On Friday, September 12, 2025, EU Council members are asked to share their final position on the controversial child sexual abuse material (CSAM) scanning bill.
It has been a long ride, which started in May 2022 when the EU Commission first unveiled its Child Sexual Abuse Regulation (CSAR) proposal. The goal is ambitious – to make the online environment safer for kids by preventing the sharing of child sexual abuse material. Yet the proposed means of doing that, the scanning of private messages, has sparked a strong debate among political ranks and the tech industry alike.
After three years of failing to reach an agreement, the Danish Presidency unveiled the latest iteration of what’s become known as Chat Control[1] on July 1, 2025. For the first time, lawmakers appear to be close to getting the majority of countries on board. At the time of writing, 15 countries already support the proposal, six are undecided, and only six are against.
The Danish proposal introduces new obligations for all messaging services operating in Europe to scan users’ chats – even if they’re encrypted – in search of both known and unknown CSAM.
Crucially, the mandatory scanning is expected to occur directly on the device before messages get encrypted, targeting shared URLs, pictures, and videos. Only government and military accounts are excluded from the scope of the bill.
While acknowledging some of the improvements the Danish version has made, on Tuesday (September 9), over 500 cryptography scientists and researchers signed a letter[2] to warn the EU Council of the risks of agreeing to the proposal in its current form. This is the third time since 2022 that experts have urged against mandatory chat scanning. So, how did we get here? And what’s at stake?
Three years of failed attempts
As mentioned earlier, the EU Council has so far failed to craft a bill that could attract the necessary majority for submission to the Parliament for negotiations. Over a period of more than three years, various proposals have been made, as presidency after presidency attempted to find a compromise that could work for most countries.
Under the first version, all messaging software providers would be required to perform indiscriminate scanning of private messages to look for CSAM. The backlash was strong, with the European Court of Human Rights proceeding to ban all legal efforts to weaken the encryption[3] of secure communications in Europe.
In June 2024, Belgium proposed a new, more compromising text[4] to target only shared photos, videos, and URLs, with users’ permission. In February 2025, Poland tried to find a better compromise by making encrypted chat scanning voluntary[5] and classified as “prevention.”
Fast forward to July 2025, Denmark reintroduced Chat Control as a top legislative priority on its first day of Presidency. While the text keeps the Belgian approach of limiting scanning to URLs and multimedia files, many experts feel that it goes back to where it started – it reintroduces the indiscriminate scanning of unknown CSAM, too.
That’s most likely why former MEP for the German Pirate Party and digital rights jurist, Patrick Breyer, deemed the Danish proposal the “more radical version” so far, warning against the “intrusive and unreliable scanning” that the law will create. Other experts who talked to TechRadar also agree that, as it stands, the regulation is too far-reaching and likely ineffective.
Distinguishing between consensual and non-consensual abuse material is challenging, in fact, and even AI detection tech won’t help against false positives. Also, limiting the scanning to a certain part of the private messages could allow criminals to easily bypass detection, ultimately creating a false sense of security for both parents and children.
All of this, while irremediably breaking encryption for all. As Bart Preneel, a Belgian cryptographer, professor at Leuven University, and signatory of the September 9 open letter, explains, while the Danish proposal mentions the commitment to preserve end-to-end encryption protections, technology that can scan messages while preserving those protections simply does not exist.
“[Lawmakers] try to deny it, but encryption means that only the sender and receiver can see the message. If anybody has looked at it [even before getting encrypted], then you destroy the value offered by the encryption,” Preneel told TechRadar.
Why breaking encryption is a bad idea
Encryption[6] refers to the technical infrastructure that scrambles our online communications to prevent unauthorized access.
Encrypted messaging apps like Signal or WhatsApp, secure email providers like Proton Mail[7] and Tuta[8], and the best VPN[9] services all rely on end-to-end encryption to ensure our communications remain private between the sender and the receiver – end-to-end.
Law enforcement bodies, however, have long argued that this level of protection is an obstacle during investigations and have been pushing to create an encryption backdoor (in and out of the EU) for years.
Digital rights experts, cryptographers, and technologists keep fighting back against this idea, though, warning that a backdoor could cause more harm than good.
