- The EU Council reached an agreement on the Child Sexual Abuse Regulation
- Voluntary chat scanning remains in the bill despite privacy backlash
- The Council now prepares to start negotiations with the Parliament
The EU Council has finally reached an agreement on the controversial Child Sexual Abuse Regulation (CSAR) after more than three years of failed attempts.
Nicknamed Chat Control by its critics, the agreement has kept cryptographers, technologists, encrypted service providers, and privacy experts alike in turmoil since its inception.
Presidency after presidency, the bill has taken many shapes. But its most controversial feature is an obligation for all messaging service providers operating in the EU – including those using end-to-end-encryption – to scan their users' private chats on the lookout for child sexual abuse material (CSAM).
At the beginning of the month, the Danish Presidency decided to change its approach with a new compromise text that makes the chat scanning voluntary, instead. That turned to be a winning move, with the proposal managing to reach an agreement in the Council on Wednesday, November 26, 2025.
Privacy experts are unlikely to celebrate, though. The decision came a few days after a group of scientists wrote yet another open letter warning that the latest text still "brings high risks to society." That's after other privacy experts deemed the new proposal a "political deception" rather than an actual fix.
The EU Council is now preparing to start negotiations with the European Parliament, hoping to agree on the final terms of the regulation.
What we know about the Council agreement
As per the EU Council announcement, the new law imposes a series of obligations on digital companies. Under the new rules, online service providers will be required to assess how their platforms could be misused and, based on the results, may need to "implement mitigating measures to counter that risk," the Council notes.
The Council also introduces three risk categories of online services. Those deemed to be a high-risk can be forced "to contribute to the development of technologies to mitigate the risks relating to their services." Voluntary scanning also remains in the bill.
A new EU agency is then tasked to oversee the implementation of the new rules.
"I'm glad that the member states have finally agreed on a way forward that includes a number of obligations for providers of communication services to combat the spread of child sexual abuse material," said Danish Minister for Justice, Peter Hummelgaard.
But concerns about how the agreement threatens our digital rights persist, with one person on the forum, Hacker News, saying the Danish "government has today turned the EU into a tool for total surveillance, I don't know if there can be any return from."
As trilogue negotiations approach, the ongoing challenge for legislators remains striking the right balance between halting abuse online, without compromising on fundamental rights and strong encryption.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.