EU Chat Control 2026: How Encryption Backdoors Harm Businesses
502 cryptographers warn, Signal threatens EU market exit, Bundesverfassungsgericht declares parts of source TKÜ invalid, and EU continues negotiations on chat control. The CSAR regulation is in trilogue, the ePrivacy exception for voluntary scanning expires on April 3, 2026. What does this mean for companies that rely on encrypted communication?
Key Takeaways
- Council agrees without scanning mandate: On November 26, 2025, the EU Council adopted a position without mandatory detection orders. Instead, risk assessment obligations and voluntary scanning were introduced. Germany led the blocking minority (EU Council press release).
- Trilogue ongoing: Second trilogue on February 26, 2026, third on May 4, fourth on June 29. The ePrivacy exception for voluntary scanning expires on April 3, 2026.
- BVerfG Trojaner II (June 2025): Parts of the source TKÜ declared unconstitutional. Indiscriminate mass surveillance of encrypted communication is likely to fail at this scale.
- Signal threat: Signal President Meredith Whittaker announced that the company would leave the EU market if client-side scanning becomes mandatory (verified via X-post, May 2024).
- 502 scientists: With credentials in cryptography and IT security, they describe client-side scanning as “technically infeasible” and warn of vulnerabilities for hackers and hostile states.
The use of SOCKS5 proxies in Europe has increased by almost 1,770 percent according to Telecom Reseller – a clear signal that technically savvy users and companies are already preparing. Any company planning enterprise communication today must factor in the possibility that encrypted messengers will come under regulatory pressure. This affects not only chat apps: Encrypted email services, cloud storage with zero-knowledge encryption, and VPN providers could also be subject to detection orders. The CSAR regulation explicitly defines “hosting services” and “interpersonal communication services” broadly.
Another aspect many companies overlook: The liability issue. If a platform provider implements scanning after a detection order comes into force and, due to a software error or compromised update, leaks confidential corporate data to unauthorized third parties – who is liable? The platform provider that implemented the scanning mechanism? Or the legislator who enforced it? This legal question remains unresolved and will only be answered after the first incident – too late for the affected companies.
This article outlines what has been decided, what remains open, and what German companies should prepare for.
What the Council Has Decided – and What It Hasn’t
The debate is often framed as child protection versus privacy. For IT security teams, it’s more concrete: any legally mandated vulnerability in encryption is a vulnerability for everyone, including attackers.
After three years of negotiations, the EU Council adopted a joint position on the CSAR Regulation (Child Sexual Abuse Regulation) on November 26, 2025. The core of the compromise: No mandatory detection orders. Platforms must conduct risk assessments and can scan voluntarily – but no one will be legally required to scan messages before encryption.
Germany, along with a blocking minority, had earlier stopped a draft that mandated scanning. Justice Minister Stefanie Hubig clearly stated the government’s position: indiscriminate chat control is a taboo in a constitutional state. The Data Protection Conference, chaired by Berlin’s Data Protection Officer Meike Kamp, explicitly called on the federal government to reject chat control.
However, the compromise includes a review clause: The EU Commission must review within three years whether detection mandates are “necessary and feasible.” Privacy experts and the Electronic Frontier Foundation warn of mission creep – the legal text retains the option for mandatory scanning.
The trilogue between the Council, Parliament, and Commission has been ongoing since December 2025. The second meeting took place on February 26, and the third trilogue is scheduled for May 4. A critical deadline: The ePrivacy exemption, which currently allows voluntary scanning under law, expires on April 3, 2026. Without an extension or new law, the legal basis will disappear.
Why Backdoors Technically Do Not Work
Client-side scanning means: Messages are scanned on the end device before they are encrypted. This sounds like a compromise – the encryption remains intact, and the scanning occurs before encryption. In practice, it’s the opposite: The scanning code on every end device becomes an attractive target for attackers.
502 scientists with credentials in cryptography and security engineering have warned in an open letter: The measures are technically unfeasible and would undermine the security and privacy of all European citizens. Among the signatories: Cas Cremers (CISPA Helmholtz Center), Bart Preneel (KU Leuven), Carmela Troncoso (EPFL), and René Mayrhofer (JKU Linz).
