The European Commission, in an opinion published on 15 July 2026, accepted the European Parliament's three amendments to the temporary derogation Regulation, which exclude from its scope number-independent interpersonal communications services that apply, have applied, or will apply end-to-end encryption. The Regulation extends the Interim Regulation (Regulation (EU) 2021/1232) until 3 April 2028, allowing providers to voluntarily process personal and other data to detect, report, and remove online child sexual abuse, subject to strict safeguards. The Commission found the amendments acceptable as an exceptional, temporary measure to restore legal certainty without retroactive effect, though it noted the exclusion's scope could be more precise for child protection.
The Interim Regulation lapsed on 3 April 2026, creating a legal gap. The Council adopted its first-reading position on 2 July 2026, and the Commission gave its position on 3 July 2026. Parliament voted on 9 July 2026, introducing the encryption exclusion. The exclusion covers all number-independent interpersonal communications with end-to-end encryption (past, present, or future) – these services shall not be covered by the derogation. The Commission's opinion stresses that this agreement does not affect its position on the long-term Regulation, which it urges be agreed swiftly.
The decision reflects a trade-off between child protection and privacy. By excluding encrypted services, the Commission prioritises the security of communications for users of platforms like WhatsApp and Signal, but potentially limits the ability to detect child sexual abuse material in those channels. The temporary extension until 2028 provides legal certainty for providers that voluntarily participate, but the exclusion may reduce the overall effectiveness of the detection framework. The Commission's acceptance of Parliament's amendments signals a willingness to compromise on encryption, a politically sensitive issue, while pushing for a permanent solution.
Providers of number-independent interpersonal communications services that use end-to-end encryption are exempt from the derogation, avoiding compliance costs and preserving their encryption model. Providers without encryption remain eligible to participate voluntarily, facing potential operational costs for implementing detection technologies. Child protection organisations may see the exclusion as a limitation on detection capabilities, while privacy advocates welcome the protection of encryption. EU legislators face pressure to finalise the long-term Regulation, with the Commission urging swift agreement to avoid further legal uncertainty.