
Cross-border access to electronic Evidence in the EU: speed vs. safeguards

  • Writer: Joint Defense Team
E-Evidence Regulation (EU) 2023/1543; E-Evidence Directive (EU) 2023/1544

Why the defence must stay alert ahead of the e-Evidence Regulation’s application as from 18 August 2026


In our increasingly digital world, electronic evidence is becoming more important every day. Crime evolves alongside technology: communication, planning, transactions and coordination increasingly happen online, leaving digital traces rather than traditional physical evidence. Investigations therefore focus more and more on electronic footprints—messages, metadata, location data, cloud files, IP logs, and online account information.


At the same time, the technological environment in which this evidence exists has changed fundamentally. Data no longer sits on one identifiable server in one jurisdiction. Modern infrastructures — cloud services, distributed storage, remote access, and constant data movement — mean that information can shift rapidly across borders and across systems. As a result, cross-border investigations are no longer exceptional. They have become daily practice for law enforcement agencies across Europe.

 

Digitalisation, new technologies and the changing nature of evidence

In recent years, digitalisation has been high on the agenda of EU policymakers, especially in criminal justice. New information and communications technologies have changed how people communicate, store information, and use services. Online platforms have become part of everyday life — banking, housing, food delivery, education and professional communication all depend on digital services. As a result, digital traces have become central not only in cybercrime investigations, but in almost any criminal case where a digital service or device played a role.

 

This shift raises a key question: how can police and judicial authorities lawfully obtain electronic evidence when the data is stored abroad or controlled by a service provider based in another country? This key question naturally leads to another crucial issue: what safeguards are required in such cases to guarantee the rights of the defence?

 

Traditional cooperation tools: effective, but often too slow

To facilitate cross-border investigations, EU Member States have long relied on cooperation mechanisms and mutual legal assistance treaties (MLATs). These instruments are designed to ensure both effective law enforcement and the protection of fundamental rights. They work through structured procedures, legal review, and safeguards that aim to prevent abuse. However, those guarantees come at a price: time.

 

In practice, MLA procedures can be slow and administratively demanding. Even within the EU, the European Investigation Order (EIO) is often considered too slow for electronic evidence, which can be volatile and easily deleted. Data retention periods may be short, platforms can remove information quickly, and accounts can be closed or changed in real time. This tension — between procedural safeguards and investigative speed — has become one of the central motivations behind new EU initiatives.

 

The EU’s response: the e-Evidence package

To address the limits of existing mechanisms, the European Union has developed new tools specifically designed for cross-border access to electronic evidence. Alongside instruments such as the Second Additional Protocol to the Budapest Convention, the EU has adopted the so-called e-Evidence package. This package consists of:

 

  • the e-Evidence Regulation, which will apply in all EU Member States from 18 August 2026, and
  • the e-Evidence Directive, which must be transposed by 18 February 2026.

 

Together, these instruments establish a new EU framework for cross-border access to electronic evidence — one that shifts away from classic state-to-state cooperation and moves towards direct interaction with service providers.

 

A new model: direct cooperation with service providers

The key innovation of the Regulation is straightforward in concept, but significant in impact: it allows law enforcement and judicial authorities in one Member State to directly request electronic evidence from service providers in another Member State.

 

This direct link between the issuing authority and the provider reduces or even eliminates the involvement of the authorities in the service provider’s Member State. In terms of efficiency, this should be a major step forward. The Regulation is built on mutual trust between Member States and aims to streamline and expedite the process of obtaining digital evidence. But from a defence perspective, this shift is also where the most serious concerns arise.

 

The Regulation is designed primarily around cooperation between issuing authorities and private companies. The individual whose data is sought risks becoming a secondary figure in a system that prioritises speed, operational practicality, and cross-border effectiveness.

 

Two core tools: production and preservation orders

The Regulation provides for two main investigative tools.

 

European Production Order (EPOC):

 

The European Production Order allows authorities in one Member State to request data directly from a service provider in another Member State. In principle, the provider must ensure that the requested data is transmitted directly to the issuing authority within 10 days. In emergency cases, the deadline can be shortened to eight hours.

