Chat Control 1.0 and 2.0 Explained
There is not one proposed “Chat Control” law — there
are two, and they are moving
through the EU institutions
in parallel. This is why the news
can seem contradictory: one Chat Control was
"stopped" in March 2026, yet another is still being
negotiated, and the first is now being revived. This
page untangles the two.
Chat Control 1.0
Regulation (EU) 2021/1232 — the
"temporary" law
Chat Control 2.0
CSA Regulation (CSAR) — the permanent
proposal
Timeline: Chat Control 1.0
The temporary, voluntary scanning regime —
adopted in 2021, rejected by Parliament in March
2026, expired in April 2026, and now the subject of
an unprecedented revival attempt.
Temporary derogation adopted
Regulation (EU) 2021/1232 creates a
temporary exception to the ePrivacy
Directive, giving providers a legal
basis to voluntarily scan
private messages for child sexual abuse
material. Originally set to expire 3
August 2024.
First extension
With the permanent regulation (Chat
Control 2.0) nowhere near agreement, the
derogation is extended until 3 April
2026.
Commission proposes second extension
The Commission proposes extending the
derogation by another two years, to
April 2028.
LIBE committee rejects the extension
In a surprise vote, the Parliament's
civil liberties committee rejects the
draft extension by 38 votes to 28.
Parliament adopts a protective position
The plenary votes 458–103 for a
compromise: extend to 2027, but only
with targeted and proportionate
detection of known content, no
end-to-end encrypted communications,
and limiting scanning to suspected users
or groups identified by the competent
judicial authority.
Trilogue on the extension collapses
The Council rejects Parliament's
conditions and shows no flexibility in
negotiations; talks on the extension
break down.
Parliament rejects the extension
outright
311 MEPs vote against extending the
derogation (228 in favour, 92
abstentions). The critical Amendment 34,
rejecting automated assessment of
unknown photos and texts, passes by a
single vote (307–306).
Chat Control 1.0 expires
The legal ground for voluntary,
indiscriminate scanning ends. Google,
Meta, Microsoft, and Snap state they
will continue scanning private messages
regardless.
Council moves to resurrect the expired
law
EU ambassadors agree to push a temporary
revival — unprecedented, as
Parliament's rejection was considered
final. Because an expired regulation
cannot be extended, the Council
proposes a formally
new law with identical
content via an expedited procedure.
Council adopts its position
The Council adopts its position on the
"new" regulation via written procedure.
Urgency procedure approved
Parliament voted
331–303 (11
abstentions) to fast-track the expired
derogation, skipping the responsible
Committee. A binding vote follows on
Thursday, 9 July, where an
absolute majority of 361
MEPs
is needed to stop it.
Timeline: Chat Control 2.0
The permanent CSA Regulation — proposed in
2022, deadlocked for years, and still unagreed after
five rounds of trilogue negotiations. Encryption
remains the red line.
Commission proposes the CSA Regulation
Home Affairs Commissioner Ylva Johansson
unveils a proposal for a permanent regulation making
detection and reporting of child sexual
abuse material a legal requirement for
platforms — including a requirement
to bypass end-to-end encryption.
Parliament adopts a protective mandate
No scanning of end-to-end encrypted
services, detection limited to visual
material, judicial
warrants targeted at specific suspects,
and no mandatory age verification.
Germany breaks the Council deadlock
After years of Council deadlock, Germany
announces it will vote against mandatory
suspicionless scanning. The Danish
presidency drops detection orders and
shifts to risk assessment and mitigation
obligations for providers, while
proposing to make the voluntary
suspicionless scanning (interim
regulation) permanent.
Council endorses its position
The Council adopts the softened Danish
compromise, opening trilogue
negotiations. Critics note the text
still allows “voluntary”
suspicionless detection and imposes
broad risk-mitigation duties, including
mandatory age verification, that could
reshape private messaging in practice.
Four trilogue rounds
Negotiations between Parliament,
Council, and Commission take place on 9
December 2025, 26 February, 16 April,
and 11 May 2026 — without
agreement on the core issues.
Council's own lawyers raise the alarm
The Council Legal Service states that
the "voluntary" scanning proposal still
constitutes generalised scanning of
communications — incompatible with
Article 7 of the EU Charter absent
reasonable suspicion and prior judicial
authorisation.
"Final" trilogue fails
The fifth trilogue, billed as the last
with adoption targeted for July,
produces no deal. Negotiators cannot
agree on making suspicionless scanning
permanent, as requested by Council.
Progress is reported on excluding
mandatory age verification, but
agreement is postponed and talks
continue under the incoming Irish
presidency.
