When Abuse Meets Evidence: What Nordic Domain Days 2026 Revealed About E-Evidence

In May 2026, the eco Association’s topDNS Initiative and iQ Global co-hosted “When Abuse Meets Evidence: Preparing DNS Providers for the EU’s New Reality” at Nordic Domain Days in Stockholm.

What happens when a registrar receives a legally binding request from a foreign prosecutor on a Saturday night? How quickly must a hosting provider preserve data that may be critical to an ongoing criminal investigation? And who is responsible if a request is missed?

The workshop brought together four complementary perspectives: Tania Schröter of the European Commission provided an overview of the E-Evidence framework; Annika Bergstedt of the Swedish Ministry of Justice examined national implementation; and as speakers, we focused on the legal, operational, and technical implications for Internet infrastructure providers.

Beginning in August 2026, these questions will have increasingly concrete legal answers. The more pressing question is whether providers will be operationally ready to meet them.

The conclusion was unambiguous: E-Evidence is not simply another compliance layer to be managed alongside GDPR, NIS 2, and the Digital Services Act. It represents a structural change in the relationship between public authorities and private providers – and the window for preparation is closing fast.

From territorial procedures to direct orders

Tania Schröter of the European Commission opened the workshop by explaining why the E-Evidence framework marks a significant departure from how cross-border investigations have traditionally worked.

Electronic evidence now plays a central role in criminal cases ranging from cybercrime and fraud to terrorism and child sexual abuse material. Yet the procedures traditionally used to obtain that evidence across borders were designed for a more territorial world, relying on multiple layers of government-to-government communication. In a digital environment where evidence can disappear within hours and investigations regularly span multiple jurisdictions, those mechanisms have increasingly struggled to keep pace.

The E-Evidence framework seeks to address this by creating a direct channel between competent authorities and service providers. Through European Production Orders (EPOCs) and European Preservation Orders (EPOC-PRs), authorities can request or secure certain categories of stored data directly from providers operating within the EU — without involving a judicial authority in the provider's home country first, except in a limited notification role for the most sensitive data categories.

Figure 1: EPOC Execution Workflow

The package consists of two complementary instruments: a Regulation establishing the orders themselves, and a Directive requiring service providers operating in the EU to designate a legal representative or designated establishment capable of receiving and responding to them.

Figure 2: The package in a nutshell

Crucially, as Schröter emphasized, the physical location of data is no longer the determining factor. What matters is whether a provider offers services within the Union. A company headquartered in the United States, with servers in Singapore, that sells domain registrations to European customers – that company is in scope.

For the Internet infrastructure sector, the implication is straightforward: providers are no longer simply custodians of data. They are becoming active participants in the investigative ecosystem – with defined responsibilities, enforceable timelines, and an expectation of genuine operational readiness.

Beyond the technical details, participants repeatedly returned to a broader institutional shift. Traditionally, cross-border investigations relied on cooperation between public authorities, with service providers interacting primarily with domestic law enforcement. E-Evidence changes this model by creating a framework in which foreign authorities can, under defined conditions, engage directly with providers across borders. For many organizations, this represents a significant cultural and operational adjustment. Requests that previously arrived through national authorities may increasingly come directly from another Member State, requiring providers to assess legal obligations, operational processes, and escalation procedures in a new cross-border environment.

Why this matters for DNS Providers

One of the most important themes to emerge from the workshop was the direct relevance of E-Evidence for the domain name industry. The Regulation explicitly lists “Internet domain name and IP numbering services” within its scope, alongside electronic communications providers and a broad range of information society services.

Many of the offences that authorities investigate through electronic evidence requests intersect directly with Internet infrastructure. Phishing campaigns, malware distribution, botnets, online fraud, and ransomware operations regularly rely on domain names, hosting infrastructure, and registration data. The crimes that generate E-Evidence requests are, in large part, the same crimes that generate abuse reports today.

This means that DNS abuse and electronic evidence are converging rather than remaining separate policy discussions. The abuse reports handled by registries, registrars, and hosting providers today may well generate the evidence requests they receive tomorrow.

The Regulation also brings a supply-chain dimension that deserves attention. If the controller of data cannot be identified despite reasonable efforts, or if contacting the controller might compromise an investigation, the order may be directed at a processor instead. For wholesale registrars operating with large networks of resellers, this means that even parties who consider themselves processors – rather than controllers – may receive direct requests.

The eight-hour challenge

Among all topics discussed in Stockholm, one requirement attracted particular attention: the emergency response deadline.

While standard production orders allow ten days for a response, emergency situations – defined in the Regulation as involving an imminent threat to the life, physical integrity, or safety of a person, or to critical infrastructure – may require action within eight hours. Preservation orders must be executed without undue delay and remain in force for up to 60 days, with possible extension.

These are hard, legally binding deadlines. Non-compliance can lead to sanctions reaching up to 2% of a provider's total global annual turnover, under a strict liability regime – meaning the authority imposing the fine does not need to prove intent or negligence. The mere fact of non-compliance is sufficient.

As Annika Bergstedt of the Swedish Ministry of Justice explained, the Regulation establishes demanding timelines for both production and preservation orders, requiring providers to be prepared to act quickly once a request is received.

Figure 3: Response timelines (the Regulation)

The discussion quickly moved beyond legal theory. Can a provider receive and identify an E-Evidence request on a Sunday evening? Can legal review be performed overnight? Is there a documented escalation process that functions under pressure? For many participants, these questions illustrated how E-Evidence transforms compliance from a legal exercise into an operational challenge.

