Regulation to Prevent and Combat Child Sexual Abuse
European Union regulation proposal on child pornography detection
From Wikipedia, the free encyclopedia
The Regulation to Prevent and Combat Child Sexual Abuse (Child Sexual Abuse Regulation, or CSAR), commonly referred to by critics as Chat Control, is a European Union regulation proposal to enable lawful detection of child sexual abuse material through limited privacy exclusions, reporting obligations and detection orders applying to digital platforms.[1][2]
| European Union regulation | |
| Text with EEA relevance | |
| Title | Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL laying down rules to prevent and combat child sexual abuse |
|---|---|
| Journal reference | |
| Preparative texts | |
| Commission proposal | COM/2022/209 final |
| Proposed | |
Supporters include child advocacy groups[3] and a moderate majority of the public[4], while opponents include civil society organisations and privacy activists[5] who argue it could undermine end-to-end encryption and violate rights to privacy and data protection through enabling indiscriminate computer and network surveillance.[6][7]
Expert assessments, including a European Parliament study, conclude that although established technology for detecting known child pornography with relatively high accuracy is practical, no reliable way exists to detect unknown child pornography without high error rates, but that such unknown detections were "overwhelmingly confirmed" upon human review.[8][9]
Background
The ePrivacy Directive was introduced in 2002 to regularize digital communications confidentiality, initially covering services like telephone, but extended by the Electronic Communications Code to include services like instant messaging in rules that entered force by December 2020.[10] A derogation was proposed in September 2020 enabling digital platforms to continue pre-existing lawful scanning for abuse material without falling afoul of the extended rules.[11]
The European Commission adopted its strategy for "a more effective fight against child sexual abuse" on 24 July 2020[12], establishing a policy basis for existing scanning practice, setting goals to strengthen law-enforcement technology, and create legislation requiring digital platforms to detect and report known abuse material.
The proposed derogation, often known as "Chat Control 1.0", entered force in 2021.[13][14] This did not mandate automatic scanning, but placed limits on what scanning was permitted and how it must be implemented, including mandating privacy-preserving technologies in line with the ePrivacy Directive. It expired on 26 March 2026, when its further extension was rejected by one vote.
In line with the 2020 policy, legislation often known as "Chat Control 2.0" is proposed[15], with mandated risk-assessments and mitigations, and enabling competent authorities such as a government regulator to seek detection orders against specific services with judicial oversight[16]. Exceptions are included for politicians and certain classes of personnel such as police and military. On 7 July 2026 it was revived and fast-tracked for decisive vote on 9 July 2026.[17]
Support for the proposal
The European Commission's Directorate-General for Migration and Home Affairs argues that voluntary actions by online service providers to detect online child sexual abuse are insufficient. They emphasise that some service providers are less involved in combating such abuse, leading to gaps where abuse can go undetected. Moreover, they highlight that companies can change their policies, making it challenging for authorities to prevent and combat child sexual abuse effectively. The EU currently relies on other countries, primarily the United States, to launch investigations into abuse occurring within the EU, resulting in delays and inefficiencies.[18]
Several bodies within the EU claim the establishment of a centralized organization, the EU Centre on Child Sexual Abuse, would create a single point of contact for receiving reports of child sexual abuse.[18][1] It is claimed this centralization would streamline the process by eliminating the need to send reports to multiple entities and would enable more efficient allocation of resources for investigation and response.[18] Proponents also argue for the need to improve the transparency of the process of finding, reporting, and removing online child pornography. They claim that there is currently limited oversight of voluntary efforts in this regard. The EU Centre would collect data for transparency reports, provide clear information about the use of tools, and support audits of data and processes. It aims to prevent the unintended removal of legitimate content and address concerns about potential abuse or misuse of search tools.[18]
Another aspect highlighted by supporters is the necessity for improved cooperation between online service providers, civil society organizations, and public authorities. The EU Centre is envisioned as a facilitator, enhancing communication efficiency between service providers and EU countries. By minimizing the risk of data leaks, the Centre aims to ensure the secure exchange of sensitive information. This cooperation is crucial for sharing best practices, information, and research across different countries, thereby strengthening prevention efforts and victim support.[18]
Criticism of the proposal

Groups opposed to this proposal often highlight that it would impose mandatory chat control for all digital private communications, and as such commonly refer to the proposed legislation by the name "Chat Control".[6][19][7] Some civil society organisations and activists have argued that the proposal is not compatible with fundamental rights, infringing on the right to privacy.[20][21]
