The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding.
- Louis D. Brandeis
You've probably already noticed the slight tug at your pants. Things are heating up around them legislator long-tables. I just received an.. ahem.. interesting... letter. From the Ministry of Justice, no less. Fancy.
Where my personal opinions lie in this domain, you can most likely guess, so I'm leaving this here, out in the open, for informative purposes and to invite any kind of discussion around it.
If you're not a fan of legalese-in-the-morning, the TL;DR is this: From August 2026, any "competent" (whatever that means) authority within the EU will have the powers to immediately order any digital services or communications providers to surveil and collect data on individual persons, and hand that over to "authorities" in other EU countries, cross-border and without protection or due process from national legal systems.
This is all going to happen over a, repeat after me: "secure" - "eEvidence" - "portal". Three words that belong in a pretty low-grade dystopian pulp magazine, not a civilized society.
Highlights from this shit-show include:
- Foreign law enforcement agencies can demand disclosure of personal data, including communication content, without judicial review by a court in the home country of the citizen.
- Orders may originate from countries with compromised judicial systems, enabling politically motivated "investigations". Standing ovation on this one.
- Individuals who have their data seized will not be notified, during or after the process, eliminating the possibility of challenge or due process.
- Bypasses existing mutual legal assistance treaties, removing the existing layers of oversight that were designed to protect fundamental rights.
- Service providers, including small and non-EU companies, are legally obligated to comply; regardless of conflicting national laws or ethical concerns.
- Limited grounds for refusal place the burden on providers to challenge unlawful or abusive requests. Who you gonna call? Ghostbusters?
- Very broad definitions of "relevant services" extend obligations to basically anything; cloud storage, domain registrars, messaging systems, social platforms, even online games.
- Compliance is "automated" through a centralized EU portal. This increases the risk of bulk or systemic data access and other misuse.
- No requirement for proportionality or necessity assessments by an independent authority prior to data disclosure.
- Absence of public reporting or transparency mechanisms obscures the scale and use of powers from democratic scrutiny.
- Sets a very concerning precedent for normalizing direct executive access to private digital data, severely weakening the separation of powers.
- Anyone said function creep?
If we ever had it, this is exactly how democracy dies.
Letter follows below. Machine-translated from original language into English, since I might as well have posted it in Elvish if not.
No, this is not a joke. Yes, the letter is real, and sent from the Ministry of Justice of the relevant country.
Dear Sir/Madam,
You are receiving this letter because your organization may be affected by the new European: "Regulation on European Production and Preservation Orders for electronic evidence in criminal matters and the enforcement of custodial sentences following a criminal procedure (EU 2023/1543)", and the "Directive establishing harmonised rules on the designation of legal representatives and the appointment of competent representatives for the gathering of electronic evidence in criminal proceedings (EU 2023/1544)".
Collectively referred to as the "eEvidence Regulation and Directive".
This legislation obliges your organization, upon receiving an order, to preserve and/or disclose stored data to a competent law enforcement authority in another EU Member State. Such an order can, under this new legislation, be issued directly by an authority in another EU country — without the involvement of the [...] Public Prosecution Service. The data you provide may subsequently be used as digital evidence in criminal proceedings in that EU Member State.
These obligations broadly apply to companies offering services related to (digital) communication. Further details are provided below. To comply with these requirements, your organization must have the necessary internal procedures in place before the legislation enters into force in August 2026.
Please read the information below carefully so that you can prepare for the new legislation and understand which processes you need to establish.
What will change?
Digital evidence is already exchanged between countries, and your organization may already have experience with this. However, to make this process faster and simpler for all parties involved, the new eEvidence Regulation has been introduced. This new legislation was necessary due to the increasing digitalization of society, making digital evidence indispensable in the investigation and prosecution of crime.
Direct Orders
A key change is that, as of August 2026, a competent law enforcement authority in another EU Member State can issue an order directly to your organization. Previously, a national judicial authority (in the [...], typically the Public Prosecution Service or the police) had to be involved in every request.
Increased Urgency and Enforcement
The obligation to preserve and disclose the requested evidence will be stricter and subject to shorter deadlines than before. These obligations and timelines will be enforced in the [...] by [...] authorities.
More Relevant Organizations
The scope of organizations covered by the new legislation has been significantly expanded. It no longer matters whether an organization is based in the EU — from August 2026, it will be sufficient that your organization offers services to individuals within the EU.
The eEvidence Portal
A new secure digital environment — the eEvidence Portal — will be developed to implement the regulation. All communication regarding preservation or production orders issued by judicial authorities in other EU countries will take place exclusively through this secure portal.
Registration in the EU Database
To access the portal and to ensure your organization is identifiable by law enforcement authorities, relevant companies are required to register in a central EU database. In some cases, an organization will first need to appoint an establishment or legal representative within the EU to receive and respond to orders via the portal. In the [...], the Authority for Consumers & Markets (ACM) will supervise compliance with this registration requirement starting from March 2026.
For more background and details on the development and national implementation of the legislation, please visit our website.
Which organizations does this apply to?
The eEvidence Regulation applies to organizations providing one or more of the following services:
a. Electronic communications services, such as telephony and internet access;
b. Services related to internet domains and IP addresses, such as domain name registration, IP address allocation, and privacy services for domain owners;
c. Other online services, such as:
I. platforms enabling user-to-user communication (e.g., social media, online games);
II. services allowing users to store or process data (e.g., cloud storage), provided that data storage constitutes a significant part of the service;
III. services for which electronic communication is such an essential component that the service cannot exist or be delivered without it.
If you are unsure whether your organization meets these criteria, please use our assessment tool at [...].
What kind of data is involved?
The digital data will be used in criminal investigations and proceedings. Examples include:
- The user’s name and contact information (user identification);
- Traffic data (information about the user’s data usage);
- The content of communications.
Such data may be requested from your organization — if stored by or on behalf of your service provider — via a production order.
What can you do now?
a. Until end of 2025: Stay informed. Subscribe to our newsletter at [...]
b. From March 2026: If applicable, mandatory registration of your company in the central EU database. You will receive notification in due course from either the relevant department of my ministry or the supervisory authority (the ACM, Authority for Consumers and Markets).
c. From March 2026: Begin preparations by setting up internal procedures aligned with the objectives of the legislation and the operation of the portal.
d. 18 August 2026: The eEvidence system goes live. If you receive a production and/or preservation order via the eEvidence portal, you must respond within the timeframe specified in the order.
Note:
If you are a member of a trade association, we recommend contacting them with any questions not answered on [...]. If you are not affiliated with a trade association, we advise consulting your legal counsel.
Yours sincerely,
The Minister of Justice and Security
On behalf of the Minister,
Director, Law Enforcement and Crime Prevention