On 16 July 2026, the Council published a Commission opinion accepting three European Parliament amendments that exclude number-independent interpersonal communications services applying end-to-end encryption from the scope of a proposed temporary Regulation. The Regulation would extend the lapsed Interim Regulation (EU) 2021/1232 until 3 April 2028, allowing providers of such services to voluntarily process personal and other data to detect, report, and remove online child sexual abuse material, subject to strict safeguards. The Commission supports the exclusion as an exceptional, strictly temporary measure to restore legal certainty without retroactive effect, while noting that the exclusion's scope would benefit from more precision but remains acceptable. This agreement does not affect the Commission's position on the ongoing long-term Regulation negotiations.
The proposed Regulation is a temporary derogation from Directive 2002/58/EC (the ePrivacy Directive), which lapsed in 2024. The Commission's opinion, issued under Article 294(7)(c) TFEU, formally endorses the Parliament's three amendments adopted in plenary. The amendments exclude from the Regulation's scope services that apply, have applied, or will apply end-to-end encryption, effectively carving out encrypted messaging platforms from the voluntary detection regime. The Commission argues that the exclusion is justified given the exceptional and temporary nature of the measure, which aims to provide legal certainty for providers that had relied on the lapsed Interim Regulation. The Commission also stresses that the exclusion does not prejudge the long-term legislative framework, which remains under negotiation.
The decision reflects a trade-off between child protection and privacy. By excluding encrypted services, the Regulation prioritises user privacy and security over the ability to scan encrypted communications for child abuse material. This benefits providers of end-to-end encrypted services, such as Signal or WhatsApp, by shielding them from legal uncertainty and potential liability, but may reduce the volume of abuse material detected voluntarily. Conversely, non-encrypted services remain covered, allowing them to continue voluntary detection activities under clear legal conditions. National authorities gain legal clarity for enforcement, while child protection advocates may view the exclusion as a limitation on detection capabilities. The Regulation is expected to be formally adopted by the Council and Parliament in the coming weeks, with the long-term Regulation negotiations continuing separately.