ABSTRACT
The European Commission tabled its proposal for a Regulation laying down rules to prevent and combat child sexual abuse in May 2022. Member states in the Council of the European Union adopted their general approach on 26 November 2025, enabling the commencement of interinstitutional negotiations with the European Parliament. The Parliament had established its negotiating mandate in November 2023. Trilogue discussions began on 9 December 2025.
The Commission’s original text imposed obligations on providers of interpersonal communications services to assess risks of misuse for child sexual abuse material dissemination or child solicitation, and, where risks were identified, to implement mitigation measures. In cases of significant residual risk, national authorities could issue detection orders requiring providers to scan for known or unknown child sexual abuse material or grooming activities. The proposal envisioned the establishment of an EU Centre on Child Sexual Abuse to facilitate reporting, indicator databases, and victim support.
Critics, including the European Data Protection Supervisor and the European Data Protection Board, identified risks of disproportionate interference with Articles 7, 8, and 11 of the Charter of Fundamental Rights of the European Union. The European Data Protection Supervisor highlighted in successive opinions that generalised content analysis, particularly through client-side mechanisms, would undermine the confidentiality of communications and the essence of end-to-end encryption.
The Council’s November 2025 position eliminated mandatory detection orders for interpersonal communications services. Providers retain the option to conduct voluntary detection using indicators from the EU Centre. National authorities gain powers to require removal or blocking of identified material. The text classifies services by risk level—low, medium, high—and mandates corresponding mitigation measures, including safety-by-design features and age assurance tools for high-risk platforms. The position explicitly states that measures must not undermine end-to-end encryption.
This retreat from compulsory scanning followed sustained opposition from several member states and civil society assessments that no reliable technology exists for detecting unknown material or grooming without unacceptable false-positive rates. Parliamentary questions throughout 2025 reflected concerns that earlier drafts risked mass surveillance incompatible with Court of Justice of the European Union jurisprudence on proportionality.
The Parliament’s 2023 mandate narrowed detection obligations to targeted, judicially authorised measures and strengthened encryption safeguards. Ongoing trilogues must reconcile these positions. The interim derogation from the ePrivacy Directive, permitting voluntary scanning, remains extended pending final adoption.
The regulation addresses a documented increase in reported child sexual abuse material online. Europol and national authorities note millions of reports annually, though quantitative data on prevalence within end-to-end encrypted services remain limited in public sources. The Council’s approach prioritises removal obligations, risk mitigation, and victim assistance over preventive scanning.
Key tensions persist. Risk mitigation requirements could incentivise providers to adopt broad scanning to limit liability, potentially recreating de facto generalised analysis. The introduction of age verification mechanisms raises additional data protection considerations. The EU Centre’s role in maintaining indicator databases and processing reports requires robust oversight to prevent function creep.
As of 28 December 2025, the legislative process continues in trilogue. No final text has been agreed. The outcome will determine whether the European Union establishes a framework that balances child protection with fundamental rights or sets precedents for expanded content moderation infrastructures.
EU Regulation on Child Sexual Abuse Prevention: Analytical Overview (December 2025)
Divergence: Institutional Positions and Evolution
The proposed regulation reveals deep institutional divergences on balancing child protection with fundamental rights.
Commission (2022)
Mandatory detection orders for high-risk services, including unknown CSAM and grooming via client-side scanning.
Parliament (2023)
Targeted, suspicion-based detection limited to known CSAM; strong encryption safeguards.
Council (Nov 2025)
Voluntary detection made permanent; tiered risk mitigation with age assurance for high-risk services.
Bias: Stakeholder Perspectives
Stakeholders exhibit clear biases: child protection advocates prioritise prevention; privacy groups emphasise rights erosion.
| Stakeholder | Primary Concern | Position |
|---|---|---|
| Victim Organisations | Effective removal & prevention | Support strong measures including voluntary detection |
| Tech Industry | Encryption integrity & liability | Favour voluntary, targeted approaches |
| Privacy Advocates (EDPB/EDPS) | Proportionality & chilling effects | Strong opposition to broad scanning |
| Law Enforcement | Investigative access | Support expanded tools |
Risk: Technical & Rights Risks
Core technical risks centre on detection accuracy and encryption compatibility.
False Positives (Classifiers)
Unknown material/grooming detection prone to errors at scale.
False Positives (Hashing)
Known CSAM hashing highly reliable.
Cybersecurity Risk
Client-side code introduces new attack surfaces.
Conclusion/Action: Path Forward
As trilogues continue (started 9 December 2025), the final text must prioritise targeted measures preserving encryption while strengthening alternatives.
Recommended Actions
- Retain voluntary detection with strict oversight
- Reject measures undermining encryption
- Fund specialist investigations & international cooperation
- Enhance user reporting & safety-by-design
Key Watchpoint
Prevent function creep through narrow scoping and sunset reviews.
Table of Contents
Core Concepts in Review: What We Know and Why It Matters
- Legislative Origins and Commission Proposal
- Council Negotiating Position of November 2025
- European Parliament Mandate and Safeguards
- Technical Mechanisms and Encryption Compatibility
- Fundamental Rights Assessments by Supervisory Bodies
- Implications for Future Digital Regulation
Core Concepts in Review: What We Know and Why It Matters
The European Union’s effort to combat online child sexual abuse has produced one of the most contentious digital policy debates in recent years. At its heart lies a proposed regulation—formally titled the Regulation laying down rules to prevent and combat child sexual abuse—that the European Commission first put forward in May 2022. The goal is straightforward and urgent: stop the spread of child sexual abuse material (often abbreviated as CSAM) and the online solicitation of children, known as grooming.
The original Commission proposal would have required online service providers—messaging apps, hosting services, app stores, and others—to assess risks on their platforms. If significant risks remained after initial mitigation, national authorities could issue detection orders forcing providers to scan for known CSAM (using reliable hashing technology) and, in some cases, for new or unknown material and grooming patterns (using AI classifiers). To make this work in encrypted environments, scanning would often need to happen on users’ devices before messages are encrypted—a technique called client-side scanning.
Privacy advocates quickly labelled this “Chat Control” because it raised the prospect of systematic checking of private communications. Data protection authorities weighed in forcefully. In a joint opinion issued in July 2022, the European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) warned that broad scanning, even with safeguards, risked disproportionate interference with the rights to privacy and data protection enshrined in Articles 7 and 8 of the EU Charter of Fundamental Rights. They argued that client-side scanning effectively undermines the confidentiality of communications, regardless of where the processing occurs.
The European Parliament took a cautious stance when it adopted its negotiating mandate in November 2023. MEPs rejected indiscriminate scanning and measures that would weaken end-to-end encryption. Their position limited detection orders to targeted cases based on reasonable suspicion, confined them largely to known CSAM, and insisted on strong judicial oversight. Parliament also emphasised alternatives like better user reporting tools, age-appropriate design, and focused law-enforcement investigations.