The argument can be reduced to a single sentence: There is no backdoor that is only accessible to “good” actors. Any mechanism that gives law enforcement access also gives hackers, spyware developers, and hostile intelligence agencies access. History bears this out: The NSA’s Clipper Chip from the 1990s – an encryption chip with built-in government access – failed in 1994 when Matt Blaze of AT&T Bell Labs demonstrated that the escrow mechanism was manipulable.
The same debate is running parallel in Canada. Bill C-8, which is almost identical in content to the failed Bill C-26, authorizes the government to order telecom providers to lower encryption standards. The term “systemic vulnerability” is not defined in the legislation – a gap that is either intentional or due to negligence, in either case it is dangerous. The Citizen Lab at the University of Toronto warns in a formal statement of the consequences for IT security. The pattern is global: Governments attempt to enforce backdoors in encryption, cryptographers warn, courts intervene – and the pressure comes from the top.
For CISOs and IT leaders in DACH companies, the consequence is practical: Chat control is not decided, but it is not off the table either. The review clause in the council text keeps the option for mandatory scanning open. Anyone planning their communication infrastructure today should factor in this uncertainty – with an architecture that is flexible enough to switch to other providers or decentralized systems if needed. This is not panic-mongering. It is risk management.
“Unjustified mass surveillance that puts millions of EU citizens under general suspicion is disproportionate.”
– Meike Kamp, Datenschutzbeauftragte Berlin / DSK-Vorsitzende (BfDI, October 2025)
BVerfG Trojaner II: The Constitutional Limits
On June 24, 2025, the Federal Constitutional Court (BVerfG) with the “Trojaner II” decision (1 BvR 180/23) declared parts of source telecommunication surveillance unconstitutional and null and void. The court drew clear boundaries for state intervention in encrypted communication.
The key statements: Source TKÜ (telecommunication surveillance) may not be used for crimes that carry a maximum sentence of less than three years. Access is only permitted to communication that would also have been captured by classical telecommunication surveillance (synchronization principle). And: Affected are both the secrecy of telecommunications (Article 10 GG) and the IT fundamental right – the right to confidentiality and integrity of information technology systems.
For the chat control debate, this is directly relevant. If the BVerfG already deems source TKÜ for minor crimes as disproportionate, then unjustified mass surveillance of all encrypted messages at this scale would likely fail even more. The IT fundamental right from the 2008 online search ruling protects the integrity of end devices – client-side scanning violates exactly this integrity.
For the German economy, the decision has direct implications. Companies that use end-to-end encrypted communication – and according to Bitkom, this is 58 percent of all companies with more than 20 employees – operate on a constitutionally protected basis. An EU regulation that mandates client-side scanning would likely be challenged in Germany immediately. The question is not whether, but when such a law would end up before the BVerfG or the ECJ.
What This Means for Businesses
The consequences are not theoretical. If Detection Orders become mandatory in a later version of the regulation, they will affect all encrypted platforms: Microsoft Teams, Slack, Signal, WhatsApp – and any email solution with end-to-end encryption.
For compliance teams, three concrete risks emerge. First: Internal communication – contract negotiations, M&A processes, personnel files, source code – would be automatically scanned, with a proven error rate in detection. False positives could inadvertently disclose confidential corporate data to authorities.
Second: Differing requirements in the EU and the U.S. make a unified global encryption architecture impossible. Companies would need to maintain separate communication channels for EU and non-EU contexts.
Third: The erosion of trust. Signal President Meredith Whittaker has announced plans to withdraw from the EU market if client-side scanning becomes mandatory. For companies that rely on Signal as a secure communication channel – particularly in the security sector – this would directly impact their infrastructure.
What IT Security Teams Should Do Now
First: Document your messenger infrastructure. Which encrypted channels does your company use? Signal, WhatsApp, Teams? Who communicates through which platform? This inventory is the foundation for any adjustments that may be needed.
Second: Review your encryption policies. Which communication is end-to-end encrypted, and which is only transport-encrypted? If a Detection Order mandate were to take effect, E2EE communication would be affected – transport-encrypted communication would not. Understanding your own architecture is critical.
