On 18 August 2026, the European Union's E-Evidence Regulation (Regulation (EU) 2023/1543) and its companion Directive (EU) 2023/1544 become operational across all 27 member states. After nearly eight years of negotiation, prosecutors and judges from Lisbon to Tallinn will be able to issue European Production Orders (EPOs) and European Preservation Orders (EPO-PRs) directly to service providers — including US-headquartered platforms — with tight, statutorily fixed response windows. It is the most consequential overhaul of cross-border data access in a generation, and it will land squarely on top of a US legal regime that does not always allow what Brussels is about to demand.
What the Regulation Actually Does
The new instrument lets a competent authority in any EU member state compel a service provider — whether established in the Union or merely offering services to users there — to produce or preserve electronic evidence held anywhere in the world. The mechanism intentionally bypasses traditional Mutual Legal Assistance Treaties (MLATs), which Commission officials have long criticised as slow and unreliable for digital investigations.
Response deadlines are aggressive. Subscriber and traffic data must be produced within 10 days of receipt of an order, and within 8 hours in emergency cases involving imminent threats to life or critical infrastructure. Preservation orders freeze data for up to 60 days, extendable. Non-EU providers offering services in the Union must designate a legal representative under Directive 2023/1544, and non-compliance can trigger fines of up to 2% of worldwide annual turnover.
The Legitimate Case for Reform
It would be a mistake to dismiss the Commission's rationale. EU law enforcement officials have consistently argued that the overwhelming majority of serious criminal investigations now involve digital evidence held by a handful of large platforms, and that MLAT response times — often measured in months — are incompatible with the cadence of modern investigations. The Council of Europe's Second Additional Protocol to the Budapest Convention on Cybercrime, opened for signature in May 2022, reflects the same concern at the global level.
For genuinely time-sensitive cases — child sexual abuse material, terrorism, ongoing kidnappings — a faster lane is defensible. Even pro-innovation commentators should concede that the status quo, in which a Dutch prosecutor waits 9 months for routine subscriber data from a US provider, helps neither civil liberties nor public safety.
Where the Regime Goes Too Far
The problem is not the principle of faster cross-border access. It is the design choices Brussels has made around it.
- Thin judicial review for the receiving state. The regulation establishes a notification mechanism for the country where the provider is based, but the grounds on which that state can object are narrow and the timelines are punishing. In practice, a single member-state judge can compel disclosure that touches users in 26 other jurisdictions and beyond.
- Direct conflict with US law. The US CLOUD Act and the Electronic Communications Privacy Act (ECPA) restrict when US providers may disclose content data to foreign authorities. A long-promised US-EU executive agreement under the CLOUD Act framework — which would provide the safety valve — has been under negotiation since 2019 and has not yet been concluded. Without it, providers face the prospect of being lawfully ordered to disclose by an EU prosecutor while being lawfully prohibited from doing so by US statute.
- Burden on small and mid-sized providers. The legal-representative regime in Directive 2023/1544 is a fixed cost that falls disproportionately on startups and non-US foreign providers. Big Tech can absorb it. A 30-person German encrypted-messaging startup cannot easily.
- Limited transparency. Unlike the US framework, there is no statutory obligation to permit aggregate transparency reporting on EPO volumes — a baseline accountability tool that civil society has rightly campaigned for.
What a Better Regime Would Look Like
A proportionate cross-border evidence framework would preserve the EU's speed gains while doing four things the current text does not adequately do.
First, it would require independent judicial authorisation for content data in every case — not just at the issuing state's discretion. Second, it would build in meaningful, time-bounded refusal grounds for the executing state, including freedom-of-expression and dual-criminality checks. Third, it would condition extra-territorial application on a concluded US-EU executive agreement, rather than racing ahead and creating a conflict-of-laws minefield. Fourth, it would mandate annual aggregate transparency reports, both from issuing authorities and from providers.
The Stakes for the Open Internet
The risk is not that the E-Evidence Regulation produces a chilling effect overnight. The risk is slower and structural: that providers, faced with overlapping and contradictory legal orders, begin to geofence services, withdraw from smaller European markets, or quietly route around EU users. That outcome would be bad for European competitiveness, bad for European law enforcement, and bad for the open internet writ large.
August 2026 is not a moment for triumphalism in Brussels or panic in Silicon Valley. It is a moment to finish the US-EU agreement, publish clear implementing guidance, and commit to a serious post-implementation review on the two-year anniversary. The principle of faster cross-border evidence access is sound. The details, as ever, are where civil liberties and innovation will be won or lost.