Member states in the Council of the European Union struggled for years to find common ground, with several countries—including Germany at various points—blocking progress over encryption concerns. A breakthrough finally came on 26 November 2025, when the Council agreed its general approach. Crucially, it dropped any mandatory detection orders for interpersonal communications services. Instead, scanning remains voluntary, but the temporary derogation from the ePrivacy Directive that has allowed voluntary efforts since 2021 becomes permanent.
The Council’s text introduces a tiered risk classification for services—low, medium, and high—and requires escalating mitigation measures, such as safety-by-design features and, for high-risk platforms, robust age assurance systems. National authorities gain stronger powers to order removal or blocking of identified material. A new EU Centre on Child Sexual Abuse will maintain databases of indicators, filter reports, and support victims seeking to have images of their abuse taken down.
As of late December 2025, inter-institutional trilogue negotiations between the Parliament, Council, and Commission have begun, with the first session held on 9 December 2025. The final shape of the law remains uncertain, but the removal of compulsory scanning marks a significant retreat from the original vision.
Why does this matter so deeply? First, the scale of the problem is undeniable. Every year, millions of files depicting child sexual abuse circulate online, and reports to hotlines have risen sharply. Yet the technical reality is that no scanning system is perfect. Hashing for known material is highly accurate, but classifiers for new images or grooming behaviour produce false positives—a statistical certainty when applied at billions of messages daily. Those errors can lead to wrongful reports, blocked accounts, and unnecessary trauma for innocent users.
Second, the debate exposes a core tension in digital regulation: how to protect the most vulnerable without eroding protections for everyone else. End-to-end encryption is not a luxury; it safeguards journalists, activists, businesses, and ordinary citizens from surveillance and cyberattacks. Weakening it—even indirectly through client-side mandates—creates vulnerabilities that authoritarian regimes or criminals could exploit.
Third, the precedent is profound. Once infrastructure exists for centralised indicator databases, risk-based mitigation mandates, and rapid removal orders, extending it to other harms—terrorism, disinformation, hate speech—becomes administratively straightforward. The Council’s decision to make voluntary detection permanent effectively normalises tools that were once exceptional.
Finally, alternatives exist that respect rights while advancing protection: stronger international cooperation, better-funded specialist investigative units, rapid takedown procedures for identified material, and platform design that makes grooming harder without scanning private content. The ongoing trilogues will determine whether the EU lands on a framework that truly balances these imperatives or sets a template for broader content control.
As negotiations continue into 2026, policymakers face a clear choice: prioritise targeted, rights-respecting measures that build trust in digital services, or risk a system where privacy becomes the exception rather than the rule. The outcome will shape online safety—and online freedom—for years to come.
Legislative Origins and Commission Proposal
The European Commission adopted its proposal for a regulation laying down rules to prevent and combat child sexual abuse on 11 May 2022. This initiative responded directly to commitments in the EU Strategy for a More Effective Fight Against Child Sexual Abuse, published in July 2020, which identified gaps in provider obligations and the need for a permanent framework beyond temporary derogations from the ePrivacy Directive.
The proposal established harmonised obligations for providers of hosting services, interpersonal communications services, app stores, and internet access services. Providers conduct risk assessments to determine the likelihood that their services facilitate the dissemination of known or new child sexual abuse material or the solicitation of children. Where significant risk persists after mitigation, national coordinating authorities issue detection orders requiring providers to scan for such material using indicators supplied by a newly created EU Centre on Child Sexual Abuse.
Detection orders require judicial or independent administrative authorisation. Providers deploy technologies with human oversight to minimise errors, limit duration to a maximum of 24 months for material dissemination and 12 months for solicitation, and target specific service components. The EU Centre generates and maintains databases of reliable indicators for known and new material, derived from verified submissions by coordinating authorities. Providers access these indicators free of charge and receive technical assistance from the Centre.
Reports of potential child sexual abuse flow immediately to the EU Centre, which assesses validity, removes duplicates, filters unfounded reports, and forwards credible ones to law enforcement or Europol. The Centre also supports victim requests for removal of depicted material and compiles transparency statistics on detection, reporting, and removal activities.
The proposal complemented existing instruments, including Directive 2011/93/EU on combating sexual abuse and exploitation of children and Regulation (EU) 2021/1232, the interim derogation permitting voluntary detection until August 2024. Because divergent national approaches risked fragmenting the digital single market, the Commission invoked Articles 114 and 16 of the Treaty on the Functioning of the European Union as legal bases.
Risk mitigation measures include age-appropriate design features, user reporting tools, and content controls. Removal and blocking orders apply to identified material, with providers required to execute them promptly. The EU Centre facilitates cross-border cooperation, shares best practices, and conducts research to improve prevention.
The Commission emphasised proportionality: measures apply only where risks justify them, with safeguards against overreach. Detection technologies must prove effective yet least intrusive, incorporating auditing and error-rate monitoring. Providers challenge orders before courts, and the Centre advises on compliance without overriding national data protection authorities.
Accompanying the proposal, the impact assessment examined voluntary detection practices under the interim regime. Providers of certain services already deployed hashing for known material and classifiers for unknown content, though error rates for the latter remained higher. The assessment concluded that without harmonised rules, gaps in coverage would persist, particularly on encrypted or emerging platforms.
The proposal built on Council of Europe standards, including the Lanzarote Convention and Budapest Convention on Cybercrime, both ratified by all member states. Providers bear primary responsibility for risk assessment, with coordinating authorities enforcing through penalties where necessary.
Critics highlighted tensions with the confidentiality of communications under Article 7 of the Charter of Fundamental Rights. The Commission argued that targeted, safeguarded detection preserves the essence of rights, as orders issue only after risk evaluation and judicial review.
The EU Centre operates as a decentralised agency with a management board, executive director, and technology committee. Providers submit annual reports on activities, including detection volumes, false positives, and mitigation effectiveness. The Centre aggregates these for public transparency reports.
Because child sexual abuse material dissemination exploits service differences, the proposal classified interpersonal communications separately, allowing detection only under orders for high-risk cases. App stores and access providers face ancillary obligations, such as delisting or blocking.
The Commission consulted stakeholders extensively, including victim organisations, law enforcement, providers, and civil society. Feedback revealed consensus on the need for action but divergence on detection scope, particularly client-side methods required for end-to-end encrypted services.
The proposal prohibited general monitoring under Article 15 of the eCommerce Directive, limiting obligations to specific risks and services. Indicators for known material rely on hashing databases, while new material detection uses classifiers trained on verified examples.
The European Centre on Child Sexual Abuse maintains dedicated channels through which victims residing in the Union submit requests for the removal or disabling of access to known child sexual abuse material depicting them, with the Centre verifying the authenticity of such depictions by comparing submitted images, videos, URLs, or other identifiers against its databases of indicators before assisting providers in executing swift takedowns and confirming completion to the requesting victim via the relevant national coordinating authority.