Timeline
Temporary derogation adopted
Regulation (EU) 2021/1232 creates a
temporary exception to the ePrivacy
Directive, giving providers a legal
basis to voluntarily scan
private messages for child sexual abuse
material. Originally set to expire 3
August 2024.
Commission proposes the CSA Regulation
Home Affairs Commissioner Ylva Johansson
unveils a proposal for a permanent regulation making
detection and reporting of child sexual
abuse material a legal requirement for
platforms — including a requirement
to bypass end-to-end encryption.
Parliament adopts a protective mandate
No scanning of end-to-end encrypted
services, detection limited to visual
material, judicial
warrants targeted at specific suspects,
and no mandatory age verification.
First extension
With the permanent regulation (Chat
Control 2.0) nowhere near agreement, the
derogation is extended until 3 April
2026.
Germany breaks the Council deadlock
After years of Council deadlock, Germany
announces it will vote against mandatory
suspicionless scanning. The Danish
presidency drops detection orders and
shifts to risk assessment and mitigation
obligations for providers, while
proposing to make the voluntary
suspicionless scanning (interim
regulation) permanent.
Council endorses its position
The Council adopts the softened Danish
compromise, opening trilogue
negotiations. Critics note the text
still allows “voluntary”
suspicionless detection and imposes
broad risk-mitigation duties, including
mandatory age verification, that could
reshape private messaging in practice.
Commission proposes second extension
The Commission proposes extending the
derogation by another two years, to
April 2028.
Four trilogue rounds
Negotiations between Parliament,
Council, and Commission take place on 9
December 2025, 26 February, 16 April,
and 11 May 2026 — without
agreement on the core issues.
LIBE committee rejects the extension
In a surprise vote, the
Parliament’s civil liberties
committee rejects the draft extension by
38 votes to 28.
Parliament adopts a protective position
The plenary votes 458–103 for a
compromise: extend to 2027, but only
with targeted and proportionate
detection of known content, no
end-to-end encrypted communications,
and limiting scanning to suspected users
or groups identified by the competent
judicial authority.
Trilogue on the extension collapses
The Council rejects Parliament’s
conditions and shows no flexibility in
negotiations; talks on the extension
break down.
Parliament rejects the extension
outright
311 MEPs vote against extending the
derogation (228 in favour, 92
abstentions). The critical Amendment 34,
rejecting automated assessment of
unknown photos and texts, passes by a
single vote (307–306).
Chat Control 1.0 expires
The legal ground for voluntary,
indiscriminate scanning ends. Google,
Meta, Microsoft, and Snap state they
will continue scanning private messages
regardless.
Council’s own lawyers raise the
alarm
The Council Legal Service states that
the “voluntary” scanning
proposal still constitutes generalised
scanning of communications —
incompatible with Article 7 of the EU
Charter absent reasonable suspicion and
prior judicial authorisation.
Council moves to resurrect the expired
law
EU ambassadors agree to push a temporary
revival — unprecedented, as
Parliament’s rejection was
considered final. Because an expired
regulation cannot be extended, the
Council proposes a formally
new law with identical content
via an expedited procedure.
“Final” trilogue fails
The fifth trilogue, billed as the last
with adoption targeted for July,
produces no deal. Negotiators cannot
agree on making suspicionless scanning
permanent, as requested by Council.
Progress is reported on excluding
mandatory age verification, but
agreement is postponed and talks
continue under the incoming Irish
presidency.
Council adopts its position
The Council adopts its position on the
“new” regulation via written
procedure.
Urgency procedure approved
Parliament voted
331–303 (11
abstentions) to fast-track the expired
derogation, skipping the responsible
Committee. A binding vote follows on
Thursday, 9 July, where an
absolute majority of 361
MEPs
is needed to stop it.
Where We Are Now
As of July 2026
Chat Control 1.0 is legally
expired, but the Council is fast-tracking an
unprecedented resurrection that Parliament may vote
on under urgency this very week — where an
absolute majority of all MEPs would be needed to
stop or amend it. If this threshold is not
reached, the law is automatically deemed adopted.
Thus, the expired “Chat Control 1.0”
regulation would be reinstated even without the
consent of the European Parliament.
Chat Control 2.0 remains unagreed
after five trilogue rounds. Scanning of
unsuspected citizens and of end-to-end
encrypted messages is the unresolved red line, and
negotiations continue under the Irish Council
presidency.
In short: the "temporary" law is being revived
through the back door while the permanent one is
still on the table. Both fights are happening at the
same time — and both need your voice.