27 March 2026

EU Chat Control 2026: Why Encryption Backdoors Will Hit Businesses Too

502 cryptographers are warning, Signal threatens to exit the EU market, Germany’s Federal Constitutional Court has ruled parts of source telecommunications surveillance unconstitutional – and the EU is still negotiating chat control. The CSAR regulation is in trilogue, while the ePrivacy exception allowing voluntary scanning expires on April 3, 2026. What does this mean for companies relying on encrypted communication?

The debate is often framed as child protection versus privacy. For IT security teams, it’s more concrete: every legally mandated vulnerability in encryption is a vulnerability for everyone – including attackers.

TL;DR

  • Council agrees without scanning mandate: On November 26, 2025, the EU Council adopted a position without mandatory Detection Orders. Instead: risk assessment obligations and voluntary scanning. Germany led the blocking minority (EU Council press release).
  • Trilogue ongoing: Second trilogue on February 26, 2026; third on May 4; fourth on June 29 planned. The ePrivacy exception for voluntary scanning expires on April 3, 2026.
  • BVerfG Trojaner II (June 2025): Ruled parts of source telecommunications surveillance unconstitutional. Unwarranted mass surveillance of encrypted communication would likely fail under this standard.
  • Signal’s threat stands: Signal President Meredith Whittaker announced she would withdraw from the EU market if client-side scanning becomes mandatory (verified via X post, May 2024).
  • 502 scientists with expertise in cryptography and IT security call client-side scanning “technically unfeasible” and warn of vulnerabilities exploitable by hackers and hostile states.

Use of SOCKS5 proxies in Europe has surged by nearly 1,770 percent, according to Telecom Reseller – a clear sign that technically savvy users and businesses are already preparing. Anyone planning enterprise communication today must account for the possibility that encrypted messengers could come under regulatory pressure. This affects not just chat apps: encrypted email services, cloud storage with zero-knowledge encryption, and VPN providers could also fall under Detection Orders. The CSAR regulation deliberately defines “hosting services” and “interpersonal communication services” broadly.

Another aspect many companies overlook: liability. If a platform provider, after a Detection Order takes effect, implements scanning and – due to a software flaw or compromised update – leaks confidential corporate data to unauthorized third parties, who is liable? The platform that implemented the scanning mechanism? Or the legislator who mandated it? This question remains legally unresolved and will only be answered after the first incident – too late for the affected businesses.

This article explains what has been decided, what remains open, and what German companies should prepare for.

What the Council Decided – and What It Didn’t

After three years of negotiations, the EU Council adopted a common position on the CSAR regulation (Child Sexual Abuse Regulation) on November 26, 2025. The core of the compromise: No mandatory Detection Orders. Platform providers must conduct risk assessments and may scan voluntarily – but no one is legally required to scan messages before encryption.

Germany, as part of a blocking minority, had previously prevented adoption of an earlier draft that mandated scanning. Justice Minister Stefanie Hubig stated the government’s position clearly: unwarranted chat control is a taboo in a rule-of-law state. The Data Protection Conference, chaired by Berlin’s data protection officer Meike Kamp, explicitly urged the federal government to reject chat control.

502 cryptographers and security researchers signed an open letter against client-side scanning (source: CyberInsider, 2025).

But the compromise includes a review clause: The European Commission must assess within three years whether mandatory detection requirements are “necessary and feasible.” Privacy experts and the Electronic Frontier Foundation warn of mission creep – the backdoor for mandatory scanning remains embedded in the legal text.

The trilogue between Council, Parliament, and Commission has been ongoing since December 2025. The second session took place on February 26, with the third scheduled for May 4. A critical deadline: The ePrivacy exception currently enabling voluntary scanning legally expires on April 3, 2026. Without extension or new legislation, the legal basis will lapse.

Why Backdoors Don’t Work Technically

Client-side scanning means messages are scanned on the end device before encryption. It sounds like a compromise – encryption remains intact, scanning happens before. In practice, it’s the opposite: the scanning code on every device becomes a highly attractive attack target.

