On 2 July 2026, the Council of the European Union adopted its first-reading position on a regulation that temporarily derogates from the ePrivacy Directive to allow providers of number-independent interpersonal communications services to process personal data for detecting and reporting online child sexual abuse. The regulation extends the temporary derogation until 3 April 2028, closing a legal gap created by the expiry of the previous interim regulation (EU 2021/1232) on 3 April 2026.
The Council's position adopts the expired interim regulation as a new self-standing regulation with updated dates and deletions of irrelevant provisions. It allows providers to voluntarily process personal and other data for detecting, reporting, and removing online child sexual abuse material, subject to additional safeguards. The Council emphasizes the need for the regulation to enter into force as soon as possible to provide legal certainty for providers and law enforcement.
This extension comes after the European Parliament rejected a previous proposal to extend the derogation, highlighting political challenges. The temporary measure is intended to bridge the gap until a long-term legal framework is adopted, with the deadline of 3 April 2028 underscoring the urgency for a permanent solution. The regulation aims to maintain the ability to identify and rescue victims of online child sexual abuse during the interim period.