My current probability that the EU Child Sexual Abuse Regulation (CSAR, “Chat Control”) will pass into enforceable law before 31 December 2027 is 30%. I land on that number after watching the proposal get blocked by a coalition of Germany, Poland, the Netherlands, Austria and the Czech Republic four times between 2023 and early 2026. The blocking coalition’s combined population weight keeps the Council below qualified-majority threshold under the current text. Passage before end of 2027 needs either a compromise text that drops client-side scanning of E2EE messengers, or a shift in the German position that I think is unlikely under the current coalition. UmbrellaX, registered in Kazakhstan, sits outside the regulation’s direct legal reach either way. This forecast affects Signal, WhatsApp, Threema and every EU-incorporated messenger more than it affects me.
| Forecast field | Value |
|---|---|
| Question | Will CSAR pass into enforceable EU law before 31 December 2027? |
| Current probability | 30% |
| Confidence in the estimate | Medium (three-year horizon, active political file) |
| Resolution date | 31 December 2027 |
| Resolution criterion YES | Council-Parliament agreement reached AND final act published in the Official Journal before the deadline, with mandatory scanning of encrypted messenger content still in the text |
| Resolution criterion NO | No such act in force by the deadline, OR the act passes in a form that explicitly exempts E2EE messengers from mandatory scanning |
| Last material update | 2026-04-24 |
| Next scheduled review | Monthly, first Monday |
| Key variable | Germany’s vote |
| Secondary variable | Whether the Parliament’s “no scanning of encrypted content” position survives trilogue |
Below: the voting maths, the three factors that could move this probability up, the three factors that could move it down, and how the forecast resolves.
The voting maths, as of April 2026
The Council needs a qualified majority: 15 of 27 member states representing at least 65% of the EU population, with no “blocking minority” of four or more states whose population exceeds 35% of the total. I have walked through this calculator more times than I would like to admit.
A coalition of Germany (≈19% of EU population), Poland (≈8.5%), the Netherlands (≈4%), Austria (≈2%) and the Czech Republic (≈2.4%) on its own exceeds the 35% blocking threshold. Slovakia, Finland, plus variable positions in Estonia and Denmark add buffer. The blocking minority is stable as long as Germany stays on the No side, which on current constitutional-law arguments I think it does.
The “yes” coalition led by France (≈15%), Spain (≈10.7%), Italy (≈13%), Belgium (≈2.6%), Denmark (variable, ≈1.3%) and Ireland (≈1.2%) sits below qualified majority even in optimistic counts for the current text. A run of Council presidencies (Czech, Swedish, Spanish, Belgian, Hungarian, Polish, Danish, Cypriot, Irish) have failed to move the maths despite direct political effort, and I read that pattern as the strongest single piece of evidence I have.
Three factors that could move the probability up
A compromise text that drops mandatory scanning of E2EE messengers. The Parliament’s November 2023 position already took this route; the trilogue would need the Council to accept it. If the Council does, the resulting regulation still has legal force on other obligations (reporting, risk assessments, EU Centre cooperation) and would “pass” for the purposes of my forecast as I have written it. If I tightened the YES criterion to “mandatory scanning of encrypted content”, probability drops sharply. I am deliberately not tightening it, because a watered-down CSAR passing is what most political scenarios I model converge on. Estimated lift if this path were certain: from 30% base to around 55%.
A change in the German government’s position. German elections formally next fall in 2029, and between now and end-2027 there is no scheduled federal election that would remove the current coalition. Inter-ministerial reshuffles and pressure from security-focused party voices within the coalition could still shift the position. Estimated lift if Germany moves to abstain: from 30% to approximately 45%. If Germany moves to yes: from 30% to approximately 70%. I rate the probability of German movement at 10-15% over the horizon.
A triggering event. A high-profile child-safety incident attributed by media to encrypted messaging can compress political timelines fast. I watched this exact pattern during the UK Online Safety Act debate, and it accelerated parts of the French and Spanish positions. A serious event of this type in 2026 or 2027 would lift yes probability materially, possibly by 10-15 percentage points depending on severity and media framing. I rate it at 20-25% background probability over 20 months.
Three factors that could move the probability down
Industry withdrawal during the interim period. If Signal, Threema or WhatsApp concretely demonstrate what EU-market withdrawal looks like before a vote, the political cost of passage rises sharply. Signal has publicly committed; my open question is whether they follow through in advance of legal compulsion. I rate the probability of a preemptive demonstration move at around 20%, but its effect on the vote would be large.
