What Is Chat Control?
The EU's proposed regulation to combat child sexual abuse material (CSAM) through automated message scanning has become one of the most contentious digital rights debates in Europe. This guide explains what Chat Control is, how it works technically, where the legislation stands, and what it could mean for your privacy.
What Is Chat Control?
The term "Chat Control" was coined by digital rights activists and journalists to refer to a set of EU legislative measures aiming to combat the spread of child sexual abuse material (CSAM) and online grooming through automated analysis of user communications.
Two parallel tracks
The legislative framework has two separate paths. Chat Control 1.0 is a temporary, voluntary derogation from the ePrivacy Directive that allows companies to use detection technologies. Chat Control 2.0 is a proposed permanent regulation (CSAR) that would mandate risk assessments and potentially require detection orders for all applicable providers across the EU.
What it scans
Messages, images, videos and files transmitted through instant messaging, email, social media private chats and VoIP services.
Why it matters for privacy
For the first time, a major democratic jurisdiction is considering mandating that private communications be scanned before they are sent, creating technical mechanisms that critics argue fundamentally weaken end-to-end encryption for everyone.
Current status
The temporary regime (1.0) was extended until April 2028 in a controversial July 2026 vote. Trilogue negotiations on the permanent regulation (2.0) continue with deep divisions between the Parliament, Council and Commission.
How the Scanning Actually Works
The technical implementation of Chat Control depends on whether the service uses end-to-end encryption. Two fundamentally different approaches apply.
Server-Side Scanning
On platforms without end-to-end encryption, images, text and videos are analysed automatically on the company's servers before being delivered to the recipient or stored. This is technically simpler and already common for detecting known CSAM hashes.
- Applies toTraditional email, non-E2EE cloud storage, server-side platforms
- Technical impactNo change to existing encryption architecture
- Privacy concernProvider has access to all content by design
Client-Side Scanning
For services protected by end-to-end encryption (E2EE), the provider's servers cannot read content. To scan anyway, the proposal places detection software on the user's device itself — scanning the message just before it is encrypted for sending, or just after it is decrypted upon receipt.
- Applies toWhatsApp, Signal, Telegram, iMessage, ProtonMail, E2EE apps
- Technical impactCreates a scanning agent inside the trusted device boundary
- Privacy concernCritics say this structurally weakens the encryption model
Detection Methods
Споредување на хашови
Files are compared against international databases of known CSAM images and videos using unique digital fingerprints (hash values). Only pre-identified illegal content is flagged.
Класификација со ВИ
Machine learning classifiers and vision models trained to detect previously unseen illegal material, new CSAM content not yet registered in hash databases, and suspicious patterns in visual content.
Grooming Detection
Natural language processing (NLP) models trained to detect patterns of predatory behaviour in conversations. These algorithms analyse text for linguistic markers associated with the grooming process.
Key Events in the Chat Control Timeline
From the original proposal to the latest emergency vote, the path of this regulation has been marked by deep institutional divides and procedural controversy.
The European Commission publishes the official permanent regulation proposal COM(2022) 209, titled "Regulation to prevent and combat child sexual abuse." It proposes mandatory risk assessments and detection orders for all communication providers.
The European Parliament approves its negotiating mandate, explicitly rejecting mass scanning of encrypted communications and calling for detection orders to be limited to specific, court-authorised targets with reasonable suspicion.
The Council of the EU reaches a preliminary internal agreement that softens the explicit mandatory scanning language but retains generalised technical mitigation obligations, keeping the door open to client-side scanning requirements.
The European Parliament votes 311 against to 228 во корист на обновување на привременото дерогирање на Chat Control 1.0. Доброволниот режим на скенирање треба да истече на 3 април.
The ePrivacy derogation expires as scheduled. For approximately three months, voluntary scanning operates without its specific legal safe harbour under EU law.
Under the Cypriot Presidency, the fifth trilogue between the Commission, Parliament and Council takes place to negotiate the final text of permanent Chat Control 2.0. Key disagreements on encryption and scope remain unresolved.
