On 18 August 2026, Regulation (EU) 2023/1543, the EU E‑Evidence Regulation, becomes directly applicable in every Member State, and criminal lawyers across Portugal face an immediate shift in how cross‑border electronic evidence is requested, transmitted and challenged. The Regulation introduces a dedicated Digital Exchange System through which competent authorities in one Member State can serve European Production Orders and European Preservation Orders directly on service providers established or represented in another, bypassing the slower mutual‑legal‑assistance channels that have dominated Portuguese practice for decades. For defence counsel the stakes are high: data that once took months to obtain may now reach a prosecution file within days, compressing the window for admissibility challenges, privilege claims and procedural objections.
For communication‑service providers (CSPs) operating in Portugal, the compliance burden is equally acute, with mandatory registration, strict response deadlines and new record‑keeping obligations. This guide provides the Portugal‑specific procedural map that prosecutors, judges, defence lawyers and CSP compliance officers need before the go‑live date.
- Defence counsel: Audit current cross‑border evidence workflows and prepare template motions for admissibility challenges under Portuguese constitutional standards.
- CSPs & in‑house legal: Register a designated legal representative, build internal triage processes for Digital Exchange System requests, and test response‑time compliance.
- Prosecutors & judges: Familiarise yourselves with the European Production Order and European Preservation Order forms, notification duties, and the judicial‑validation requirements that apply to content‑data requests.
E‑Evidence Regulation: Scope, Timeline and Legal Essentials
Regulation (EU) 2023/1543 was adopted on 12 July 2023 and published in the Official Journal of the European Union. It establishes a uniform EU framework for the cross‑border gathering of electronic evidence in criminal proceedings, creating two new instruments, the European Production Order (EPO) and the European Preservation Order (EPrO), that can be addressed directly to service providers, without routing through the judicial authority of the Member State where the provider is established.
The Regulation applies to CSPs that offer services within the EU, regardless of where they are headquartered. Its material scope covers four categories of electronic data: subscriber data, access data (sometimes called metadata relating to access), transaction data (broader traffic and transactional metadata), and content data. Different levels of judicial oversight attach to each category, a point that criminal lawyers in Portugal will encounter repeatedly in admissibility disputes.
Key definitions practitioners should know
- Service provider: Any natural or legal person providing electronic communications services, information‑society services (including social networks, online marketplaces and cloud platforms), or internet‑domain‑name and IP‑numbering services.
- European Production Order (EPO): A binding order issued by a competent judicial authority in one Member State requiring a service provider in another to produce specified electronic data.
- European Preservation Order (EPrO): An order requiring a service provider to preserve specified data so that it remains available for a subsequent production request or mutual‑assistance procedure.
- Digital Exchange System: The secure, decentralised IT system through which orders, responses and data are transmitted between issuing authorities and service providers.
Legislative timeline
| Date | Event | Practical effect |
| --- | --- | --- |
| 12 July 2023 | Regulation (EU) 2023/1543 adopted | Text finalised; Member States and CSPs gain a three‑year preparation window. |
| August 2023 | Publication in the Official Journal | Countdown to direct applicability begins. |
| 18 August 2026 | Regulation becomes directly applicable | Digital Exchange System goes live; EPOs and EPrOs may be issued and enforced across all Member States, including Portugal. |
Because a regulation is directly applicable, Portugal does not need to transpose the instrument into national legislation. However, certain organisational measures, such as designating competent issuing and validating authorities and notifying the Commission, must be completed by 18 August 2026. Industry observers expect the Portuguese Ministry of Justice and the Procuradoria‑Geral da República (PGR) to issue supplementary operational guidance; practitioners should monitor the Ministry of Justice and PGR websites for updates.
How Cross‑Border Electronic Evidence Access Changes: Digital Exchange System Explained
The Digital Exchange System replaces the informal patchwork of emails, letters rogatory and bilateral contacts that currently characterise many cross‑border electronic evidence requests involving Portugal. Under the Regulation, requests follow a structured digital workflow designed to compress timescales and standardise documentation.
Process flow: from request to data delivery
- Issuing authority prepares the order. A prosecutor or judge in the issuing Member State completes the standardised EPO or EPrO certificate, specifying the data categories sought, the legal basis, the underlying offence and the targeted service provider.
