EU Chat Control is the commonly used name for the Child Sexual Abuse Regulation (CSAR), a European Commission proposal from May 2022 that would require messenger providers to scan user content for known and novel child-sexual-abuse material. I think the technical reality the debate keeps dancing around is this: the requirement means client-side scanning, mathematically incompatible with E2EE as I implement it in MLS, and as Signal implements it in the Signal Protocol. As of April 2026 the proposal has not passed; it has been blocked in the Council by a coalition led by Germany, Poland, the Netherlands, Austria and the Czech Republic. I incorporated UmbrellaX in Kazakhstan, outside the regulation’s direct legal reach. Signal and Threema have said they would withdraw from the EU rather than implement client-side scanning, and I would do the same.
| Aspect | Detail |
|---|---|
| Full legal name | Regulation laying down rules to prevent and combat child sexual abuse (CSAR) |
| Informal name | Chat Control |
| Proposed | 20 May 2022 by the European Commission |
| Proposing commissioner | Ylva Johansson (Sweden) |
| Core requirement | Mandatory scanning of private messenger content for CSAM |
| Technical mechanism | Client-side scanning before encryption |
| Council vote threshold | Qualified majority: 15 of 27 member states representing at least 65% of EU population |
| Latest blocked vote | October 2024 and March 2025, further delays through 2026 |
| Opposition coalition | Germany, Poland, Netherlands, Austria, Czech Republic, Slovakia, Finland (varies) |
| Support coalition | France, Spain, Italy, Belgium, Denmark, Ireland (varies) |
| Industry stance | Signal, Threema: would leave EU market. WhatsApp: oppose. Apple: previously withdrew its own similar CSAM scanner |
| Interim workaround | Voluntary derogation renewed annually since 2021 |
Below: what the proposed regulation actually requires, why E2EE protocols cannot comply without being rewritten, the political timeline through April 2026, and how UmbrellaX is positioned.
What Chat Control proposes
The CSAR text, filed as COM(2022) 209 final, has two categories of obligations. The first is procedural: messenger and hosting providers must carry out a risk assessment, publish a transparency report, and cooperate with a new EU Centre on Child Sexual Abuse. I have read this category line by line and I do not find anything controversial in it on its own.
The second category is what the whole debate is about. Under a detection order issued by a competent authority, a provider would be required to scan user content for three categories of material: known CSAM images matched against a hash database, novel CSAM identified by an AI classifier, and “grooming” conversations detected through a text-classification model. On an E2EE messenger, that scanning has to happen on the user’s device before encryption, because the server cannot see plaintext. That is what “client-side scanning” means in practice, and I want it named clearly because the debate has been muddied by people who I think benefit from the muddling.
Detection orders can be targeted at a specific user or at a service-wide class of users. The draft text gives judges significant latitude in scope. Orders are time-limited but renewable, which is the part I find genuinely worrying.
Matches trigger a report to the EU Centre, which forwards to national authorities and law enforcement. The AI-classifier paths have documented false-positive rates, and one of the strongest technical criticisms (which I share) is that the scale of scanning multiplied by even a low false-positive rate produces a volume of false reports that overwhelms child-protection investigators and dilutes real cases.
Why it breaks E2EE at the protocol level
E2EE in MLS or the Signal Protocol has a specific property I had to design my implementation around: no third party, including the provider, holds a key that can decrypt the content. Client-side scanning is effectively a key that decrypts the content, implemented as code on the device rather than on the server. The material effect is the same. An adversary who can compel the scanning logic to change (a judge who quietly adds new keyword triggers, for example) can read anything the scanning logic is reading, which in the limit is everything you write on your phone.
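The argument above as an added sketch, not code from this post, UmbrellaX, MLS or Signal: a send path where the scan sees plaintext before encryption, so changing the rule set changes what leaves the device while keys and cipher stay untouched. `ScanningClient`, `hash_rule` and `keyword_rule` are hypothetical names, the messages are constructed, and a one-time pad stands in for the real E2EE layer.

```python
import hashlib
import secrets

def encrypt(plaintext: bytes):
    """Stand-in for the E2EE layer: a one-time pad, NOT MLS or the Signal Protocol."""
    key = secrets.token_bytes(len(plaintext))
    return key, bytes(p ^ k for p, k in zip(plaintext, key))

def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return bytes(c ^ k for c, k in zip(ciphertext, key))

def hash_rule(blocklist):
    """Match known content by exact SHA-256 (a simplification of hash-database matching)."""
    return lambda msg: hashlib.sha256(msg).hexdigest() in blocklist

def keyword_rule(words):
    """Match any message containing one of the given byte strings."""
    return lambda msg: any(w in msg.lower() for w in words)

class ScanningClient:
    def __init__(self, rules):
        self.rules = list(rules)   # supplied from outside the device, replaceable at any time
        self.reports = []          # plaintext that leaves the device outside the E2EE channel

    def send(self, plaintext: bytes):
        # The scan runs on plaintext, before the encryption layer is reached.
        if any(rule(plaintext) for rule in self.rules):
            self.reports.append(plaintext)
        return encrypt(plaintext)  # (key, ciphertext); only the ciphertext reaches the server

def demo():
    flagged = b"constructed sample of listed content"
    blocklist = {hashlib.sha256(flagged).hexdigest()}
    message = b"Meet the source at the courthouse at 9"  # constructed, not on the list

    client = ScanningClient([hash_rule(blocklist)])
    client.send(message)
    before = list(client.reports)   # declared use only: nothing is reported

    # The rule set is extended; keys and the encryption code are unchanged.
    client.rules.append(keyword_rule([b"courthouse"]))
    key, ct = client.send(message)
    after = list(client.reports)    # the same message now leaves the device in plaintext

    return before, after, decrypt(key, ct) == message, ct != message
```

The ciphertext is as opaque to the server after the rule change as before it; the disclosure happens entirely in `reports`, which the encryption layer never touches.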
This is not a philosophical argument; it is the position of the overwhelming majority of cryptographers who responded to the proposal. The strongest piece of work here is the “Bugs in our Pockets” paper by Abelson, Anderson, Bellovin, Benaloh and a long list of co-authors, 2021. It walks through, line by line, why client-side scanning cannot be bounded to a single declared use, and I have re-read it more times than I can count. The 2023 open letter by 500+ cryptographers reached the same conclusion: a system that scans plaintext before encryption is not an E2EE system, regardless of marketing terms. The EU’s draft confuses encryption with content moderation, and I think that confusion is the load-bearing weakness of the whole bill.
Signal’s Meredith Whittaker has stated publicly that Signal would leave the EU rather than implement client-side scanning. Threema and WhatsApp have made similar statements. I respect Whittaker’s stance, and my position is identical. Apple, which had prototyped a similar CSAM scanner for iCloud in 2021, formally abandoned it in December 2022 citing exactly these concerns.
I respect commissioner Ylva Johansson’s stated motive, which is to protect children, and I do not doubt the motive is sincere. Where I disagree with her, openly and on the record, is on the technical claim that client-side scanning preserves E2EE. It does not, and I have not seen any cryptographer offer a credible argument that it does. I had a real choice when I structured UmbrellaX. I could have set up in Estonia or Germany and many people advised me to. I picked Kazakhstan because I refuse to operate a messenger under a regime mandating the opposite of what I promised users, and because Kazakhstan has no MLAT with the US covering communications surveillance.
The political timeline
The proposal entered the Council of the EU in May 2022. The European Parliament formed its position in November 2023, removing mandatory scanning of encrypted messengers from its version of the text. The trilogue between Commission, Council and Parliament cannot conclude until the Council agrees its general approach, which requires a qualified majority vote, and that is the maths I have been watching for almost three years now.
Four Council votes have been scheduled and withdrawn since 2023. The pattern is consistent. The rotating Council presidency proposes a compromise text, counts the votes, finds the qualified majority is not there, and withdraws the item before a formal ballot that would record the no-result publicly. The most recent serious attempt was under the Danish presidency in late 2024 and again under the Polish presidency in March 2025. Both withdrew, and I read both withdrawals as confirmation that my forecast band is roughly right.
Germany has been the most consistent “no” vote. The German position, originally formed under the Scholz coalition and carried through the subsequent government, treats client-side scanning as incompatible with the Basic Law’s protection of the secrecy of correspondence, and I think that constitutional grounding is what makes the position structurally stable. Poland joined on similar constitutional grounds. The Netherlands, Austria, Slovakia and the Czech Republic have been variously on the no side or abstaining. Finland has changed position twice. France has been the most consistent “yes”, with Spain, Belgium, Italy and Denmark supporting.
A voluntary derogation that lets providers scan under their own rules has been renewed annually as a stopgap since 2021. It expires in April 2026 and will probably be renewed again if CSAR has still not passed.
Industry response in detail
Signal: Meredith Whittaker, President of Signal Foundation, has stated repeatedly that Signal will leave any market mandating client-side scanning. The statement was first made in the UK Online Safety Act context and repeated for CSAR. I think Signal’s position is material because Signal is the messenger most used by journalists, activists and legal professionals in the EU, and a withdrawal would be visible in a way few corporate decisions are.
Threema: The Swiss messenger, outside the EU but selling to EU customers, announced it would block EU customer registrations rather than implement scanning if the regulation passes.
WhatsApp (Meta): Public opposition from Will Cathcart, head of WhatsApp, dating to 2023. Meta has not said it would leave the EU, but the protocol-level argument is the same and I do not see a clean engineering path that lets WhatsApp stay and comply.
Apple: Dropped its own CSAM scanner plan in December 2022 and has publicly cited the difficulty of bounding scope and the mass-surveillance potential.
UmbrellaX: I registered in Kazakhstan, not in the EU. CSAR does not directly bind me if passed, but I would face a choice if the regulation were later extended extraterritorially to cover services available to EU users. My public stance is on record: I do not operate a messenger with client-side scanning, and if I were compelled to choose between that and market withdrawal, I would withdraw rather than break the protocol promise to my users.
What this means for a reader
If CSAR passes in a form that mandates client-side scanning, I see three practical implications.
Every major private-first messenger would face a choice between leaving the EU market and changing its cryptographic model. Signal has committed to withdrawal. Threema has committed to withdrawal. WhatsApp has not publicly committed either way but would end up with a very different product inside the EU than outside it. UmbrellaX, being outside the EU, does not face the same direct choice today, and that is exactly why I structured it the way I did.
Users in the EU who care about confidentiality would look for services based outside the EU, or for messengers that bypass app-store distribution. UmbrellaX, self-hosted alternatives and sideloaded apps would become more visible. The regulation’s unintended consequence would be a migration of sensitive users to non-EU providers, which is the opposite of the regulation’s stated goal, and I do not think the proposers have engaged seriously with that prediction.
I do not expect the debate to end even if the current proposal passes or fails. The UK Online Safety Act, Australia’s Online Safety Amendment, and similar proposals in Canada and the United States all address the same underlying question with different text. The cryptographic argument against client-side scanning does not change across jurisdictions, which is why I keep coming back to the same conclusion.
Where things stand as of late April 2026
The text is still under Council negotiation. No vote is scheduled. The next serious attempt will probably come under the Cypriot presidency in the second half of 2026. The German, Polish and Dutch positions have not materially shifted. The French position has not materially shifted either, but the numeric maths of the qualified majority remains against a yes vote given the opposition coalition’s current population weight.
The likeliest near-term outcome I model is neither passage nor defeat. It is another procedural delay combined with another renewal of the voluntary derogation. That is the result every year since 2022 has produced, and nothing in the April 2026 political map suggests a decisive change.
My UmbrellaX forecast on this question tracks the probability monthly and updates publicly whenever material moves.
I’m Kirill Abramov, founder and CEO of UmbrellaX TOO, a privacy-first messenger company registered in Kazakhstan, outside the Five Eyes alliance. I follow the CSAR file because what the EU decides on client-side scanning will reshape the messenger market for everyone, and I write about end-to-end encryption, post-quantum cryptography, and the regulatory pressure on private communication. More about my work and why I run UmbrellaX from Kazakhstan: umbrellax.io/about.