In a fast-track emergency vote under Article 170, the European Parliament votes 314 against to 276 in favour of extension. Despite more votes against, the measure passes because 361 absolute votes were needed to block the Council's proposal. The voluntary scanning regime is restored and extended to April 3, 2028, pending formal ratification by member states within three months.
Which Services Are Affected?
The legal definitions under the European Electronic Communications Code cover a broad spectrum of everyday digital communication technologies.
Where EU Institutions Stand
The three main EU bodies are deeply divided on Chat Control, creating a legislative deadlock that has delayed consensus for years.
European Commission
Original proponent of the permanent regulation. Led initially by Home Affairs Commissioner Ylva Johansson. Argues voluntary tools are insufficient and a coordinated, technology-forward structure is needed to address the massive increase in online CSAM.
European Parliament
Majority opposed to indiscriminate scanning. Advocates for protecting end-to-end encryption, restricting detection orders to individuals with substantiated suspicion under prior judicial warrant, and eliminating mass automated surveillance.
Council of the EU
Deeply divided. France, Spain and the Cypriot Presidency push for broad detection capabilities. Germany formally stated in October 2025 it would vote against any framework that risks E2EE. Austria, Poland and the Netherlands have expressed serious objections.
Arguments For and Against
The public debate on Chat Control pits child protection against fundamental digital rights. Here are the main arguments on both sides.
+ In Favour
European Commission, child protection NGOs
Efficacy and urgency: Millions of CSAM files are distributed through digital platforms monthly. Automated analysis is argued to be the only method with sufficient scale and speed to identify distribution hubs and dismantle criminal networks.
Grooming prevention: Text scanning algorithms could intercept offenders in the early stages of contacting minors, before physical abuse occurs.
Corporate responsibility: Mandates large technology corporations to take a proactive role in child safety within their closed ecosystems.
– Against
Cybersecurity experts, digital rights advocates, tech industry
Backdoor за шифрирање: Скенирањето од страна на клиентот структурно го ослабува E2EE. Создавањето механизам за пристап пред шифрирање воведува безбедносни ранливости искористливи од злонамерни актери, сајбер-криминалци и авторитарни влади.
Mass surveillance: Intercepting and analysing all communications without suspicion of wrongdoing subverts the presumption of innocence and normalises mass surveillance.
False positives: AI detection systems have error rates. Innocent family photos (beach, bath) or legitimate conversations about sexual health could be flagged, sending private data to authorities.
Questionable effectiveness: Internal EU reports (COM(2025)740) found no statistically demonstrable link between voluntary scanning activities and increased convictions or effective rescues of minors compared to traditional targeted police investigation.
Frequently Asked Questions
Chat Control е неформалното име за законодателните иницијативи на ЕУ за борба против материјалите за сексуална злоупотреба на деца (CSAM) и онлајн вознемирување. Го опфаќа привремена доброволна мерка (Chat Control 1.0) и предложена постојана регулатива (Chat Control 2.0, официјално Регулативата CSAR) која би барала од давателите на дигитални комуникации да откриваат незаконска содржина преку автоматизирана анализа на пораки, датотеки и комуникации.
Chat Control 1.0 (Регулатива 2021/1232) е привремено дерогирање од Директивата за ePrivacy кое им дозволува — но не бара — на компаниите доброволно да распоредуваат технологии за откривање. Продолжен е до април 2028 година. Chat Control 2.0 (COM(2022) 209) е предложена постојана регулатива која би ги направила проценките на ризик задолжителни и ќе им даде овластување на властите да издаваат обврзувачки налози за откривање. Се уште е во преговори во трилог.
Критичарите тврдат дека скенирањето од страна на клиентот — единствениот технички изводлив начин за скенирање на E2EE содржина — создава структурна ранливост во моделот на шифрирање. Компјутерските научници и агенциите за безбедност предупредуваат дека секој механизам за скенирање пред шифрирање на уредите на корисниците може да биде пренаменет како backdoor од злонамерни актери, поткопувајќи ги безбедносните гаранции кои E2EE ги обезбедува на сите корисници, не само на оние за кои постои сомнение за неправилно понесување.
