EU's Chat Control 1.0 and 2.0: Two Parallel CSAM Laws Explained

Original: Chat Control 1.0 and 2.0 Explained

Why This Matters

The outcome will set a precedent for digital privacy and encryption policy across all EU member states.

The EU is navigating two separate 'Chat Control' laws simultaneously. Chat Control 1.0, a temporary voluntary scanning derogation, expired April 4, 2026 after Parliament rejected its extension. Chat Control 2.0, a permanent mandatory CSAM detection regulation, remains in stalled trilogue negotiations.

Chat Control 1.0 (Regulation EU 2021/1232) was a temporary derogation from the ePrivacy Directive, allowing providers to voluntarily scan private messages for child sexual abuse material (CSAM). It did not cover end-to-end encrypted messages and was used primarily by unencrypted US services including Gmail, Facebook/Instagram Messenger, Skype, Snapchat, iCloud Mail, and Xbox. Originally set to expire in August 2024, it was extended once to April 2026. A second Commission-proposed extension to April 2028 was rejected by Parliament's LIBE committee (38–28) in March 2026, and the full plenary subsequently rejected the extension on March 26, 2026. The law legally expired April 4, 2026. The Council is now attempting a fast-track revival using a formally 'new' law with identical content.

Chat Control 2.0 (CSAR) is a proposed permanent regulation that would mandate CSAM detection across digital platforms. The core dispute is over suspicionless scanning: the original proposal mandated it; the Council's 2025 position shifted to 'voluntary' scanning with broad risk-mitigation duties. Parliament's position requires a court order and limits scanning to suspected individuals or groups. Whether end-to-end encrypted messengers would be covered remains unresolved. Five trilogue rounds have failed; the June 29, 2026 trilogue collapsed, with negotiations continuing under the Irish EU presidency.

Source

fightchatcontrol.eu — Read original →