By 18 August 2026, certain providers must be ready to comply with a new law enforcement data request regime with demanding deadlines and serious sanctions for non-compliance.
Background
Last week, the Irish Government published the draft text to the Criminal Justice (International Cooperation on Electronic Evidence and Other Matters) Bill 2026 (“the Bill“). The Bill has primarily been drafted to give effect to the EU’s e-Evidence Package and to establish the Office of Director of Criminal Justice International Cooperation (the “CJICO”). The EU’s e-Evidence Package, comprising Regulation (EU) 2023/1543 and Directive (EU) 2023/1544, will impose new and far-reaching obligations on (i) telecoms / electronic communications service providers, (ii) domain name registries etc, and (iii) information society service providers whose core activity is messaging or storage of user data, insofar as they “offer services in the Union” (a concept described in the Regulation).
Under the new regime, EU Production Orders and / or Preservation Orders originating from judicial authorities in other EU Member States may be transmitted to providers through the CJICO. An affected provider must appoint an EU-based recipient for these EU Orders if it does not have an establishment in the EU itself (see below).
The EU’s e-Evidence Package is intended to facilitate judicial authorities across the EU getting quicker replies to requests for data needed for criminal investigations / prosecutions. The regime will also involve greater coordination and reporting on use of the regime between authorities across the EU. Commentators have raised concerns about the balance struck by the e-evidence Package between (i) law enforcement authorities’ wish for urgent production of evidence, and (ii) the fundamental rights of citizens. The regime is based on mutual trust (in the rule of law across all EU Member States ensuring that requests made under the regime are lawful) and accordingly leaves limited scope for companies to refuse requests based on user rights concerns.
The e-Evidence Package will be incorporated into Irish law shortly. Under the Bill, the CJICO is also due to acquire wider functions relating to the Terrorist Content Online Regulation.
As Ireland is at the forefront of digital regulation in the EU, it is anticipated that the CJICO will be “one of the EU’s busiest and most strategically significant in the justice domain”. In 2025, the Irish Minister for Justice stated as follows, underscoring the huge workload and importance attaching to this new regime:
“Ireland’s role is central to implementation of the E-evidence package. It is expected that over 600 service providers could designate their ‘addressee’ in the State, and it’s estimated that the number of production orders issued to those service providers will be in the hundreds of thousands annually. ….Progress will enhance Ireland’s reputation as a hub for digital regulation and ensure effective and timely access to digital evidence in tackling serious crime to the benefit of all EU citizens.”
Legislation
The Bill has been listed as priority legislation under the Government’s summer legislative programme, and will likely be expedited through the Dáil’s legislative procedure. Separately, the Government has also begun the process to appoint the Director of Criminal Justice International Cooperation (the “Director”). Once appointed, the Director will be tasked with ensuring that CJICO is ready to discharge its statutory obligations upon commencement of the e-Evidence package on 18 August 2026. It is currently envisaged that the CJICO will have circa 150 staff members working across its divisions.
While the draft text of the Bill is subject to amendment, the following key points are worth highlighting to stakeholders:
- The CJICO will receive European Production and Preservation Orders from overseas, liaise with the providers to whom Orders are addressed (or their representatives), and enforce compliance including through the imposition of significant financial penalties;
- Irish District Courts will issue European Production and Preservation Orders (to be delivered to service providers established in other EU countries);
- service providers that are established in the State and offer services in the State are under an obligation to designate a “designated establishment” for the receipt of, and compliance with EU Orders and decisions by the Director;
- service providers that are not established in the State, but nevertheless offer services in the State, must appoint a legal representative for the receipt of compliance with and enforcement of and appoint a legal representative for the receipt of EU Orders and decisions by the Director;
- upon request from the Director, service providers may be obliged to provide compliance reports to CJICO;
- in certain circumstances, “Authorised Officers” appointed by the Director may inspect service providers’ premises as part of the CJICO’s investigatory powers; and
- service providers may be issued with significant fines for failure to comply with an order of up to 2% of their total annual worldwide turnover in the financial year preceding the relevant contravention. Further, it is a criminal offence to provide “false or misleading information” under the Bill.
Challenges faced by service providers
While having a single point of contact in Ireland for law enforcement requests from other EU countries may be a positive development for service providers based in Ireland who currently deal with multiple authorities, the new regime will impose very challenging deadlines including a general 10 day deadline for production.
There is a lot of detail for service providers to get familiar with in the Bill and Regulation (EU) 2023/1543, including on the rules on (i) who can issue Orders, (ii) what data can be covered, (ii) where data covered can be stored (in some cases relating to data stored for State authorities, only the EU Member State in the storage location can issue an Order), and (iii) what limited reasons can be relied on by a provider for not producing or preserving data sought by an Order. Providers may need to seek legal advice on the interpretation of these rules, and may need to do so pre-emptively given the above-noted 10 day deadline and the imminent implementation of the Irish regime.
It is important that affected service providers start work now on ensuring compliance with this new regime. Where a representative in the EU needs to be appointed, this must be done promptly as the CJICO can be expected to demand such details once it is established. Where a service provider already has an architecture in place within its Irish operation to deal with incoming law enforcement requests, a project will be needed to consider what adjustments to that architecture are required given the new regime to protect the service provider from serious sanctions and reputational damage arising from non-compliance, while at the same time ensuring that the service provider is not releasing data where a legal exception applies pursuant to Regulation (EU) 2023/1543 and/ or other EU law rules.
Contact Us
As Ireland’s leading advisor on regulatory compliance in the telecoms sector for many years, Matheson is deeply familiar with the relevant challenges arising from this new regime. Please get in touch with your regular Matheson contact or the authors of this piece, Kate McKenna, or Simon Shinkwin with any queries.
