Back to EUR-Lex homepage

EUR-Lex Access to European Union law

Back to EUR-Lex homepage

This document is an excerpt from the EUR-Lex website

Use quotation marks to search for an "exact phrase". Append an asterisk (*) to a search term to find variations of it (transp*, 32019R*). Use a question mark (?) instead of a single character in your search term to find variations of it (ca?e finds case, cane, care).
Search tips
Need more search options? Use the Advanced search
You are here

Summaries of EU Legislation

Electronic evidence in criminal proceedings

 

SUMMARY OF:

Regulation (EU) 2023/1543 on European Production and Preservation Orders for electronic evidence in criminal proceedings and for the execution of custodial sentences following criminal proceedings

Directive (EU) 2023/1544 laying down harmonised rules on the designation of designated establishments and the appointment of legal representatives for the purpose of gathering electronic evidence in criminal proceedings

WHAT IS THE AIM OF THE REGULATION AND THE DIRECTIVE?

Regulation (EU) 2023/1543 aims to:

  • enable national judicial authorities involved in criminal proceedings to order service providers* offering services in the European Union (EU) to produce or preserve electronic evidence wherever the data may be located;
  • make cross-border access to electronic evidence easier and quicker and prevent its deletion, while ensuring legal safeguards for people whose data are sought.

Directive (EU) 2023/1544 requires certain service providers offering services in the EU to have designated establishments or appointed legal representatives in the EU so they can receive and comply with orders from national authorities for the purpose of gathering electronic evidence in criminal proceedings.

KEY POINTS

Regulation (EU) 2023/1543 applies to service providers providing one or more of the following categories of services in the EU:

  • electronic communications;
  • internet domain names and IP numbering;
  • communication, storage and processing services.

The regulation does not apply to providers providing:

  • financial services (i.e. banking, credit, insurance, reinsurance, occupational or personal pensions, securities, investment funds, payment and investment advice);
  • services exclusively within their own EU Member State.

European Production Orders* and European Preservation Orders* may only be issued:

  • during criminal proceedings and to execute custodial sentences or detention orders of at least 4 months;
  • for specific data that service providers hold (see key terms).

The authority issuing a European Production Order must inform the person whose data are being requested. As a rule, this must happen without undue delay; however, it can be delayed if, for example, doing so would endanger the investigation. The person can challenge the legality of the order before a court in the issuing Member State (right to effective remedies).

European Production and Preservation Orders and certificates

  • A judge, court, investigating judge or, for the least intrusive data categories, a public prosecutor may issue a European production or preservation order.
  • The orders can be sent directly to the service provider in another Member State without any prior involvement by that country’s authorities.

European Production Orders:

  • must be necessary for and proportionate to the criminal proceedings;
  • must respect the suspect’s or accused’s rights;
  • can only be issued under the same conditions as for a similar domestic case;
  • must comply with other conditions, including any immunities or privileges granted, and the determination and limitation of criminal liability relating to freedom of the press or freedom of expression, depending on whether they request subscriber, identification, traffic or content data;
  • include specific information, such as the issuing authority, addressee, requested data and time range, applicable provisions of the issuing Member State’s criminal law and summary of the case;
  • are, as a rule, addressed to the service provider controlling the personal data (controller).

European Preservation Orders:

  • must be necessary and proportionate to prevent the removal, deletion or alteration of data which may subsequently be requested;
  • can be issued for all criminal offences if they could have been issued under the same conditions for a similar domestic case;
  • include specific information, such as the issuing authority, addressee, requested data and time range and applicable provisions of the issuing Member State’s criminal law.

Orders are addressed directly, through a European Production Order certificate (EPOC) or a European Preservation Order certificate (EPOC-PR), to a service provider’s designated establishment or legal representative.

Complying with European Production Order certificates

Addressees:

  • must act expeditiously, on receipt of an EPOC, to preserve the data requested;
  • must transmit the data within 10 days;
  • must transmit the data within 8 hours in emergency cases (although the data may not be used if their national authority objects to the EPOC in certain cases);
  • must inform both the issuing and enforcing authorities if they believe the EPOC could interfere with immunities or privileges or with rules on the determination or limitation of criminal liability in relation to freedom of the press or freedom of expression.

They must explain to the issuing authority, without undue delay, if they cannot produce the data because of one of the following issues.

  • The EPOC is incomplete, contains manifest errors or provides insufficient information. The authority has 5 days to respond.
  • Data are unavailable due to circumstances beyond their control. If the authority agrees, it informs the addressee.
  • There is any other reason for their non-compliance, such as the order could conflict with the law of a non-EU country where the data may be stored.

