A great thanks goes to https://fightchatcontrol.eu/chat-control-overview for their simple visual summary.
When negotiations in the Council on the Child Sexual Abuse Regulation, known more often as Chat Control, intensified in the summer of 2025, public opposition surged across Europe. Citizens put pressure on their national governments to reject the proposal, in line with the decision of the European Parliament.
And as citizens’ resistance mounted, several Member States revised their positions in the Council. With Germany announcing its opposition in October 2025, negotiations on the proposal appeared to have fallen through.
Then, in July 2026, headlines suddenly announced that “Chat Control had passed the European Parliament.” For many, this came as a surprise. Had Parliament reversed its position? Had the proposal been revived? Not quite.
The confusion lies in the fact that there are actually two separate pieces of legislation referred to in mainstream debate as “Chat Control”. Chat Control 1.0 is a temporary legal framework, while Chat Control 2.0 involves a permanent Child Sexual Abuse Regulation that remains under negotiation.
Confounding the two obscures both what Parliament actually approved and the far more intrusive measure still waiting in the wings.
The Road to Chat Control
To understand the impetus for control of messenger-based communication, one has to go back to 2021.
It was then that the new EU privacy rules (the ePrivacy directive) came into force, and many online communication providers lost the legal basis that allowed them to voluntarily detect and report Child Sexual Abuse Material (CSAM) within their services. To prevent this work from stopping overnight, the European Union adopted Regulation (EU) 2021/1232, commonly referred to as Chat Control 1.0.
Importantly, this was always intended to be a temporary derogation. It gave providers a legal basis to continue voluntary detection while the European Commission prepared a permanent legislative framework.
That permanent framework arrived in May 2022 as the proposed Child Sexual Abuse Regulation (CSAR), better known as Chat Control 2.0.
From that point onwards, the European Union has had two simultaneous Chat Control pieces of legislation: one temporary and one permanent.
The Permanent Proposal
The permanent Chat Control 2.0 is intended to create a permanent EU framework for combating child sexual abuse online.
Its framework was first outlined in 2022 by Home Affairs Commissioner Ylva Johansson, proposing a regulation making the detection and reporting of child sexual abuse material a legal requirement for platforms, including an obligation to bypass end-to-end encryption.
This immediately became one of the most controversial digital rights proposals in EU history. In fact, the European Court of Human Rights ruled, in an unrelated case, that requiring degraded end-to-end encryption “cannot be regarded as necessary in a democratic society”.
The European Parliament adopted a significantly more privacy-protective negotiating position, with its Committee on Civil Liberties, Justice, and Home Affairs moving to remove indiscriminate chat control, seeking to only allow targeted surveillance and Parliament voting in favour of the protection of encrypted communications.
The Parliament’s position was remarkably consistent: any scanning of private communications should only occur where there are reasonable grounds for suspicion, it should require judicial authorisation, and should not apply to end-to-end encrypted communications.
The Council, meanwhile, pursued a different approach. The Danish Presidency in the second half of 2025 made passing this permanent regulation a priority, pushing hard for mandatory scanning of end-to-end encrypted communications (with convenient exemptions for politicians).
This is where the “Fight Chat Control” movement gained much of its prominence. Civil liberties and tech orgs across Europe put great pressure on EU Member States to oppose the proposal.
European Students For Liberty were at the forefront of this, with our members reaching out to MEPs, hosting discussions and launching petitions, most successfully in Malta, where I led the effort to collect over 1500 signatures in just 2 weeks.
In October 2025, Germany announced it would vote against mandatory suspicionless scanning. The Danish presidency was forced to drop obligatory detection orders and shifted to “voluntary” suspicionless detection and broad risk-mitigation duties, including mandatory age verification.
In November, the Council approved the softened Danish compromise, opening trilogue negotiations between the Council, Parliament and Commission, but never found common ground.
Despite progress on excluding mandatory age verification, the Council’s request to make suspicionless scanning permanent could not be agreed upon. Hence, Chat Control 2.0 has not been adopted, and talks continue under the incoming Irish presidency.
The Temporary Framework
The lack of agreement on the permanent proposal created a problem, as there was no existing legislation to protect against CSAM online. To fill the void, the EU proposed a temporary derogation in 2021, known as Chat Control 1.0. This measure did not require providers to scan private communications. Instead, it gave providers a legal basis to voluntarily search messages for the presence of child pornography, enabling mass surveillance without a warrant or judicial oversight.
Although end-to-end encryption was not directly threatened under the new law, providers could deploy “client-side scanning”, software capable of analysing messages, images, videos, or files before they are encrypted and sent, hence undermining many of the privacy guarantees users expect from end-to-end encrypted services.
In 2026, the Council Legal Service would go on to state that the “voluntary” scanning proposal still constitutes generalised scanning of communications and is incompatible with Article 7 of the EU Charter (right to privacy) without reasonable suspicion and prior judicial authorisation.
The regulation was originally due to expire in 2024 before being extended until April 2026 due to a lack of progress on the permanent proposal.
In March 2026, EP’s Committee surprisingly rejected the extension of this framework to 2028. Parliament then voted for a compromise: extend to 2027, but only with targeted and proportionate detection of known content, no end-to-end encrypted communications, and limiting scanning to suspected users or groups identified by the competent judicial authority.
Yet the Council refused to budge, and the extension talks collapsed. In response, Parliament rejected the extension together with the proposal of automated assessment of unknown photos and texts, with a one-vote majority. Even though Chat Control 1.0 expired in April (with some providers committing to continue scanning) and despite the Parliament’s rejection being final, the Council (making no progress on the permanent regulation) proposed a formally new law with identical content via an expedited procedure. At the helm of the effort is the EPP and President of the European Parliament Roberta Metsola.
It is this resurrection of the Chat Control 1.0 that was the subject of the 9th July vote. Although more MEPs voted in favour of rejecting the proposal, the motion failed because an absolute majority of 361 Members was required to block it. An amendment to restrict scanning to judiciary-identified suspects won 322 votes and missed the absolute majority as well, while an exemption for end-to-end encrypted services passed.
Chat Control 1.0 was adopted and set in force until 2028. Mass scanning will continue, even though a majority of the MEPs who voted wanted it stopped.
Where Do Things Stand Today?
Whether temporary or permanent, Chat Control represents one of the greatest threats to digital privacy that the European Union has ever considered. Both legislations seek to permit or facilitate the scanning of private communications, treating the confidential messages of millions of law-abiding citizens as fair game in the pursuit of criminals.
And despite the European Parliament repeatedly rejecting mass surveillance, substantially similar proposals continue to re-emerge through rushed-through new legislative texts and procedural manoeuvres, prolonging a debate that many believed had already been settled.