- Judicial validation (where required). For content data and transaction data, the order must be validated by a judge or court in the issuing State before transmission. Subscriber data and access‑data requests may be issued by a prosecutor without prior judicial validation, although Member States may impose additional domestic requirements.
- Transmission via the Digital Exchange System. The completed certificate is transmitted electronically to the service provider’s designated legal representative. Simultaneously, a notification is sent to the enforcing authority, the competent authority in the Member State where the provider is established, which may raise grounds for refusal.
- Service provider response. The provider must produce the data within 10 days of receiving an EPO, or within 8 hours in emergency cases. For an EPrO, the provider must preserve the data for 60 days (extendable).
- Enforcing‑State review. The notified authority in the provider’s Member State has a limited window to raise objections based on specific grounds, including immunities, privileges and fundamental‑rights conflicts.
- Data transfer to issuing authority. Once produced, data is transmitted back through the Digital Exchange System and enters the criminal file of the issuing State.
Comparison: E‑Evidence vs European Investigation Order vs traditional MLA
| Feature | E‑Evidence (Reg. 2023/1543) | European Investigation Order (EIO) | Traditional MLA (letters rogatory) |
| --- | --- | --- | --- |
| Addressee | Service provider directly | Judicial authority in the executing State | Central authority / Ministry of Justice |
| Typical response time | 10 days (EPO); 8 hours (emergency) | 90 days (with 30‑day acknowledgement) | 6–18 months |
| Judicial oversight in receiving State | Notification + limited grounds for refusal | Full recognition/execution by executing judge | Full dual‑authority review |
| Data types covered | Subscriber, access, transaction, content | Any investigative measure, including data access | Any investigative measure |
| Transmission channel | Digital Exchange System | Secure channels / direct judicial contact | Diplomatic / central‑authority channels |
The likely practical effect for criminal lawyers across Portugal is a dramatic acceleration of evidence flows. Defence counsel should anticipate that cross‑border electronic evidence will appear in prosecution files far earlier in proceedings than under EIO or MLA timelines, and should adjust their case‑preparation calendars accordingly.
Portugal Practical Procedure: What Criminal Lawyers Must Know
Mapping the E‑Evidence Regulation onto the Portuguese criminal‑procedure landscape requires attention to both the Regulation’s direct requirements and the residual role of the Código de Processo Penal (CPP). The Regulation does not displace Portuguese procedural law on admissibility, privilege or constitutional protections; it supplements the existing framework with a new evidence‑gathering channel.
Prosecutors: issuing and receiving orders
- Before issuing an EPO for content or transaction data, the prosecutor must obtain judicial validation from a Portuguese juiz de instrução (investigating judge). For subscriber and access data, the prosecutor may issue directly, subject to any additional domestic requirements that Portugal notifies to the Commission.
- Standard forms must be completed in full and transmitted via the Digital Exchange System. Incomplete certificates risk refusal by the provider or the enforcing‑State authority.
- When Portugal is the enforcing State (i.e., when a foreign authority serves an EPO on a provider established in Portugal), the designated Portuguese authority must review the notification within the timeframe set by the Regulation and raise any applicable grounds for refusal, such as the protection of fundamental rights, immunities, or press freedom, before the response deadline expires.
Defence counsel: immediate steps on receipt of notice or evidence
- Step 1: Identify the data source. Determine whether the electronic evidence in the prosecution file was obtained via an EPO, an EIO, a domestic warrant or an informal request. The legal basis governs the applicable challenge.
- Step 2: Check judicial validation. For content data and transaction data obtained via an EPO, verify that judicial validation in the issuing State was obtained before the order was transmitted. Absence of validation is a ground for exclusion.
- Step 3: Examine notification compliance. Confirm that the enforcing‑State authority (in Portugal, if the provider is Portuguese) was duly notified and given the opportunity to raise objections. Procedural failures here may support a motion to suppress.
- Step 4: Review proportionality. Challenge whether the data requested was proportionate and necessary under Article 5 of the Regulation, applying Portuguese constitutional standards (Articles 26 and 34 of the Constitution of the Portuguese Republic).
- Step 5: Request source material. Demand the complete EPO certificate, the provider’s response log, chain‑of‑custody documentation and any metadata showing the integrity of the transmitted data.
