NOLO
Можности Цени Споредба Транспарентност Chat Control ЧПП За нас
LEGISLATIVE ANALYSIS · JULY 2026

What Is Chat Control?

The EU's proposed regulation to combat child sexual abuse material (CSAM) through automated message scanning has become one of the most contentious digital rights debates in Europe. This guide explains what Chat Control is, how it works technically, where the legislation stands, and what it could mean for your privacy.

2021
Chat Control 1.0 adopted
2026
Extended to 2028
314
MEPs voted AGAINST
Позадина

What Is Chat Control?

The term "Chat Control" was coined by digital rights activists and journalists to refer to a set of EU legislative measures aiming to combat the spread of child sexual abuse material (CSAM) and online grooming through automated analysis of user communications.

Two parallel tracks

The legislative framework has two separate paths. Chat Control 1.0 is a temporary, voluntary derogation from the ePrivacy Directive that allows companies to use detection technologies. Chat Control 2.0 is a proposed permanent regulation (CSAR) that would mandate risk assessments and potentially require detection orders for all applicable providers across the EU.

What it scans

Messages, images, videos and files transmitted through instant messaging, email, social media private chats and VoIP services.

Why it matters for privacy

For the first time, a major democratic jurisdiction is considering mandating that private communications be scanned before they are sent, creating technical mechanisms that critics argue fundamentally weaken end-to-end encryption for everyone.

Current status

The temporary regime (1.0) was extended until April 2028 in a controversial July 2026 vote. Trilogue negotiations on the permanent regulation (2.0) continue with deep divisions between the Parliament, Council and Commission.

Технички механизам

How the Scanning Actually Works

The technical implementation of Chat Control depends on whether the service uses end-to-end encryption. Two fundamentally different approaches apply.

Server-Side Scanning

On platforms without end-to-end encryption, images, text and videos are analysed automatically on the company's servers before being delivered to the recipient or stored. This is technically simpler and already common for detecting known CSAM hashes.

  • Applies toTraditional email, non-E2EE cloud storage, server-side platforms
  • Technical impactNo change to existing encryption architecture
  • Privacy concernProvider has access to all content by design

Client-Side Scanning

For services protected by end-to-end encryption (E2EE), the provider's servers cannot read content. To scan anyway, the proposal places detection software on the user's device itself — scanning the message just before it is encrypted for sending, or just after it is decrypted upon receipt.

  • Applies toWhatsApp, Signal, Telegram, iMessage, ProtonMail, E2EE apps
  • Technical impactCreates a scanning agent inside the trusted device boundary
  • Privacy concernCritics say this structurally weakens the encryption model

Detection Methods

Споредување на хашови

Files are compared against international databases of known CSAM images and videos using unique digital fingerprints (hash values). Only pre-identified illegal content is flagged.

Класификација со ВИ

Machine learning classifiers and vision models trained to detect previously unseen illegal material, new CSAM content not yet registered in hash databases, and suspicious patterns in visual content.

Grooming Detection

Natural language processing (NLP) models trained to detect patterns of predatory behaviour in conversations. These algorithms analyse text for linguistic markers associated with the grooming process.

Законодавно патување

Key Events in the Chat Control Timeline

From the original proposal to the latest emergency vote, the path of this regulation has been marked by deep institutional divides and procedural controversy.

May 2022
Proposal Commission publishes CSAR regulation

The European Commission publishes the official permanent regulation proposal COM(2022) 209, titled "Regulation to prevent and combat child sexual abuse." It proposes mandatory risk assessments and detection orders for all communication providers.

November 2023
Parliament MEPs reject mass scanning of encrypted messages

The European Parliament approves its negotiating mandate, explicitly rejecting mass scanning of encrypted communications and calling for detection orders to be limited to specific, court-authorised targets with reasonable suspicion.

November 2025
Council Internal compromise reached

The Council of the EU reaches a preliminary internal agreement that softens the explicit mandatory scanning language but retains generalised technical mitigation obligations, keeping the door open to client-side scanning requirements.

March 26, 2026
Parliament Votes against extending 1.0

The European Parliament votes 311 against to 228 во корист на обновување на привременото дерогирање на Chat Control 1.0. Доброволниот режим на скенирање треба да истече на 3 април.

April 3, 2026
Expiry Chat Control 1.0 lapses

The ePrivacy derogation expires as scheduled. For approximately three months, voluntary scanning operates without its specific legal safe harbour under EU law.

