On 18 August 2026, one of the most consequential pieces of EU criminal-justice legislation in a decade quietly comes into force. Regulation (EU) 2023/1543 — the E-Evidence Regulation — together with its companion Directive (EU) 2023/1544, will let a prosecutor in Lisbon, Vilnius or Sofia send a binding order directly to a cloud or communications provider operating anywhere in the EU and demand subscriber, traffic or content data. The standard deadline is 10 days. In emergencies involving an imminent threat to life, it shrinks to 8 hours.
For Meta, Google, Microsoft, Apple, Amazon, Cloudflare, Proton, OVH and the long tail of European hosting and SaaS providers, this is not a paperwork exercise. It is a structural change to how law enforcement and the cloud interact in Europe — and the build-out has to be done before late summer.
What the regulation actually does
Today, when Italian police want WhatsApp messages stored on Meta's Irish servers, they typically use a Mutual Legal Assistance Treaty request or a European Investigation Order, both of which route through Ireland's authorities. Response times are measured in months. The E-Evidence Regulation cuts the intermediary out: an Italian judicial authority issues a European Production Order (EPO) or European Preservation Order (EPO-PR) directly to Meta's designated EU establishment, and Meta must respond on the regulation's clock.
Four data categories are covered, with escalating safeguards: subscriber data; data requested solely to identify a user; traffic data; and content data. For traffic and content data, an additional notification mechanism alerts the “enforcing” Member State (where the provider is established), which can raise narrow grounds for refusal, for instance if the order would breach press-source protections or fundamental rights.
Non-compliance is not theoretical. Member States are required to set penalties of up to 2% of a provider's total worldwide annual turnover. That is GDPR-tier exposure, applied to a far more operationally demanding obligation.
Why August 2026 is a hard deadline for industry
The companion Directive 2023/1544 had to be transposed by Member States by 18 February 2026, and providers offering services in the EU must by 18 August 2026 have designated either an establishment or a legal representative authorised to receive, comply with and enforce these orders. In practice this means:
- A named, reachable legal contact — 24/7 for emergency orders.
- Internal triage and authentication systems capable of validating an EPO from any of 27 Member States, in any official language.
- Engineering pipelines that can produce structured data exports within 10 days — and, for genuine emergencies, within 8 hours.
- A decentralised IT system (the Commission is building one based on e-CODEX) for transmitting orders and certificates, which providers will need to integrate against.
For the hyperscalers, much of this builds on existing Law Enforcement Response Team infrastructure. For mid-sized European SaaS firms and privacy-focused providers, it is a meaningful new compliance lift.
The civil-liberties debate is not settled
European Digital Rights (EDRi), Access Now and a coalition of academic experts spent years arguing that the regulation underweights the role of the “enforcing” state. Their core concern: a prosecutor in a Member State with weakening rule-of-law guarantees can demand sensitive content data on a journalist, activist or lawyer located elsewhere, and the provider — not an independent court in the user's country — becomes the principal gatekeeper. The notification mechanism narrows but does not eliminate this risk.
The European Data Protection Supervisor and the European Parliament's LIBE committee secured improvements during negotiation, including the notification regime for content data and clearer fundamental-rights grounds for refusal. But the architecture remains one of mutual trust by default, with refusal as the exception.
A pro-innovation read: speed is good, safeguards must keep up
From a proportionate-regulation standpoint, there is a real problem the E-Evidence Regulation is solving. Cross-border evidence requests under the old MLAT system routinely took 10 months or more, frustrating serious criminal investigations into ransomware, child sexual abuse material and terrorism — cases where data is stored in one jurisdiction, the suspect is in another, and the victim in a third. A faster, more predictable channel benefits both rights-holders and victims of crime.
But three things now matter for the regulation to be a net positive for the open internet:
- Robust authentication. Forged or fraudulent law-enforcement requests are a known threat vector. The decentralised IT system and standardised certificates must be technically hardened from day one — an EPO is, after all, an order to disclose private data on demand.
- Real refusal capacity. Providers must be willing, and legally protected when they choose, to push back on orders that appear incompatible with fundamental rights, particularly those targeting journalists, lawyers and political activists. National implementing laws should make those protections explicit, not merely theoretical.
- Transparency. Member States and providers should publish granular annual statistics on EPOs issued, complied with, refused and challenged. Without numbers, oversight by parliaments, courts and civil society becomes guesswork.
The E-Evidence Regulation is, on balance, the kind of cross-border tool a digital single market eventually needs. But its first 18 months of operation will determine whether it becomes a model for proportionate cooperation — or a cautionary tale about what happens when speed is engineered in and safeguards are left as an afterthought. The clock starts on 18 August.