Judges: validation and admissibility gatekeeping
Portuguese investigating judges will serve a dual gatekeeping role: validating outbound EPOs for content and transaction data, and adjudicating defence challenges to inbound evidence. Early indications suggest that the judicial workload associated with E‑Evidence requests could be significant, particularly in cybercrime and financial‑crime cases where multi‑jurisdiction data requests are common. Court administrators should consider establishing dedicated digital‑evidence dockets or assigning specialist judges familiar with both the Regulation and EU data‑protection law.
Defence Rights and Admissibility: The Portugal Perspective for Criminal Lawyers
The E‑Evidence Regulation expressly states that it does not modify the obligation to respect fundamental rights and legal principles enshrined in Article 6 of the Treaty on European Union, including the right to a fair trial and the rights of the defence. For criminal lawyers in Portugal, the key point is that the courts will continue to apply the admissibility and exclusion standards set out in the CPP and the Constitution of the Portuguese Republic; the Regulation does not create automatic admissibility.
Constitutional safeguards under Portuguese law
- Right to privacy and secrecy of communications (Articles 26 and 34 of the Constitution): Any interference must be authorised by a judge and comply with strict proportionality requirements. Content data obtained via an EPO that lacked proper judicial validation could be challenged as a violation of these constitutional norms.
- Prohibition of evidence obtained through torture or coercion (Article 32(8) of the Constitution): Although primarily directed at physical coercion, the broader principle that improperly obtained evidence is inadmissible (the proibições de prova doctrine codified in Article 126 of the CPP) extends to procedural irregularities in evidence gathering.
- Nemo tenetur se ipsum accusare: Portuguese law recognises the privilege against self‑incrimination. Defence counsel should scrutinise whether production orders have been used to compel a suspect, acting in a capacity as a CSP employee, to produce self‑incriminating data.
Challenging Digital Exchange requests: procedural steps and motions
Defence counsel may raise admissibility challenges at multiple procedural stages under Portuguese law:
- During the instrução (investigative phase): File a requerimento (motion) before the juiz de instrução requesting exclusion of evidence obtained via an EPO that was issued without proper judicial validation, that exceeded the permitted data categories for the underlying offence, or that violated the proportionality requirements of the Regulation.
- At the audiência de julgamento (trial hearing): Raise an objection under Article 340 of the CPP to the admission of electronic evidence where chain‑of‑custody documentation is incomplete, where the data has been altered or where the integrity of the Digital Exchange System transmission cannot be verified.
- Interlocutory appeals: Where a trial court admits contested electronic evidence, seek an interlocutory appeal under the CPP, arguing that admission constitutes a breach of fundamental rights that cannot be cured at a later appellate stage.
Evidence exclusion scenarios and case‑law analogies
Portuguese courts have a developed body of case law on the exclusion of improperly obtained evidence under Article 126 of the CPP. Industry observers expect these doctrines to be applied by analogy to E‑Evidence requests. Likely exclusion scenarios include:
- An EPO for content data issued by a foreign prosecutor without judicial validation in the issuing State.
- Data produced by a service provider that exceeds the scope of the original order (e.g., production of content data when only subscriber data was requested).
- Failure by the enforcing‑State authority to raise a fundamental‑rights objection when grounds for refusal were manifest.
- Data integrity issues, where the defence demonstrates that files were modified, incomplete, or that metadata timestamps do not correspond to the Digital Exchange System transmission logs.
The GDPR and Portugal’s data‑protection framework (supervised by the CNPD) add a further layer. Although the E‑Evidence Regulation provides a legal basis for data processing, defence counsel may argue that disproportionate or unnecessary data collection breaches GDPR principles and should be excluded under the broader proibições de prova framework.
Service Provider Obligations and Compliance Checklist for Portugal
CSPs operating in Portugal, whether headquartered domestically or merely offering services to Portuguese users, must prepare operational processes well before 18 August 2026. The Regulation imposes direct obligations on service providers, backed by potential penalties for non‑compliance.
Step‑by‑step compliance checklist
- Designate a legal representative. CSPs not established in the EU but offering services within it must designate a legal representative in a Member State. CSPs established in Portugal should confirm their designated contact point for receiving Digital Exchange System requests.
- Register on the Digital Exchange System. Ensure technical connectivity and test message reception before the 18 August 2026 go‑live. Monitor Commission guidance for technical specifications and onboarding procedures.
