According to TechRadar, the EU Council finally reached agreement on the controversial Child Sexual Abuse Regulation after more than three years of failed attempts. The deal came on Wednesday, November 26, 2025 under the Danish Presidency, which introduced a new “voluntary” scanning compromise that proved successful. The legislation requires all messaging services operating in the EU to assess misuse risks and implement mitigation measures, including potential chat scanning. A new EU agency will oversee implementation, and high-risk services could be forced to develop scanning technologies. Danish Minister for Justice Peter Hummelgaard praised the agreement, but privacy experts immediately criticized it as “political deception” that brings “high risks to society.”
Voluntary Isn’t Really Voluntary
Here’s the thing about this “voluntary” scanning – it’s not actually voluntary for companies deemed high-risk. The Council’s official announcement makes it clear that high-risk services can be forced to “contribute to the development of technologies to mitigate the risks.” So basically, if you’re running a popular encrypted messaging service, you’re probably getting tagged as high-risk and suddenly that voluntary scanning becomes mandatory. It’s a classic bait-and-switch that privacy advocates have been warning about for years.
Encryption Backdoor By Another Name
And let’s be real – you can’t scan encrypted content without breaking encryption. That’s the whole point of end-to-end encryption. Either you’re scanning on the client side before encryption (which means building surveillance into the app itself) or you’re breaking the encryption server-side. Both approaches fundamentally undermine the security promises that services like Signal and WhatsApp make to their users. One commenter on Hacker News put it bluntly: the Danish “government has today turned the EU into a tool for total surveillance.” Strong words, but are they wrong?
What’s Next for Digital Rights
Now the real battle begins as trilogue negotiations with the European Parliament approach. The fundamental challenge remains the same: how do you stop actual child abuse without creating a mass surveillance infrastructure? Lawmakers keep trying to have their cake and eat it too – they want both strong encryption and the ability to scan private communications. But technically, that’s just not possible without creating vulnerabilities that bad actors will inevitably exploit. So we’re left with this political theater where “voluntary” becomes mandatory and “risk assessment” becomes a backdoor. The sad part? Everyone sees through it except the politicians pushing it forward.
