Cross-border cloud access: E-Evidence law comes into force

The digital chain of evidence in the EU and Germany is being significantly streamlined. On March 12, the law for the implementation of the E-Evidence Directive was promulgated in the Federal Law Gazette. This is the so-called Electronic Evidence Implementation and Enforcement Act (EBewMG). It is intended to fundamentally renew the way law enforcement agencies access data in the cloud. The first parts have already come into force since Friday. The remaining complex of regulations will become fully effective on August 18, 2026. This marks the end of an era in which lengthy mutual legal assistance requests often slowed down investigations into cybercrime.

In the past, investigators faced a dilemma: crimes are increasingly planned and carried out in the digital space, but the evidence is often stored on servers in other member states. Previous mutual legal assistance formats were considered cumbersome and time-consuming. Not infrequently, relevant data was already deleted before the official request reached the responsible provider abroad. The new E-Evidence package addresses this and enables authorities to contact service providers in other EU countries directly. This direct access is intended to ensure that digital traces are secured before they disappear into the digital ether.

New powers for law enforcement

Federal Minister of Justice Stefanie Hubig (SPD) emphasized on the occasion of its entry into force: In a highly networked world, law enforcement agencies need means to react quickly and hold those responsible accountable. The law is a crucial building block of a strategy to combat internet-based crime more effectively. However, this does not sacrifice the rule of law and the protection of sensitive data.

Critics, on the other hand, saw the balance between efficient prosecution and safeguarding privacy as not being maintained during the parliamentary debate. The acceleration of investigations met with strong headwinds from the opposition and civil rights advocates. The disapproval is fueled primarily by the fear that standards of the rule of law will be sacrificed on the altar of European cooperation. There is a risk, it is said, that authoritarian governments, such as in Hungary, could use the system to take action against journalists, opposition figures, or lawyers.

The practical implications for service providers are significant. The regulatory framework stipulates that providers must respond to a preservation order immediately. When it comes to the actual disclosure of data, a period of ten days remains. In defined emergencies, this time window is drastically shortened: information must be provided within just eight hours. To ensure this communication, service providers operating in the EU are obliged to designate official recipients. These so-called addressees act as fixed contact points for the judicial authorities.

Obligations and sanctions for providers

The Federal Office of Justice (BfJ) acts as the central supervisory authority in Germany. The authority monitors whether providers are fulfilling their new obligations. If companies ignore the orders or refuse to cooperate, severe consequences are threatened, as such violations can now be prosecuted as administrative offenses. Fines can amount to up to 500,000 euros for serious violations. For particularly large service providers with a total turnover of more than 25 million euros, the penalty can even reach up to two percent of their worldwide annual turnover.

Technically, data exchange is handled via software established by the EU and the member states. Service providers must register on a special platform, the so-called Notification Platform, to be reachable by investigators at all. The BfJ seeks to address concerns through specific protective mechanisms for particularly sensitive data categories.

Nevertheless, the EBewMG marks a paradigm shift: the physical location of a server loses importance for law enforcement within Europe. Whether the technical infrastructures of the providers and the personnel resources of the authorities are up to the new pace will become apparent in the coming months.

(nie)