- Build internal triage workflows. Create standard operating procedures (SOPs) for receiving, logging, escalating and responding to EPOs and EPrOs within the prescribed deadlines (10 days standard; 8 hours emergency).
- Train legal and compliance teams. Staff responsible for processing orders must understand the distinction between data categories, the grounds on which a CSP may raise an objection (e.g., impossibility, incorrect addressee), and the record‑keeping requirements.
- Implement record‑keeping protocols. Maintain auditable logs of every request received, the data produced, timestamps and the identity of the issuing authority.
- Coordinate with the CNPD. Where doubts arise about data‑protection obligations (for example, notification duties to data subjects), CSPs should seek guidance from the Comissão Nacional de Protecção de Dados.
Obligations by entity type
| Provider type | Key obligation | Priority action |
| --- | --- | --- |
| Telecoms operators | Produce subscriber, access, transaction and content data on receipt of valid EPO | Map existing lawful‑interception systems to E‑Evidence response workflows |
| Cloud / SaaS providers | Produce stored content and metadata; preserve data on EPrO | Develop automated preservation‑hold mechanisms compatible with Digital Exchange System triggers |
| Hosting providers | Produce subscriber and access data; content on judicial EPO | Update terms of service and internal policies; train abuse‑team staff |
| Social networks / messaging platforms | Produce all four data categories; handle emergency 8‑hour requests | Establish 24/7 on‑call legal triage; test emergency‑response protocols |
Interaction with the European Investigation Order, MLA and National Warrants
The E‑Evidence Regulation does not replace the European Investigation Order (Directive 2014/41/EU) or traditional mutual‑legal‑assistance treaties. Instead, it offers an additional, faster channel specifically designed for electronic evidence held by service providers. Prosecutors and criminal lawyers across Portugal must understand when each instrument is appropriate.
| Decision factor | Use E‑Evidence (EPO/EPrO) | Use EIO or MLA |
| --- | --- | --- |
| Data held by a CSP | Yes, primary route from 18 Aug 2026 | Alternative if EPO is refused or data type falls outside Regulation scope |
| Non‑electronic evidence (physical seizure, witness testimony) | No, outside Regulation scope | Yes, EIO or MLA required |
| Urgency (imminent threat to life) | 8‑hour emergency EPO | EIO urgent procedure (still slower) |
| Provider outside EU with no legal representative | Not directly applicable | MLA or bilateral treaty required |
| Privilege / immunity concerns | Enforcing State may raise objection | Executing State applies own privilege rules in full |
Defence counsel should track which instrument was used and assess whether the prosecution chose the E‑Evidence route specifically to circumvent the fuller judicial oversight available under an EIO, a point that may support a proportionality challenge.
Risks, Border Cases and the Recommended Defence Playbook
Several high‑risk scenarios are foreseeable as the E‑Evidence framework goes live in Portugal. Criminal lawyers in Portugal should be prepared for the following border cases:
- Mixed‑jurisdiction data: A single cloud account may contain data of Portuguese and non‑Portuguese data subjects. Defence counsel should challenge the scope of production orders that sweep in data outside the territorial scope of the underlying investigation.
- Dual‑criminality gaps: The Regulation permits EPOs for offences carrying a maximum penalty of at least three years in the issuing State for certain data categories. Where the underlying conduct is not criminal in Portugal, defence counsel should raise a fundamental‑rights objection.
- Privileged data: Lawyer–client communications, medical records and journalistic source material all attract heightened protection. If an EPO captures privileged material, defence counsel must file an immediate motion for exclusion and, if necessary, seek an injunction preventing further use of the data.
- Transnational service providers: Where a CSP has establishments in multiple Member States, confusion may arise over which enforcing authority is notified. Defence counsel should verify that the correct authority reviewed the order.
Defence hearing checklist
- Confirm the EPO/EPrO certificate is in the file and is complete.
- Verify judicial validation for content and transaction data.
- Request the Digital Exchange System transmission log and timestamps.
- Challenge data integrity (hashes, metadata, forensic duplication records).
- File a motion in limine if any procedural step was omitted or if the data exceeds the order’s scope.
- Request a forensic copy of all produced data for independent defence analysis.
