This is a living post. I'll keep updating it as votes happen and the text changes — the newest developments sit at the top under Live Updates, and the evergreen explainer runs underneath so anyone landing here cold can get up to speed. Last updated: 30 June 2026.
Status at a glance: The fifth and expected-final trilogue on the permanent regulation ("Chat Control 2.0") was held 29 June 2026 under the Cyprus Council Presidency, with political agreement targeted for July if a deal was struck. As of this update, the outcome of that session is not yet publicly confirmed. Separately, the Council has been maneuvering to extend the temporary voluntary-scanning regime ("Chat Control 1.0") that Parliament voted to end by a single vote in March.
Live Updates
30 June 2026 — Awaiting the verdict. Negotiators were reported to reconvene today after yesterday's final scheduled trilogue. No confirmed "deal reached" or "talks collapsed" announcement has surfaced yet. If a political agreement was struck, formal adoption by Parliament and Council is expected in July. I'll update the moment there's a primary-source confirmation.
29 June 2026 — Final trilogue. Fifth round of closed-door negotiations between the Council, Parliament and Commission on the permanent CSA Regulation. This was billed as the last scheduled session before a political deal.
Late June 2026 — The Council's end-run. EU ambassadors moved to push forward a temporary extension of the "Chat Control 1.0" voluntary-scanning derogation — the same regime Parliament had already voted to let expire. Privacy advocates called this a direct challenge to Parliament's democratic authority.
26 March 2026 — The one-vote reprieve. The European Parliament voted 307–306, with 24 abstentions, to reject extending the temporary rules that let platforms scan private messages. The civil-liberties committee (LIBE) had already rejected the draft 38–28.
The one-sentence version
The EU is trying to pass a law that would legally require messaging services to scan your private conversations for child sexual abuse material (CSAM). Because most serious messengers are end-to-end encrypted, the only way to do that is to inspect your messages on your own device, before they're encrypted — which is why critics call it "Chat Control." Supporters call it child protection. The disagreement is about whether you can have both, and the cryptographers are fairly clear that you can't.
Why I keep coming back to this on the show
Almost everything we talk about here — Signal, encrypted messaging, threat modeling for ordinary people — runs straight into this proposal. If it passes in a strong form, "just use an encrypted app" stops being complete advice for anyone in the EU, because the law would reach inside the app, onto the device, before the encryption ever engages. Signal has already said it would leave the EU market rather than comply. This is the clearest real-world test of whether end-to-end encryption survives as a legal reality in a major democratic bloc.
Two things are happening at once (this is the confusing part)
Nearly every headline blurs these together. Keep them separate and the whole story snaps into focus.
Chat Control 1.0 — the temporary, voluntary regime. A time-limited derogation that permits platforms like WhatsApp and Messenger to voluntarily scan for CSAM. It expires and needs renewing. Parliament voted in March to let it lapse; the Council has been trying to keep it alive.
Chat Control 2.0 — the permanent regulation (the CSA Regulation, or CSAR). The big one. This would make scanning a legal obligation enforced through "detection orders," not a voluntary choice. This is the text being fought over in trilogue.
When someone tells you "Chat Control passed" or "Chat Control is dead," your first question should always be: which one?
The encryption problem, in plain terms
Here's the crux. If a message is end-to-end encrypted, nobody in the middle — not the network, not the platform — can read it in transit. That's the entire point. So to satisfy a scanning mandate, the inspection has to move to where the message is still readable: your device. Two approaches keep surfacing:
- Client-side scanning (CSS): software on your phone analyzes the content before it's encrypted and sent, or after it's decrypted on the other end. The encryption technically stays intact, but the private moment — the instant before the lock closes — gets inspected. Critics argue this hollows out E2E encryption entirely and bolts a permanent surveillance layer onto every phone.
- "Risk mitigation" pressure: even the softened drafts keep age-verification mandates and a "risk mitigation" obligation broad enough to push encrypted services toward weakening their own protocols — without ever writing the word encryption into the ban.