 

European Preservation Order (EPOC-Pr):

 

The European Preservation Order, on the other hand, allows authorities to request that certain data be preserved for a maximum period of 60 days, ensuring that it is not deleted or altered while further steps are taken.

 

On paper, this two-step mechanism makes sense: preserve first, produce later. In practice, however, it creates a fast-moving system where data can cross borders with unprecedented speed, often before meaningful safeguards can operate.

 

Speed comes with a price: fundamental rights under pressure

The speed at which data can now be collected and transferred across borders is precisely what makes the Regulation attractive for investigations. But it is also what makes it risky. The Regulation contains safeguards such as necessity and proportionality requirements, and it foresees limited grounds for refusal. Yet these guarantees may prove insufficiently protective in practice.

 

One reason is structural: service providers are placed at the centre of the system, but they are not designed to protect fundamental rights. Even if a provider detects potential concerns, there are strong incentives to comply rather than challenge:

 

  • extremely short deadlines,
  • legal uncertainty,
  • the risk of sanctions or liability for non-compliance,
  • and limited operational capacity to assess complex legal issues.

 

As a result, compliance may often become the rational default—even in situations where fundamental rights questions should be raised.

 

The enforcing authorities (in the service provider’s Member State) can refuse in certain cases, but refusal is exceptional and narrowly defined. It is also unlikely to be applied systematically. Effective review requires time, resources and institutional willingness. Yet in many cases the orders do not concern the enforcing state’s own nationals, reducing the practical incentive to intervene. The risk is clear: in day-to-day practice, neither service providers nor enforcing authorities are likely to function as a reliable safeguard. That places the protection of fundamental rights under considerable strain.

 

The data subject’s position: notification and remedies are not a given

Another concern is that the Regulation is primarily structured around the issuing authority and the service provider, while the individual whose data is sought receives far less attention.


In principle, there is a duty to notify the person concerned. In practice, however, notification can be postponed or restricted on the basis of a brief justification. This means individuals may be informed late (or not at all) about the order and the disclosure of their data.

 

This directly affects defence rights. If the data subject is not notified in time, there is no meaningful opportunity to challenge the lawfulness, necessity or proportionality of the order. At the same time, service providers are largely protected when they act in good faith, which makes it less likely that unlawful or questionable orders will be challenged.

 

In addition, it remains uncertain to what extent breaches of the Regulation will lead to real consequences in criminal proceedings. In many legal systems, the exclusion of unlawfully obtained evidence is applied restrictively. If violations do not result in exclusion or meaningful judicial sanctions, safeguards risk becoming theoretical rather than effective.


The Regulation does contain a separate notification mechanism, aimed not at the data subject, but at the authorities of the service provider’s Member State. This mechanism was introduced as a compromise: instead of full state-to-state cooperation, the enforcing State is merely informed in certain situations and may raise objections within a short timeframe. In theory, this adds a layer of oversight for the most intrusive categories of data.


In practice, this safeguard is limited. Notification to the enforcing State is not required for every production order, and it can be avoided in many cases where the issuing authority considers the case sufficiently “domestic”. This means that many cross-border requests—despite being executed abroad and involving a foreign provider—may go ahead without any real involvement of the enforcing State.


Even when notification is required, it does not guarantee proper scrutiny. The enforcing State is not under a clear obligation to review the order in depth, and the deadlines are short. Where large providers are based in certain Member States, the number of notifications may be high, making systematic review difficult. Oversight may then become inconsistent or superficial—precisely what fundamental rights protection should avoid.


More fundamentally, the choice to notify the service provider’s State can be questioned. If the goal is to protect the person whose data is targeted, it is not obvious why notification is directed to the provider’s jurisdiction rather than to the person’s own Member State, which may have a stronger interest in protecting its resident. This reinforces the broader concern: the framework prioritises speed, while the defence must remain alert to cases where notification safeguards—towards the individual or towards the enforcing State—were bypassed, delayed, or treated as a formality.

 

A concrete example: Italy

Italy implemented the EU Regulation with Legislative Decree no. 215 of 30 December 2025.

 

The practical application of Community rules confirms the doubts and perplexities highlighted here.

The competent authority to issue an EOP or EOC is always the Judge, who must also intervene when the order is issued on an emergency basis by the Public Prosecutor or, when permitted, directly by the judicial police.


