In March 2026, Europol coordinated its largest-ever referral action targeting terrorist audio propaganda, referring over 1,100 hours of online extremist talks and chants for removal from digital platforms. The operation is part of a broader action by law enforcement against emerging terrorist and violent extremist trends in online radicalisation and recruitment. Countering this threat depends not only on removing violative content fast. It also depends on law enforcement’s capacity to access electronic evidence in terrorism investigations, which hinges on collaboration with service providers.
To address this, in April 2018, the European Commission put forward a long-awaited legislative proposal on e-evidence. The proposal consisted of two interconnected instruments: a Regulation on European Production and Preservation Orders for electronic evidence in criminal matters, and a Directive establishing common rules for appointing legal representatives to facilitate the collection of such evidence. The aim of the proposal was to formalise the largely voluntary cooperation between internet service providers (ISPs) and law enforcement agencies seeking cross-border electronic evidence.
Given the transnational context created by information and communication technologies (ICTs), police and judicial authorities face challenges in collecting necessary data from ISPs headquartered in the United States, due to the extraterritorial location of the data. Most of the companies that processed, stored, or transmitted digital information were foreign service providers subject to their own national restrictions and could only transfer non-sensitive data. Moreover, under voluntary cooperation, companies like Google, Apple, and Microsoft would decide whether to transfer data, based on their own assessments of necessity and proportionality (p.59). These assessments did not always align with the operational needs of law enforcement, reflecting the tension between investigative requirements and companies’ legal and privacy obligations, and at times hindering timely access to evidence.
The Regulation and Directive were negotiated for five years before the final text was published in the Official Journal on the 28th of July 2023.
This Insight will analyse the main features of this new legal framework, its relevance for terrorism investigations, and the admissibility of evidence. Questions remain as to how the framework’s conflicting provisions will accommodate industry needs in criminal investigations requiring greater legal certainty and security than the regulation currently provides.
What Does the e-Evidence Regulation and Directive Bring to the EU?
On the 18th of August this year, the e-Evidence Regulation and Directive will come into full effect in the European Union. Member States had until the 18th of February to transpose the Directive into national law, while the Regulation will be directly applicable as a matter of EU law from August onwards. From then on, law enforcement agencies in one EU member state will be able to directly compel service providers in another member state to produce or preserve electronic evidence, without needing the other state’s active cooperation.
The Regulation applies to online service providers that offer services in the EU. “Service provider” is understood to be any provider that offers electronic communication services on the territory of the EU (Article 3 (3) of the Regulation).
In practice, the e-Evidence Regulation should serve as a unified framework for law enforcement agencies seeking to access electronic data in serious criminal investigations, offering a faster and more effective alternative to previous international cooperation and mutual legal assistance tools. The Regulation departs from the territoriality principle to address the ‘loss of location’ of stored data and introduces a new system of direct cooperation in EU criminal justice. By contrast, the Directive requires service providers operating in the EU to appoint a legal representative to receive and comply with judicial orders for the collection or preservation of electronic evidence. While it facilitates more direct and efficient access to such evidence, it does not address the challenges posed by national laws that affect providers outside the EU. Similar to its US counterpart (the CLOUD Act), the e-Evidence Regulation sought to address issues related to data localisation. Yet, its structural limitation (see the testimony of Jennifer Daskal, p. 7) lies in the stalled negotiations over an EU-US agreement that would allow the transfer of sensitive data by US-based service providers. Until then, the e-evidence package will only apply to service providers that are established and offer services in the EU (see Article 3 of the Regulation).
What is New For Service Providers?
In 2026, several factors will influence the work of service providers operating in the EU.
Before the e-Evidence Regulation, the Mutual Legal Assistance Treaty was the primary instrument for obtaining sensitive traffic and content data from service providers headquartered in the United States. Member States also adopted domestic legislation with extraterritorial effects to fill the gaps, but ended up creating a patchwork of overlapping jurisdictional obligations. This is one of the reasons why the Regulation was deemed necessary.
Beyond the ongoing inability to access data due to the US ‘blocking statute’ (for a deeper analysis, see A.K. Woods and K. Propp), the new legal framework is one among several coexisting instruments governing criminal-law cooperation for evidence in the European Union. That is why service providers established in Ireland will have to nominate a separate legal representative in another EU Member State for the service of the European Investigation Order. The reason is that Ireland has not yet opted into the EIO and will not do so by August 18th this year.
The second change is a procedural detail that service providers have relied on to maintain legal operations under the EU General Data Protection Regulation (GDPR). Prior to the EPO and EPO-PR, service providers conducted their own necessity and proportionality assessments to verify that disclosure requests complied with the GDPR. The e-Evidence Regulation will challenge service providers in this practice. First, it removes the legal basis on which service providers could expect or request such justification. Section “M” of the Regulation, which sets out the contents of the EPO and EPO-PR certificate, limits access to the necessity and proportionality assessment to the enforcing authority in cases where notification is required, thereby explicitly excluding service providers.
