EU legislative monitor

EU Chat Control

A clear, source-backed view of the EU proposal to prevent and combat child sexual abuse online, and the unresolved choices around private communications, detection, and encryption.

Parliament vote: 9 July Interim file 2025/0429(COD) Checked 10 July 2026
01 / Current position

What Parliament approved

The 9 July vote concerns the temporary ePrivacy derogation, sometimes called "mini Chat Control" in media coverage. It is separate from the permanent regulation and is not yet final EU law.

Interim ePrivacy track Parliament adopted amendments 9 July 2026
Stage
EP second reading closed
Next institution
Council: three months
Permanent track
Still in negotiation

What the nickname covers

"Chat Control" is not an official title. It is used for related EU work on online child sexual abuse, including both the temporary voluntary detection derogation and the proposed permanent framework.

Official policy objective

Detect, report, prevent, remove, block, or delist child sexual abuse material; address solicitation of children; and improve support for victims and authorities.

Who may be affected

Hosting, messaging, gaming, social, search, safety, trust-and-safety, and age-assurance services operating in Europe may face different duties.

02 / Mechanism

How the original proposal works

The Commission model is a sequence of provider duties, supervisory review, and targeted orders rather than a single technical mandate.

  1. 1
    Assess risk

    Providers assess how their service could be misused for known or new material or solicitation.

  2. 2
    Mitigate

    Services document proportionate product, safety, reporting, and operational safeguards.

  3. 3
    Review

    A competent authority considers whether the mitigation is sufficient.

  4. 4
    Targeted order

    A judicial or independent authority could issue a time-limited detection order under the Commission model.

This mechanism is not settled. Parliament's 2023 position treats detection orders as a last resort and seeks to exclude end-to-end encrypted material. The Council's November 2025 mandate deleted detection obligations from the permanent text, retained risk assessment and mitigation, added service risk categories, and proposed making the voluntary ePrivacy derogation permanent.

03 / The policy split

Why private communications are controversial

The dispute is primarily about proportionality and technical means, not the objective of protecting children.

Child-safety case

Child-safety organisations, victims' advocates, and law-enforcement bodies stress the need to identify abuse, rescue victims, prevent recirculation, and avoid safe havens for offenders.

Rights and security case

Data-protection authorities, security researchers, civil-rights groups, providers, and encrypted-service builders warn that broad scanning or client-side analysis may become general monitoring, weaken confidentiality, create security risks, or conflict with privacy and expression rights.

04 / Legislative status

Parliament has acted; Council is next

The permanent framework and the temporary ePrivacy derogation are separate legal files. They should not be read as the same stage or the same text.

Interim ePrivacy derogation · 2025/0429(COD)

Amendments adopted on 9 July

Parliament amended the Council position, including an exclusion for communications to which end-to-end encryption is, has been, or will be applied. Parliament's second reading is closed. The Council now has three months to accept all amendments or the file moves to conciliation.

How the 9 July vote worked

Rejection of the Council position received 314 votes in favour, 276 against, and 17 abstentions. That was a majority of votes cast, but below the 360-member absolute majority required at second reading. A later attempt to reject the amended Parliament position also failed, by 276 votes to 286 with 30 abstentions.

Council position3 April 2028
Parliament March position3 August 2027
Read Parliament's 9 July update
Permanent framework · 2022/0155(COD)

Still under negotiation

The permanent regulation has not been adopted. Parliament entered negotiations on its 2023 mandate; the Council reached its position in November 2025. Parliament says most aspects were agreed under the Cyprus Presidency, with certain points still to discuss.

Open permanent procedure
Permanent file · 2022/0155(COD)
Commission proposalCOM(2022) 209
Parliament mandateNegotiations authorised
Council positionPermanent mandate
Trilogues ongoingPoints remain unresolved
Interim file · 2025/0429(COD)
Commission proposalExtension proposed
Parliament positionTo 3 August 2027
First reading closedExtension rejected
Derogation lapsedLegal gap opened
Council positionTo 3 April 2028
Parliament amendmentsCouncil decision next
05 / Builder watchlist

What product teams should monitor

The operational detail will matter more than the nickname. Track the final definitions, duties, safeguards, and application dates.

01

Current legal basis

The EU derogation has lapsed. Do not assume Regulation 2021/1232 still covers voluntary detection; assess applicable EU and national law for the service and processing involved.

02

Covered services

Hosting, messaging, webmail, gaming chat, social, search, app stores, and other user-content services.

03

Encrypted communications

Whether end-to-end encrypted services are excluded, included, limited to metadata, or addressed voluntarily.

04

Risk and mitigation

Documented assessments, safety-by-design choices, user reporting, age-related controls, and moderation.

05

Provider duties

Detection, reporting, removal, blocking, and delisting obligations in the eventual compromise.

06

Authority workflows

Report destinations, indicator distribution, redress, transparency, and law-enforcement cooperation.

07

Duration, application, and SMEs

Watch the 2027/2028 end-date disagreement, compliance lead time, risk categories, audit expectations, and small-provider simplifications.

06 / Development tracker

Current monitoring record

Verified against official EU institution pages and procedure records.

Status
Interim file 2025/0429(COD): Parliament adopted amendments on 9 July 2026. Parliament's second reading is closed. Permanent file 2022/0155(COD): ongoing and not adopted.
Current institution / stage
Interim derogation: back before the Council, which has three months to accept all Parliament amendments or move to conciliation. Permanent framework: interinstitutional negotiations continue.
Current legal gap
Regulation (EU) 2021/1232 lapsed on 3 April 2026. Its proposed replacement has not entered into force, so the specific EU temporary derogation for voluntary detection activities is not currently available.
Competing end dates
Council position: 3 April 2028. Parliament's March 2026 position: 3 August 2027.
Last verified
10 July 2026Europe/Luxembourg
Next things to watch
Whether Council accepts Parliament's amendments, the 2027/2028 duration disagreement, encryption carve-outs, voluntary scanning safeguards, EU Centre tasks, authority powers, application dates, and possible conciliation.
07 / Official sources

Read in this order

Start with adopted or tabled legal text and procedure files, then use institutional explanations and opinions for context.

Informational only. This page is a monitoring resource, not legal advice. Legislative text and procedure stages can change.