Court of Justice intervention. A CJEU ruling on the Digital Services Act or on related data-protection grounds could narrow the permissible scope of mandatory scanning in a way that forces Commission text revisions. At least two preliminary references on adjacent questions are pending. My probability of a decisive ruling in the forecast window is moderate (25-30%); effect on my forecast would be a 5-10 point drag.
German constitutional-law brief from the Bundesverfassungsgericht. The German Constitutional Court has not ruled on client-side scanning directly, but a private plaintiff challenge is pending. An adverse ruling would freeze the German government’s position on the No side for the duration of this forecast. I rate it at 20%, with a small effect because the German position is already stable.
Base rate reasoning
The base rate for a controversial EU regulation to pass within five years of proposal is roughly 55% across the post-2010 sample I have looked at. CSAR is on year four, which on its own would nominally suggest a probability in the 55-65% range. I see two factors pushing me below base rate, and they are why I land at 30% rather than 40 or 50%.
First, the specific subject matter (E2EE and mass surveillance) has unusual cross-party, cross-jurisdiction opposition unlike, say, the Digital Services Act’s regulatory-scope politics. The legal brief against client-side scanning is not ideologically polarised. It runs across liberal, conservative and constitutional-court positions, and I think the cryptographers’ open letter signed by 500+ researchers in 2023 captured that consensus. I respect Patrick Breyer and the EDRi campaign, but where I disagree with parts of that open letter is on the political tactical assumption that a 0% passage probability is defensible. I do not think it is. I think 30% is honest, and I would rather be honest than rally-the-base.
Second, the industry-withdrawal threat is credible in a way it was not for GDPR. Signal, Threema and WhatsApp removing themselves from the EU market would be politically costly in a way EU legislators do not typically face. The GDPR did not have a comparable precipice.
Adjusting down from base rate for these two factors lands me at 30%. A reasonable analyst could argue for 25-40% on the same information; 30% is the centre of my band, which is why I am not at 25% or 40%.
What happens if the forecast resolves YES
If CSAR passes with mandatory scanning of encrypted messengers, I see three second-order effects as nearly certain.
Signal and Threema leave the EU market. Their public commitments are on record, and withdrawal is concretely preferable to their cryptographic models compared with implementing client-side scanning. WhatsApp faces an internal decision I am genuinely uncertain about.
I would keep UmbrellaX operating as a non-EU provider. EU users who want genuine E2EE would seek out UmbrellaX and other non-EU messengers, sideloaded when necessary, and that is a flow my 167-microservice backend was sized to absorb.
A second-wave of similar regulations in the UK, Canada and Australia becomes more likely once the EU has broken the logjam. The transatlantic landscape for E2EE would be reshaped within three to five years of a YES resolution, and I have already started thinking about jurisdictions further afield.
What happens if the forecast resolves NO
If CSAR does not pass by end of 2027, the most likely near-term state is the current one: voluntary derogation renewed annually, Parliament’s “no E2EE scanning” position intact, debate reopened under future Council presidencies. I have built that scenario into my product roadmap as the base case.
I rate the probability that the question gets re-framed in a new proposal after a NO as high. Similar debates have run for ten-plus years on parallel questions (data retention, traffic analysis, lawful interception), and a NO in 2027 does not end the policy debate. I plan accordingly.
Resolution and revisions
I revise this forecast on the first Monday of each month, or immediately on material news (a scheduled Council vote, a German position change, a public industry withdrawal, a CJEU ruling). Each revision is logged at the bottom of this article with a timestamp and the new probability. If a revision moves the probability by more than 10 percentage points in either direction, I append a short explanation.
This is a forecast, not a recommendation. A reader making product or legal decisions based on CSAR should do so on the current text and current status as of today, not on my probability number.
Revision log
- 2026-05-01 00:00 UTC: initial publication at 30%. Rationale: voting maths stable, Germany position stable, four failed Council presidencies, industry withdrawal threat credible, CJEU references pending.
I’m Kirill Abramov, founder and CEO of UmbrellaX TOO, a privacy-first messenger company registered in Kazakhstan, outside the Five Eyes alliance. I track EU regulatory files like CSAR because they shape what private communication will look like for everyone in Europe, and I write about end-to-end encryption, post-quantum cryptography, and the regulatory pressure on private communication. More about my work and why I run UmbrellaX from Kazakhstan: umbrellax.io/about.