E-Evidence and the Limits of Jurisdiction: What Really Protects Your Email



On 12 March 2026, Germany enacted the law implementing the EU “E-Evidence package” — a pair of European instruments (Regulation (EU) 2023/1543 and Directive (EU) 2023/1544) that quietly redraws the map of how law enforcement agencies across the European Union can obtain digital evidence from service providers. The transposition rules took effect the day after publication, and the remaining provisions become applicable on 18 August 2026. From that date forward, prosecutors in any participating EU Member State will be able to send production and preservation orders directly to email providers, messengers, hosting companies, and other “information society services” — bypassing the slow machinery of mutual legal assistance treaties that has historically defined cross-border investigations.

For users who care about email privacy, this is a moment to pay attention. Not because E-Evidence creates new powers out of thin air — most of these data requests were already legally possible — but because it dramatically changes the speed, the scope, and the routing of how user data moves from a private inbox to a foreign prosecutor’s file. And once that pipeline is in place, the variable that determines what actually flows through it isn’t the country listed on your provider’s corporate registration. It’s the architecture of the service itself.

This article walks through what E-Evidence is, who it applies to, what changes for users in three different jurisdictions, and — perhaps most importantly — why the popular shorthand “use a provider in country X because country X is privacy-friendly” is starting to lose its meaning.

What the E-Evidence package actually does

The two new instruments introduce two new types of cross-border order:

The European Production Order allows a judicial authority in one EU Member State to require a service provider in another Member State to hand over electronic data — emails, chat messages, IP addresses, location data, subscriber information. The order travels directly from the issuing authority to the provider’s designated legal representative, with no intermediary court in the receiving country needing to review or rubber-stamp it for most data categories.

The European Preservation Order allows the same authority to require the provider to freeze data, preventing its deletion until a production order or other legal request follows.

The deadlines are tight by any standard. Preservation orders must be acted on without delay. Production orders must be answered within ten days — and in urgent cases, within eight hours. Non-compliance is an administrative offence, punishable by fines.

To make all of this work technically, the EU is building out an infrastructure of its own: providers must register on a central Notification Platform and feed the contact details of their designated representative into a Court Data Base (CDB). Communication between authorities and providers will then happen through a decentralised IT system called e-CODEX, accessed either through a reference implementation called JUDEX (the renamed eEDES) or through APIs that large providers can integrate with their own systems.

In Germany specifically, the validation of provider registrations is handled by the Federal Office of Justice (Bundesamt für Justiz), and the technical onboarding is coordinated by an office at the North Rhine-Westphalia Ministry of Justice (the EKE). The deadline to register is the same as the application date of the Regulation: 18 August 2026.

Who counts as a “service provider”

The Regulation’s definition is deliberately broad. It covers, among others:

  • Electronic communication services — messengers, video-conferencing platforms, internet access providers, and email services.
  • Information society services — online platforms, cloud and hosting providers, marketplaces, social networks, and certain gaming services where users can communicate or store data.
  • Domain name and IP numbering services — registries and similar technical infrastructure providers.

Crucially, the definition is not limited to companies headquartered in the EU. Any provider offering services to users in the EU falls within the scope, regardless of where it is incorporated. A US-based provider with European users is just as much a “service provider” under the Regulation as a Berlin-based one — and is required to designate a legal representative in a participating Member State, register on the Notification Platform, and respond to orders within the same deadlines as anyone else.

This is a meaningful shift. The old model assumed that to compel data from a foreign provider, an authority had to ask another government for help. The new model assumes that if the provider sells (or even just offers) its services to EU residents, it has voluntarily entered the EU’s legal space — and must be reachable inside it.

What this means for German-based providers

For email providers headquartered in Germany, E-Evidence is not so much a new regime as an expansion of who can knock on the door.

A German provider was already subject to German law — to the Telecommunications Act (TKG), to the Code of Criminal Procedure, to lawful interception obligations under the TKÜV, and to administrative orders from German authorities. None of that changes. What changes is that, starting in August 2026, prosecutors in 25 other Member States can now issue production orders that arrive directly at the provider’s representative, without going through a German court or German central authority for prior review of most data categories.

The practical consequence: a provider that was used to handling perhaps a few hundred lawful requests per year from domestic authorities may suddenly be handling many more, originating from across the continent, on tight deadlines, in multiple languages, through a new technical channel. The compliance burden grows. The number of potential requesters grows. And the time available to scrutinise each request before responding shrinks.