An individual (defendant or person under investigation) must also contact the Judge when they intend to submit a request of this type, as they cannot act directly.

 

The recipients of an EOP or EOC request are the Internet Service Providers that provide the communication service.


The passive request, on the other hand, is received by the Public Prosecutor who proceeds to execute it, except in the cases of refusal indicated in the EU Regulation.

 

Italian legislation is very simple and consists of very few articles (only 10).

 

A preliminary analysis allows us to appreciate the choice to place all decision-making power in the hands of the Judge.


A comparison with EU Directive 2014/41 on EIOs is immediate.


As seen in the cases of EIOs aimed at acquiring EncroChat and Sky ECC evidence in France, an EIO could previously also be issued by the Public Prosecutor, even when used to acquire communications data.

 

The influence of the latest decisions of the CJEU (C-670/22 and C-548/21) and the ECHR is evident.

 

However, no protection instrument is provided for the individual, i.e. the person whose communication data is requested from an ISP.

 

The only review procedure provided for by Italian law, in fact, is envisaged only in favour of the ISPs, but not also of the person under investigation (or defendant). This implies:

 

  • the person under investigation (or defendant) is not informed of the request for an EOP or EOC against him;
  • that person does not have any means of appeal;
  • and even when a request for an EOP or EOC is submitted to the Judge, there are no means of appeal in the event of refusal.

 

It is possible that the lack of this type of protection is justified by the “surprise effect” that must characterize every criminal investigation.

 

However, this consideration does not appear relevant.

 

The fact is that an EOP or EOC presupposes that the data is stored by the service provider and not acquired in real time.

 

In fact, the possibility of issuing an EIO to carry out telephone interceptions (i.e. to acquire computer data in real time) in another Member State is already regulated by EU Directive 2014/41.

 

The new law, therefore, looks more like a new type of seizure of electronic or computer evidence.

 

But in Italy, seizure is a means of seeking evidence that always requires notification to the interested party.

 

And today more than ever, it is possible to assert the protection of one's fundamental rights before a Judge, especially in terms of the necessity and proportionality of the means of seeking evidence.

 

Furthermore, since we are dealing with communications that have already taken place and, therefore, are no longer "modifiable", the “surprise effect” appears useless.

 

In conclusion, therefore, a judgment on the practical implications of this new law will be possible only after its initial application in case law. Furthermore, immediate legislative intervention aimed at filling all the regulatory gaps already highlighted seems appropriate (and is not excluded).


Why this matters: the defence must act proactively

The e-Evidence Regulation will fundamentally reshape cross-border evidence gathering within the EU. It is, in many ways, an inevitable response to a world where data is volatile, borders are technically irrelevant, and service providers control essential information.

 

Yet this shift also increases the responsibility on the defence. In a system where oversight is limited, notification is uncertain, and the practical incentives favour rapid compliance, defence lawyers must be particularly vigilant. In concrete terms, this means that the defence must proactively verify whether:

 

  • the correct legal instrument was used,
  • the issuing authority was competent,
  • necessity and proportionality were properly assessed,
  • deadlines and procedural requirements were respected,
  • notification obligations were fulfilled,
  • and fundamental rights safeguards were actually applied rather than assumed.

 

Electronic evidence can be decisive. But in a fast-moving cross-border framework, it can also be fragile: legally, technically and procedurally.


Conclusion

The EU’s e-Evidence package marks a major change in how electronic evidence will be gathered across borders. By enabling direct cooperation between issuing authorities and service providers, the Regulation prioritises speed and efficiency, responding to real investigative needs in a digital society.


At the same time, the model raises serious concerns about fundamental rights protection, democratic oversight, and effective remedies for individuals whose data is sought. If safeguards remain weak in practice, the defence will increasingly carry the burden of identifying violations and challenging unlawful evidence.

 

With the Regulation entering into application in August 2026, one message is clear: cross-border access to electronic evidence is becoming faster than ever. The defence must be ready to move just as quickly and just as carefully.


The members of JDT once again stand ready to vigorously defend the fundamental rights and freedoms of every individual. Should you have any questions, feel free to reach out. Blink, and it'll be August 18, 2026!