Third: Actively monitor regulatory developments. The trilogue negotiations are scheduled to continue until at least June 2026. Any company with a compliance department should have the EDRi document collection and council press releases on their radar.
Fourth: Evaluate alternative communication channels. If Signal were to leave the EU market, Teams would need an alternative with comparable security levels. Wire (Swiss provider), Threema (also Switzerland), and Matrix/Element (decentralized, open source) are candidates – all with their own compliance profiles.
The encryption control debate reveals a fundamental pattern: Regulation that weakens encryption weakens everyone – not just the target group. The BVerfG has marked the constitutional boundaries with the Trojaner-II decision. The 502 cryptographers have marked the technical boundaries. Whether politics respects these boundaries will be determined in the coming months.
One thing is clear: Encryption is not a luxury and not an obstacle to law enforcement. It is the foundation of confidential business communication, whistleblower protection, journalistic sources, and trust in digital infrastructure. Any attempt to weaken it weakens the entire system – a fact confirmed by 502 scientists, the BVerfG, and the history of the Clipper Chip. The question is not whether encryption needs to be protected. The question is whether Europe understands this before it’s too late.
Frequently Asked Questions
Every question is locked. A tap unlocks the answer.
What is the EU Chat Control?
The CSAR Regulation (Child Sexual Abuse Regulation) aims to obligate platform providers to scan their services for illegal content. Critics warn that this could lead to mass surveillance of encrypted communications. The current draft no longer includes mandatory detection orders but retains a review clause.
Is the Chat Control already decided?
No. The Council adopted a position in November 2025, and the trilogue with the Parliament and Commission has been ongoing since December 2025. A final agreement is expected by summer 2026 at the earliest.
Would Signal leave the EU?
Signal President Meredith Whittaker has announced that the company would exit the EU market if client-side scanning becomes mandatory. Since the current draft does not include such a requirement, Signal remains in the EU for now.
What does the BVerfG say about monitoring encrypted communications?
The Trojaner-II decision of June 2025 declares parts of source telecommunication surveillance unconstitutional. Indiscriminate mass surveillance is likely to fail at this scale, as both telecommunications secrecy and the right to privacy are affected.
What does the Chat Control mean for businesses?
If mandatory detection orders are introduced, all encrypted platforms (Teams, Slack, Signal) would need to implement client-side scanning. False positives could inadvertently send confidential business data to authorities without the company’s knowledge.
What is Client-Side Scanning?
Messages are scanned on the device before they are encrypted. The scanning mechanism itself becomes a target. 502 cryptographers have warned that this undermines the security of all users.
Are there alternatives to Signal in Switzerland?
Wire and Threema are Swiss providers with end-to-end encryption. Matrix/Element is decentralized and open source. All three would be less directly affected by an EU scanning mandate than US-based providers.
The use of proxies in Europe indicates that businesses and users are not waiting for regulation. According to a telecom reseller, SOCKS5 proxy usage in Europe has increased by nearly 1,770% – an indicator that proactive measures are being taken. The question is whether the EU will enforce a regulation that can be bypassed technically and is constitutionally challengeable – or whether it will respect the Council’s text compromise: risk assessment instead of mass surveillance, prevention instead of backdoors.
Editor’s Reading Tips
- Copilot as a Security Risk: When the AI Assistant Leaks Corporate Secrets
- Passkeys 2026: Why the Password is Dying
- Supply Chain Attack on Trivy
Editor’s Picks
Editor’s PickCopilot Security Risk: When AI Assistant Leaks Corporate SecretsEditor’s PickTrivy Supply-Chain Attack: Scanner Weaponized
Further reading
Weakest Supplier Opens Critical Facility
The KRITIS roof law makes supplier reliability a mandatory duty for operators. Governance roadmap to registration.
The concentration risk no supplier audit sees
Why single audits miss concentration risk and how a board steers concentration and fourth-party risk.
When Attackers Are Faster Than the Patch
Between disclosure and exploitation of a vulnerability, only days often pass today. The State of Vulnerabilities Report 2026 reveals what matters now.