June 29, 2026
Trilogue Fifth political trilogue session

Under the Cypriot Presidency, the fifth trilogue between the Commission, Parliament and Council takes place to negotiate the final text of permanent Chat Control 2.0. Key disagreements on encryption and scope remain unresolved.

July 9, 2026
Parliament Urgency procedure extends 1.0 to 2028

In a fast-track emergency vote under Article 170, the European Parliament votes 314 against to 276 in favour of extension. Despite more votes against, the measure passes because 361 absolute votes were needed to block the Council's proposal. The voluntary scanning regime is restored and extended to April 3, 2028, pending formal ratification by member states within three months.

Опфат

Which Services Are Affected?

The legal definitions under the European Electronic Communications Code cover a broad spectrum of everyday digital communication technologies.

Instant MessagingWhatsApp, Signal, Telegram, Viber, iMessage, Element
Social Media ChatsInstagram, Facebook Messenger, TikTok, X / Twitter, Snapchat
Email ProvidersGmail, Outlook, Yahoo Mail, ProtonMail
VoIP & Video CallsTelecommunications and calling platforms
App StoresThe permanent Chat Control 2.0 draft also covers app stores, requiring age verification for minors under 16 and enabling network blocking mechanisms
Институционални ставови

Where EU Institutions Stand

The three main EU bodies are deeply divided on Chat Control, creating a legislative deadlock that has delayed consensus for years.

European Commission

Original proponent of the permanent regulation. Led initially by Home Affairs Commissioner Ylva Johansson. Argues voluntary tools are insufficient and a coordinated, technology-forward structure is needed to address the massive increase in online CSAM.

European Parliament

Majority opposed to indiscriminate scanning. Advocates for protecting end-to-end encryption, restricting detection orders to individuals with substantiated suspicion under prior judicial warrant, and eliminating mass automated surveillance.

Council of the EU

Deeply divided. France, Spain and the Cypriot Presidency push for broad detection capabilities. Germany formally stated in October 2025 it would vote against any framework that risks E2EE. Austria, Poland and the Netherlands have expressed serious objections.

Дебатата

Arguments For and Against

The public debate on Chat Control pits child protection against fundamental digital rights. Here are the main arguments on both sides.

+ In Favour

European Commission, child protection NGOs

Efficacy and urgency: Millions of CSAM files are distributed through digital platforms monthly. Automated analysis is argued to be the only method with sufficient scale and speed to identify distribution hubs and dismantle criminal networks.

Grooming prevention: Text scanning algorithms could intercept offenders in the early stages of contacting minors, before physical abuse occurs.

Corporate responsibility: Mandates large technology corporations to take a proactive role in child safety within their closed ecosystems.

Against

Cybersecurity experts, digital rights advocates, tech industry

Backdoor за шифрирање: Скенирањето од страна на клиентот структурно го ослабува E2EE. Создавањето механизам за пристап пред шифрирање воведува безбедносни ранливости искористливи од злонамерни актери, сајбер-криминалци и авторитарни влади.

Mass surveillance: Intercepting and analysing all communications without suspicion of wrongdoing subverts the presumption of innocence and normalises mass surveillance.

False positives: AI detection systems have error rates. Innocent family photos (beach, bath) or legitimate conversations about sexual health could be flagged, sending private data to authorities.

Questionable effectiveness: Internal EU reports (COM(2025)740) found no statistically demonstrable link between voluntary scanning activities and increased convictions or effective rescues of minors compared to traditional targeted police investigation.

ЧПП

Frequently Asked Questions

Chat Control е неформалното име за законодателните иницијативи на ЕУ за борба против материјалите за сексуална злоупотреба на деца (CSAM) и онлајн вознемирување. Го опфаќа привремена доброволна мерка (Chat Control 1.0) и предложена постојана регулатива (Chat Control 2.0, официјално Регулативата CSAR) која би барала од давателите на дигитални комуникации да откриваат незаконска содржина преку автоматизирана анализа на пораки, датотеки и комуникации.

Chat Control 1.0 (Регулатива 2021/1232) е привремено дерогирање од Директивата за ePrivacy кое им дозволува — но не бара — на компаниите доброволно да распоредуваат технологии за откривање. Продолжен е до април 2028 година. Chat Control 2.0 (COM(2022) 209) е предложена постојана регулатива која би ги направила проценките на ризик задолжителни и ќе им даде овластување на властите да издаваат обврзувачки налози за откривање. Се уште е во преговори во трилог.

