By 18 August 2026, certain providers must be ready to comply with a new law enforcement data request regime with demanding deadlines and serious sanctions for non-compliance.
The EU’s e-Evidence Package, comprising Regulation (EU) 2023/1543 and Directive (EU) 2023/1544, will impose new and far-reaching obligations on (i) telecoms / electronic communications service providers, (ii) domain name registries etc, and (iii) information society service providers whose core activity is messaging or storage of user data, insofar as they “offer services in the Union” (a concept described in the Regulation).
Under the new regime, EU Production Orders and/or Preservation Orders originating from judicial authorities in other EU Member States may be transmitted to providers through a new Irish authority (see below). An affected provider must appoint an EU-based recipient for these EU Orders if it does not have an establishment in the EU itself.
The EU’s e-Evidence Package is intended to facilitate judicial authorities across the EU getting quicker replies to requests for data needed for criminal investigations / prosecutions. The regime will also involve greater coordination and reporting on use of the regime between authorities across the EU.
The e-Evidence Package will be incorporated into Irish law shortly, with Ireland being subject to February 2026 EU deadlines for certain matters. A new Irish authority will be established pursuant to the Irish implementing legislation, the Criminal Justice International Cooperation Office, and this may ultimately acquire wider functions including related to the EU US Cloud Act Agreement, terrorist content regulation, and domestic production / preservation orders.
This week, the Irish Minister for Justice stated as follows, underscoring the huge workload and importance attaching to this new regime:
“Ireland’s role is central to implementation of the E-evidence package. It is expected that over 600 service providers could designate their ‘addressee’ in the State, and it’s estimated that the number of production orders issued to those service providers will be in the hundreds of thousands annually. ….Progress will enhance Ireland’s reputation as a hub for digital regulation and ensure effective and timely access to digital evidence in tackling serious crime to the benefit of all EU citizens.”
While the Irish legislation has yet to be enacted, it is expected that:
- The fundamental legal rules and responsibilities of service providers are already clear from the Regulation (EU) 2023/1543, such that service providers can progress readiness preparations now.
- The Irish Criminal Justice International Cooperation Office will receive European Production and Preservation Orders from overseas, liaise with the providers to whom Orders are addressed (or their representatives), and enforce compliance including through the imposition of significant financial penalties.
- Irish District courts will issue European Production and Preservation Orders (to be delivered to service providers established in other EU countries).
While having a single point of contact in Ireland for law enforcement requests from other EU countries may be a positive development for service providers based in Ireland who currently deal with multiple authorities, the new regime will impose very challenging deadlines including a general 10 day deadline for production.
There is a lot of detail for service providers to get familiar with in Regulation (EU) 2023/1543, including on the rules on (i) who can issue Orders, (ii) what data can be covered, (ii) where data covered can be stored (in some cases relating to data stored for State authorities, only the EU Member State in the storage location can issue an Order), and (iii) what limited reasons can be relied on by a provider for not producing or preserving data sought by an Order. Providers may need legal advice on interpretation of these rules, and to do so pre-emptively given the above-noted 10 day deadline.
It is important that affected service providers start work now on ensuring compliance with this new regime. Where a representative in the EU needs to be appointed, this must be done promptly as the new Irish authority can be expected to demand such details once it is established. Where a service provider already has an architecture in place within its Irish operation to deal with incoming law enforcement requests, a project will be needed to consider what adjustments to that architecture are required given the new regime to protect the service provider from serious sanctions and reputational damage arising from non-compliance, while at the same time ensuring that the service provider is not releasing data where a legal exception applies pursuant to Regulation (EU) 2023/1543 and/ or other EU law rules.
As Ireland’s leading advisor on regulatory compliance in the telecoms sector for many years, Matheson is deeply familiar with the relevant challenges arising from this new regime. Please get in touch with your regular Matheson contact or the author of this piece, Kate McKenna, with any queries.