Member States in which the company offers its services and whether it is already established in one of them.
  • Designate or appoint: Designate one of the EU establishments or appoint a legal representative in the EU, ensuring they have the necessary powers and resources to handle incoming orders.
  • Notify the authorities: Submit the required notification to the competent authority in the relevant Member State within the prescribed deadlines.
  • Check local laws: Verify whether any specific local requirements apply (e.g., language requirements, additional notification obligations, etc.).;
  • Review internal procedures: Put in place internal processes for handling EPOCs and EPOC-PRs as well as other Legal Instruments (e.g. through checklists), including escalation protocols and response timelines aligned with the deadlines under the e-Evidence Regulation.

Portolano Cavallo is available to assist companies in (i) assessing the applicability of the e-Evidence Package, including determining whether a legal representative must be appointed or an establishment designated, and (ii) complying with the related obligations (e.g. notification to the competent Authority and actions to be taken upo  receipt of an EPO or EPO-PR).

Indietro
Seguici su