Оригиналното дерогирање истече на 3 април 2026 година, откако Парламентот гласаше против обновувањето на 26 март (311-228). На 9 јули 2026 година, по итна постапка по член 170 побарана од Кипарското претседателство, Парламентот повторно гласаше: 314 против продолжување, 276 за, 17 воздржани. Бидејќи итните постапки бараат 361 апсолутен глас (мнозинство од 720-те места) за да го блокираат предлогот на Советот, продолжувањето помина и покрај тоа што повеќе евро-пратеници беа против. Доброволниот режим на скенирање е обновен до 3 април 2028 година.
Client-side scanning places detection software on the user's device (phone, tablet, computer). Before a message is encrypted for sending — or immediately after it is decrypted upon receipt — the software analyses the content. Се користат три главни техники: (1) споредување на хашови со познати CSAM бази на податоци, (2) класификатори со ВИ и визиски модели за нов или непрепознаен незаконски материјал, и (3) алгоритми за обработка на природен јазик за откривање вознемирување во текстот на разговорот.
The regulations cover: instant messaging (WhatsApp, Signal, Telegram, iMessage), social media private chats (Instagram, Facebook Messenger, TikTok, X, Snapchat), email (Gmail, Outlook, ProtonMail), VoIP and video calling services, and — under the Chat Control 2.0 proposal — app stores, which would be required to verify user age and potentially restrict app downloads for users under 16.
Четири главни критики: (1) структурно го ослабува шифрирањето од крај до крај преку создавање механизам сличен на backdoor; (2) овозможува масовно следење на целото население без индивидуално сомнение, поткопувајќи ја презумпцијата на невиност; (3) системите за откривање со ВИ произведуваат лажни позитивни резултати кои можат да ги изложат приватните податоци на властите; и (4) внатрешна евалуација на ЕУ (COM(2025)740) не најде статистички докажлива врска помеѓу доброволното скенирање и зголемените осуди или ефикасно спасување на деца.
Заклучно со јули 2026 година, постојаната CSAR регулатива (Chat Control 2.0) сè уште е во преговори во трилог помеѓу Комисијата, Парламентот и Советот. Петтата сесија на трилог се одржа на 29 јуни 2026 година под Кипарското претседателство. Клучните несогласувања остануваат, особено околу опсегот на налозите за откривање, заштитата на шифрирањето од крај до крај и исклучоците за одредени категории на корисници.
Неодамнешните текстови за преговори на Советот од крајот на 2025 и средината на 2026 година вклучуваат предложени функционални исклучоци за одредени категории на персонал, вклучувајќи политичари, дипломати, полициски сили и воен персонал, повикувајќи се на причини за национална безбедност. Критичарите тврдат дека ова создава двостепен систем на приватност каде обичните граѓани имаат послаба заштита од владините службеници.
NOLO is a privacy-first AI assistant that believes in minimising data collection and protecting user privacy by design. We don't operate a messaging platform and are not directly subject to these regulations. However, we follow the debate closely because the technical mechanisms proposed — particularly client-side scanning — set precedents for how governments can mandate access to private communications. NOLO's own architecture (no account, no email, local-first history, zero data retention) reflects a commitment to the same privacy principles that Chat Control critics are defending.
Privacy isn't a feature. It's the foundation.
Chat Control represents a pivotal moment for digital privacy in Europe. The outcome of this debate will shape whether end-to-end encryption can survive as a meaningful privacy protection, or whether all digital communications become subject to automated surveillance by design. We built NOLO on the conviction that privacy should be the default, not an exception.
- No account, no email — your identity is an anonymous device ID
- Local-first history — conversations stored only in your browser
- Zero data retention — messages are answered then discarded server-side
- No training on your data — providers are contractually barred
- Transparent about what leaves your device — and what doesn't
Know your digital rights.
The Chat Control debate affects everyone who uses encrypted messaging. Understanding the proposals, the arguments, and the status of the legislation is the first step to making your voice heard.