What the nickname covers
"Chat Control" is not an official title. It is used for related EU work on online child sexual abuse, including both the temporary voluntary detection derogation and the proposed permanent framework.
A clear, source-backed view of the EU proposal to prevent and combat child sexual abuse online, and the unresolved choices around private communications, detection, and encryption.
The 9 July vote concerns the temporary ePrivacy derogation, sometimes called "mini Chat Control" in media coverage. It is separate from the permanent regulation and is not yet final EU law.
"Chat Control" is not an official title. It is used for related EU work on online child sexual abuse, including both the temporary voluntary detection derogation and the proposed permanent framework.
Detect, report, prevent, remove, block, or delist child sexual abuse material; address solicitation of children; and improve support for victims and authorities.
Hosting, messaging, gaming, social, search, safety, trust-and-safety, and age-assurance services operating in Europe may face different duties.
The Commission model is a sequence of provider duties, supervisory review, and targeted orders rather than a single technical mandate.
Providers assess how their service could be misused for known or new material or solicitation.
Services document proportionate product, safety, reporting, and operational safeguards.
A competent authority considers whether the mitigation is sufficient.
A judicial or independent authority could issue a time-limited detection order under the Commission model.
This mechanism is not settled. Parliament's 2023 position treats detection orders as a last resort and seeks to exclude end-to-end encrypted material. The Council's November 2025 mandate deleted detection obligations from the permanent text, retained risk assessment and mitigation, added service risk categories, and proposed making the voluntary ePrivacy derogation permanent.
The dispute is primarily about proportionality and technical means, not the objective of protecting children.
Child-safety organisations, victims' advocates, and law-enforcement bodies stress the need to identify abuse, rescue victims, prevent recirculation, and avoid safe havens for offenders.
Data-protection authorities, security researchers, civil-rights groups, providers, and encrypted-service builders warn that broad scanning or client-side analysis may become general monitoring, weaken confidentiality, create security risks, or conflict with privacy and expression rights.
The permanent framework and the temporary ePrivacy derogation are separate legal files. They should not be read as the same stage or the same text.
Parliament amended the Council position, including an exclusion for communications to which end-to-end encryption is, has been, or will be applied. Parliament's second reading is closed. The Council now has three months to accept all amendments or the file moves to conciliation.
Rejection of the Council position received 314 votes in favour, 276 against, and 17 abstentions. That was a majority of votes cast, but below the 360-member absolute majority required at second reading. A later attempt to reject the amended Parliament position also failed, by 276 votes to 286 with 30 abstentions.
The permanent regulation has not been adopted. Parliament entered negotiations on its 2023 mandate; the Council reached its position in November 2025. Parliament says most aspects were agreed under the Cyprus Presidency, with certain points still to discuss.
Open permanent procedureThe operational detail will matter more than the nickname. Track the final definitions, duties, safeguards, and application dates.
The EU derogation has lapsed. Do not assume Regulation 2021/1232 still covers voluntary detection; assess applicable EU and national law for the service and processing involved.
Hosting, messaging, webmail, gaming chat, social, search, app stores, and other user-content services.
Whether end-to-end encrypted services are excluded, included, limited to metadata, or addressed voluntarily.
Documented assessments, safety-by-design choices, user reporting, age-related controls, and moderation.
Detection, reporting, removal, blocking, and delisting obligations in the eventual compromise.
Report destinations, indicator distribution, redress, transparency, and law-enforcement cooperation.
Watch the 2027/2028 end-date disagreement, compliance lead time, risk categories, audit expectations, and small-provider simplifications.
Verified against official EU institution pages and procedure records.
Start with adopted or tabled legal text and procedure files, then use institutional explanations and opinions for context.
The Commission proposal and the official 2022/0155(COD) procedure record.
The permanent-framework overview and the Commission's December 2025 proposal to extend the interim derogation.
The procedure chronology, Parliament's negotiating mandate, and its current interim-derogation position.
The Council policy summary, 2025 negotiating position, mandate text, and 2026 interim measure.
Official analysis of privacy, proportionality, general monitoring, fundamental rights, and encryption.