502 scientists with credentials in cryptography and security engineering have warned in an open letter that these measures are technically unfeasible and would undermine the security and privacy of all European citizens. Signatories include Cas Cremers (CISPA Helmholtz Center), Bart Preneel (KU Leuven), Carmela Troncoso (EPFL), and René Mayrhofer (JKU Linz).

The argument boils down to one sentence: A backdoor accessible only to “good” actors does not exist. Any mechanism granting access to law enforcement also grants access to hackers, spyware developers, and hostile intelligence agencies. History proves this: the NSA’s Clipper Chip from the 1990s – an encryption chip with built-in government access – failed in 1994 when Matt Blaze from AT&T Bell Labs demonstrated that the escrow mechanism could be manipulated.

The same debate is unfolding in Canada. Bill C-8, nearly identical to the failed Bill C-26, empowers the government to order telecom providers to lower encryption standards. The term “systemic vulnerability” is undefined in the legislation – a gap that reflects either intent or negligence, but is dangerous in either case. The Citizen Lab at the University of Toronto warns in a formal statement about the consequences for IT security. The pattern is global: governments attempt to force backdoors into encryption, cryptographers warn, courts intervene – and the pressure starts anew.

For CISOs and IT managers in DACH companies, the consequence is pragmatic: chat control is not decided, but not off the table. The review clause in the Council’s text keeps the option of mandatory scanning open. Anyone planning their communication infrastructure today should factor in this uncertainty – with an architecture flexible enough to switch to alternative providers or decentralized systems if needed. This isn’t alarmism. It’s risk management.

“Unwarranted mass surveillance, placing millions of EU citizens under general suspicion, is disproportionate.”
– Meike Kamp, Berlin Data Protection Officer / Chair of DSK (BfDI, October 2025)

BVerfG Trojaner II: The Constitutional Boundary

On June 24, 2025, the Federal Constitutional Court ruled in the “Trojaner II” decision (1 BvR 180/23) that parts of source telecommunications surveillance are unconstitutional and null and void. The court set clear limits on state interference in encrypted communication.

Key points: Source telecommunications surveillance (Quellen-TKÜ) may not be used for crimes punishable by less than three years’ maximum sentence. Access is only permitted to communications that could also have been captured under traditional telecommunications surveillance (synchronicity principle). And: both the secrecy of telecommunications (Art. 10 GG) and the IT fundamental right – the right to confidentiality and integrity of information technology systems – are affected.

This is directly relevant to the chat control debate. If the BVerfG already considers targeted source surveillance disproportionate for minor offenses, unwarranted mass surveillance of all encrypted messages would fail this standard even more clearly. The IT fundamental right, established in the 2008 online search ruling, protects the integrity of end devices – client-side scanning directly violates this integrity.

For German businesses, the ruling has direct implications. Companies using end-to-end encrypted communication – and according to Bitkom, 58 percent of firms with more than 20 employees do – operate on a constitutionally protected basis. An EU regulation forcing client-side scanning would likely be immediately challenged in Germany. The question is not whether, but when such a law ends up before the BVerfG or the CJEU.

What This Means for Companies

The consequences are not theoretical. If Detection Orders become mandatory in a later version of the regulation, they will affect all encrypted platforms: Microsoft Teams, Slack, Signal, WhatsApp – and any email solution with end-to-end encryption.

For compliance teams, three concrete risks emerge. First: internal communications – contract negotiations, M&A processes, personnel files, source code – would be automatically scanned, with a documented error rate in detection. False positives could transmit confidential corporate data to authorities without the company’s knowledge.

Second: differing requirements in the EU and the US make a unified global encryption architecture impossible. Companies would need to operate separate communication channels for EU and non-EU contexts.

Third: loss of trust. Signal President Meredith Whittaker has announced she would leave the EU market if client-side scanning becomes mandatory. For companies relying on Signal as a secure communication channel – and many do, especially in security – this would mean a direct loss of infrastructure.

