The European Union brands itself as a champion of quality of life through rigorous regulations that secure accessible healthcare, affordable education, and social securities. However, while most EU regulations aim to enhance personal freedoms and freedoms of member states, the recent European Commission proposal for Child Sexual Abuse Material (hereinafter CSAM)/chat control regulation is an outlier in this approach. Most notably, it makes EU data privacy more authoritarian in personal data management.[1]
According to research done by the Internet Watch Foundation, in the period between 2018 – 2022, severe child abuse material has almost doubled on the internet, stating that the majority of child sexual abuse reports originate from inside the EU.[2][3][4] Furthermore, the foundation mentions in its reports a need for EU regulations that will protect children.[5] During this time, in a bid to protect children from sexually abusive materials being circulated, inMay 2022, the European Commission made a proposal for a “Regulation to Prevent and Combat Child Sexual Abuse”. If implemented, the regulation would create a single EU-wide legal framework for detecting, reporting, and removing CSAM and for exposing online grooming of children.[6]
The proposal comes at a time when more importance is being given to digital privacy and who controls a user’s information. Furthermore, a group that is especially vulnerable to malicious attacks and sexual exploitation is children. This is why the European Commission’s proposal was made on the backdrop of the United Nations’ Committee on the Rights of the Child (CRC) 2021’s General Comment No. 25 that emphasises the protection of children in the digital space.[7]
Evolution of the Proposal
In its 2022 form, it was still vague in how it would protect children in the digital space, but after Sweden‘s Presidency in the Council of the European Union, it took on a more concrete form. The Swedish Presidency pushed for stricter online government control to combatCSAM, where the regulation (then referred to as Chat Control 2.0) would force tech companies such as WhatsApp, Instagram, and Google to detect and report illegal content, an action that they currently aren‘t legally required to do, but can volunteer to carry out.[8] This would force these tech companies to scan all private digital communications, including encrypted messages and photos of EU citizens, to find any potential connections to perpetrators, and failing to do so would risk a fine. The proposal faced overwhelming opposition from both regular citizens and stakeholders throughout Europe and beyond for its threats to fundamental privacy rights and digital security, with research indicating at the time that over 80% of respondents were against implementing the regulation in 2021.[9][10] This negative perception by the public quieted the proposal down for a while. However, after Denmark took over the mandate for the Presidency in the Council of the EU in July 2025, the push for this proposal would be characteristic for the Danish Presidency.
Why the Scandinavian EU member states are pushing hard for this proposal is uncertain. In Denmark, the current Minister of Justice, Peter Hummelgaard, a strong supporter of the CSAM proposal, cites multiple times the problem of criminals using encrypted messaging apps, questioning the right to use such messaging services in the first place.[11] One could argue that the governments spearheading the regulation efforts deem their countries‘ specific cultural framework and high institutional trust that information such as private communication would not be taken advantage of could be expanded on the European level.[12] However, the CSAM proposal has seen backlash even in Danish society, with a citizens‘ initiative reaching almost 60,000 signatories, as of the writing of this analysis, to reject the CSAM proposal.[13]
In November, however, after a meeting in the Council of the EU, a compromise was made by the Danish Presidency where the obligatory scanning would be dropped in favour of voluntary scanning of messages.[14] If codified under a voluntary basis, the proposal would give messaging services the option to voluntarily install automated chat monitoring software, but experts such as Carmela Troncoso warn that this could set the stage for expanding chat monitoring in the future, as well as the grounds to reconsider mandatory scanning at a later time.[15] Now, the European Parliament will decide whether the proposal as it is passes by the deadline set for April.
Child Protection vs Ramifications
The proposal has virtuous goals: an easier approach for authorities to find perpetrators of sexual exploitation of children and bring them to justice. However, the proposition, depending on the final form it takes, has a key flaw in order to work – it must eliminate or bypass end-to-end encryption.
End-to-end encryption (E2EE) is the safest security method, ensuring that whatever is being said in a private chat can only be read by both the sender and the recipient. E2EE functions by encrypting data on the sender’s device, and that data can only be decrypted on the recipient’s device, meaning no one other, including service providers, can access the messages or their contents. Allowing for full transparency between people and providers, knowing that their communication isn’t being followed or scanned at all times. Examples of messaging apps that utilize E2EE with the goal of enhancing security include Signal, WhatsApp, Messenger, etc. In July 2025, the Danish Presidency made a memo stating it’s against breaking end-to-end encryption, instead utilizing one-directional client-side scanning.[16] One-directional client-side scanning is when software scans the contents of a message before it is sent, and after the scanning is complete, it encrypts the contents of the message. While this seems like a good compromise in theory, in practice, it still undermines end-to-end encryption and maintains ways of being bypassed by serious criminals.[17]
The proposal not only risks trampling on the digital privacy of its citizens, but also risks undermining this internationally. While it’s still being debated in the European Parliament, we are seeing state-organized cyberattacks steadily rise in relevance and precision, with Russia’s Unit 29155 attacks on Estonia’s Digital Infrastructure and alleged Chinese Advanced Persistent Threat (APT) group attacks on US companies.[18][19] To implement this regulation, it would require the compromise mentioned above with one-directional client-side scanning, or the complete dismantling of E2EE for messaging platforms to ensure ease of access to private chats between its citizens. While the former still weakens data security, the latter option has even larger consequences, as it will only make malicious attacks in cyberspace by rivaling geopolitical actors much easier, undermining the European Union’s position on the global stage through constant digital disruptions, destruction of digital infrastructure, and theft of sensitive company and private data.