The Council of the European Union's Legal Service also criticised the impact of the Commission's proposal on the right to privacy. The Council's legal opinion emphasized that the screening of interpersonal communications of all citizens affects the fundamental right to respect for private life as well as the right to the protection of personal data.[22] The legal experts of the Council also referenced the jurisprudence of the EU Court of Justice, which has ruled out against generalised data retention.[23]
The European Parliament commissioned an additional impact assessment on the proposed regulation which was presented in the Committee on Civil Liberties, Justice, and Home Affairs.[24] The European Parliament's study heavily critiqued the Commission's proposal. According to the Parliament's study, there aren't currently any technological solutions that can detect child sexual abuse material, without resulting in a high error rate which would affect all messages, files and data in a particular platform.[8] The high false positive rate despite low false negative rate is caused due to the base rate problem.[25] In Ireland, 852 out of 4192 (20.3%) of the reports received by the Irish police forces turned out to be actual exploitation material, with 471 (11.2%) being marked as false positives.[26] Lastly, the study highlighted that the proposed regulation would make teenagers "feel uncomfortable when consensually shared images could be classified as CSAM [child sexual abuse material]".[8]
The European Data Protection Supervisor (EDPS) together with the European Data Protection Board (EDPB) stated, in a joint opinion, that "the Proposal could become the basis for de facto generalized and indiscriminate scanning of the content of virtually all types of electronic communications", which could hinder sharing legal content due to the chilling effect.[27] In April 2023, the European Parliament confirmed that they had received messages calling to vote against the European Commission's chat control proposal.[28] EU Commissioner Ylva Johansson has also been heavily criticised regarding the process in which the proposal was drafted and promoted. A transnational investigation by European media outlets revealed the close involvement of foreign technology and law enforcement lobbyists in the preparation of the proposal.[29] This was also highlighted by digital rights organisations, which Johansson rejected to meet on three occasions.[30] Commissioner Johansson was also criticised for the use of micro-targeting techniques to promote its controversial draft proposal, which violated the EU's data protection and privacy rules.[31]
Legislative process
In March 2023, a revised version of the proposal was introduced.[13] On 14 November 2023, the European Parliament's Committee on Civil Liberties, Justice, and Home Affairs (LIBE), voted to remove indiscriminate chat control and allow for the targeted surveillance of specific individual and groups which are reasonably suspicious. Moreover, Members of the European Parliament voted in favour of the protection of encrypted communications.[32]
In February 2024, the European Court of Human Rights ruled, in an unrelated case, that requiring degraded end-to-end encryption "cannot be regarded as necessary in a democratic society". This underlined the European Parliament's decision to protect encrypted communications.[33] In May 2024, Patrick Breyer reported that moves were again being made to restore indiscriminate message scanning to the legislation, under the name of "upload moderation".[34] On 21 June 2024, it was reported that voting on the legislation had been temporarily withdrawn by the EU Council, in a move that is believed to be the result of pushback by critics of the proposal including software vendors.[35][36]
Denmark, which assumed the presidency of the European Council in July 2025, wrote in their programme that "the Presidency will give the work on the Child Sexual Abuse (CSA) Regulation and Directive high priority".[37] In early October 2025, in the face of concerted public opposition, the German government stated that it would vote against the proposal.[38] Later that month, the Danish government backed down from its position on making monitoring and scanning mandatory, in effect reducing this aspect of the proposal to the maintenance of the status quo.[39]
In early November 2025, Patrick Breyer described what he believes is a back-door attempt to revive Chat Control 2.0 by means of a new text containing wording obliging providers to take "all appropriate risk mitigation measures" to ensure safety, effectively indirectly introducing an obligation to scan content.[40][41] According to Breyer, "Following loud public protests, several member states, including Germany, the Netherlands, Poland, and Austria, said 'No' to indiscriminate Chat Control. Now it's coming back through the back door disguised, more dangerous, and more comprehensive than ever. The public is being played for fools."[40] On 26 March 2026, the European Parliament voted to reject any further extensions of the first iteration of Chat Control.[15] On 7 July 2026, the European Parliament approved an urgent procedure under Rule 170 of Rules of Procedure of the European Parliament to vote on Chat Control regulations.[42]
See also
- Digital Services Act, an EU regulation
- General Data Protection Regulation
- Online Safety Act 2023, a UK Act of Parliament
- UploadFilter, part of the Directive on Copyright in the Digital Single Market
- Patriot Act, US anti-privacy law