How do you prepare for eEvidence?

In 2026, eEvidence will come into force in Europe. This regulation and accompanying directive, which will be implemented in national legislation, will ensure that Member States will soon be able to request direct access to electronic evidence (e-evidence) from providers offering digital services in Europe. That is why NBIP discusses in this article how providers should prepare for eEvidence.

According to the European Commission, in more than half of all criminal investigations, authorities now submit requests to obtain electronic evidence (‘e-evidence’). This includes emails, chat messages and account information.

However, according to the European Commission, obtaining this data is a lengthy legal process. This is particularly true if the data is stored on servers located in other European countries. That is why the European Commission has proposed two new rules under the heading of eEvidence. With eEvidence, Member States will soon be able to request direct access to electronic evidence from providers offering services in Europe.

What is eEvidence?

The eEvidence package consists of a regulation and a directive. The regulation is directly applicable, which means that it does not need to be transposed into national law but will enter into force directly in the Member States. This will happen on 18 August 2026.

The directive must be transposed into national law. At the time of writing, it is not yet known when the bill will be published. According to the directive, it must be transposed by all Member States by 18 February 2026. We will update this article as soon as more information becomes available.

The regulation and the directive regulate the following matters:

Regulation

The regulation establishes the legal basis for competent authorities to access stored data within a Member State. This falls under the disclosure order. It also states that providers must respond within 10 days, or in urgent cases within 8 hours. Currently, a period of 120 days still applies to disclosure orders, and a period of ten months applies to mutual legal assistance procedures.

The preservation order prevents a provider from deleting electronic evidence while the disclosure order is still pending.

Directive

According to the directive, providers who are not established in the European Union but offer services here must appoint a legal representative in a Member State. This representative is responsible for receiving, complying with and implementing orders and decisions relating to eEvidence.

Who will be affected by eEvidence?

The directive and regulation apply to providers of:

  • public electronic communications networks
  • internet domain names and IP numbering
  • communications, storage and processing services


As a provider covered by eEvidence, you must be registered with the Netherlands Authority for Consumers and Markets (ACM). The ACM acts as the supervisory authority for eEvidence and ensures that companies register in the European Commission’s Court Database (CDB) in a timely manner. If companies fail to register (in a timely manner) or to keep their data up to date, the ACM can enforce compliance under administrative law.

What is expected of me as a provider within eEvidence?

From March 2026, providers offering their services in the European Union must designate at least one addressee (i.e. a designated establishment) or legal representative (if the provider is not the legal representative) who ensures that the addressee can receive and comply with orders addressed to it.

For some European production orders for the delivery of traffic or content data, the authorities in the Member State of the designated establishment or legal representative (enforcement authorities) of the provider receive the order at the same time as the provider. However, they may refuse an order on the following grounds:

    • The requested data is protected by immunities or privileges or is subject to rules on the determination or limitation of criminal liability relating to freedom of the press or freedom of expression that are applied in the Member State where the provider is established.
    • The order:
      • could lead to a clear violation of the fundamental rights of the person whose data is being requested;
      • is contrary to the principle that a person cannot be tried again in criminal proceedings for an offence for which that person has already been finally acquitted or convicted within the EU.
    • The act referred to in the order is not a criminal offence in the executing State.

If a provider fails to comply with an order, the enforcement authority may impose a fine under criminal law or proceed with prosecution if the provider remains in default. However, this is a last resort. The supervisory authority for the eEvidence Directive will first impose a fine under administrative law when it receives a complaint about a provider from a Member State and after conducting its own investigation. This fine can amount to up to 2% of the provider’s total global annual turnover.

What does eEvidence look like in practice?

A platform is being developed in Europe, with a connection point in each European Member State for accessing, sending and receiving requests. The platform will be used by both the applicant and the provider.

It is important to note that there will be no European data storage. There will be national connection points for government and service providers.

The legitimacy of competent authorities is guaranteed in the following respects:

  • Information is specified per Member State in the IT system and electronic signatures are provided.
  • An eEvidence order can only be sent to the provider via the Dutch national connection point.

When will eEvidence come into force?

Within the Netherlands, the Ministry of Justice and Security (J&V) is responsible for implementing eEvidence in national legislation. According to the European Commission, the directive must be transposed into national legislation by 18 February 2026 at the latest.

It is important to note that the regulation will apply within the European Union as of 18 August 2026. From that moment on, Dutch providers of a public electronic communications service or network may also receive direct requests from competent European authorities to share requested data.

What is the role of NBIP?

Through the lawful interception and disclosure service (Tapdienst) – which has been helping NBIP participants receive, check and process requests for more than 25 years – the team has extensive expertise in handling eEvidence requests on behalf of participants. For many organisations, processing claims can be a financial and organisational burden that is not always easy to bear. That is why the lawful interception and disclosure service (Tapdienst) will soon also offer a solution for eEvidence claims by jointly resolving this common issue in the sector.