In addition to the complete breach of privacy and easier breaching capabilities for competing geopolitical state actors, weakening E2EE would also greatly assist rogue actors, such as hackers, to more easily obtain private information from unsuspecting people and use it as leverage to blackmail them for personal gain.
Taking into account the technological aspects of this proposal shared with the public, and of the leaked documents, the setbacks seem to outweigh the additional security granted for protection against child sexual exploitation, and won’t present a decisive blow to tech-savvy criminals in spreading CSAM. Denmark’s Presidency in the Council of the European Union lobbied hard for this proposal to go through, and it only lost to a last-minute German opposition.[20] Germany would, however, go back on this decision in November and ultimately support the proposal with a compromise dropping the obligatory scanning.[21]
Future Developments
As of the writing of this article there are already early reports available stating that the Danish Presidency was still preparing aditional edits to the proposal by turning the One-directional client-side scanning, or going back on the mandatory dismantling of E2EE (the dismantling of E2EE is not explicitly mentioned in the bill, but it is hinted by members of the Danish ruling government) into voluntary cooperation of companies with authorities (which is the current situation).[22] This would be a similar compromise as the one made by the European Parliament in 2023, where an order of targeted scanning of messages can occur, provided a court mandates it. This would be exclusive to persons or groups connected to sexual abuse.[23] Despite this, the Danish stance on the matter hasn’t compromised on limiting surveillance to only targeted persons. The proposal remains highly controversial, resulting in an even 33% split between those supporting CSAM, those opposing it, and those abstaining. Examples of countries in favour of the regulation include Spain, France, and Hungary, while those against it are Austria, Poland, and Finland. Countries such as Italy, Greece, and Romania are abstaining.[24] Furthermore, the beginning of 2026 means that the rotating Presidency is now inherited by Cyprus. Therefore, the final result of the proposal will be during the Cypriot Presidency. So far, the Cypriot Presidency’s stance on the matter is ambiguous. Notably, Cyprus (along with Denmark) started publicly backing a major initiative to protect minors online months before assuming the Presidency.[25]
The proposal is months away from being adopted, but its ramifications are worrisome if implemented. If a solution that bypasses E2EE is to be legalized, it risks severely undermining individual privacy and weakening digital infrastructure to the benefit of both geopolitical rivals and rogue actors while not being an effective solution to tech-savvy criminals. Implementing this regulation while maintaining cybersecurity needs will require massive compromises. Still, the most significant barrier that lawmakers must focus on remains the disruption of traditional E2EE, as it will irreparably dwindle the security of chat logs and communication.
[1] EUR-Lex. “Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL Laying down Rules to Prevent and Combat Child Sexual Abuse”. May 11, 2022. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A52022PC0209. Accessed 26.11.2025.
[2] IWF. “EU Still Hosts the Most Child Sexual Abuse Material in the World.” April 26, 2023. https://www.iwf.org.uk/news-media/news/eu-still-hosts-the-most-child-sexual-abuse-material-in-the-world. Accessed 27.11.2025.
[3] IWF. ‘Extreme’ Category A Child Sexual Abuse Found Online Doubles in Two Years. April 25, 2023. https://www.iwf.org.uk/news-media/news/extreme-category-a-child-sexual-abuse-found-online-doubles-in-two-years. Accessed 27.11.2025.
[4] The reader should keep in mind that this only indicates reported cases and does not necessarily reflect total cases.
[5] Ibid.
[6] Euronews. “Fact Check: Is the EU about to Start Scanning Your Text Messages?” September 11, 2025. Available at: https://www.euronews.com/my-europe/2025/09/11/fact-check-is-the-eu-about-to-start-scanning-your-text-messages. Accessed 02.11.2025.
[7] OHCHR. “General Comment No. 25 (2021) on Children’s Rights in Relation to the Digital Environment”. March 2, 2021. Available at: https://www.ohchr.org/en/documents/general-comments-and-recommendations/general-comment-no-25-2021-childrens-rights-relation. Accessed 01.11.2025.
[8] Politico. “A Wonk’s Guide to the Swedish EU Presidency Policy Agenda”. December 26, 2022. Available at: https://www.politico.eu/article/wonk-guide-sweden-eu-presidency-policy-agenda. Accessed 05.11.2025.
