EU Chat Control: What Companies Need to Know Now
502 cryptographers issued a warning, Signal threatened to exit the European market, and Germany’s Federal Constitutional Court struck down parts of “on-device” communications interception. Yet the EU continues negotiating chat surveillance rules. The CSAR Regulation is now in trilogue negotiations, and the ePrivacy exception permitting voluntary scanning expires on 4 April 2026. What does this mean for businesses relying on encrypted communication?
The debate is often framed as a battle between child protection and privacy. For cybersecurity teams, it’s far more concrete: any legally mandated weakness in encryption systems affects everyone – including attackers.
TL;DR
- Council agreed on no mandatory scanning: On 26 November 2025, the Council of the EU adopted a position with no mandatory detection orders. Instead: risk assessment obligations and voluntary scanning. Germany led the blocking minority (Council of the EU press release).
- Trilogues continue: The second trilogue is scheduled for 26 February 2026, the third for 4 May, and the fourth for 29 June. The ePrivacy exception for voluntary scanning expires on 4 April 2026.
- Federal Constitutional Court, “Trojaner II” ruling (June 2025): Declared parts of “on-device” communications interception unconstitutional and void. Mass, indiscriminate surveillance of encrypted communications would almost certainly fail under this standard.
- Signal’s threat remains active: Meredith Whittaker, Signal’s president, announced the company will exit the European market if client-side scanning becomes mandatory (confirmed via X post, May 2024).
- 502 internationally renowned cryptographers and security researchers deem client-side scanning “technically unfeasible” and warn of new vulnerabilities exploitable by hackers and hostile states.
According to Telecom Reseller, use of SOCKS5 proxies in Europe has surged nearly 1,770% – a clear signal that technically savvy users and enterprises are already taking preventive action. Anyone designing corporate communication infrastructure today must consider the possibility that encrypted messaging services will come under regulatory pressure. This doesn’t affect chat apps alone: end-to-end encrypted email services, zero-knowledge cloud storage, and VPN providers could also be implicated. The CSAR Regulation deliberately defines “hosting services” and “interpersonal communications services” very broadly.
Another issue many companies overlook: legal liability. Suppose a platform provider implements scanning after a detection order enters into force, and that scanning mechanism, because of a software bug or a compromised update, leaks confidential corporate data to unauthorized third parties. Who bears responsibility? The provider that implemented the scanning mechanism? Or the legislator who mandated it? This question remains legally unresolved – and won’t be clarified until the first incident occurs… far too late for affected businesses.
This article contextualises what has been agreed, what remains pending, and what German companies must prepare for.
What the Council agreed – and what it didn’t
After three years of negotiations, the Council of the EU adopted a common position on the CSAR Regulation (Regulation on Combating Child Sexual Abuse) on 26 November 2025. At its core: mandatory detection orders have been dropped. Platform providers must conduct risk assessments and may voluntarily scan – but no one will be legally compelled to inspect messages before encryption.
Germany, alongside a blocking minority, halted an earlier draft that did include mandatory scanning. Justice Minister Stefanie Hubig clearly articulated the government’s stance: mass, suspicionless chat surveillance violates the fundamental principles of a constitutional democracy. The German Data Protection Conference, chaired by Meike Kamp – Berlin’s Data Protection Commissioner – explicitly urged the federal government to reject chat control.
But the agreement contains a review clause: within three years, the European Commission must assess whether mandatory detection orders are “necessary and feasible.” Privacy experts and the Electronic Frontier Foundation warn of the risk of progressive scope creep – the backdoor for mandatory scanning remains explicitly preserved in the legal text.
The trilogue between the Council, Parliament, and Commission began in December 2025. The second meeting took place on 26 February; the third is scheduled for 4 May. A critical date: the ePrivacy exception currently permitting voluntary scanning legally expires on 4 April 2026. Without extension or new legislation, the legal basis vanishes.
Why backdoors don’t work technically
Client-side scanning means analysing messages directly on the user’s device – before they are encrypted. It appears to be a compromise: encryption remains intact, and scanning happens upstream. In practice, it’s precisely the opposite: the scanning code installed on every device becomes a highly attractive target for attackers.
502 scientists with recognised expertise in cryptography and security engineering warned in an open letter that such measures are technically unfeasible – and would undermine the security and privacy of all European citizens. Signatories include Cas Cremers (Helmholtz CISPA), Bart Preneel (KU Leuven), Carmela Troncoso (EPFL), and René Mayrhofer (JKU Linz).
The argument boils down to one sentence: There is no backdoor accessible only to “good actors.” Any mechanism granting law enforcement access also grants it to hackers, spyware vendors, and hostile intelligence services. History proves it: the NSA’s Clipper chip – a 1990s encryption system built with integrated state access – failed in 1994 when Matt Blaze of AT&T Bell Labs demonstrated its key escrow mechanism was manipulable.
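To make the trust-boundary argument concrete, here is an added example (constructed for this article, not code from Signal or any other messenger) that models an end-to-end encrypted client with a pre-encryption scan hook; the toy cipher, the SHA-256 fingerprint and the sample messages are all stand-ins. It shows that the server still learns nothing from the ciphertext, while what leaves the device in plaintext is decided entirely by whoever supplies the match list, not by the encryption.

```python
import hashlib
import hmac
import os

# Constructed model of an E2EE client with a "scan before encrypt" hook,
# written to show where plaintext flows; not code from any real messenger.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher (HMAC-SHA256 in counter mode) standing in for the
    # messenger's real E2EE so the example runs on the standard library only.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)
    return nonce + bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:12], blob[12:]
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))

def fingerprint(data: bytes) -> str:
    # Stand-in for a content/perceptual hash: plain SHA-256 of the message.
    return hashlib.sha256(data).hexdigest()

def send(key: bytes, plaintext: bytes, match_list: set, reports: list) -> bytes:
    # The hook runs on the device before encryption. A fingerprint hit copies
    # the plaintext to the reporting channel; the ciphertext is unaffected.
    if fingerprint(plaintext) in match_list:
        reports.append(plaintext)
    return encrypt(key, plaintext)

def run_demo() -> dict:
    key, server_key = os.urandom(32), os.urandom(32)
    contract = b"Draft M&A terms: offer EUR 40M, exclusivity until 2026-09-30"  # constructed
    baseline = {fingerprint(b"<constructed placeholder for a known illegal sample>")}
    before, after = [], []
    ct = send(key, contract, baseline, before)
    # A list update (bug, compromised update or policy change) adds the
    # contract's fingerprint; nothing about the encryption has to change.
    send(key, contract, baseline | {fingerprint(contract)}, after)
    return {
        "recipient_can_read": decrypt(key, ct) == contract,
        "server_can_read": decrypt(server_key, ct) == contract,
        "baseline_reports": len(before),
        "after_update_reports": len(after),
    }
```

The reporting path exists independently of the key material, which is why the cryptographers' letter treats the match list and its update channel, not the cipher, as the new attack surface.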
The same debate is unfolding simultaneously in Canada. Bill C-8 – nearly identical to the failed C-26 – authorises the Canadian government to order telecom operators to lower encryption standards via administrative decree. The term “systemic vulnerability” is undefined in the bill – a gap that may be intentional or negligent, but either way dangerous. The University of Toronto’s Citizen Lab has formally warned of the cybersecurity consequences. The pattern is global: governments attempt to impose backdoors in encryption systems; cryptographers sound the alarm; courts rein them in – and pressure begins anew.
For CISOs and IT leaders across DACH (Germany, Austria, Switzerland), the conclusion is pragmatic: chat control is not approved – but neither is it ruled out. The Council’s review clause keeps mandatory scanning on the table. Anyone designing communication infrastructure today must factor in this uncertainty – with an architecture flexible enough to migrate, if necessary, to alternative providers or decentralised systems. This isn’t alarmism. It’s risk management.
«Mass, indiscriminate surveillance – which subjects millions of EU citizens to blanket suspicion – is disproportionate.»
– Meike Kamp, Berlin Data Protection Commissioner / Chair of the German Data Protection Conference (BfDI, October 2025)
BVerfG “Trojaner II”: The constitutional limit
On 24 June 2025, Germany’s Federal Constitutional Court issued its “Trojaner II” ruling (1 BvR 180/23), declaring parts of “on-device” communications interception unconstitutional and void. The court set clear limits on state interference with encrypted communication.
Key conclusions: On-device interception may not be applied to offences punishable by less than three years’ imprisonment. Its use is restricted to communications that could also be intercepted using traditional telephone surveillance methods (the principle of synchronicity). Both the secrecy of telecommunications (Article 10 of the Basic Law) and the fundamental right to informational self-determination – the right to confidentiality and integrity of IT systems – are affected.
This is directly relevant to the chat control debate. If the Federal Constitutional Court already deems targeted on-device interception disproportionate for minor offences, then mass, indiscriminate surveillance of all encrypted messages would fail even more decisively under the same standard. The fundamental right to informational self-determination – established in the 2008 “data retention” ruling – protects the integrity of end-user devices – and client-side scanning precisely violates that integrity.
This ruling has direct economic consequences for Germany. Companies using end-to-end encrypted communication – including, per Bitkom, 58% of all firms with more than 20 employees – operate on a constitutionally protected foundation. A European regulation mandating client-side scanning would be immediately challenged in Germany. The question is not whether, but when, such a regulation would land before the Federal Constitutional Court – or the Court of Justice of the EU.
What this means for businesses
The consequences are not theoretical. If detection orders become mandatory in a future version of the regulation, they will affect all encrypted platforms: Microsoft Teams, Slack, Signal, WhatsApp – and any end-to-end encrypted email solution.
Compliance teams face three concrete risks. First: internal communications – contract negotiations, M&A processes, personnel files, source code – would be scanned automatically by detection methods with a documented false-positive rate. False positives could transmit confidential corporate data to authorities without the company’s knowledge or consent.
Second: divergent requirements between the EU and the United States make a uniform global encryption architecture impossible. Companies would need to manage separate communication channels for EU and non-EU contexts.
Third: Loss of trust. Meredith Whittaker, Signal’s president, has warned the company will exit the European market if client-side scanning becomes mandatory. For businesses relying on Signal as a secure channel – many, especially in cybersecurity – this would mean immediate infrastructure loss.
What IT security teams must do now
First: document your messaging infrastructure. Which encrypted channels does your company use? Signal, WhatsApp, Teams? Who communicates what – and with whom? This inventory forms the foundation for any future adjustments.
Second: review your encryption policy. Which communications use end-to-end encryption – and which rely solely on transport-layer encryption? Under mandatory detection orders, E2EE communications would be affected, but transport-only encryption would not. Understanding your own architecture is decisive.
Third: actively track regulatory developments. Trilogue negotiations will continue at least through June 2026. Every company with a compliance department should monitor EDRi’s document collection and Council press releases.
Fourth: evaluate alternative communication channels. If Signal does exit the European market, teams will need alternatives offering comparable security. Wire (Swiss provider), Threema (also Swiss), and Matrix/Element (decentralised and open-source) are strong candidates – all with distinct regulatory compliance profiles.
The chat control debate reveals a fundamental pattern: any regulation that weakens encryption weakens everyone – not just the intended target group. The Federal Constitutional Court set constitutional boundaries with “Trojaner II.” The 502 cryptographers set technical boundaries. Whether politics respects those boundaries depends on decisions made in the coming months.
One thing is clear: encryption is neither a luxury nor an obstacle to criminal investigations. It is the foundation of confidential business communication, whistleblower protection, journalistic source confidentiality, and trust in digital infrastructure. Every attempt to weaken it undermines the entire system – confirmed by 502 scientists, confirmed by the Federal Constitutional Court, and proven by the history of the Clipper chip. The question is not whether encryption must be protected. The question is whether Europe understands this – before it’s too late.
Frequently Asked Questions
What is the EU’s chat control?
The CSAR Regulation (Regulation on Combating Child Sexual Abuse) aims to compel platform providers to search for illegal content on their services. Critics warn of mass surveillance of encrypted communications. The Council’s current text no longer includes mandatory detection orders – but does contain a review clause.
Has chat control already been approved?
No. The Council adopted its position in November 2025; the trilogue with Parliament and the Commission began in December 2025. A final agreement is expected no earlier than summer 2026.
Would Signal leave the EU?
Meredith Whittaker, Signal’s president, has announced the company will exit the European market if client-side scanning becomes mandatory. As the Council’s current text imposes no such obligation, Signal remains in the market – for now.
What does the Federal Constitutional Court say about surveillance of encrypted communications?
The “Trojaner II” ruling, issued in June 2025, declared parts of on-device communications interception unconstitutional. Mass, indiscriminate surveillance would fail even more clearly under this standard – as it infringes both the secrecy of telecommunications and the fundamental right to informational self-determination.
What does chat control mean for businesses?
If mandatory detection orders are imposed, all encrypted platforms (Teams, Slack, Signal) would need to implement client-side scanning. False positives could send confidential corporate data to authorities without the company’s knowledge or consent.
What is client-side scanning?
Messages are analysed directly on the user’s device before encryption. The scanning mechanism itself thus becomes an attack target. 502 cryptographers have warned this undermines security for all users.
Are there Signal alternatives based in Switzerland?
Wire and Threema are Swiss-based providers offering end-to-end encryption. Matrix/Element is decentralised and open-source. All three would be less directly exposed to an EU scanning mandate than US-headquartered providers.
The surge in proxy usage across Europe shows businesses and users aren’t waiting for regulation to advance. According to Telecom Reseller, SOCKS5 proxy usage in Europe rose nearly 1,770% – a clear indicator that preventive action is already underway. The question is whether the EU will succeed in imposing a regulation that will be technically circumvented and constitutionally challenged – or whether it will honour the Council’s agreed compromise: risk assessment instead of mass surveillance, prevention instead of backdoors.