From 2026, the European Union (EU) will fully implement the new e-evidence regulation, which significantly changes the procedure for obtaining electronic evidence in cross-border criminal proceedings. The previously complex and time-consuming cooperation between Member States will be replaced by a more unified system, allowing data to be requested more quickly and directly from electronic service providers in certain cases.

For electronic communications providers and other digital service providers, this will mean the practical necessity to ensure the capability to respond promptly to requests from law enforcement authorities in other Member States, as well as to review internal processes related to data retention, accessibility, and disclosure.

The EU e-evidence package comprises Regulation (EU) 2023/1543 and Directive 2023/1544 of the European Parliament and of the Council, both dated 12 July 2023. The deadline for transposing the Directive into national law was 18 February 2026, while the Regulation will apply from 18 August 2026. To ensure the application of the new regulation, amendments are currently being advanced to several legal acts in Latvia.

What are e-evidence?

Electronic evidence (e-evidence) refers to data stored electronically by a service provider and used to investigate criminal offences. Examples include subscriber data, Internet Protocol (IP) addresses, and identifiers necessary to identify users, email messages, text messages, and app communications.

What changes?

Until now, obtaining electronic evidence in cross-border cases often relied on lengthy and administratively complex mutual legal assistance procedures. The new regulation provides for clearer and more efficient cooperation between investigative authorities and service providers. In certain cases, law enforcement authorities in one EU Member State will be able to address electronic communications or digital service providers in another Member State directly with:

  • an e-evidence preservation order, requiring the preservation of specific data to prevent its deletion or alteration until a further request is made; and
  • an e-evidence production order, requiring the disclosure of specific data for the purposes of criminal proceedings.

A significant change is the substantially shorter execution deadlines. Upon receipt of an e-evidence production order, the service provider must transmit the requested data within 10 days, or within 8 hours in urgent cases. In the case of a preservation order, data must be preserved immediately for 60 days. This means that service providers must establish clear internal procedures, designate responsible persons, and have the capacity to promptly identify, preserve, or disclose the requested data.

To whom does the regulation apply?

The regulation applies to a broad range of service providers offering one or more of the following categories of services (excluding financial services):

  • electronic communications services (e.g., internet access services or interpersonal communication services);
  • internet domain name and IP numbering services (e.g., IP address allocation, domain name registration, and related privacy and intermediary services);
  • other information society services that enable users to communicate with each other or to store or process data on behalf of users (e.g., social networks, online marketplaces, or other hosting service providers).

What is expected of service providers?

Although the new system is still developing in practice, it is already clear that providers will need to ensure a significantly higher level of operational readiness than before. Therefore, it is advisable for providers subject to the e-evidence regulation to:

  • assess what data they hold and how quickly it can be accessed;
  • designate responsible persons and establish internal procedures for handling such requests;
  • review data retention, access, disclosure, and protection processes;
  • prepare internal guidelines for executing orders;
  • evaluate necessary contractual, technical, and compliance measures to the extent not regulated by legislation.

Service providers offering services in the EU must also designate a clear recipient for receiving and executing e-evidence orders. For providers established in the EU, this will be the chosen establishment; for those established outside the EU, a legal representative. The service provider must ensure that this recipient has the necessary authorisations and resources and must notify the relevant central authority of their contact details.

Liability for non-compliance

Significant fines may be imposed for failure to comply with the e-evidence regulation requirements. For example, unjustified refusal to execute an e-evidence production or preservation order may result in a fine of up to 2% of the service provider’s total worldwide turnover in the preceding financial year.

Changes to Latvian legislation

To implement and apply the new EU regulation in Latvia, amendments are being made to several national legal acts, including the Electronic Communications Law, the Information Society Services Law, and the Criminal Procedure Law. The development of related Cabinet of Ministers regulations is also planned. These will specify in greater detail the procedures for issuing and executing e-evidence orders in Latvia, the obligations of service providers, as well as administrative liability for non-compliance and data protection breaches.