[9] Breyer, Patrick. n.d. “Chat Control: The EU’s CSAM Scanner Proposal“. https://www.patrick-breyer.de/en/posts/chat-control. Accessed November 28, 2025.
[10] European Commission. “Fighting Child Sexual Abuse: Detection, Removal and Reporting of Illegal Content Online“. https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12726-Child-sexual-abuse-online-detection-removal-and-reporting-/public-consultation_en. Accessed November 28, 2025.
[11] Tantholdt-Hansen, Julie. “Hummelgaard Vil Åbne En Bagdør Til Vores Telefoner – Og Vil Ikke Sige, Hvor Grænsen Går”. September 12, 2025. https://www.dr.dk/nyheder/politik/hummelgaard-vil-aabne-en-bagdoer-til-vores-telefoner-og-vil-ikke-sige-hvor-graensen. Accessed November 28, 2025.
[12] Holmberg, Sören, and Bo Rothstein. 2020. “Social Trust – The Nordic Gold?” University of Gothenburg, January. Page 17.
[13] Folketinget. “Nej Til EU’s “Masseovervågning” Beskyt Vores Privatliv, Digitale Sikkerhed Og Ytringsfrihed“. August 20, 2025. https://www.borgerforslag.dk/se-og-stoet-forslag/?Id=FT-21156. Accessed November 28, 2025.
[14] Clark, Sam. “EU Races to Pass New Law to Combat Online Child Abuse”. November 26, 2025. https://www.politico.eu/article/eu-speed-up-to-pass-chat-control-bill-online-child-sexual-abuse/. Accessed 08.12.2025.
[15] Troncoso, Carmela. “‘More Monitoring, but Not More Protection.’” Startseite – Max-Planck-Gesellschaft. November 26, 2025. Available at: https://www.mpg.de/25788438/chat-control-eu-client-side-scanning. Accessed 10.01.2026
[16] Council of the European Union. “Interinstitutional Files: 2022/0155 (COD)“. July 1, 2025. Page 4. https://data.consilium.europa.eu/doc/document/WK-9150-2025-INIT/en/pdf. Accessed 28.11.2025.
[17] For more information about one-directional client-side scanning, visit: https://www.eff.org/deeplinks/2019/11/why-adding-client-side-scanning-breaks-end-end-encryption
[18] Arntz, Pieter. “Americans Urged to Use Encrypted Messaging after Large, Ongoing Cyberattack.” Malwarebytes. December 5, 2024. Available at: https://www.malwarebytes.com/blog/news/2024/12/americans-urged-to-use-encrypted-messaging-after-large-ongoing-cyberattack. Accessed 04.11.2025.
[19] Council of the EU. “Cyber-Attacks: Three Individuals Added to EU Sanctions List for Malicious Cyber Activities against Estonia“. January 27, 2025. Available at: https://www.consilium.europa.eu/en/press/press-releases/2025/01/27/cyber-attacks-three-individuals-added-to-eu-sanctions-list-for-malicious-cyber-activities-against-estonia/. Accessed 04.11.2025.
[20] Smalley, Suzanne. “Germany Will Not Support ‘chat Control’ Message Scanning in the EU”. The Record. October 8, 2025. Available at: https://therecord.media/chat-control-eu-germany-will-not-support-law. Accessed 05.11.2025.
[21] Clark, Sam. “EU Races to Pass New Law to Combat Online Child Abuse”. November 26, 2025. https://www.politico.eu/article/eu-speed-up-to-pass-chat-control-bill-online-child-sexual-abuse/. Accessed 08.12.2025.
[22] Breyer, Patrick. “Half-Good New Danish Chat Control Proposal”. October 30, 2025. Available at: https://www.patrick-breyer.de/en/half-good-new-danish-chat-control-proposal. Accessed 05.11.2025.
[23] European Parliament. “Report on the Proposal for a Regulation of the European Parliament and of the Council Laying down Rules to Prevent and Combat Child Sexual Abuse: A9-0364/2023: European Parliament”. November 16, 2023. Available at: https://www.europarl.europa.eu/doceo/document/A-9-2023-0364_EN.html. Accessed 05.11.2025.
[24] Breyer, Patrick. “Chat Control: The EU’s CSAM Scanner Proposal”. October 30, 2025. Available at: https://www.patrick-breyer.de/en/posts/chat-control/#epmandate. Accessed 05.11.2025.
[25] News, Politis. 2025. “Cyprus to Champion Children’s Digital Safety Ahead of 2026 EU Presidency.” POLITIS. Politis. October 15, 2025. Available at: https://en.politis.com.cy/globe/globe-europe/962605/cyprus-to-champion-childrens-digital-safety-ahead-of-2026-eu-presidency. Accessed 10.01.2026.