Do you know?
German encrypted mail provider, Tuta, is ready to drag the EU into Court[10] if the controversial Danish CSAM scanning bill becomes law. “We will not stand by while the EU destroys encryption,” says Matthias Pfau, CEO of Tuta Mail.
Talking to TechRadar, Director of Government Affairs and Advocacy at the Internet Society, Callum Voge, explains that the proposed “client-side scanning” system would not only violate people’s right to privacy and confidentiality, but also inevitably introduce new vulnerabilities that both law enforcement and cybercriminals will be able to exploit.
“This is a very big threat to national security in the EU. A weakness that the EU should not be creating at all,” said Voge. “Given the current geopolitical situation, we think governments should really be encouraging more encryption, not trying to weaken it, or undermine it.”
He’s certainly not alone in feeling this way. Both the Swedish Armed Forces[11] and the Netherlands Intelligence Agency[12] have stressed that circumventing encryption creates too great a national security risk, arguing that hostile nations would exploit new technologies to attack European users. Yet, while the Netherlands is currently opposing the bill in the Council, Sweden is among the supporters.
“What’s very telling of the Danish proposal is that government and military accounts are exempt from scanning. So, clearly [lawmakers] understand there’s a security risk, but they think that risk is acceptable for the public but not acceptable for themselves,” Voge added.
Beyond national security, concerns include the potential for indiscriminate surveillance against all EU citizens.
As Voge puts it, “If breaking encryption is like a letter going to the post office and someone rips it open and reads what’s inside, then client-side scanning is like someone reads the letter over your shoulder as you write it. Crucially, once the system is created, it’s very easy to expand it to scan for anything you want.”
Germany – the deciding factor
Friday is the day EU members need to share their final positions on the Danish Chat Control proposals. Another meeting with the EU Justice Minister is also set for October 14, but that’s just a formal sign-off, with the countries’ positions expected to remain unchanged.
If successful, the CSAR bill will finally land in the European Parliament to be discussed as part of the trilogue negotiations, alongside the EU Council and Commission.
Despite the list of countries opposing the law growing, support for Chat Control remains strong, with 15 countries supporting the proposal (including crucial members like France, Italy, and Spain) against six opposing the law (Austria, Belgium, the Czech Republic, Finland, the Netherlands, and Poland), and six still undecided (Germany, Estonia, Greece, Luxembourg, Romania, and Slovenia), according to the latest data.[13][14]
Among the latter group, Germany is thought to be the deciding factor – and it’s making Chat Control’s critics worried.
As Voge from the Internet Society explains, Germany is key because there’s a new government in charge. The previous government was indeed very pro-encryption – seeking to make encryption a legal right[15] at home, while strongly opposing mandatory scanning in the bloc. Yet, the new administration “is giving very mixed messages and no one can definitively say what’s going to happen on Friday,” Voge added.
What’s certain, however, is that Chat Control is far from being the only proposal threatening encryption protections in the EU.
Commenting on this point, Preneel told TechRadar: “There is enormous pressure to get access to encrypted data: it’s not only the CSAM case, there is also the ProtectEU[16] document. That’s the real debate, and I think that CSAM is used as an excuse to open the door.”
References
1. Chat Control (www.techradar.com)
2. 500 cryptography scientists and researchers signed a letter (www.techradar.com)
3. ban all legal efforts to weaken the encryption (www.techradar.com)
4. Belgium proposed a new, more compromising text (www.techradar.com)
5. encrypted chat scanning voluntary (www.techradar.com)
6. Encryption (www.techradar.com)
7. Proton Mail (www.techradar.com)
8. Tuta (www.techradar.com)
9. best VPN (www.techradar.com)
10. Tuta, is ready to drag the EU into Court (www.techradar.com)
11. Swedish Armed Forces (regeringen.se)
12. Netherlands Intelligence Agency (uk01.l.antigena.com)
13. list of countries opposing the law growing (www.techradar.com)
14. according to the latest data (fightchatcontrol.eu)
15. make encryption a legal right (www.techradar.com)
16. ProtectEU (www.techradar.com)