Because victims often lack direct access to platforms hosting abusive material or face barriers in navigating provider-specific procedures, the Centre bridges this gap by centralising verification processes, reducing duplicate efforts across member states, and ensuring that providers receive substantiated requests accompanied by precise indicators, thereby accelerating removal while minimising erroneous takedowns that could infringe legitimate content. The Centre cooperates with Europol through a memorandum of understanding that governs the exchange of non-personal data on emerging trends in child sexual abuse material dissemination and indicator refinements, allowing Europol observers on the Centre’s management board to access aggregated intelligence for operational planning without compromising individual report confidentiality. This cooperation leverages Europol’s existing criminal intelligence databases to facilitate swift identification of competent national law enforcement authorities when report jurisdiction remains unclear, ensuring that forwarded cases reach investigators equipped to pursue cross-border offenders efficiently.
Member states designate one or more coordinating authorities endowed with comprehensive investigative powers, including the ability to conduct compliance searches utilising Centre-provided indicators of known material, to issue binding removal or blocking orders with execution timelines as short as 24 hours for verified content, and to impose interim measures restricting service access pending full compliance. These authorities exercise enforcement through penalties calibrated to provider turnover—reaching up to 6 % of global annual revenue for systemic failures in risk mitigation or order execution—while factoring in provider size, recurrence of violations, and public interest in child protection to guarantee deterrence without disproportionate burden on smaller entities. Because non-compliance risks fragmenting enforcement across the Union and allowing offenders to exploit lax jurisdictions, uniform penalty scales aligned with those in complementary frameworks ensure consistent accountability.
The regulation establishes a lex specialis relationship with the Digital Services Act, building upon its horizontal notice-and-action mechanisms for illegal content by introducing child-specific obligations that override general provisions where necessary, permitting providers classified as very large online platforms to integrate existing compliance structures—such as designated contact points and legal representatives—into the new framework without duplicative appointments. Providers leverage Digital Services Act risk assessments on systemic illegal content dissemination to inform child sexual abuse-specific evaluations, avoiding redundant analyses while tailoring mitigation to grooming or material circulation patterns unique to minors.
The Commission structured implementation cost projections around offsetting mechanisms, anticipating that enhanced detection and reporting facilitated by the Centre would reduce law enforcement investigative burdens through higher-quality leads and fewer resource-intensive manual searches, with the Centre’s budget derived primarily from Union contributions under Heading 7 of the multiannual financial framework supplemented by targeted fees from providers for advanced indicator analysis services, excluding microenterprises and small enterprises to preserve innovation incentives. Shared administrative functions with Europol—including human resources management, information technology infrastructure, cybersecurity provisions, building facilities, and communication services—generate efficiencies that constrain the Centre’s operational expenditure below standalone agency levels.
Because voluntary detection efforts under prior interim derogations exhibited wide variation in adoption rates, technological sophistication, and geographic coverage, the proposal mandated harmonised risk assessment methodologies jointly developed by the Centre in consultation with coordinating authorities and stakeholders, encompassing non-exhaustive criteria such as service design features enabling private interactions, user base demographics including minor proportions, prior misuse incidents, and business model incentives for content virality. Providers document these assessments publicly with sufficient granularity for authority review, updating them at least triennially or upon significant service modifications, thereby enabling proactive identification of residual risks warranting escalated mitigation.
The legislative process encountered protracted delays stemming from member state divisions over encryption compatibility, with several delegations initially resisting mandatory detection obligations for interpersonal communications services on grounds that client-side implementation circumvented end-to-end encryption safeguards upheld in Court of Justice jurisprudence on data retention proportionality. These concerns necessitated iterative compromise formulations that preserved voluntary detection while prohibiting measures undermining encryption essence.
The explanatory memorandum underscored necessity by documenting how fragmented national tools and voluntary regimes permitted offender migration to minimally monitored platforms, creating enforcement gaps that harmonised obligations close without instituting general monitoring prohibited under Article 15 of the eCommerce Directive. Detection orders incorporate mandatory sunset clauses limiting duration to 24 months for material dissemination and 12 months for solicitation, coupled with periodic proportionality reviews by issuing authorities to prevent indefinite scrutiny.
Providers subject to orders report detected error rates transparently to coordinating authorities and the Centre, enabling iterative indicator refinements that constrain false positives through state-of-the-art classifier adjustments and human oversight mandates. The Centre maintains strictly segregated databases—one for incoming reports pending validation, another for vetted indicators distributed to providers, and a third for victim assistance records—with granular access controls ensuring that personal data processing adheres fully to Regulation (EU) 2018/1725 governing Union institutions.
The proposal aligned explicitly with the simultaneously adopted European Strategy for a Better Internet for Children, requiring providers to embed child protection by design through default privacy settings restricting adult-minor interactions, integrated parental oversight tools, and age-appropriate content controls that prioritise minor safety without mandating universal age verification.
Because grooming predominantly manifests through interpersonal communications exploiting child accessibility features, the proposal authorised solicitation detection under judicially reviewed orders utilising vetted behavioural indicators that flag patterns such as persistent contact attempts or explicit language escalation while excluding broad conversational analysis.
The Commission explicitly rejected pure self-regulation alternatives, citing empirical evidence of inconsistent voluntary adoption that left coverage gaps exploitable by offenders, instead imposing targeted obligations calibrated to demonstrated risk levels to balance effectiveness with fundamental rights preservation. The regulation extends extraterritorially to all providers offering services within the Union regardless of establishment location, compelling appointment of legal representatives in member states for service of process and enforcement coordination channelled through the Centre’s network of national authorities.
The proposal successfully navigated Regulatory Scrutiny Board scrutiny, securing a positive opinion with reservations in February 2022 after addressing initial concerns on cost estimation methodologies and technological feasibility assumptions through revised modelling and stakeholder validation. Providers of number-independent interpersonal communications services, previously reliant solely on voluntary measures under interim derogations, transition to structured risk-triggered obligations that maintain detection discretion while standardising mitigation expectations.
The Commission originally projected adoption by 2024 with Centre operationalisation within 18 months thereafter, though interinstitutional delays necessitated multiple extensions of the interim regime bridging the legislative vacuum. Recitals affirm that end-to-end encryption deployment remains fully permissible, acknowledging that effective detection in encrypted environments may necessitate client-side processing prior to encryption application without constituting breakage of the cryptographic seal.
Law enforcement authorities accrue accelerated access to actionable reports via the Centre’s filtering and forwarding mechanism, substantially compressing cross-border referral timelines that previously routed through third-country intermediaries. Victim organisations broadly endorsed the framework for empowering direct removal channels and elevating prevention priorities, whereas providers articulated reservations centred on expanded liability exposure and technical challenges in achieving negligible error rates for unknown material classification.
The proposal instituted mandatory independent audits of deployed detection technologies conducted by qualified entities, with audit outcomes shared via the Centre to inform best-practice dissemination and error mitigation protocols incorporating obligatory human review of flagged content prior to external reporting. Coordinating authorities compile and publish annual activity reports enumerating orders issued, compliance rates monitored, and penalties levied, which the Centre synthesises into comprehensive Union-level overviews supporting evidence-based policy iteration.
The regulation reinforces substantive criminal law harmonisation under Directive 2011/93/EU by concentrating on platform prevention and facilitation responsibilities rather than redefining offences, thereby avoiding overlap while enabling proactive disruption.