Key dates in 2026:

  • April 3: ePrivacy exception expires
  • May 4: Third trilogue planned
  • June 29: Fourth trilogue (expected final)

Sources: Factually.co, EDRi, EU Council 2025-2026

What IT Security Teams Should Do Now

First: Document messaging infrastructure. Which encrypted channels does the company use? Signal, WhatsApp, Teams? Who communicates about what? This inventory is the foundation for any necessary adjustments.

Second: Review encryption policy. Which communications are end-to-end encrypted, and which only transport-encrypted? Under a mandatory Detection Order, E2EE communications would be affected – transport-encrypted ones would not. Understanding your own architecture is critical.

Third: Actively monitor regulatory developments. Trilogue negotiations continue until at least June 2026. Every company with a compliance department should monitor EDRi’s document collection and Council press releases.

Fourth: Evaluate alternative communication channels. If Signal actually exits the EU market, teams will need a secure alternative. Wire (Swiss provider), Threema (also Swiss), and Matrix/Element (decentralized, open source) are viable candidates – each with its own compliance profile.

The chat control debate reveals a fundamental pattern: regulation that weakens encryption weakens everyone – not just the target group. The BVerfG has marked the constitutional boundaries with the Trojaner II ruling. The 502 cryptographers have marked the technical boundaries. Whether politics respects these boundaries will be decided in the coming months.

One thing is certain: encryption is not a luxury or an obstacle to law enforcement. It is the foundation for confidential business communication, whistleblower protection, journalistic sources, and trust in digital infrastructure. Any attempt to weaken it undermines the entire system – confirmed by 502 scientists, confirmed by the BVerfG, and proven by the history of the Clipper Chip. The question is not whether encryption must be protected. The question is whether Europe understands that before it’s too late.

Frequently Asked Questions

What is EU chat control?

The CSAR regulation (Child Sexual Abuse Regulation) aims to require platform providers to scan their services for illegal content. Critics warn of mass surveillance of encrypted communication. The current Council text no longer includes mandatory Detection Orders, but contains a review clause.

Is chat control already decided?

No. The Council adopted a position in November 2025; trilogue negotiations with Parliament and Commission have been ongoing since December 2025. A final agreement is expected no earlier than summer 2026.

Will Signal leave the EU?

Signal President Meredith Whittaker has announced she would exit the EU market if client-side scanning becomes mandatory. Since the current Council text does not include a scanning mandate, Signal remains in the EU for now.

What does the BVerfG say about surveillance of encrypted communication?

The June 2025 Trojaner II ruling declares parts of source telecommunications surveillance unconstitutional. Unwarranted mass surveillance would likely fail under this standard, as both the secrecy of telecommunications and the IT fundamental right are affected.

What does chat control mean for businesses?

If mandatory Detection Orders are introduced, all encrypted platforms (Teams, Slack, Signal) would have to implement client-side scanning. False positives could transmit confidential corporate data to authorities without the company’s knowledge.

What is client-side scanning?

Messages are scanned on the end device before encryption. The scanning mechanism itself then becomes an attack target. 502 cryptographers have warned this undermines the security of all users.

Are there alternatives to Signal based in Switzerland?

Wire and Threema are Swiss providers with end-to-end encryption. Matrix/Element is decentralized and open source. All three would be less directly affected by an EU scanning mandate than US-based providers.

Proxy usage in Europe shows companies and users aren’t waiting for regulation. According to Telecom Reseller, SOCKS5 proxy use in Europe has increased by nearly 1,770 percent – an indicator that proactive countermeasures are already underway. The question is whether the EU will enforce a regulation that can be technically circumvented and is constitutionally challengeable – or whether it will respect the Council’s compromise: risk assessment instead of mass surveillance, prevention instead of backdoors.

About the author: Tobias Massow

A magazine by Evernine Media GmbH