This does not mean that German providers are about to leak user data wholesale. The substantive grounds for issuing an order, the categories of data that can be requested, and the safeguards built into the Regulation (notification to the executing state, grounds for refusal, judicial remedies for users) all remain in place. But the friction that used to slow cross-border requests down — the diplomatic letters, the translations, the months of waiting — is being engineered out of the system on purpose.

What this means for Swiss-based providers

Switzerland is not in the European Union and is not bound by Regulation (EU) 2023/1543. Production and preservation orders from EU authorities cannot be sent directly to Swiss providers under E-Evidence. EU prosecutors who want data from a Swiss provider must still use mutual legal assistance — the same slow, formal channel that E-Evidence was designed to bypass within the Union.

This is a real and important difference, and it is one of the reasons Swiss-based email services are often described as benefiting from a more protective jurisdiction. The description has some truth to it.

But it is incomplete. Swiss providers operate under Swiss law, which includes its own framework for lawful data disclosure (the BÜPF/VÜPF regime governing surveillance of postal and telecommunications traffic), its own retention obligations for certain categories of metadata, and its own judicial cooperation arrangements with foreign states. A Swiss provider that possesses data of investigative interest can be compelled by Swiss authorities to produce it, and that data can — through proper channels — reach foreign investigators. The pipe is slower than E-Evidence. It is not closed.

The more honest framing is this: Switzerland gives providers more time and more procedural friction. It does not give them an exemption from disclosure.

What this means for US-based providers

Service providers incorporated in the United States — including LLCs and other US entities — are outside the EU’s direct enforcement reach under E-Evidence. EU authorities cannot send production or preservation orders through JUDEX to a provider that has no establishment and no designated representative in the Union. To obtain data from a US provider, European prosecutors must continue to use the mutual legal assistance channel, routed through the US Department of Justice, with review under US standards before any data is produced. The friction that E-Evidence was designed to remove inside the Union remains fully in place at its external border.

This is a meaningful difference. MLAT requests are measured in months, not days. They are reviewed by US authorities applying US constitutional and statutory standards — the Fourth Amendment, the Electronic Communications Privacy Act, the Stored Communications Act. They can be, and are, refused or narrowed when they fail to meet those standards. For a user whose threat model includes routine cross-border data sharing within Europe, a US-based provider sits behind a procedural barrier that EU-based providers no longer have.

It would be misleading, however, to present US incorporation as a privacy guarantee. The United States has its own framework for compelled disclosure, and parts of it reach further than the EU’s. The CLOUD Act allows US authorities to compel US providers to produce data regardless of where in the world that data is stored, and it enables qualifying foreign governments to negotiate executive agreements for direct access to US providers — the UK-US agreement under this framework has been operational since 2022, and an EU-US arrangement has been under discussion. FISA Section 702 authorises foreign-intelligence collection from US providers targeting non-US persons abroad, and was a central reason the Court of Justice of the EU invalidated the Privacy Shield framework in Schrems II. National Security Letters allow the FBI to compel certain categories of subscriber and transactional records without prior judicial review, accompanied by a gag order.

None of these tools are dormant. They are part of the actual legal environment any US-based provider operates within, and any honest privacy discussion has to acknowledge them.

The conclusion that holds up across all three jurisdictions we have looked at — Germany, Switzerland, the United States — is the same: the law of the provider’s country changes the shape of the disclosure pipeline. It does not close it. German providers face the most direct and rapid cross-border access under E-Evidence. Swiss providers retain the procedural friction of MLAT toward the EU but operate under their own domestic disclosure regime. US providers sit behind MLAT for EU requests but within reach of CLOUD Act, FISA, and NSL processes domestically. Each jurisdiction offers different trade-offs. None offers immunity.

Which brings us back to the variable that no legal regime can override.

Where the real privacy variable lives

This is the part of the conversation that gets less attention than it deserves.

If you imagine the legal pipeline as the path data takes from a user’s account to a prosecutor’s case file, the laws of the provider’s country determine the shape of the pipeline — its width, its speed, its checkpoints. But what flows through it is determined by something else entirely: what the provider actually has.