Because technological evolution continuously generates novel dissemination vectors, the proposal delegates to the Commission authority for updating indicator specifications and methodological guidelines via implementing acts responsive to Centre research outputs. Providers implement risk mitigation through multifaceted measures encompassing staff training in content moderation protocols, algorithmic recalibration to elevate child safety signals, and enhanced reporting interfaces that lower user friction for flagging suspected abuse, with high-risk classifications automatically triggering augmented obligations including dedicated child protection teams.
The Centre facilitates structured international cooperation by establishing liaison channels with non-EU hotlines and law enforcement entities under bilateral or multilateral agreements, exchanging anonymised trend data to combat global material circulation. Annexes to the proposal standardise reporting templates for detection volumes, removal requests incorporating username or email identifiers, indicator formats distinguishing hashes from classifiers, and procedural workflows that streamline administrative processes across jurisdictions.
Member states preserve exclusive competence over criminal investigations and prosecutions, with the regulation supplying enabling platform cooperation mechanisms that the Centre operationalises as a neutral bridge between prevention imperatives and enforcement necessities. The Commission undertook to conduct a comprehensive evaluation five years following application, scrutinising effectiveness metrics against abuse prevalence indicators, rights impacts, and cost-benefit ratios to inform potential adjustments.
Because online child sexual abuse adapts rapidly to countermeasures, the proposal embedded flexible adaptive mechanisms—including delegated acts for indicator evolution and Centre-led research—that preclude recurrent full legislative revisions while sustaining responsiveness. Providers of software application stores bear distinct obligations to assess intermediated applications for inherent child abuse risks, potentially mandating developer attestations of safety-by-design compliance or delisting non-conforming offerings. Internet access providers execute blocking orders targeting specific URLs hosting known material upon coordinating authority instruction, with execution reporting integrated into transparency obligations.
Standard procedures govern the regulation’s entry into force twenty days post-publication, featuring staggered application timelines that prioritise Centre establishment before imposing full provider duties to ensure operational readiness. The proposal constituted the Commission’s direct response to documented surges in online child sexual abuse reports, establishing comprehensive ecosystem coverage that integrates prevention, detection, victim support, and enforcement into a coherent Union framework.
Council Negotiating Position of November 2025
The Council of the European Union reached its general approach on the proposed regulation to prevent and combat child sexual abuse on 26 November 2025, following prolonged negotiations among member states that had stalled progress for over three years since the Commission’s submission. This agreement enabled the commencement of interinstitutional trilogue negotiations with the European Parliament, which had adopted its mandate in November 2023, and the Commission.
Member state representatives endorsed a negotiating mandate that eliminated the Commission’s provisions for mandatory detection orders applicable to interpersonal communications services, thereby removing any obligation for providers to implement systematic scanning of private messages upon authority request. Because several member states, including those forming blocking minorities in prior iterations, insisted on safeguards against generalised surveillance incompatible with end-to-end encryption, the Council position rendered detection activities strictly voluntary for providers of such services. Providers retain discretion to deploy technologies for identifying known or unknown child sexual abuse material or solicitation, utilising indicators supplied by the envisaged EU Centre on Child Sexual Abuse. National authorities gain enhanced powers to issue removal orders for identified material, blocking orders for access, or delisting directives for search engines, ensuring swift execution across the Union.
The Council introduced a tiered risk classification system for online services, categorising them as low-risk, medium-risk, or high-risk based on assessed potential for misuse in disseminating child sexual abuse material or facilitating solicitation. Low-risk services face minimal obligations limited to basic user reporting tools and cooperation with removal requests. Medium-risk services must implement additional mitigation measures, such as enhanced content moderation staffing and algorithmic monitoring for flagged patterns. High-risk services, typically those featuring user-generated content or interpersonal interactions accessible to minors, incur the most stringent requirements, including mandatory safety-by-design features, default privacy controls for child users, and robust age assurance mechanisms to restrict access to age-inappropriate functionalities. Because risk assessments originate from provider self-evaluations subject to national authority review, deviations from accurate classification trigger penalties scaled to turnover, incentivising conservative high-risk designations that broaden mitigation scope.
The position mandates that all providers conduct annual risk assessments documenting service-specific vulnerabilities, with submissions to designated national coordinating authorities for validation. Where assessments reveal significant residual risk after initial mitigation, providers must escalate measures proportionally, though without recourse to compulsory detection for encrypted communications. The Council explicitly prohibited measures that undermine the essence of end-to-end encryption, requiring any voluntary detection to occur in compliance with confidentiality guarantees. Providers opting for voluntary scanning access a centralised database of indicators maintained by the EU Centre, comprising hashes for known material and classifiers for unknown content, vetted for reliability through independent verification processes.
The EU Centre on Child Sexual Abuse emerges as a decentralised agency tasked with generating, updating, and distributing indicators, processing victim removal requests, aggregating transparency reports, and facilitating cross-border cooperation among national authorities. The Centre filters incoming reports from providers, discards duplicates or unfounded submissions, and forwards credible cases to law enforcement or Europol, while supporting victims in exercising rights to erasure of depicted material. Because the Commission’s draft specified The Hague as seat, the Council deferred location decisions to trilogue negotiations, avoiding unilateral commitments that could complicate consensus. The Centre operates under a management board comprising member state representatives, Commission observers, and stakeholder consultations, with funding from Union budget contributions supplemented by fees from certain providers.
National coordinating authorities receive expanded investigative competencies, including powers to compel compliance with removal or blocking orders within specified timelines, typically 24 hours for known material. Authorities publish annual activity reports detailing orders issued, executions monitored, and penalties imposed, feeding into Centre-compiled Union-wide statistics for public transparency. Providers face obligations to assist victims directly upon substantiated requests for content removal depicting them, bypassing authority intermediation where depictions verify unambiguously.
The Council position strengthened prevention elements by requiring high-risk services to deploy age verification systems calibrated to service functionality, employing methods ranging from self-declaration for low-sensitivity areas to biometric or document-based checks for high-exposure interactions. Such systems aim to prevent minor access to grooming-prone features while minimising data retention through privacy-preserving designs. Providers integrate parental oversight tools and educational resources on online risks as standard mitigation.
Because voluntary detection under the interim derogation from the ePrivacy Directive had proven uneven across providers, the Council standardised access to Centre indicators, ensuring equitable technological capabilities without mandating uptake. Indicators for known material rely exclusively on perceptual hashing technologies with established low collision rates, while unknown material classifiers undergo periodic accuracy audits to constrain false positives. The position prohibits deployment of indicators lacking demonstrated effectiveness or proportionality certifications.
Member states retain flexibility in designating coordinating authorities, often aligning with existing data protection or law enforcement bodies, provided independence and resource adequacy guarantee effective enforcement. Penalties for non-compliance with risk mitigation or removal obligations align with Digital Services Act scales, reaching up to 6 percent of global annual turnover for systemic failures.
