The temporary, voluntary scanning regime — adopted in 2021, rejected by Parliament in March 2026, expired in April 2026, and now the subject of an unprecedented revival attempt.
Jul 14, 2021
Temporary derogation adopted
Regulation (EU) 2021/1232 creates a temporary exception to the ePrivacy Directive, giving providers a legal basis to voluntarily scan private messages for child sexual abuse material. Originally set to expire 3 August 2024.
Apr 29, 2024
First extension
With the permanent regulation (Chat Control 2.0) nowhere near agreement, the derogation is extended until 3 April 2026.
Dec 18, 2025
Commission proposes second extension
The Commission proposes extending the derogation by another two years, to April 2028.
Mar 2, 2026
LIBE committee rejects the extension
In a surprise vote, the Parliament’s civil liberties committee rejects the draft extension by 38 votes to 28.
Mar 11, 2026
Parliament adopts a protective position
The plenary votes 458 – 103 for a compromise: extend to 2027, but only with targeted and proportionate detection of known content, no end-to-end encrypted communications, and limiting scanning to suspected users or groups identified by the competent judicial authority.
Mid-Mar 2026
Trilogue on the extension collapses
The Council rejects Parliament’s conditions and shows no flexibility in negotiations; talks on the extension break down.
Mar 26, 2026
Parliament rejects the extension outright
311 MEPs vote against extending the derogation (228 in favour, 92 abstentions). The critical Amendment 34, rejecting automated assessment of unknown photos and texts, passes by a single vote (307 – 306).
Apr 4, 2026
Chat Control 1.0 expires
The legal ground for voluntary, indiscriminate scanning ends. Google, Meta, Microsoft, and Snap state they will continue scanning private messages regardless.
Jun 26, 2026
Council moves to resurrect the expired law
EU ambassadors agree to push a temporary revival — unprecedented, as Parliament’s rejection was considered final. Because an expired regulation cannot be extended, the Council proposes a formally new law with identical content via an expedited procedure.
Jul 2, 2026
Council adopts its position
The Council adopts its position on the “new” regulation via written procedure.
Jul 7, 2026
Urgency procedure approved
Parliament voted 331 – 303 (11 abstentions) to fast-track the expired derogation, skipping the responsible Committee. A binding vote follows on Thursday, 9 July, where an absolute majority of 361 MEPs is needed to stop it.
The permanent CSA Regulation — proposed in 2022, deadlocked for years, and still unagreed after five rounds of trilogue negotiations. Encryption remains the red line.
May 11, 2022
Commission proposes the CSA Regulation
Home Affairs Commissioner Ylva Johansson unveils a proposal for a permanent regulation making detection and reporting of child sexual abuse material a legal requirement for platforms — including a requirement to bypass end-to-end encryption.
Nov 2023
Parliament adopts a protective mandate
No scanning of end-to-end encrypted services, detection limited to visual material, judicial warrants targeted at specific suspects, and no mandatory age verification.
Oct 2025
Germany breaks the Council deadlock
After years of Council deadlock, Germany announces it will vote against mandatory suspicionless scanning. The Danish presidency drops detection orders and shifts to risk assessment and mitigation obligations for providers, while proposing to make the voluntary suspicionless scanning (interim regulation) permanent.
Nov 26, 2025
Council endorses its position
The Council adopts the softened Danish compromise, opening trilogue negotiations. Critics note the text still allows “voluntary” suspicionless detection and imposes broad risk-mitigation duties, including mandatory age verification, that could reshape private messaging in practice.
Dec 2025 — May 2026
Four trilogue rounds
Negotiations between Parliament, Council, and Commission take place on 9 December 2025, 26 February, 16 April, and 11 May 2026 — without agreement on the core issues.
Jun 10, 2026
Council’s own lawyers raise the alarm
The Council Legal Service states that the “voluntary” scanning proposal still constitutes generalised scanning of communications — incompatible with Article 7 of the EU Charter absent reasonable suspicion and prior judicial authorisation.
Jun 29, 2026
“Final” trilogue fails
The fifth trilogue, billed as the last with adoption targeted for July, produces no deal. Negotiators cannot agree on making suspicionless scanning permanent, as requested by Council. Progress is reported on excluding mandatory age verification, but agreement is postponed and talks continue under the incoming Irish presidency.
Jul 14, 2021
Chat Control 1.0
Temporary derogation adopted
Regulation (EU) 2021/1232 creates a temporary exception to the ePrivacy Directive, giving providers a legal basis to voluntarily scan private messages for child sexual abuse material. Originally set to expire 3 August 2024.
May 11, 2022
Chat Control 2.0
Commission proposes the CSA Regulation
Home Affairs Commissioner Ylva Johansson unveils a proposal for a permanent regulation making detection and reporting of child sexual abuse material a legal requirement for platforms — including a requirement to bypass end-to-end encryption.
Nov 2023
Chat Control 2.0
Parliament adopts a protective mandate
No scanning of end-to-end encrypted services, detection limited to visual material, judicial warrants targeted at specific suspects, and no mandatory age verification.
Apr 29, 2024
Chat Control 1.0
First extension
With the permanent regulation (Chat Control 2.0) nowhere near agreement, the derogation is extended until 3 April 2026.
Oct 2025
Chat Control 2.0
Germany breaks the Council deadlock
After years of Council deadlock, Germany announces it will vote against mandatory suspicionless scanning. The Danish presidency drops detection orders and shifts to risk assessment and mitigation obligations for providers, while proposing to make the voluntary suspicionless scanning (interim regulation) permanent.
Nov 26, 2025
Chat Control 2.0
Council endorses its position
The Council adopts the softened Danish compromise, opening trilogue negotiations. Critics note the text still allows “voluntary” suspicionless detection and imposes broad risk-mitigation duties, including mandatory age verification, that could reshape private messaging in practice.
Dec 18, 2025
Chat Control 1.0
Commission proposes second extension
The Commission proposes extending the derogation by another two years, to April 2028.
Dec 2025 — May 2026
Chat Control 2.0
Four trilogue rounds
Negotiations between Parliament, Council, and Commission take place on 9 December 2025, 26 February, 16 April, and 11 May 2026 — without agreement on the core issues.
Mar 2, 2026
Chat Control 1.0
LIBE committee rejects the extension
In a surprise vote, the Parliament’s civil liberties committee rejects the draft extension by 38 votes to 28.
Mar 11, 2026
Chat Control 1.0
Parliament adopts a protective position
The plenary votes 458 – 103 for a compromise: extend to 2027, but only with targeted and proportionate detection of known content, no end-to-end encrypted communications, and limiting scanning to suspected users or groups identified by the competent judicial authority.
Mid-Mar 2026
Chat Control 1.0
Trilogue on the extension collapses
The Council rejects Parliament’s conditions and shows no flexibility in negotiations; talks on the extension break down.