From 18 August 2026, some digital providers serving the EU need a calmer route from order to data.
A small SaaS founder does not usually start the day by thinking about criminal evidence. She thinks about renewal invoices, an open support ticket, a developer who is off sick, and a customer asking whether the new messaging feature is live. Then the company grows. Users store documents. They message each other. Logs are kept. IP addresses sit in systems.
The signal has to become readable
That is the practical signal in the Ondernemersplein notice on eEvidence. From 18 August 2026, certain organisations providing digital services in or to the EU will have to handle European production orders and preservation orders for electronic evidence. The scope includes electronic communications services, online platforms, cloud or storage services, and organisations managing domain names or IP services.
The route changes
The eEvidence package consists of Regulation 2023/1543 and Directive 2023/1544. The Dutch implementation track under Kamerstuknummer 36905 concerns amendments to the Dutch Code of Criminal Procedure. For a business owner, the useful date is clear enough: 18 August 2026 is the moment to be ready for the business-facing duties.
The legal architecture matters because it changes the route. Under conditions, competent authorities in one EU member state may address certain orders directly to a provider’s designated establishment or appointed legal representative. The data may be stored somewhere else. The relevant evidence can include subscriber data, traffic data, and content data stored electronically by or on behalf of the provider.
Rijksoverheid has explained the pressure in plain terms. Providers may have to make digital data available within 10 days, or within 8 hours in urgent cases. Ten days can sound reasonable in a meeting. Eight hours sounds different when the data sits across production systems, backups, logs, and a cloud supplier.
Where small providers feel it
I read eEvidence less as a new legal label and more as a test of company discipline. The first question is not whether the founder has heard of the regulation. The first question is whether the company knows what kind of provider it actually is. The function decides the pressure, not the pitch deck.
What the signal changes
Return to the SaaS founder. Her customers use the platform to exchange files and messages. The company also keeps account records, login history, payment references, support tickets, and technical logs. None of this feels dramatic in daily work. It is just how the product runs.
If an order arrives, the company needs to know which data exists, where it sits, who can reach it, and who may decide what leaves the company. That last point is often where small businesses are fragile. Technical access and decision authority are not the same thing.
The order sits inside the control file
eEvidence does not replace the AVG. It sits beside it. Dutch government privacy guidance is clear that organisations must know which personal data they hold, what they do with it, and how they secure it. A lawful evidence route still needs careful selection. Urgency is not a reason to collect more data as a default or to make uncontrolled copies.
It also sits near cybersecurity work without being the same thing. CBS reported that in 2024, 4 percent of companies had at least one cyber incident caused by an external attack. In information and communication, the figure was 7 percent. The sharper number for small firms is the control gap.
In 2025, 86 percent of companies with 250 or more employees took 10 or more of 12 surveyed cybersecurity measures. Among companies with 2 to 10 employees, that share was 13 percent. Those measures include controls that matter for evidence handling too: access control, encryption, log storage, backups, monitoring, and risk analysis.
What founders should check
This is why eEvidence should not become a separate binder on a shelf. The same weak passwords, unclear admin rights, missing logs, and unmanaged suppliers that hurt security will also hurt evidence response. Other digital regimes may sit nearby, including the Digital Services Act and the Cyberbeveiligingswet path, but eEvidence asks its own narrower question.
The quiet work before August
For many Dutch providers, the sensible work is not spectacular. It is naming the responsible person, checking the receiving route, mapping data types, separating access from authority, and testing whether the company can preserve relevant data without touching unrelated customer data. Ondernemersplein also says affected organisations must register in the European Court Database so authorities can find them.
There is a cash side too. Legal review, technical mapping, supplier checks, logging changes, and out-of-hours escalation all cost time. They may not produce a new sales line. Still, they belong in the management view of the company. A provider that sells trust-sensitive digital services cannot price only storage, uptime, and features.
The founder in the opening scene does not need panic. She needs a route. If the company falls in scope, the question for tomorrow morning is simple enough to start. Who receives the order, who checks it, who freezes the data, who releases it, who logs the timeline, and who protects everyone else’s data while that happens?
That is the quiet lesson of eEvidence. Digital trust no longer ends with a working product. It continues into the server room, the access list, the supplier contract, the weekend roster, and the record of decisions. The companies that understand this early will not become bigger because of compliance. They will become steadier when compliance arrives.
Sources
- CBS source
- eEvidence verplicht bedrijven digitaal bewijs te verstrekken | Ondernemersplein
- Overheid.nl Wetgevingskalender – Current Dutch implementation status
- Rijksoverheid / open.overheid.nl – Core legal architecture of the eEvidence package
- Rijksoverheid / Ministry of Justice and Security – Response deadlines and internal process pressure
- Rijksoverheid – Criminal justice rationale and public-private implementation
- Rijksoverheid – Cyberbeveiligingswet / NIS2 overlap
- Overheid.nl Wetgevingskalender – Cyberbeveiligingswet legislative status and lower regulation
Referenced in the article
Column | Ledger & Tax
Box 3 Is Still Unfinished, So Private Wealth Needs Discipline
The 2028 reform is still moving, while 2026 cash and evidence already matter.
Column | Governance
A Dutch Online Meeting Still Has to Earn Its Decision
The adopted bill makes digital access possible, but valid decisions still need patient governance.
Column | Compliance
ACM’s Digital Signal Puts Platform Dependence on the Invoice
Small firms need proof of data access, cloud exits and platform decisions before pressure arrives.
The Polder is written for readers who need the Dutch business environment translated into practical meaning. Corrections, source policy and editorial accountability are part of the publication record.