Complying with European Preservation Order certificates

Addressees:

  • must act immediately, on receipt of an EPOC-PR, to preserve the data requested;
  • hold the data for 60 days, extendable for a further 30 days by the issuing authority, at which point the preservation then ends, unless the issuing authority has, in the meantime, issued a subsequent request, for example via mutual legal assistance, for the data to be handed over or held for a further 30 days;
  • may raise objections to the order on the same grounds as for an EPOC (i.e. immunities or privileges, incomplete or manifest errors, circumstances beyond their control, other reasons).

Notification of another Member State

For some European Production Orders for traffic or content data, authorities in the Member State of the provider’s designated establishment or legal representative (enforcing authorities) will receive the order at the same time as the provider. They may refuse it on the following grounds.

  • The data requested are protected by immunities or privileges or covered by rules on the determination or limitation that relate to freedom of the press or freedom of expression of criminal liability applied in the enforcing state.
  • The order:
    • could entail a manifest breach of the fundamental rights of the person whose data are sought;
    • is contrary to the principle that a person cannot be tried again in criminal proceedings for an offence for which they have already been finally acquitted or convicted within the EU (ne bis in idem).
  • The conduct cited in the order is not an offence in the enforcing state.

Orders which are refused will be withdrawn. However, the enforcing authority may object to the transfer of only certain data. Before the enforcing authority raises a ground for refusal, the orders can be amended.

Penalties and enforcement

  • Member States must implement effective, proportionate and dissuasive financial penalties for non-compliance. These can reach 2% of the service provider’s total worldwide annual turnover.
  • Issuing authorities may request enforcing authorities to enforce the order if the service provider, without giving acceptable reasons, fails to comply with an EPOC within the deadline or with an EPOC-PR.

All written communications between national authorities and service providers’ designated establishments or legal representatives are carried out through a secure and reliable decentralised IT system. Annexes to the regulation contain the forms to be used.

The European Commission:

  • adopts implementing and delegated acts;
  • must establish, by 18 August 2026, a programme to monitor the regulation’s output, results and impact;
  • must evaluate the regulation by 18 August 2029.

Directive (EU) 2023/1544

The directive applies to service providers supplying:

  • electronic communications;
  • internet domain names and IP numbering;
  • communication, storage and processing services.

The directive does not apply to providers supplying:

  • financial services (i.e. banking, credit, insurance, reinsurance, occupational or personal pensions, securities, investment funds, payment and investment advice);
  • services exclusively within their own Member State.

Providers offering their services in the EU must, by 18 August 2026, designate or appoint at least one addressee, either a designated establishment (if they are established in the EU) or a legal representative (if they are not), to ensure they can receive and comply with orders addressed to them.

Member States must:

  • set out rules on penalties for non-compliance;
  • designate one or more central authorities to ensure proper application of the directive.

The Commission will evaluate the directive by 18 August 2029.

FROM WHEN DO THE REGULATION AND THE DIRECTIVE APPLY?

The regulation applies from 18 August 2026.

The directive has to be transposed into national law by 18 February 2026.

BACKGROUND

Electronic evidence – digital data, such as emails, text messages and traffic data – is estimated to be relevant in 85% of all criminal investigations in the EU. The data are often held in a different country from where the offence, whether it be a terrorist attack, cybercrime, online hate post or sharing of child abuse material, is committed, and are easy to delete.

For further information, see:

KEY TERMS

Service provider. In the context of this legislation, any entity providing electronic communications, internet domain names, IP numbering and addresses, or data storing services.
European Production Order. A judicial decision ordering the handing over of electronic evidence.
European Preservation Order. A judicial decision ordering preservation of electronic evidence, which may subsequently be requested.

MAIN DOCUMENTS

Regulation (EU) 2023/1543 of the European Parliament and of the Council of 12 July 2023 on European Production Orders and European Preservation Orders for electronic evidence in criminal proceedings and for the execution of custodial sentences following criminal proceedings (OJ L 191, 28.7.2023, pp. 118–180).

Directive (EU) 2023/1544 of the European Parliament and of the Council of 12 July 2023 laying down harmonised rules on the designation of designated establishments and the appointment of legal representatives for the purpose of gathering electronic evidence in criminal proceedings (OJ L 191, 28.7.2023, pp. 181–190).

last update 17.11.2023

Top