The Council emphasised complementarity with the Digital Services Act, leveraging its notice-and-action mechanisms for illegal content while tailoring obligations to child sexual abuse specificities. Very large online platforms classified high-risk inherit amplified duties, including accelerated removal timelines and dedicated child protection liaison officers.
Trilogue negotiations commenced on 9 December 2025, addressing divergences such as the Parliament’s stricter limits on voluntary detection scope and stronger encryption safeguards versus the Council’s broader risk mitigation incentives. Because the Parliament mandate prioritised targeted judicial authorisation for any detection beyond known material hashing, reconciling positions required concessions on age verification intrusiveness and Centre governance.
The position maintains extraterritorial application to providers targeting Union users, requiring representative appointments in member states for enforcement purposes. Annual transparency reports from providers detail mitigation measures implemented, risk assessment outcomes, and voluntary detection statistics where applicable, anonymised to protect operational security.
National authorities coordinate via the Centre’s secure platform for sharing non-personal trend data, enabling adaptive indicator refinements responsive to emerging dissemination vectors. The Council rejected provisions for automatic reporting channels bypassing human review, mandating oversight to mitigate error cascades.
High-risk designations trigger obligations for algorithmic transparency filings with authorities, disclosing training datasets and bias mitigation strategies relevant to child safety. Providers demonstrate compliance through independent audits submitted biennially.
The position integrates victim support enhancements, compelling providers to establish dedicated channels for removal requests with response deadlines of 72 hours for initial acknowledgements. The Centre verifies requests centrally, reducing provider verification burdens while ensuring authenticity.
Because grooming solicitation often evades hashing detection, the Council permitted voluntary behavioural classifiers under strict accuracy thresholds, with deployment notifications to authorities for oversight.
Member states commit to funding specialised investigative units through national budgets augmented by Centre technical assistance. The position foresees evaluation five years post-application, assessing mitigation efficacy against abuse prevalence indicators.
Coordinating authorities gain access to Centre research outputs on technological advancements, informing order proportionality. Providers challenge authority decisions before national courts, with suspension possibilities pending review.
The Council position balances prevention imperatives with rights protections by shifting emphasis from detection to mitigation and removal, rendering voluntary measures permanent infrastructure without compulsory expansion.
European Parliament Mandate and Safeguards
The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs adopted its report on the proposed regulation laying down rules to prevent and combat child sexual abuse on 14 November 2023, with the plenary confirming the decision to enter interinstitutional negotiations on 22 November 2023, thereby establishing the Parliament’s negotiating mandate under Rule 71 of its Rules of Procedure.
Because the Commission’s original text authorised national authorities to issue detection orders compelling providers to scan for known and unknown child sexual abuse material or solicitation even in end-to-end encrypted environments, the Parliament’s mandate eliminated any possibility of measures that undermine the confidentiality of communications guaranteed by Article 7 of the Charter of Fundamental Rights, explicitly prohibiting generalised or indiscriminate scanning of private messages and requiring that detection technologies preserve encryption integrity without introducing vulnerabilities exploitable for circumvention. Providers retain obligations to conduct risk assessments identifying service-specific vulnerabilities to misuse for disseminating child sexual abuse material or facilitating solicitation, but mitigation measures remain targeted and proportionate, selected from an extensive non-exhaustive list that prioritises user empowerment tools, content moderation enhancements, and age-appropriate design features over intrusive automated analysis.
The mandate restricts detection orders to a last-resort mechanism activated only after providers exhaust all reasonable mitigation options or fail to implement them adequately, limiting such orders exclusively to known child sexual abuse material identified through reliable hashing indicators while deferring application to unknown material or grooming detection until independent evaluations confirm technologies achieve negligible false-positive rates and full compatibility with fundamental rights protections. Judicial authorities issue these time-bound orders—capped at durations necessary for proportionality—targeting specific users or user groups where reasonable grounds establish suspicion of involvement, thereby replacing the Commission’s broader significant-risk threshold with a suspicion-based criterion that aligns obligations more closely with Court of Justice jurisprudence on targeted surveillance.
Because voluntary detection practices under interim derogations demonstrated varying effectiveness without compromising encryption, the Parliament’s position reinforces safeguards by mandating human oversight of any flagged content before reporting, compulsory data protection impact assessments for deployed technologies, and exclusion of audio communications from scope to constrain intrusiveness. Providers of interpersonal communications services face no compulsory scanning, preserving end-to-end encryption as the default standard that detection cannot functionally weaken through client-side mandates or backdoor requirements.
The mandate establishes an EU Centre on Child Sexual Abuse as an independent authority facilitating provider access to vetted indicators of known material, filtering reports to eliminate unfounded submissions, and supporting victim removal requests through centralised verification processes that expedite takedowns without burdening individual platforms disproportionately. The Centre maintains databases segregated by function—indicators, reports, and victim assistance—with strict access controls and transparency obligations ensuring aggregated statistics inform policy without revealing operational details exploitable by offenders.
Providers implement mitigation through measures such as default privacy settings restricting minor-adult interactions, integrated flagging interfaces lowering reporting barriers for users, parental control integration, and age verification calibrated to service risk profiles, particularly for platforms hosting pornographic content or child-targeted functionalities. High-risk services, including online games with interpersonal chat components, incur enhanced obligations for safety-by-design principles that embed protection from conception rather than retrofitting.
Because grooming exploits service features enabling anonymous or persistent contact, the mandate postpones behavioural classifier deployment until accuracy thresholds demonstrate statistical reliability, avoiding collateral damage from probabilistic errors that characterise current machine-learning approaches to solicitation detection. Detection orders incorporate mandatory error-rate reporting and independent audits, with results submitted to the Centre for iterative improvements.
The Parliament strengthened victim rights by creating dedicated channels for removal requests depicting survivors, empowering the Centre to verify authenticity and compel provider execution within accelerated timelines, complemented by support services linking victims to national assistance programmes. Providers publish annual transparency reports detailing risk assessments, mitigation deployed, and voluntary detection outcomes where undertaken, fostering accountability without mandating uptake.
Because fragmented national approaches risked creating safe havens for offenders migrating to lenient jurisdictions, the mandate harmonises obligations extraterritorially for providers targeting Union users, requiring legal representatives and compliance with Centre-facilitated enforcement. Coordinating authorities gain powers to compel mitigation where assessments reveal inadequacies, with penalties aligned to turnover scales ensuring deterrence.
The mandate complements the Digital Services Act by leveraging its systemic risk frameworks for very large platforms while tailoring child-specific duties, avoiding duplication through cross-references to existing notice-and-action mechanisms. Providers integrate child protection into algorithmic design, elevating safety signals in recommendation systems and demoting abusive content proactively.
Because technological evolution continuously introduces novel abuse vectors, the Parliament empowers the Centre to conduct ongoing research into detection efficacy, advising on indicator updates via delegated acts that respond dynamically without necessitating full legislative revisions. The position prohibits measures creating surveillance infrastructures extendable beyond child protection, explicitly rejecting function creep toward broader content moderation.
Providers of app stores assess distributed applications for inherent risks, mandating developer attestations of child-safe design or imposing delisting for non-compliance. Internet access providers execute blocking orders for verified material URLs, integrating execution into transparency reporting.