Furthermore, the Regulation and the GDPR do not clearly speak to one another on the central question of who is a data controller and who is a data processor (see G. Robinson, Section 3.3.2, p. 85). The distinction is significant for the purposes of lawful access and transfer of evidence. Under the GDPR Article 28, a processor is prohibited from touching, processing, or disclosing data without the controller’s instruction. Where law enforcement seeks untargeted data in a criminal investigation (i.e. so-called “enterprise data”, referring to an entire email domain rather than an individual account) from a processor that does not control the requested data, this places the processor in a difficult position.
In practice, when faced with overly broad requests (p. 14-15), service providers have typically sought either to redirect law enforcement to a narrower order (p. 59) or to notify the enterprise customer whose data is at stake to avoid potential litigation.
This occurred in 2014, when an FBI National Security Letter containing a non-disclosure clause that prevented Microsoft from notifying the affected enterprise customer was successfully challenged in court. Microsoft’s reasoning was that the non-disclosure order constituted an unconstitutional prior restraint on free speech under the First Amendment of the US Constitution. The second option is rarely straightforward, as serious crime and terrorism investigations require higher precautions and often resist prior notification of the data owner for operational security.
The grounds on which service providers may refuse or seek clarification before executing a European Production Order are deliberately narrow and do not include data protection concerns under the GDPR (p. 80). In practice, providers may only raise issues relating to immunities and privileges, potential conflicts with third-country laws, or administrative errors in the order itself.
This reduction in non-execution grounds on the part of the service providers was widely debated. During the trialogue negotiations, both the European Commission and the European Parliament proposed broader grounds for refusal. The Commission suggested that providers should be able to refuse execution in cases of a manifest violation of the EU Charter of Fundamental Rights (Article 9(5) of the Commission’s proposal). The European Parliament went further, proposing refusal where an order was manifestly abusive or beyond its purpose (Article 10(6) of the EP Report). Both proposals were criticised by industry and law enforcement interests alike and were ultimately removed from the final text of the Regulation, leaving service providers with no formal mechanism to raise substantive legal objections.
What is New for Counter-Terrorism and Terrorism Investigations?
Prior to the implementation of the e-Evidence Regulation, requests for data for terrorism investigations were sent to service providers in two ways. Urgent requests were usually sent directly to service providers via the Emergency Disclosure Request (EDR) procedure (p. 55) for non-content data, such as IP addresses. For such instances, there is already a functioning legal framework with a clear legal basis under GDPR, given the imminent threat to life and physical integrity. Content data has a higher threshold and therefore requires a state-to-state procedure, such as an MLAT or a European Investigation Order, even in emergency cases.
From August 2026, the e-Evidence Regulation will apply to content, traffic, and non-content data. What remains unclear is whether, in the absence of justifications in the order certificate, the enforcing authorities will provide practical guidance to service providers on handling emergency requests for content data when no justification is provided.
What is clear is that the Regulation focuses on the production of evidence and does not dwell on the differing admissibility standards across the EU, leaving it to Member States to determine the potential consequences of an invalid or abusive EPO. Given the near-impossibility for service providers to challenge the execution of an order, except on a limited set of grounds, it ultimately remains at the discretion of the issuing state whether unlawfully obtained e-evidence may be used to secure a conviction.
Finally, under Article 15(2), compliance with the Regulation protects service providers from any liability that might arise from the transfer of data. However, it is important to remember that indemnity under one piece of legislation does not shield from liability under another. Where these gaps go unaddressed, the admissibility of evidence, the legal integrity of serious crime and terrorism prosecutions, and the trust relationship between service providers and judicial authorities will be called into question.
Conclusion and Recommendations
Electronic evidence is now central to serious crime and terrorism investigations. The e-Evidence Regulation enters into application at a “turning point” for EU criminal justice as it formalises direct cooperation between tech companies and law enforcement seeking electronic evidence.
The discrepancies raised during the negotiations between the Regulation and industry practice (expressed by NGOs and industry representatives) persist in the final text of the Regulation, and it remains to be seen how these legal and practical questions will be answered come August.
Before then, service providers can prepare to receive European Production and Preservation Orders by taking steps to clarify their internal procedures under the new Regulation.
Actively support the rollout of European Production Orders
Service providers should actively encourage law enforcement to use the EPO Certificates to request electronic evidence rather than through parallel voluntary cooperation or DSA channels. The Regulation is not exclusive to the EPO, meaning that authorities in EU Member States can still use other routes. By gradually phasing out voluntary cooperation in favour of EPOCs, service providers can influence a practice that can create predictability and legal clarity for all parties involved.
Map data controller/processor exposure
As already expressed, the data controller/processor distinction is one of the most under-addressed issues in the Regulation. Companies could conduct a legal audit of how their GDPR Article 28 obligations interact with the Regulation’s mandatory compliance requirements, particularly for enterprise data. An audit can expose and document companies’ good-faith efforts to comply with the Regulation, while also showing structural incompatibilities. It remains to be seen whether and how the European Data Protection Board will issue guidance in the coming months or years on how service providers should reconcile their GDPR obligations with mandatory EPOC compliance.
–
Isabella Pirlogea is a Marie Salomea Skłodowska Curie PhD candidate at Leiden University and a Research Fellow at the International Centre for Counter-Terrorism (ICCT) in The Hague.