European Regulations

Digital evidence in EU criminal proceedings: what digital service providers must do

E
Equipo Editorial CambiosLegales
13 Jul 2026 7 min 11 views

Key data

RegulationAmendment to Regulation (EU) 2023/1543 of the European Parliament and of the Council, of 12 July 2023
Publication13 July 2026 (OJEU OJ:L_202690580)
Entry into forceNot specified in the amendment
Affected partiesDigital service providers, judicial and prosecutorial authorities of the EU
CategoryEuropean Regulation
Reference standardRegulation (EU) 2023/1543 — OJ L 191 of 28.7.2023
Impact analysis reserved for PRO
The detailed impact analysis of this regulation is available for users with a PRO plan or higher. Access the full content and receive personalized alerts.
From €9.99/month · Cancel anytime

Digital service providers operating in the European Union are obliged to respond to cross-border judicial orders for production and preservation of electronic evidence, regardless of the Member State in which they are established. This obligation derives from Regulation (EU) 2023/1543, originally published in the Official Journal on 28 July 2023, and whose technical amendment was just published on 13 July 2026.

The amendment published under the reference OJ:L_202690580 is technical in nature and does not alter the substantive regulatory framework. However, its publication is a clear signal that European institutions are consolidating and refining the text to ensure its correct practical application. For digital providers, this means that the framework is definitive and enforceable.

What does this regulation establish?

Regulation (EU) 2023/1543 creates a unified European mechanism through which the judicial authorities of one Member State can address directly a service provider established in another Member State to require two types of actions:

  • European production orders: oblige the provider to deliver specific digital data relevant to a criminal investigation or to the execution of custodial sentences.
  • European preservation orders: oblige the provider to retain and preserve digital data to prevent its loss or destruction while a formal delivery request is being processed.

The most disruptive element for companies is the elimination of the state intermediary: previously, requests for data between countries required channels of international judicial cooperation, which were slow and complex. With this regulation, the foreign judicial authority can contact the provider directly, which is obliged to respond within the strict timeframes set by the text.

The amendments published in July 2026 are technical in nature and do not modify these substantive mechanisms, but ensure consistency and correct application of the text in all official EU languages.

Economic and operational impact

For a digital service provider, complying with this regulation is not free. It involves investment in internal processes, qualified personnel and technical systems. The main vectors of operational cost are:

  • Designation of a legal representative in the EU if the provider is established outside European territory but provides services within it.
  • Urgent response protocols to handle orders within the strict timeframes established by the regulation.
  • Data preservation systems that allow isolating and preserving specific information without altering the rest of the data environment.
  • Legal review of each order received to verify its formal validity before executing it, since the regulation also establishes grounds for denial or challenge.

The most relevant financial risk is that derived from non-compliance: the regulation provides for significant penalties for providers that do not comply with orders on time or that do not have adequate mechanisms. Although the text of the amendment does not specify concrete penalty amounts, the qualification of "significant" in the European regulatory framework usually translates into fines proportional to the provider's turnover.

Who does it affect?

  • Communication and messaging platforms (email, instant messaging, videoconferencing).
  • Web hosting and cloud service providers that store data of European users.
  • Social networks and content platforms with users in the EU.
  • Marketplaces and e-commerce platforms that manage transaction and user data.
  • Internet service providers (ISPs) and telecommunications operators with presence in the EU.
  • SaaS companies that provide services to European clients and manage data on their behalf.
  • Judicial and prosecutorial authorities of all Member States, as issuers of the orders.

Both companies established in the EU and those established outside that provide services to European users are affected, provided they do not have a specific exemption under the regulation.

Practical example

Imagine a Spanish company that offers a cloud storage service (SaaS) with clients in Germany, France and Italy. A German judge investigating a fraud case detects that one of his suspects used this platform to store relevant documents.

With Regulation (EU) 2023/1543 in force, that German judge can directly issue a European production order directed at the Spanish company, requiring the delivery of that user's specific data. The Spanish company is obliged to respond within the strict timeframe set by the regulation, without any judicial cooperation procedure between Spain and Germany.

If the company does not have internal protocols to manage this type of orders, or if it does not have a designated legal representative to receive them, it incurs non-compliance from day one, with the consequent risk of significant penalties.

Do you need to track this and other regulations?

Consult the full details in CambiosLegales

What should companies do now?

  1. Audit whether your company is within the scope of application: review whether you provide digital services to users in the EU and whether you manage data that could be relevant in criminal investigations. If the answer is yes, the regulation applies to you.
  2. Designate a legal representative in the EU: if your company is established outside the EU but provides services within it, you must have a designated legal representative who can receive and manage the orders.
  3. Establish an internal protocol for responding to European judicial orders: define who receives the order, who validates it legally, who executes the delivery or preservation of data and within what timeframes.
  4. Review your technical data preservation systems: ensure that you can isolate and preserve a specific user's data without affecting the rest of the environment, and that you can do so quickly.
  5. Consult with legal advisors specialized in European digital law: the regulation establishes grounds for denial and challenge that your company must know about to avoid executing invalid orders or rejecting legitimate ones.
  6. Train the responsible team: legal, compliance and operations personnel must know the procedure and timeframes before receiving the first order.

Frequently asked questions

What is a European production order and within what timeframe must you respond?

It is an order issued by a judicial authority of an EU Member State that obliges a digital service provider to deliver specific data relevant to a criminal investigation. Regulation (EU) 2023/1543 establishes strict response timeframes, although the exact amounts of the timeframes should be consulted in the full text of the regulation, since the amendment published on 13 July 2026 is technical in nature and does not modify them.

Does this regulation affect technology companies established outside the EU?

Yes. Regulation (EU) 2023/1543 applies to all digital service providers that provide services to users in the EU, regardless of where they are established. Companies outside the EU must designate a legal representative in European territory to be able to receive and manage the orders.

What is the difference between a production order and a preservation order?

The production order obliges the provider to deliver the requested data to the judicial authority. The preservation order obliges the provider to retain and preserve that data to prevent its loss or destruction, while the delivery request is formally processed. Both figures are regulated by Regulation (EU) 2023/1543.

What happens if my company does not comply with a European production or preservation order?

Non-compliance can result in significant penalties under Regulation (EU) 2023/1543. Although the technical amendment published on 13 July 2026 does not specify concrete penalty amounts, the European framework usually provides for fines proportional to the provider's turnover. In addition, non-compliance may generate additional legal liability in the Member State that issued the order.

Does the amendment published in July 2026 change anything for my company?

It does not change the substantive regulatory framework. The amendments are technical in nature and serve to ensure the correct application of the text in all official EU languages. The framework of obligations for digital service providers remains intact. Its publication confirms that the regulation is consolidated and fully enforceable.

Official source

Consult the complete regulation in the official source

Disclaimer: This article is for informational purposes only and does not constitute legal advice. For specific decisions, consult a qualified professional. Source: https://eur-lex.europa.eu/./legal-content/AUTO/?uri=OJ:L_202690580



Share:
E
Equipo Editorial CambiosLegales

El equipo editorial de CambiosLegales analiza diariamente los cambios normativos que afectan a empresas y autónomos en España, ofreciendo análisis pro...

Comments

No comments yet. Be the first to comment!

Leave a comment
Get free alerts