The mandate aligns with the European Strategy for a Better Internet for Kids by embedding prevention education resources and awareness campaigns within service interfaces. Because false positives disproportionately affect legitimate users, human review precedes any external report, mitigating reputational and legal harms from automated misclassifications.
The Parliament’s rapporteur incorporated amendments from associated committees, strengthening gender dimensions in victim support and cultural considerations in prevention programming. The position received broad cross-party support in committee, reflecting consensus on balancing child protection imperatives with privacy preservation.
Because end-to-end encryption constitutes a cornerstone of digital security protecting journalists, activists, and citizens from authoritarian overreach, the mandate declares any detection incompatible with encryption essence impermissible, closing pathways to client-side scanning that functionally replicate breakage. Providers challenge orders before courts with suspension rights pending review, ensuring judicial oversight.
The mandate foresees Centre governance incorporating stakeholder consultations, including civil society and data protection experts, to constrain institutional capture risks. Annual evaluations assess regulation impacts on abuse prevalence and rights observance, informing adjustments.
Because voluntary efforts proved insufficient against scale, targeted obligations calibrated to suspicion levels close gaps without blanket scrutiny. The position awaits Council alignment in trilogue, where encryption safeguards form non-negotiable red lines.
Technical Mechanisms and Encryption Compatibility
The European Commission’s proposal for a regulation laying down rules to prevent and combat child sexual abuse specifies detection technologies that providers deploy under orders, distinguishing between indicators for known child sexual abuse material—relying on perceptual hashing algorithms that generate unique fingerprints from verified images or videos—and classifiers for unknown material or solicitation patterns trained on labelled datasets to identify novel content or behavioural signals.
Because end-to-end encryption renders content inaccessible to providers during transit, the proposal permits client-side implementation where detection occurs on user devices prior to encryption or after decryption, ensuring that hashing or classification executes locally without transmitting plaintext to servers. Providers select technologies demonstrating high accuracy and low error rates, subject to independent verification, with orders requiring human review of flagged items before reporting to constrain false positives that arise from hash collisions or classifier misidentifications.
The impact assessment accompanying the proposal evaluates technical options, concluding that hashing for known material achieves reliability exceeding 99 % in controlled tests while classifiers for unknown material exhibit higher variability dependent on training data quality and model architecture. Because no technology eliminates errors entirely at scale, the proposal mandates transparency on error rates, periodic audits, and limitations on order duration to maintain proportionality under Charter Articles 7 and 8.
End-to-end encryption preserves confidentiality by encrypting data on the sender’s device and decrypting solely on the recipient’s, preventing intermediary access including by the provider itself. The proposal asserts compatibility by confining detection to device-level processing, avoiding server-side decryption or backdoor insertion that would weaken cryptographic guarantees. Recital 26 clarifies that providers may offer encrypted services provided detection obligations apply where risks justify them, utilising client-side mechanisms that introduce local code execution without altering encryption protocols.
The European Data Protection Board and European Data Protection Supervisor jointly assess that client-side scanning functionally equates to generalised monitoring when applied broadly, risking indiscriminate interference with communications confidentiality irrespective of implementation locus. Because device-resident analysis accesses content before encryption, users face continuous scrutiny equivalent to breaking encryption essence for affected services.
Hashing indicators derive from databases of verified material maintained by the EU Centre, employing algorithms resistant to minor alterations such as resizing or cropping, with collision probabilities minimised through multi-hash variants. Classifiers for unknown material rely on machine learning models, typically convolutional neural networks, achieving detection rates above 90 % on benchmarks but generating false positives at rates necessitating human oversight to prevent erroneous reports.
Because grooming detection targets textual or behavioural indicators, the proposal restricts such orders to stricter criteria, acknowledging lower classifier precision for conversational nuance compared to visual matching. Providers report deployment details annually, including technology versions, error metrics, and mitigation against adversarial evasion attempts that manipulate inputs to bypass detection.
The Council’s general approach of November 2025 eliminates mandatory detection orders for interpersonal communications, rendering scanning voluntary while preserving access to Centre indicators for providers electing implementation. This shift addresses encryption concerns by removing compulsion, allowing services to maintain uncompromised end-to-end encryption absent voluntary adoption.
The European Parliament’s mandate of November 2023 excludes end-to-end encrypted communications from detection order scope entirely, prohibiting measures that circumvent or undermine encryption integrity. Amendments require targeted orders limited to known material hashing on suspicious accounts, with judicial authorisation predicated on concrete indications rather than service-wide risk.
Because client-side code introduces new attack surfaces—enabling potential exploitation by malware or state actors to access unencrypted content—the proposal mandates security audits demonstrating resistance to reverse engineering or tampering. Providers bear liability for vulnerabilities arising from detection implementations, incentivising robust hardening.
Technical safeguards include error mitigation protocols whereby flagged content undergoes automated de-duplication and contextual review before escalation, reducing volumes forwarded to the Centre. The Centre evaluates indicator accuracy continuously, withdrawing unreliable entries that exceed defined false-positive thresholds.
Because volumetric scaling amplifies absolute error counts even at low percentages, the proposal caps order applicability to specific service segments, avoiding blanket device scanning across entire user bases. Providers document technological choices publicly, enabling oversight by coordinating authorities.
The interplay between detection efficacy and encryption preservation reveals inherent tension: effective unknown material or grooming identification demands content access incompatible with strong end-to-end encryption absent client-side intervention. The Commission’s position maintains that localised processing preserves encryption for transit while fulfilling prevention obligations.
Independent analyses confirm that perceptual hashing achieves negligible collision rates for known material when databases incorporate verified sources exclusively, whereas unknown classifiers remain prone to dataset biases yielding disproportionate impacts on certain content types. Because adolescent self-generated imagery increasingly constitutes reported material, classifiers risk conflating consensual exploration with abuse absent nuanced training.
Providers deploying voluntary detection post-Council approach access standardised indicators through secure channels, ensuring uniform technological baselines without mandating uptake. The Centre facilitates research into privacy-enhancing techniques, though current implementations rely predominantly on established hashing and classification paradigms.
Because adversarial examples demonstrate classifier bypass through minor perturbations, orders require resilience testing against known evasion methods. Providers integrate updates seamlessly via app distribution mechanisms, balancing security with detection continuity.
The regulation’s technical framework interacts with broader cybersecurity imperatives: weakened device trust from mandatory client code erodes overall ecosystem security, potentially amplifying risks from state-sponsored intrusions targeting detection backdoors. Because no zero-knowledge proof enables reliable unknown material detection without content revelation, alternatives remain exploratory.
Coordinating authorities oversee technology deployments nationally, compelling adjustments where error rates exceed proportionality bounds. The Centre aggregates anonymised performance data to inform Union-wide refinements, fostering iterative improvement without centralising sensitive content.
Because audio communications exhibit distinct classification challenges, the Parliament mandate excludes them from scope, concentrating obligations on visual and textual modalities with mature technological foundations.
