
Chat Control: More MEPs Voted No Than Yes, and It Passed Anyway
By, zero-adm
- 13 Jul, 2026
- 13 Views
On 9 July 2026, more members of the European Parliament voted to reject the EU’s Chat Control scanning derogation than to keep it: 314 against, 276 in favour. It passed anyway. Blocking the Council’s position at second reading required an absolute majority of 361 out of 720 MEPs, and the opposition fell 47 votes short, so the voluntary scanning rule stands, reinstated and extended until 3 April 2028.
Chat Control 2.0 is the separate, permanent CSA Regulation still under negotiation. It is the one that could force even end-to-end-encrypted platforms to scan your private messages on your own device before they are sent. It is not law yet. Trilogue talks resume in September 2026, which is why the time to set policy is now, while the outcome is still open.
What actually passed in the EU Parliament last week?
The 9 July vote was about Chat Control 1.0: a temporary, voluntary exception to the EU’s ePrivacy rules that lets certain providers scan for child sexual abuse material. It permits scanning. It does not mandate it.
A plain majority of MEPs, 314, voted to reject it, and only 276 wanted to keep it. But under the second-reading procedure, stopping the Council’s position needs an absolute majority of the full chamber: 361 of 720. A plurality was not enough, so a measure most voting members opposed was reinstated by procedure and extended to 3 April 2028.
It passed not because Parliament wanted it, but because not enough of Parliament could clear a procedural bar. That is why coverage described it as passing through the back door.
What 1.0 actually covers is narrow. It permits voluntary scanning of non-encrypted services only: direct messages on Instagram, Discord, Snapchat, Skype and Xbox, plus email on Gmail and iCloud. It does not touch end-to-end-encrypted messages. Parliament even adopted a Renew-proposed amendment that explicitly excludes anything end-to-end encrypted from scope, so WhatsApp, Signal and Telegram are formally out.
Critics including the EFF and former MEP Patrick Breyer call that exclusion largely symbolic, because encrypted services were not being scanned in the first place. The amended text now returns to the Council, which has roughly three months, until around 9 October 2026, to accept or reject it.
Why is Chat Control 2.0 the version that should worry a decision-maker?
If you only track version 1.0, you are watching the sideshow. The genuinely contested fight is Chat Control 2.0, the permanent CSA Regulation (CSAR).
Unlike 1.0, 2.0 would empower detection orders: legal instruments that could compel a platform, including an end-to-end-encrypted one, to search users’ private messages for illegal material. Because you cannot read an encrypted message in transit, the only realistic way to comply is client-side scanning, inspecting the content directly on your phone or laptop, before it is encrypted and sent.
The scan happens on your device, on your side of the encryption. The message stays technically encrypted end to end and is also inspected before the envelope is ever sealed. For a business, the confidentiality guarantee you rely on is checked at the one point encryption cannot protect: the endpoint you do not control. Security researchers have warned about this for years, because a scanner sitting on the device is a general-purpose surveillance capability that does not care what it is told to look for next.
Two facts keep this honest. First, mandatory client-side scanning is not part of any version currently in force, not 1.0, not anything. It exists only as a live possibility inside the 2.0 negotiation. Second, 2.0 has not been agreed: the fifth and supposedly final trilogue, on 29 June 2026, ended without agreement. Talks resume in September 2026.
So the accurate framing is not that the EU approved scanning of encrypted chats. It didn’t. The EU keeps trying, the latest attempt stalled, and it returns in the autumn. That is exactly why now is the moment to set policy rather than react.
Chat Control 1.0 vs 2.0, side by side
| Dimension | Chat Control 1.0 (in force) | Chat Control 2.0 (CSAR, proposed) |
|---|---|---|
| Status | Law, extended to 3 April 2028 | Not agreed; trilogues resume Sept 2026 |
| Nature | Temporary derogation | Permanent regulation |
| Scanning | Voluntary | Mandatory via detection orders |
| Encrypted messages | Explicitly excluded | Could be forced into scope |
| Method | Server-side, non-encrypted services | Client-side scanning, on the device |
| Covers | Instagram, Discord, Snapchat, Skype, Xbox DMs; Gmail, iCloud email | Potentially any platform, including E2EE |
What does this mean for your business communications?
Start with what is already true today, before 2.0 decides anything. If your team runs confidential conversations with EU counterparties through Gmail, iCloud mail, Instagram DMs or Discord, those channels already sit inside the surface that voluntary scanning can touch. That is the current 1.0 scope, not a future scenario.
A supplier negotiation, a due-diligence thread, sensitive client data: none of it belongs in a consumer inbox a provider may screen.
Now look forward to 2.0. If a future detection order mandates client-side scanning on a major platform, the control lives in the client software your people run: the app on the laptop, the messenger on the phone. A scanning obligation attached to the software travels with the software, largely independent of where your company is legally headquartered.
That is the strategic point for any CISO or IT manager. The question is no longer only whether your data is encrypted in transit, but who controls the endpoints where your data is readable, and what can be compelled to run there. Genuine end-to-end encryption is necessary and, against client-side scanning, not sufficient on its own. The fix is a data-classification decision you make now, not a September panic purchase.