The eight-hour deadline therefore became a symbol of a broader reality: compliance increasingly depends on operational preparedness.

A live look at the technical system

While the legal framework generated concern, the technical implementation revealed equally significant practical challenges.

The workshop included a live walkthrough of JUDEX – the Justice Digital Exchange System – the decentralized IT platform that will handle secure communication between authorities and service providers. The demonstration, drawn from direct testing experience, revealed a system that is still very much a work in progress.

The provider registration portal, for instance, requires applicants to upload a signed PDF within a five-minute window – or restart the entire process from scratch. During the demonstration, only one Member State could be selected as a central authority because most had not yet formally designated theirs. The mandatory registration number field could not be completed by natural persons acting as legal representatives, making it structurally impossible for them to finish the notification process.

These are not minor inconveniences. The central database – to which provider registration data flows, and from which issuing authorities across Europe will look up where to send orders – depends entirely on a functioning registration and validation chain. Providers that are not in the database simply cannot be reached through the system.

Figure 4: E-Evidence Regulation

JUDEX implementation and provider onboarding challenges

At the time of the workshop, approximately 42 providers across the EU had completed registration. Seven were actively testing the API. Several Member States had confirmed they would be unable to meet the August deadline. The API itself – essential for any large provider that cannot process requests manually through a web browser – was not expected to be fully operational by 18 August. The European Commission has estimated the total number of potentially affected providers in Europe at around 450,000; in Germany alone, the figure may reach 70,000.

As we noted during the workshop, most of those 70,000 do not yet know they are in scope.

The broader regulatory landscape

E-Evidence does not arrive in isolation. For Internet infrastructure providers, it is one element of a rapidly expanding compliance environment that already includes GDPR, NIS 2, the Digital Services Act, ICANN’s evolving registration data policies, and national disclosure frameworks.

Each of these instruments creates its own obligations. Requests may arrive under different legal bases, involve different authorities, require different response timelines, and carry different consequences for non-compliance. There is no single process that satisfies all of them.

One participant raised a pointed question during the workshop about the interaction between E-Evidence orders and NIS 2's Article 28 disclosure requirements for domain registration data, noting that the two frameworks can generate concurrent obligations with different procedural logic. Schröter acknowledged that E-Evidence is not intended to displace other legal instruments – it is non-mandatory and non-exclusive – but that providers receiving requests under parallel frameworks will need internal processes capable of handling each correctly.

The cumulative picture is one of increasing regulatory density. Organizations that treat each new obligation as a separate compliance exercise will find themselves overwhelmed. Those building governance structures capable of managing multiple frameworks simultaneously – with clear internal accountability, documented processes, and genuine operational readiness – will be significantly better positioned.

What providers should do now

The 18 August deadline is close. Sweden’s implementing legislation enters into force on 1 July, with PTS – the Swedish Post and Telecom Authority – formally designated as central authority from that date. Other Member States are at varying stages; some are further behind. But the Regulation becomes applicable across the Union in August, regardless of whether every Member State's national implementation is complete.

The gradual rollout may reduce the initial volume of requests. But it does not reduce the obligation to be ready.

Organizations should, as a priority, assess whether they fall within the Regulation's scope; designate a legal representative or designated establishment if they have not done so; ensure that representative has genuine operational capacity; establish and test escalation procedures for both standard and emergency requests; and begin connecting to the JUDEX system as it becomes available in their Member State.

The legal and technical infrastructure is still maturing. That is precisely why providers should not wait for it to be finished before beginning their own preparation.

Conclusion: Readiness is now the standard

By Nordic Domain Days 2027, E-Evidence will no longer be a future regulatory development. It will be part of the daily operating environment of Europe’s Internet infrastructure sector.

The broader lesson from Stockholm reaches beyond E-Evidence itself. Across Europe, regulatory frameworks are increasingly converging around a common expectation: organizations must be able to demonstrate operational resilience, accountability, and readiness in practice – not merely on paper. For Internet infrastructure providers, abuse mitigation, cybersecurity, and compliance are no longer separate disciplines. They are different aspects of the same challenge.

The legal framework is now largely in place. The question is no longer whether E-Evidence will affect Internet infrastructure providers. It is whether providers will be ready when the first request arrives – and whether their operational structures can withstand the realities that follow.

Attorney-at-law and domain law expert Thomas Rickert is Director of the Names & Numbers Forum at eco - Association of the Internet Industry (international.eco.de). Thomas Rickert is a member of the GNSO (Generic Names Supporting Organization) Council of the Internet Corporation for Assigned Names and Numbers (icann.org). In 2022, he initiated the topDNS Initiative (topdns.eco) that unites members of the eco Association to fight DNS abuse. Furthermore, Thomas Rickert is Managing Director of the law firm Rickert Rechtsanwaltsgesellschaft mbH (rickert.law), which is specialized in legal issues of the digital economy.

Ulrich Plate currently leads eco’s Competence Group for Critical Infrastructure Providers (KG KRITIS). Since 1995, he has held various management positions in ISPs and infrastructure/network consultancies. From 2005 to 2017, he worked as a Political Advisor to Members of the German Bundestag. He then served as the Chief Information Security Officer (CISO) at aconium GmbH (formerly known as atene KOM) from 2017 to 2022. In 2022, he returned to nGENn as CISO, continuing his contributions to cybersecurity and critical infrastructure protection.