Providers challenge detection technologies before courts where implementations infringe rights, with suspension available pending resolution. The framework embeds adaptability through delegated acts updating indicator specifications responsive to technological evolution.
Fundamental Rights Assessments by Supervisory Bodies
The European Data Protection Board and European Data Protection Supervisor issued a joint opinion on 28 July 2022 assessing the Commission’s proposal for a regulation laying down rules to prevent and combat child sexual abuse, concluding that detection obligations risk disproportionate interference with Articles 7, 8, and 11 of the Charter of Fundamental Rights through generalised content analysis incompatible with necessity and proportionality principles established in Court of Justice jurisprudence.
Because the proposal authorised detection orders compelling providers to scan interpersonal communications for unknown material and solicitation using classifiers prone to error rates exceeding acceptable thresholds for mass application, the supervisory bodies determined that such measures undermine the essence of confidentiality guarantees by enabling indiscriminate scrutiny of private exchanges absent targeted suspicion. The joint opinion emphasises that limitations on fundamental rights must preserve their core substance, requiring interventions confined to strictly necessary scopes where less intrusive alternatives suffice for child protection objectives.
The supervisory bodies acknowledge the legitimate aim of combating child sexual abuse as an objective of general interest capable of justifying restrictions, yet stress that the proposal’s breadth—encompassing all users of affected services regardless of individual risk—deviates from Court of Justice precedents prohibiting general monitoring or retention obligations. Because client-side scanning accesses content prior to encryption, the opinion equates such implementation to functional circumvention of end-to-end protections, eroding trust in digital communications essential for freedom of expression and journalistic sources.
The joint opinion critiques vagueness in detection order conditions, noting insufficient precision on risk thresholds, technology accuracy requirements, and judicial oversight mechanisms that fail to ensure targeted application. Providers receive orders based on significant residual risk post-mitigation, yet without quantifiable error benchmarks or mandatory independent validation, classifiers for unknown material generate false positives at scales rendering human review impractical.
Because grooming detection relies on behavioural indicators with inherently lower precision than hashing known material, the supervisory bodies highlight elevated risks of misclassification chilling legitimate discussions on sexual health or identity among minors. The opinion recommends confining obligations to known material hashing under strict judicial authorisation predicated on concrete indications rather than service-wide assessments.
The European Data Protection Board adopted a subsequent statement on 14 February 2024 addressing legislative developments, regretting persistence of detection orders extending beyond known material despite documented classifier inaccuracies and welcoming Parliament amendments limiting scope while urging further safeguards against voluntary measures recreating de facto generalised analysis.
Because Council positions rendered detection voluntary for interpersonal communications while retaining risk mitigation incentives potentially pressuring providers toward broad implementation, the statement warns of indirect compulsion undermining encryption integrity. The supervisory body reiterates that technologies lacking negligible error rates violate proportionality, particularly where false reports overwhelm law enforcement capacity without commensurate investigative gains.
The joint opinion underscores chilling effects whereby pervasive scrutiny alters user behaviour, suppressing open discourse on sensitive topics and disproportionately impacting vulnerable groups reliant on confidential channels. Because encryption constitutes a critical safeguard for data security and democratic processes, measures weakening its deployment risk broader societal harms exceeding child protection benefits.
Supervisory assessments align with Court of Justice rulings invalidating generalised data retention schemes for lacking sufficient targeting and oversight, extending analogous reasoning to content scanning obligations. The opinion cites precedents requiring interventions demonstrate empirical necessity through evidence that voluntary or targeted approaches fail to address substantiated threats.
Because the proposal establishes an EU Centre processing reports and indicators, the supervisory bodies demand robust governance separating prevention from enforcement functions to prevent function creep toward expanded surveillance mandates. Data minimisation principles necessitate filtering unfounded reports prior to law enforcement forwarding, with aggregated transparency excluding personal identifiers.
The European Data Protection Supervisor issued separate analyses reinforcing joint positions, emphasising that client-side mechanisms introduce device vulnerabilities exploitable by malicious actors, compounding cybersecurity risks antithetical to Charter protections. Because no detection technology achieves perfect accuracy at scale, systemic false positives infringe presumption of innocence by subjecting innocent communications to authority review.
Supervisory bodies recommend alternatives emphasising provider mitigation through design features, user reporting enhancements, and targeted investigations authorised judicially on specific intelligence. Because voluntary detection under interim derogations demonstrated feasibility without mandatory scanning, permanent frameworks should prioritise encryption-preserving tools over intrusive classifiers.
The joint opinion concludes that the proposal, absent substantial revisions confining detection to known material under suspicion-based orders with verifiable low-error technologies, presents greater risks to fundamental rights than benefits to child victims. Supervisory interventions inform trilogue negotiations, shaping safeguards against disproportionate interference.
Implications for Future Digital Regulation
The Council of the European Union’s general approach adopted on 26 November 2025 establishes voluntary detection for interpersonal communications services while mandating risk mitigation measures across classified service tiers and empowering national authorities to issue removal and blocking orders, thereby creating administrative infrastructure that normalises provider cooperation in content analysis without compulsory scanning thresholds.
Because the position renders permanent the previously temporary derogation permitting voluntary detection, providers gain indefinite access to EU Centre indicators for known material hashing and potential classifiers, shifting the normative baseline from exceptional to routine deployment of content moderation tools originally justified by child protection exigencies. Risk classification systems—distinguishing low, medium, and high tiers based on misuse potential—impose escalating mitigation obligations, including age assurance mechanisms and safety-by-design features that require proactive algorithmic interventions, effectively embedding preventive scrutiny into service architectures.
Trilogue negotiations initiated following the Council’s mandate reconcile divergences with the Parliament’s 2023 position limiting detection to targeted, judicially authorised known material hashing, determining whether final text preserves encryption safeguards or expands voluntary frameworks incentivising broad adoption. Because voluntary measures avoid direct compulsion yet align liability reduction with detection uptake, providers face structural pressures to implement scanning exceeding minimal compliance, establishing de facto generalised analysis absent explicit mandates.
The EU Centre’s role in maintaining indicator databases, filtering reports, and facilitating victim removal requests creates centralised technical capacity transferable to adjacent policy domains once operationalised. Because indicators derive from verified submissions vetted for reliability, extensions to other illegal content categories—such as terrorist material or disinformation—require only procedural adjustments rather than legislative overhauls, lowering political barriers to scope expansion.
Council emphasis on complementarity with the Digital Services Act leverages existing systemic risk assessments for very large platforms, integrating child-specific obligations into horizontal frameworks that already mandate proactive content moderation. High-risk designations trigger enhanced transparency and auditing, normalising independent verification of detection technologies applicable beyond child abuse contexts.
Because age verification systems mandated for high-risk services process biometric or documentary data to restrict minor access, accumulated infrastructure supports cross-domain identity linkage, facilitating future mandates for authenticated interactions in regulated spaces. Providers implement privacy-preserving designs where feasible, yet scalability demands centralised validation channels expandable to broader user attribution requirements.