And the detection orders don't only target the big names. Smaller providers, unwilling to shoulder the legal and technical risk themselves, get nudged toward third-party scanning tools — which centralizes a sensitive capability in even fewer hands.
The line I'd put on a slide: more than 500 scientists and cryptographers have publicly called this approach "technically infeasible." You cannot build a scanning mechanism that only ever catches criminals. Anything that can inspect content before encryption can be repointed at other content later. It isn't a backdoor. It's a front door that's wired to stay open, and you don't control who walks through it next.
Where the member states stand
Blocking a proposal in the Council takes a blocking minority — at least four countries representing more than 35% of the EU population. That math is the whole game, and Germany is the linchpin.
Pushing for it: Denmark, Ireland, Spain and Italy have led the pro-scanning bloc, joined at various points by Bulgaria, Croatia, Cyprus, France, Hungary, Latvia, Lithuania, Malta, Portugal and Slovakia.
Resisting mandatory encryption-breaking: Germany, Poland, Austria, Estonia, Slovenia, Luxembourg, the Netherlands, Finland and the Czech Republic.
Germany alone is roughly 19% of the EU's population. When Berlin says no, a blocking minority becomes reachable; when Berlin wavers, the proposal is instantly back in play. If you only watch one thing, watch Germany's Interior Ministry.
Timeline
- Nov 2023 — Parliament adopts a negotiating position that blocks mandatory client-side scanning of encrypted messages.
- Oct 2025 — The Danish Council Presidency pushes a strong version. Germany and Luxembourg join a blocking minority of nine states (>35% of the population), and the October Council vote is effectively killed.
- 31 Oct 2025 — Denmark drops mandatory detection orders from its compromise, retreating to "voluntary" detection.
- 26 Mar 2026 — Parliament votes 307–306 to reject extending the temporary 1.0 derogation.
- 4 May 2026 — A trilogue round on the permanent 2.0 regulation.
- Late Jun 2026 — The Council moves to extend the temporary 1.0 regime anyway.
- 29 Jun 2026 — Fifth and expected-final trilogue on 2.0, under the Cyprus Presidency.
- Target: Jul 2026 — Political agreement and formal adoption expected if a trilogue deal was reached.
What you can actually do about it
If you're in the EU, this isn't settled, and public pressure has already moved it once — that 307–306 vote didn't happen by accident. Contacting your MEP genuinely matters here. Beyond that, the through-line of this whole show applies: wherever you reasonably can, own the thing instead of borrowing it. Understand that client-side scanning defeats app-level encryption by design, so the answer isn't only "which app" but also which jurisdiction, which device platform, and how much of your stack you control yourself. I'll dig into concrete defensive setups in a dedicated segment as the final text firms up.
Sources & further reading
- Patrick Breyer — Chat Control tracker: https://www.patrick-breyer.de/en/posts/chat-control/
- Patrick Breyer — the historic Parliament vote: https://www.patrick-breyer.de/en/historic-chat-control-vote-in-the-eu-parliament-meps-vote-to-end-untargeted-mass-scanning-of-private-chats/
- 500+ scientists' open letter: https://www.patrick-breyer.de/en/danger-to-democracy-500-top-scientists-urge-eu-governments-to-reject-technically-infeasible-chat-control/
- EDRi — CSA Regulation document pool: https://edri.org/our-work/csa-regulation-document-pool/
- CDT Europe — response to the 1.0 rejection: https://cdt.org/insights/cdt-europes-response-to-the-european-parliament-rejection-of-the-chat-control-1-0s-extension/
- European Parliament press room: https://www.europarl.europa.eu/news/en/press-room/20260306IPR37531/child-sexual-abuse-online-support-for-extending-rules-until-august-2027
I'll keep this page current as the vote resolves. If you want the fast version in your ears, it'll be a segment on an upcoming episode of Closed Network.
— Simon