A new European law is coming: the eEvidence Regulation. Sounds like something for big corporations? Mostly, yes. But some smaller business owners need to pay attention too, and you'll want to know about it in time. We'll explain it in plain English.
The EU wants to make it easier for authorities across different countries to request digital evidence from businesses. Think emails, IP addresses, account details and communication data, the kind of information that helps solve criminal cases. Right now, that process takes an average of 120 days through existing channels, sometimes up to 10 months. That needs to change.
The eEvidence Regulation fixes this. From now on, authorities can issue a production order (hand over data) or a preservation order (hold data for later use) directly to you as a service provider.
Effective date: 18 August 2026.
In the Netherlands, the ACM (Authority for Consumers and Markets) has been appointed as the supervisory authority. They enforce compliance together with the Public Prosecution Service.
This is the most important part of the article. The law applies to "service providers" offering services in the EU. That sounds broad, and it is, but there's a clear legal definition.
According to Article 3 of the eEvidence Regulation, you fall under it if you offer any of the following services:
That last category is the interesting one for many entrepreneurs. Read it carefully: the law only applies if storing data is an essential (= core) part of the service you offer to your clients.
Let's say you're a freelance web designer or IT service provider. You build websites, apply AI to client platforms, and use tools like Supabase, cloud storage or a hosting service to do so. That means client data ends up in those systems.
Does eEvidence apply to you?
The answer comes down to one question: are you offering a service where storing client data is the core of what you do — or are you simply using other people's tools to do your work?
You build a website for a client and use Supabase as the database behind the scenes. You're the developer, Supabase is the service provider. Supabase falls under the eEvidence Regulation, not you.
Example: Pete is a web designer. He builds custom websites and manages them for his clients. He uses Supabase for the technical infrastructure but doesn't offer his own storage platform as a service. → Pete is probably not directly covered by this law.
It's a different story if you offer your own SaaS product or platform where clients log in to your environment and their data is stored in your systems — and that storage is exactly what they're paying you for.
In that case, you are the service provider in the eyes of the law, and eEvidence may well apply to you.
Example: Pete has built his own client portal used by multiple businesses. Their end customers log in to Pete's platform and all their data is managed in his systems. Storage is the core of what he delivers. → In this case, Pete does need to seriously check whether this applies to him.
More and more entrepreneurs are applying AI on behalf of their clients — personalised chatbots, automated analysis, smart integrations. If personal data of end clients is stored in systems that you manage and offer as a service, you may be considered a service provider.
This really varies case by case. The key question remains: is storing that data an essential part of what you offer?
Received a letter from the ACM or the Dutch Ministry of Justice and Security? Then it's clear: you're covered and need to take action.
The eEvidence Regulation provides for fines of up to 2% of global annual turnover. On top of that, a fine is effectively mandatory if you fail to comply with an order to produce or preserve data (Article 16(10) of the Regulation). That's serious money, even for smaller businesses.
Sign up for the newsletter of the ECP Platform for the Information Society at eevidence.nl. They'll keep you updated on when and how to register in the Court Database (CDB). Registration isn't possible yet — the EU is still building the system.
The eEvidence law is primarily aimed at the big players: internet providers, hosting companies, cloud services, large platforms. If you're a small entrepreneur using other people's tools, you probably have nothing to worry about.
But if you offer your own platform or service where storing client data is at the core of what you deliver? Then it's worth taking this seriously, before August 2026.
Not sure? Let's talk it through. We're not lawyers, but we can help you ask the right questions and point you in the right direction.
Questions about this or other new legislation? Just drop us a message.
This blog is intended as general information and does not constitute legal advice. For your specific situation, we recommend consulting an IT lawyer.