The position’s extraterritorial reach compels non-EU providers targeting Union users to appoint representatives and comply with Centre mechanisms, exporting administrative precedents globally through market access conditions. Because removal and blocking orders execute swiftly upon authority instruction, enforcement templates adapt readily to emergent threats prioritised politically.
Risk mitigation catalogues include non-exhaustive measures such as staff training, algorithmic recalibration, and user reporting enhancements, encouraging innovation in automated tools that refine over time for multifunction deployment. Because high-risk classifications incorporate service features enabling private interactions, classifications incentivise design alterations reducing confidentiality to minimise liability exposure.
Trilogue outcomes influence precedent value: retention of voluntary detection with strong encryption prohibitions constrains immediate function creep, whereas permissive risk mitigation enables incremental normalisation of preventive surveillance. Because the regulation establishes dedicated coordinating authorities with investigative powers, national capacities strengthen for coordinated responses to diverse online harms.
The framework’s evaluation clause commits to five-year reviews assessing effectiveness against prevalence metrics and rights impacts, providing institutionalised pathways for evidence-based expansions grounded in operational data. Because victim support channels centralise removal requests with verification protocols, processes streamline for analogous erasure rights in other domains.
Council rejection of mandatory orders for encrypted services preserves technical feasibility constraints, yet voluntary permanence signals acceptance of client-side mechanisms where providers elect implementation. Because indicators undergo continuous accuracy refinement, technological maturation reduces error barriers to broader application.
The regulation’s interaction with ePrivacy Directive derogations bridges interim regimes into permanent structures, entrenching exceptions as infrastructure components. Because penalties scale to turnover for mitigation failures, deterrence mechanisms align provider incentives with authority expectations across content categories.
| Concept | Description | Key Positions / Details | Institution / Stage | Source |
|---|---|---|---|---|
| Original Proposal | Comprehensive framework requiring providers to assess risks and mitigate; allows detection orders for known/unknown CSAM and grooming. | Risk assessments mandatory; detection orders (up to 24 months for material, 12 months for solicitation) with judicial authorisation; creation of EU Centre for indicators, report filtering, victim support. | European Commission | Proposal for a Regulation of the European Parliament and of the Council laying down rules to prevent and combat child sexual abuse – European Commission – May 2022 |
| Detection Obligations | Providers may be ordered to scan services using Centre-provided indicators. | Hashing for known material; classifiers for unknown material/grooming; client-side scanning for encrypted services; human oversight and error reporting required. | European Commission | Proposal for a Regulation of the European Parliament and of the Council laying down rules to prevent and combat child sexual abuse – European Commission – May 2022 |
| EU Centre Role | Decentralised agency to support prevention and enforcement. | Maintains indicator databases; filters reports; assists victim removals; provides technical assistance; cooperates with Europol. | European Commission / All positions | Proposal for a Regulation of the European Parliament and of the Council laying down rules to prevent and combat child sexual abuse – European Commission – May 2022 |
| Risk Mitigation | Providers must implement measures to reduce misuse risks. | Safety-by-design, user reporting tools, age-appropriate features, content controls. | European Commission | Proposal for a Regulation of the European Parliament and of the Council laying down rules to prevent and combat child sexual abuse – European Commission – May 2022 |
| Removal & Blocking | Authorities issue orders for identified material. | Prompt execution required; victim direct requests supported. | European Commission / Council | Proposal for a Regulation of the European Parliament and of the Council laying down rules to prevent and combat child sexual abuse – European Commission – May 2022 |
| Council Position | Eliminates mandatory detection for interpersonal communications. | Detection voluntary and permanent; tiered risk classification (low/medium/high); enhanced mitigation including age assurance for high-risk. | Council of the European Union | Child sexual abuse: Council reaches position on law protecting children from online abuse – Council of the European Union – November 2025 |
| Voluntary Detection | Providers may choose to scan using Centre indicators. | No compulsion for encrypted services; explicit prohibition on undermining end-to-end encryption. | Council of the European Union | Child sexual abuse: Council reaches position on law protecting children from online abuse – Council of the European Union – November 2025 |
| National Authorities | Designated coordinating authorities with enforcement powers. | Issue removal/blocking orders; oversee compliance; impose turnover-based penalties. | Council / Commission | Child sexual abuse: Council reaches position on law protecting children from online abuse – Council of the European Union – November 2025 |
| Parliament Mandate | Restricts detection to targeted, suspicion-based cases. | Limited to known CSAM; excludes measures undermining encryption; postpones unknown material/grooming until proven accurate. | European Parliament | REPORT on the proposal for a regulation of the European Parliament and of the Council laying down rules to prevent and combat child sexual abuse – European Parliament – November 2023 |
| Encryption Safeguards | Strong protections against weakening end-to-end encryption. | Prohibits generalised scanning; client-side only if compatible with confidentiality. | Parliament / Council | REPORT on the proposal for a regulation of the European Parliament and of the Council laying down rules to prevent and combat child sexual abuse – European Parliament – November 2023 |
| Technical Mechanisms | Hashing for known material; classifiers for unknown/grooming. | Client-side scanning for encrypted services; error mitigation via human review; accuracy audits required. | Commission / Supervisory bodies | Proposal for a Regulation of the European Parliament and of the Council laying down rules to prevent and combat child sexual abuse – European Commission – May 2022 |
| Error Rates & False Positives | No technology is error-free at scale. | Hashing highly reliable; classifiers higher error rates; false positives statistically inevitable in billions of messages. | Supervisory bodies | EDPB-EDPS Joint Opinion 4/2022 on the Proposal for a Regulation of the European Parliament and of the Council laying down rules to prevent and combat child sexual abuse – European Data Protection Board and European Data Protection Supervisor – July 2022 |
| Fundamental Rights Concerns | Risk of disproportionate interference with privacy and data protection. | Generalised scanning undermines Charter Articles 7, 8, 11; chilling effects on expression; incompatible with CJEU jurisprudence. | EDPB / EDPS | EDPB-EDPS Joint Opinion 4/2022 on the Proposal for a Regulation of the European Parliament and of the Council laying down rules to prevent and combat child sexual abuse – European Data Protection Board and European Data Protection Supervisor – July 2022 |
| Chilling Effects | Users self-censor when aware of potential scrutiny. | Reduces open communication; affects vulnerable groups disproportionately. | Supervisory bodies | EDPB-EDPS Joint Opinion 4/2022 on the Proposal for a Regulation of the European Parliament and of the Council laying down rules to prevent and combat child sexual abuse – European Data Protection Board and European Data Protection Supervisor – July 2022 |
| Precedent & Function Creep | Infrastructure easily extendable to other content types. | Central databases, risk mitigation mandates, removal orders adaptable to terrorism, disinformation, etc. | All positions (implied in Council permanence) | Child sexual abuse: Council reaches position on law protecting children from online abuse – Council of the European Union – November 2025 |
| Current Status | Trilogue negotiations ongoing as of December 2025. | Started December 2025; reconciliation of voluntary vs. targeted approaches pending. | Council / Parliament | Child sexual abuse: Council reaches position on law protecting children from online abuse – Council of the European Union – November 2025 |