Conclusion: Immediate Action Checklist Before 18 August 2026
The E‑Evidence Regulation is not a distant legislative prospect: it takes direct effect across Portugal in a matter of weeks. Criminal lawyers across Portugal, CSPs and judicial officers should treat the following six actions as urgent priorities:
- Defence counsel: Prepare template motions for admissibility challenges based on the constitutional and CPP provisions outlined above, and brief clients on the accelerated evidence timelines.
- CSPs: Complete Digital Exchange System registration, designate legal representatives and stress‑test internal triage SOPs against the 10‑day and 8‑hour response deadlines.
- Prosecutors: Train staff on EPO/EPrO certification forms, judicial‑validation requirements, and the correct Digital Exchange System transmission procedures.
- Judges: Establish or update digital‑evidence dockets and ensure familiarity with the Regulation’s grounds for refusal and the dual role as validator (for outbound orders) and admissibility gatekeeper (for inbound evidence).
- All practitioners: Monitor the Portuguese Ministry of Justice and the PGR for any national operational guidance or designations of competent authorities.
- All practitioners: Review the Portugal country guide and consult the Portugal lawyer directory to identify specialist criminal and compliance advisers ahead of the go‑live date.
Appendices and Templates
Appendix A: Preservation‑order checklist for prosecutors
- Identify the target service provider and its designated legal representative.
- Specify the precise data categories to be preserved (subscriber, access, transaction, content).
- Complete the EPrO certificate in full, including the offence description, legal basis and expected duration of preservation (60 days, extendable).
- Transmit via the Digital Exchange System and retain a timestamped confirmation.
- Diarise the preservation expiry date and file a follow‑up EPO or EIO before expiry if production is required.
Appendix B: Template defence motion to challenge production‑order evidence
- Heading: Requerimento para exclusão de prova obtida mediante European Production Order, artigos 126.º e 340.º do CPP e artigos 26.º e 34.º da Constituição da República Portuguesa
- Ground 1: Absence of judicial validation. State that the EPO targeted content data or transaction data but was not validated by a court or judge in the issuing State prior to transmission.
- Ground 2: Disproportionate scope. Argue that the data produced exceeds the categories authorised by the EPO certificate or is not necessary for the investigation of the specific offence.
- Ground 3: Data‑integrity failure. Present evidence (or request disclosure of evidence) that the hash values, metadata or Digital Exchange System transmission logs show alteration, incompleteness or irregularity.
- Ground 4: Privilege. Assert that the produced data includes lawyer–client communications or other privileged material and seek immediate segregation and exclusion.
- Relief requested: Exclusion of the contested evidence from the trial file; alternatively, an order directing the prosecution to produce the complete EPO certificate and chain‑of‑custody documentation for defence inspection.
Appendix C: CSP response‑log template (suggested fields)
| Field | Description |
| --- | --- |
| Request ID | Unique reference assigned by the Digital Exchange System |
| Date/time received | Timestamp of receipt via Digital Exchange System |
| Issuing authority | Name, Member State and contact details of the issuing authority |
| Order type | EPO or EPrO |
| Data categories requested | Subscriber / access / transaction / content |
| Target account(s) | User identifier(s) or account reference(s) specified in the order |
| Response deadline | Standard (10 days) or emergency (8 hours) |
| Internal escalation | Name of legal/compliance officer who reviewed the request |
| Objections raised | Yes/No; if yes, specify ground and date of communication to issuing authority |
| Data produced | Description of data delivered; hash value(s) of transmitted files |
| Date/time of response | Timestamp of data transmission via Digital Exchange System |
| Enforcing‑State notification | Confirmation that the enforcing authority was notified (Y/N) and date |
Appendix D: Timeline of key dates
| Date | Milestone | Action required |
| --- | --- | --- |
| 12 July 2023 | Regulation (EU) 2023/1543 adopted | Begin compliance planning |
| August 2023 | Published in the Official Journal | Analyse final text; identify gaps in domestic procedures |
| Q1–Q2 2026 | Commission technical specifications for Digital Exchange System expected | CSPs: begin system integration and testing |
| 18 August 2026 | Regulation directly applicable; Digital Exchange System live | All parties operational; template motions ready; CSP SOPs activated |
| Post‑18 August 2026 | First EPOs and EPrOs served on/by Portuguese authorities | Monitor case law; update defence templates; file admissibility challenges as needed |