And in Switzerland — does any of this reach a Swiss firm?
Switzerland is not in the EU, so Chat Control does not directly bind Swiss providers or Swiss users. There is no equivalent scanning mandate under Swiss law, and the revised Federal Act on Data Protection (nLPD) is already in force with nothing comparable.
That is the clean part. The exposure is indirect, and it is real, for three reasons.
First, a firm in Chiasso or anywhere in Ticino that emails an EU partner through Gmail, or trades messages over Instagram, is communicating on the same platforms 1.0 covers. The Swiss end of the conversation does not stay outside the scanned surface just because the company is Swiss.
Second, if 2.0 ever mandates client-side scanning on the big messengers, the software carrying that scanner is the same software Swiss users install. The app does not check your passport, and jurisdiction does not uninstall it.
Third, this sharpens rather than settles the digital-sovereignty question. The sensible response is not alarm, it is architecture: keep genuinely sensitive communication on real end-to-end encryption, running on sovereign, self-hosted infrastructure with Swiss data residency you actually control, rather than assuming a consumer platform’s promises will hold through the next legislative cycle. This is the same logic that already drives nLPD and NIS-2 decisions: know where your data lives and who can reach it. Being outside the EU is an option, but not automatic protection.
What should you do now, before the September talks?
The negotiation timeline is doing you a favour: you have the summer to decide policy while the outcome is still open. Four concrete moves, framed through data sovereignty rather than headlines.
- Classify your communications. Draw a hard line between conversations that can tolerate scanning risk and those that cannot: deal-making, legal, financial, HR, IP, regulated client data. You cannot protect what you have not sorted.
- Map your channels to that classification. List every tool your teams actually use for the sensitive tier and flag which sit inside the current 1.0 surface, such as Gmail, iCloud email, Instagram and Discord, or the plausible 2.0 one.
- Move the sensitive tier onto controlled ground. Route the conversations that must stay confidential onto genuine end-to-end encryption on infrastructure you host or control, with data residency you can name. Endpoint control is the part legislation reaches; own it, and stop treating consumer inboxes as private by default.
- Write the policy down and set a September review. A one-page data policy your staff can follow beats a scramble when 2.0 moves. Diary the trilogue restart and revisit the plan against whatever the Council actually agrees.
None of this requires the regulation to pass. It is basic hygiene that pays off either way, and it converts a Brussels headline into a decision you own.
If more elected representatives can vote against a measure than for it and it still becomes law, how much of your confidential communication are you willing to leave on infrastructure you do not control?
Frequently asked questions
Is Chat Control law now?
Yes, but only version 1.0. On 9 July 2026 the EU reinstated the voluntary CSAM-scanning derogation, extended to 3 April 2028, even though 314 MEPs voted against it and 276 in favour: the opposition needed an absolute majority of 361 to block it and fell 47 short. Chat Control 2.0, the permanent regulation, is not law: negotiations stalled on 29 June and resume in September 2026.
Does Chat Control ban or break encryption?
No version currently in force breaks encryption. Chat Control 1.0 explicitly excludes end-to-end-encrypted chats like WhatsApp, Signal and Telegram, and only covers voluntary scanning of non-encrypted services. The threat to encryption lives in the proposed Chat Control 2.0, which could force client-side scanning, but 2.0 is not agreed and remains under negotiation.
What is client-side scanning?
Client-side scanning inspects a message on your own device, before it is encrypted and sent. It is the mechanism Chat Control 2.0 could mandate to check messages even on end-to-end-encrypted apps. It is not part of any law currently in force, only a possibility inside the 2.0 talks resuming in September 2026.
Does Chat Control apply in Switzerland?
Not directly. Switzerland is not in the EU and has no equivalent scanning mandate; the revised nLPD is in force instead. But Swiss firms using platforms like Gmail or Instagram to reach EU partners sit inside the scanned surface, and any future client-side scanning would travel in the app software itself, regardless of jurisdiction.
What should businesses do before the September talks?
Classify which communications must stay confidential, map which tools expose them to scanning, move the sensitive tier onto controlled end-to-end-encrypted infrastructure with known data residency, and write a data policy you review when trilogues resume. None of it depends on the regulation passing; it is worthwhile either way.
Recent Posts
- Chat Control: More MEPs Voted No Than Yes, and It Passed Anyway
- Time-to-Exploit Just Went Negative: Why Patching Is No Longer Enough in 2026
- EU AI Act: from 2 August 2026 you must disclose AI-generated content — what your business has to do
- Digital Sovereignty in Switzerland: Why 2026 Rewrites the Cloud Rulebook for Government and Business
- IoT Security Risks: How Connected Devices Are Expanding the Cyberattack Surface
Category
- Cyber Security (90)
- Vulnerability Assessment (71)
Newest Posts
All Tag
2025 AI Automation Awareness Business CISO Compliance Cybercriminals CyberSecurity Academy Cybersecurity Awareness CyberSecurityRating Dataprotection EU AI Act Future GDPR Malware nFADP NIS2 nLPD Phishing Privacy Ramsonware Ransomware Supply Chain Threat Intelligence Treat Detection Vulnerability Assessment Vulnerability Management Zero-Day Zeroedge Academy
