Chat Control 1.0 and 2.0 Explained

The European Union is concurrently advancing two controversial messaging-scanning proposals known as 'Chat Control'. This article untangles the differences between the temporary Chat Control 1.0 and the permanent Chat Control 2.0.
Chat Control 1.0 and 2.0 Explained
There is not one proposed “Chat Control” law — there are two, and they are moving through the EU institutions in parallel. This is why the news can seem contradictory: one Chat Control was "stopped" in March 2026, yet another is still being negotiated, and the first is now being revived. This page untangles the two.
Chat Control 1.0
Regulation (EU) 2021/1232 — the "temporary" law
Expired 4 April 2026 — revival in progress- What is it?
A temporary derogation from the ePrivacy Directive that allowed(but did not require) providers to scan private messages of unsuspected users for potential child sexual abuse material. - Is scanning mandatory?
- No — voluntary. In practice used mainly by unencrypted US services such as Gmail, Facebook/Instagram Messenger, Skype, Snapchat, iCloud Mail, and Xbox.
- Does it touch encrypted messages?
- No. End-to-end encrypted communications were never scanned but providers could deploy client-side scanning under this law.
- Status today
- Legally expired since 4 April 2026 after Parliament refused to extend it. The Council is now attempting an unprecedented fast-track revival via a formally "new" law with identical content.
Chat Control 2.0
CSA Regulation (CSAR) — the permanent proposal
In trilogue negotiations — no agreement- What is it?
A proposed permanent regulation that would make detection and reporting of child sexual abuse material a legal requirementfor digital platforms. - Is scanning mandatory?
- That is the core of the fight. The original proposal mandated scanning of private communications; the Council’s 2025 position shifted to “voluntary” suspicionless detection plus broad risk-mitigation duties that incentivise scanning anyway. The Parliament’s position is that scanning of private communications must be limited to individual users or a specific group of users suspected of links to child sexual abuse, and that a court order is required; implementation of the order would then be mandatory.
- Does it touch encrypted messages?
- Potentially yes — inclusion of end-to-end encrypted messengers remains contentious between Parliament and the Council.
- Status today
- Five trilogue rounds have failed to produce a deal. The supposedly final trilogue on 29 June 2026 collapsed over suspicionless scanning; negotiations continue under the Irish presidency.
Timeline: Chat Control 1.0
The temporary, voluntary scanning regime — adopted in 2021, rejected by Parliament in March 2026, expired in April 2026, and now the subject of an unprecedented revival attempt.
Temporary derogation adopted
Regulation (EU) 2021/1232 creates a temporary exception to the ePrivacy Directive, giving providers a legal basis to voluntarily scan private messages for child sexual abuse material. Originally set to expire 3 August 2024.
First extension
With the permanent regulation (Chat Control 2.0) nowhere near agreement, the derogation is extended until 3 April 2026.
Commission proposes second extension
The Commission proposes extending the derogation by another two years, to April 2028.
LIBE committee rejects the extension
In a surprise vote, the Parliament's civil liberties committee rejects the draft extension by 38 votes to 28.
Parliament adopts a protective position
The plenary votes 458–103 for a compromise: extend to 2027, but only with targeted and proportionate detection of known content, no end-to-end encrypted communications, and limiting scanning to suspected users or groups identified by the competent judicial authority.
Trilogue on the extension collapses
The Council rejects Parliament's conditions and shows no flexibility in negotiations; talks on the extension break down.
Parliament rejects the extension outright
311 MEPs vote against extending the derogation (228 in favour, 92 abstentions). The critical Amendment 34, rejecting automated assessment of unknown photos and texts, passes by a single vote (307–306).
Chat Control 1.0 expires
The legal ground for voluntary, indiscriminate scanning ends. Google, Meta, Microsoft, and Snap state they will continue scanning private messages regardless.
Council moves to resurrect the expired law
EU ambassadors agree to push a temporary revival — unprecedented, as Parliament's rejection was considered final. Because an expired regulation cannot be extended, the Council proposes a formally new law with identical content via an expedited procedure.
Council adopts its position
The Council adopts its position on the "new" regulation via written procedure.
Urgency procedure approved
Parliament voted 331–303 (11 abstentions) to fast-track the expired derogation, skipping the responsible Committee. A binding vote follows on Thursday, 9 July, where an absolute majority of 361 MEPs is needed to stop it.
Timeline: Chat Control 2.0
The permanent CSA Regulation — proposed in 2022, deadlocked for years, and still unagreed after five rounds of trilogue negotiations. Encryption remains the red line.
Commission proposes the CSA Regulation
Home Affairs Commissioner Ylva Johansson unveils a proposal for a permanent regulation making detection and reporting of child sexual abuse material a legal requirement for platforms — including a requirement to bypass end-to-end encryption.
Parliament adopts a protective mandate
No scanning of end-to-end encrypted services, detection limited to visual material, judicial warrants targeted at specific suspects, and no mandatory age verification.
Germany breaks the Council deadlock
After years of Council deadlock, Germany announces it will vote against mandatory suspicionless scanning. The Danish presidency drops detection orders and shifts to risk assessment and mitigation obligations for providers, while proposing to make the voluntary suspicionless scanning (interim regulation) permanent.
Council endorses its position
The Council adopts the softened Danish compromise, opening trilogue negotiations. Critics note the text still allows “voluntary” suspicionless detection and imposes broad risk-mitigation duties, including mandatory age verification, that could reshape private messaging in practice.
Four trilogue rounds
Negotiations between Parliament, Council, and Commission take place on 9 December 2025, 26 February, 16 April, and 11 May 2026 — without agreement on the core issues.
Council's own lawyers raise the alarm
The Council Legal Service states that the "voluntary" scanning proposal still constitutes generalised scanning of communications — incompatible with Article 7 of the EU Charter absent reasonable suspicion and prior judicial authorisation.
"Final" trilogue fails
The fifth trilogue, billed as the last with adoption targeted for July, produces no deal. Negotiators cannot agree on making suspicionless scanning permanent, as requested by Council. Progress is reported on excluding mandatory age verification, but agreement is postponed and talks continue under the incoming Irish presidency.
Source: Hacker News
















