What do GDPR, NIS2, and eEvidence have in common?

For many IT managers, it feels familiar by now. New European law or regulation is coming. First, it seems abstract, something for later, something legal. Subsequently, these European frameworks translate into national laws, with an implementation period of a year or two. On paper, plenty of time, but in practice, that time flies by.

We saw it happen with GDPR and again with NIS2. The impact was underestimated, including at the board level, until the deadline approached and the questions from the boardroom became increasingly specific. Are we compliant? Where is our data located? Who has access? Ultimately, it is the IT department that must ensure that technology, processes, and contracts are correct under time pressure.

With e-Evidence, we are at that same point again. August 2026 still feels far away. But anyone who has experienced previous projects knows how quickly that changes. Before you know it, IT is facing a barrage of questions, and the space to think calmly has already disappeared.

In addition, e Evidence is not a guideline like NIS2, but a regulation. There is no mandatory implementation for organizations, but there is a direct impact on data access and control. This is precisely what makes it relevant in the context of digital sovereignty.

e-Evidence in brief

e-Evidence is European legislation that regulates how police and justice can request digital evidence across national borders. From August 2026, authorities in one EU country will be able to directly request data from service providers in another EU country. This is faster than through traditional legal assistance and with less intervention from the country where the data is located.

This involves electronic data such as email, user information, and cloud data. For service providers, this means new obligations. For organizations that use these services, it mainly means that the demand for access to data changes. And with it, the demand for control.

The risks no longer come only from the US

In recent years, the focus has been strongly on transatlantic risks; this was massively a topic of discussion, especially in 2025. American cloud providers and the CLOUD Act dominated the discussion. Data could be physically located in Europe but legally fall under American law. Many IT teams have adapted their cloud and infrastructure strategy accordingly, for example, with European alternatives or a hybrid setup, or have at least started these changes.

With e-Evidence, that playing field shifts. The risk is no longer only outside Europe but also within Europe itself. Data that is with a European provider or runs on external applications can be requested by a foreign authority. Especially in environments with international suppliers or shared platforms, the sense of control fades faster than is often assumed.

That requires a revision of assumptions that seemed logical for years. Data in Europe is not automatically data under your control.

The consequences for data and infrastructure

For IT infrastructure and data storage, e Evidence touches the core. Not because the law technically enforces it, but because existing infrastructure choices suddenly have legal consequences. Where is what data located? Under what legal regime does it fall? Who manages access? And can you prove that? Architectures that are primarily designed for performance, scalability, and cost are facing a new challenge.

Backup and recovery also play a role in this. Not only from availability or ransomware protection but from control. Can you guarantee that data is not provided unseen? Can you explain why certain choices were made? And are these recorded in technology and governance, or mainly based on trust in suppliers?

Now what?

The lesson from GDPR and NIS2 is clear. Waiting leads to choices under pressure, to temporary solutions, or even fines. e-Evidence offers the opportunity to do things differently.

Now is the time to review data placement, cloud usage, and infrastructure choices. Ensure that you retain control, at least for the most sensitive data. This can be done by consciously determining which data should be located where, which technical safeguards are needed, and how you organize control. That takes time but provides peace of mind when the questions come later.

Webinar

On January 30 at 1:30 PM, we are organizing a webinar in which we approach e-Evidence from an IT perspective. We look at the concrete impact on data and infrastructure. We discuss what changes, where assumptions are no longer valid, and what choices you can make now.

You can register via this link: https://events.teams.microsoft.com/event/af2dee3e-8104-4afa-8d87-6d5a61962d7e@76c4b9ef-f707-41c7-a97d-5a214214b657