An email provider that holds plaintext message bodies on its servers can be compelled to produce plaintext message bodies. An email provider that holds only encrypted blobs — encrypted with keys it does not possess — can be compelled to produce only encrypted blobs. A provider that logs every IP address, every login timestamp, every device fingerprint, can be compelled to produce all of it. A provider that collects no phone numbers, no identity documents, no payment data tied to a real-world identity, can be compelled to produce only the minimal technical metadata that crosses its systems by necessity.

This is why architectural choices matter more than corporate geography. The strongest legal jurisdiction in the world cannot protect data that has been collected, retained, and held in a form the provider can read. The weakest legal jurisdiction can offer meaningful protection if the provider holds nothing useful in the first place.

E-Evidence makes this principle more visible, not less. By making cross-border data requests faster and more routine, it raises the cost of any privacy claim that depends on requests being rare or slow. A provider that quietly relies on the friction of MLAT as part of its privacy story will find that story harder to tell after August 2026. A provider whose privacy story is built on not having the data to begin with is unaffected — the friction was never the point.

What to look for in an email provider going forward

A few questions worth asking — of any email provider, including ours — as E-Evidence comes into force:

What does the provider actually store about you, and for how long? Subscriber data, IP logs, message metadata, message content. Each of these is a separate disclosure question. The shorter the list, the less is at stake when an order arrives.

Are message contents encrypted in a way the provider cannot read? End-to-end encryption between users, or zero-access encryption on the server side, transforms what the provider can hand over from “the messages” to “ciphertext”.

What is required to register an account? A phone number ties an inbox to a SIM card and a national identity register. An identity document ties it to a passport file. The absence of these reduces what can be cross-referenced if an account ever becomes the subject of a request.

How does the provider handle metadata that it cannot avoid touching? IP addresses appear in connection logs by necessity. Whether they are retained, anonymised, or discarded after the session ends is a design choice with direct privacy consequences.

How transparent is the provider about the requests it receives, and about its own architectural limits? A regularly published transparency report, even a brief one, says more about a provider’s posture than any marketing copy on a homepage. So does an honest description of what the provider can and cannot hand over by design.

Where Onion Mail stands

Onion Mail is an LLC established in the United States. That places us behind the MLAT barrier for EU requests, and it places us within the reach of the CLOUD Act, FISA, and National Security Letter processes domestically. We are not going to pretend otherwise, and we are not going to ask our users to trust a jurisdiction to protect them.

That is, in fact, the reason we built the service the way we did.

We are aware of the laws that govern compelled disclosure in the country where we operate. We know what they can require of us, and we know that the answer to “what can be required” is always shaped first by “what is actually available”. So we built our architecture around the only variable we fully control: the data we collect, retain, and can read.

We do not require a phone number to register an account. We do not require an identity document. We do not tie inboxes to real-world identities through our registration flow. We minimise what we log about user sessions. We design our systems so that the information available to us about our users is small by default, not as a feature toggle that a user has to find and switch on.

This is a deliberate choice, and it is the choice we believe matters most. Legal protections can change — the EU has just demonstrated this with E-Evidence, the US has demonstrated it repeatedly with successive surveillance laws, and Switzerland has its own evolving framework. What does not change is the engineering principle that data which was never collected cannot be produced, and data which was never readable cannot be decrypted on demand.

We also believe that the relationship between a provider and a user is built on transparency, not on trust we have not earned. Users should not have to hand over their virtual identity to a company in order to protect it. They should be able to understand what we hold, what we cannot hold, and what they themselves can do to reduce their exposure further — through end-to-end encryption with correspondents, through careful operational habits, through their own choices about what to put in an email in the first place. Privacy is a shared responsibility, and an honest provider equips users to exercise it independently rather than asking them to outsource it.

Privacy and transparency toward the user, before anything else. That is our position, and it is the position E-Evidence has not changed, because we did not build the service around the assumption that the law would protect it for us.

E-Evidence is a serious piece of legislation, and we take it seriously. But it does not change the question that every email user should be asking, which is the same question they should have been asking before: what does my provider actually have about me, and what would they be able to hand over if asked?

That question has always been the one that mattered most. After 18 August 2026, it will simply be harder to avoid.


This article is intended for general information. It is not legal advice. Users with specific concerns about how E-Evidence or related laws may apply to their situation should consult a qualified lawyer.