Критичарите тврдат дека скенирањето од страна на клиентот — единствениот технички изводлив начин за скенирање на E2EE содржина — создава структурна ранливост во моделот на шифрирање. Компјутерските научници и агенциите за безбедност предупредуваат дека секој механизам за скенирање пред шифрирање на уредите на корисниците може да биде пренаменет како backdoor од злонамерни актери, поткопувајќи ги безбедносните гаранции кои E2EE ги обезбедува на сите корисници, не само на оние за кои постои сомнение за неправилно понесување.

Оригиналното дерогирање истече на 3 април 2026 година, откако Парламентот гласаше против обновувањето на 26 март (311-228). На 9 јули 2026 година, по итна постапка по член 170 побарана од Кипарското претседателство, Парламентот повторно гласаше: 314 против продолжување, 276 за, 17 воздржани. Бидејќи итните постапки бараат 361 апсолутен глас (мнозинство од 720-те места) за да го блокираат предлогот на Советот, продолжувањето помина и покрај тоа што повеќе евро-пратеници беа против. Доброволниот режим на скенирање е обновен до 3 април 2028 година.

Client-side scanning places detection software on the user's device (phone, tablet, computer). Before a message is encrypted for sending — or immediately after it is decrypted upon receipt — the software analyses the content. Се користат три главни техники: (1) споредување на хашови со познати CSAM бази на податоци, (2) класификатори со ВИ и визиски модели за нов или непрепознаен незаконски материјал, и (3) алгоритми за обработка на природен јазик за откривање вознемирување во текстот на разговорот.

The regulations cover: instant messaging (WhatsApp, Signal, Telegram, iMessage), social media private chats (Instagram, Facebook Messenger, TikTok, X, Snapchat), email (Gmail, Outlook, ProtonMail), VoIP and video calling services, and — under the Chat Control 2.0 proposal — app stores, which would be required to verify user age and potentially restrict app downloads for users under 16.

Четири главни критики: (1) структурно го ослабува шифрирањето од крај до крај преку создавање механизам сличен на backdoor; (2) овозможува масовно следење на целото население без индивидуално сомнение, поткопувајќи ја презумпцијата на невиност; (3) системите за откривање со ВИ произведуваат лажни позитивни резултати кои можат да ги изложат приватните податоци на властите; и (4) внатрешна евалуација на ЕУ (COM(2025)740) не најде статистички докажлива врска помеѓу доброволното скенирање и зголемените осуди или ефикасно спасување на деца.

Заклучно со јули 2026 година, постојаната CSAR регулатива (Chat Control 2.0) сè уште е во преговори во трилог помеѓу Комисијата, Парламентот и Советот. Петтата сесија на трилог се одржа на 29 јуни 2026 година под Кипарското претседателство. Клучните несогласувања остануваат, особено околу опсегот на налозите за откривање, заштитата на шифрирањето од крај до крај и исклучоците за одредени категории на корисници.

Неодамнешните текстови за преговори на Советот од крајот на 2025 и средината на 2026 година вклучуваат предложени функционални исклучоци за одредени категории на персонал, вклучувајќи политичари, дипломати, полициски сили и воен персонал, повикувајќи се на причини за национална безбедност. Критичарите тврдат дека ова создава двостепен систем на приватност каде обичните граѓани имаат послаба заштита од владините службеници.

NOLO is a privacy-first AI assistant that believes in minimising data collection and protecting user privacy by design. We don't operate a messaging platform and are not directly subject to these regulations. However, we follow the debate closely because the technical mechanisms proposed — particularly client-side scanning — set precedents for how governments can mandate access to private communications. NOLO's own architecture (no account, no email, local-first history, zero data retention) reflects a commitment to the same privacy principles that Chat Control critics are defending.

Why This Matters to NOLO

Privacy isn't a feature. It's the foundation.

Chat Control represents a pivotal moment for digital privacy in Europe. The outcome of this debate will shape whether end-to-end encryption can survive as a meaningful privacy protection, or whether all digital communications become subject to automated surveillance by design. We built NOLO on the conviction that privacy should be the default, not an exception.

  • No account, no email — your identity is an anonymous device ID
  • Local-first history — conversations stored only in your browser
  • Zero data retention — messages are answered then discarded server-side
  • No training on your data — providers are contractually barred
  • Transparent about what leaves your device — and what doesn't
Try NOLO, no signup needed
Stay Informed

Know your digital rights.

The Chat Control debate affects everyone who uses encrypted messaging. Understanding the proposals, the arguments, and the status of the legislation is the first step to making your voice heard.