The EU CSAM scanning law has taken an unexpected turn, as EU member states have stepped back from requiring tech companies to scan private messages for child sexual abuse material. Instead of strict obligations, the EU now proposes a model in which platforms conduct their own risk assessments and apply safety measures as they see fit. However, this shift has sparked immediate criticism — from privacy advocates to those who fear it could pave the way for future attempts at mass scanning.
The decision contrasts sharply with the European Parliament’s 2023 stance, which demanded strict enforcement. Lawmakers back then pushed for mandatory detection systems across messaging apps, ISPs and app stores. But the updated EU CSAM scanning law abandons those requirements and instead places responsibility on service providers to assess risks themselves — a move critics say hands too much power back to the tech industry.
Why the EU CSAM scanning law changed course
The earlier proposal sparked intense debate across Europe. Privacy advocates warned that blanket scanning would undermine encryption and open the door to mass surveillance. Meanwhile, child safety groups argued that detection tools were necessary to combat increasingly sophisticated exploitation networks.
The Council’s new position walks a careful line. Rather than forcing companies to scan encrypted communications, the updated language shifts the strategy toward risk assessments, mitigation plans and national-level enforcement. Each member state will appoint its own authority to evaluate whether a company’s safety measures are adequate, with penalties possible for non-compliance.
This approach avoids directly interfering with end-to-end encryption — a major sticking point for both lawmakers and civil rights advocates. Some countries insisted on preserving encryption protections, fearing that mandatory scanning tools could weaken citizen privacy. Others argued that a decentralized enforcement system gives platforms too much autonomy.
A win for tech giants — or a setback for privacy?
To many observers, the shift reflects the influence of global tech companies. Meta, Google and other major platforms have long resisted mandated scanning, arguing that such measures would break encryption and create dangerous vulnerabilities.
As a result, the change in direction is being described as a “big win” for US tech firms. Forced scanning would have required them to deploy intrusive monitoring technology across billions of devices. Instead, they now face a more flexible framework focused on internal policies rather than mandatory detection.
However, critics see the move differently. Some argue that the Council’s position creates the appearance of balance while opening the door to future scanning mandates. Because the proposal includes language about “mitigation measures,” detractors worry that countries might still push for scanning tools at a national level.
Czech politician Markéta Gregorová expressed sharp concern, warning that the compromise may ultimately pave the way for broad surveillance. Although the text avoids explicit scanning requirements, she argues that the lack of clarity could be used to pressure companies toward more invasive monitoring in the future.
What the EU CSAM scanning law means for encryption
One of the most contentious issues in the debate is encryption. The earlier proposal would have forced platforms to scan messages — including encrypted ones — for CSAM. Experts said this would undermine the core security model that protects journalists, activists and private citizens from government overreach.
The new draft includes wording that suggests encryption should be preserved. Nevertheless, the ambiguity in the language has left some policymakers uneasy. Some fear that granting platforms the authority to “self-assess” could create even greater risks if companies implement flawed or biased tools.
Although mandatory scanning has been removed for now, the debate around encryption is far from resolved. Several governments have already signaled that they want the option to pressure tech companies for deeper access in the future.
The EU Center on Child Sexual Abuse: A new institution with limited powers
Despite the softened stance, the proposal still includes one major change: the creation of an EU Center on Child Sexual Abuse. This new body would help member states enforce child protection laws, coordinate investigations and support victims. It will also assist national authorities in evaluating the risk assessments of tech providers.
Yet, some critics say the center will be largely symbolic unless scanning or reporting requirements are strengthened. Without mandatory detection tools, investigators may struggle to identify CSAM circulating on encrypted platforms.
What happens next
Although the Council has settled on its position, nothing is final. The next stage is trilogue negotiations, where the Council, Parliament and Commission attempt to reach a unified agreement. The gaps between their positions remain significant, and the battle between privacy advocates, governments and tech giants is far from over.
Given the stakes — children’s safety, mass surveillance fears and the future of encrypted communications — the final version of the EU CSAM scanning law will likely shape global tech policy for years.
Read also
Join the discussion in our Facebook community.