The European Commission proposed on December 21, 2025, a further extension of interim rules permitting online providers to voluntarily detect and remove child sexual abuse material (CSAM) from private messages until April 3, 2028. This move addresses a looming legislative gap as permanent regulations from the 2022 Child Sexual Abuse proposal remain stalled in trilogues, following a November 2025 Council agreement that dropped mandatory scanning. With 62% of 2024 abuse content hosted on EU servers and one in five European children affected by sexual abuse, the extension ensures continuity of proactive measures operational for over 15 years.
Proposal Details and Legislative Timeline
The extension derogates from the ePrivacy Directive, enabling number-independent services like messaging apps to scan for known CSAM hashes without breaking end-to-end encryption. Without renewal, these voluntary tools—key to child rescues and prosecutions—would lapse on April 3, 2026, potentially emboldening predators.
Key timelines include:
- Original interim rules: Introduced in 2021, extended to August 2024, then to 2026.
- Council mandate (Nov 26, 2025): Secured despite opposition from Czech Republic, Netherlands, and Poland; mandates victim support via a new EU Centre on Child Sexual Abuse.
- Parliament endorsements: Supported one-off extensions as temporary bridges to permanent rules.
- Next steps: Trilogues with Parliament and Commission begin in 2026, targeting resolution before expiry.
The 2022 proposal initially sought mandatory detection of CSAM and grooming but evolved to voluntary measures after privacy backlash.
Scale of the Child Abuse Threat
Statistics underscore urgency. In 2024, the Internet Watch Foundation flagged content where 62% resided on EU-based servers. Across Europe, one in five children experiences sexual abuse, fueling demands for robust online safeguards.
Proactive detection has proven effective for 15+ years, contributing to identifications and legal actions without mass surveillance mandates. The Council’s framework requires platforms to remove or block CSAM upon request, complementing the EU Centre’s role in victim aid.
Official Statements from EU Institutions
The Commission emphasized practical imperatives: “Proactive detection… has been instrumental for more than 15 years in rescuing children… To avoid a legislative gap… proposed a further extension until 3 April 2028.” It pledged support for co-legislators to craft an “effective and sustainable solution.”
Council representatives highlighted balance: The agreement preserves end-to-end encryption while advancing child protection, marking a compromise after years of deadlock. Parliament’s prior stance framed extensions as “temporary and singular,” prioritizing prevention in final rules.
Privacy Concerns and Opposition Reactions
Critics, including privacy advocates and tech firms, labeled early proposals “chat control,” fearing backdoor scanning precedents. Germany opposed in 2025 over “unwarranted monitoring”; Czech Republic, Netherlands, and Poland blocked initial votes.
Industry group CCIA Europe praised the November text: It strikes “a true balance – protecting minors while maintaining… end-to-end encryption,” urging its adoption in trilogues. Big Tech broadly endorsed the voluntary pivot, though vigilance persists on scope creep.
Media outlets like Euronews noted the mandatory scanning drop as pivotal, enabling progress amid diplomatic frictions. Le Monde reported in October 2025 that EU leaders rejected forced platform scans, reinforcing voluntary paths.
Broader Context and Industry Implications
The saga reflects tensions between child safety and digital rights since the 2022 regulation’s launch. Earlier extensions, like 2023’s to combat sexual abuse, set precedents for interim fixes. Austria’s Parliament adopted positions aligning with balanced approaches.
For providers, continuity means sustained voluntary programs without legal voids, aiding compliance amid rising CSAM reports. The EU Centre promises enhanced coordination, potentially boosting reporting efficiency.
Stakeholders anticipate 2026 trilogues as decisive. Proponents stress data-driven needs—one in five children at risk—while opponents safeguard encryption as fundamental. No widespread public protests emerged, but debates shape EU digital policy.
Future Outlook for Permanent Rules
Success hinges on trilogue consensus, with the extension buying critical time. Permanent framework likely incorporates voluntary detection, blocking mandates, and the EU Centre, evolving from initial mass-scan ideas.
This positions the EU as a leader in balancing protections without overreach, influencing global standards. As negotiations loom, the proposal sustains safeguards, ensuring detected CSAM leads to action rather than evasion.
