← Back to blog

EU Chat Control 1.0 reinstated: what actually passed in July 2026

On 9 July 2026 the European Parliament failed to reach the majority needed to block the reinstatement of Chat Control 1.0. More MEPs voted against it than for it, yet it stands. Here is a precise, source-based account of what changed, what did not, and why it matters for private communication and digital evidence.

EU regulation ePrivacy Digital evidence Encryption

What happened on 9 July 2026

On 9 July 2026, the European Parliament voted on whether to block the reinstatement of a temporary EU rule that lets online platforms voluntarily scan private communications for child sexual abuse material (CSAM). The rule is widely known by its critics' label, Chat Control 1.0.

The outcome was unusual. A majority of the Members of the European Parliament who voted wanted to reject the rule: 314 voted to reject it, 276 voted against rejection, and 17 abstained. Despite more votes to reject than to keep, the rule was reinstated.

The reason lies in the procedure. This was a second-reading vote under the EU's ordinary legislative procedure, where rejecting the Council's position requires an absolute majority of all Members of Parliament, currently 361 of 720, not just a majority of those present. The rejection reached 314, falling 47 votes short of that threshold, so the Council's text stood.

The practical effect is that the voluntary scanning framework, which had lapsed on 3 April 2026, is set to run again until 3 April 2028, subject to a final step involving the Council. This article explains precisely what that means, and separates the reliable facts from the considerable amount of exaggeration that has surrounded the story.

What Chat Control 1.0 actually is

Chat Control 1.0 is not a mass-surveillance mandate, and understanding what it is prevents most of the confusion around it. It is a temporary derogation, a legal exception, formally Regulation (EU) 2021/1232, from parts of the EU's ePrivacy Directive.

Voluntary, not mandatory

The derogation permits, but does not require, providers of certain communication services to scan for known CSAM and to report matches to authorities. Platforms may opt in; they are not compelled to scan. In practice, mainly large US-based services such as Gmail, Meta's messengers, Skype, and Xbox have used it.

Known material, unencrypted channels

In its core form the derogation targets already-identified images and videos on services that can read the content, meaning unencrypted or server-side-readable communications. It has never applied to end-to-end encrypted traffic, because a provider that cannot read a message has nothing to scan.

Why it exists at all

The derogation was introduced in 2021 to give platforms a clear legal basis under EU privacy law to continue existing voluntary detection while a permanent framework was negotiated. It was always framed as a temporary bridge, not a permanent regime.

The vote that passed by failing

The July 2026 outcome is best understood as a procedural result rather than a fresh political endorsement of scanning. Three steps produced it.

March 2026: Parliament said no

On 26 March 2026, Parliament rejected extending the derogation by 311 votes to 228, with 92 abstentions. As a result, the rule lapsed on 3 April 2026, and for three months there was no EU legal basis for this voluntary scanning.

July 2026: the Council revived the text

On 2 July 2026, the Council adopted its own first-reading position that largely restored the original text, sending the file to Parliament for a second reading. On 7 July, a fast-track urgency procedure was approved by 331 votes to 304, scheduling the decisive vote for 9 July, just before the summer recess.

The threshold did the work

Because a second-reading rejection needs an absolute majority of all seats, absences and abstentions effectively counted in favour of the Council's text. More Members wanted to reject the rule than to keep it, but the rejection did not clear 361 votes, so it failed and the text was reinstated.

Why critics call it undemocratic

Several Members and digital-rights groups objected to reopening a file Parliament had already rejected, and to scheduling the vote for the last day before recess. Supporters countered that the lapse had left a gap in child-protection tools and that a legal basis was needed while permanent rules are negotiated. Both framings appear across the coverage; the procedural facts above are not in dispute.

The end-to-end encryption carve-out

Alongside the main text, Parliament adopted an amendment stating that communications protected by end-to-end encryption should be excluded from the scope of the voluntary scanning. On its face this protects services such as WhatsApp, Signal, and Telegram's encrypted chats.

Why some call it symbolic

Critics, including former MEP and jurist Patrick Breyer, note that providers do not scan end-to-end encrypted content anyway, because they cannot read it. On that view the amendment confirms existing reality rather than adding a new protection.

Why it still matters

Even a declaratory carve-out has value: it puts Parliament on record against extending scanning into encrypted channels, which becomes relevant to the far more consequential permanent regulation still under negotiation.

The catch

The exclusion applies only to this temporary, voluntary track. It does not bind the separate permanent proposal, where the question of scanning encrypted messages, potentially through client-side scanning on the device before encryption, remains open.

What is not affected: Chat Control 2.0

The single most important thing to understand is that the July 2026 vote concerned only the temporary 1.0 derogation. The permanent regulation is a separate file with a very different reach.

A different, mandatory instrument

The permanent Child Sexual Abuse Regulation (CSAR), labelled Chat Control 2.0 by critics, would, in its most contested forms, create detection obligations rather than a voluntary option, and could reach encrypted services. It has not been adopted.

Still stuck in negotiation

Five rounds of three-way trilogue negotiations between Parliament, Council, and Commission have not produced a deal. The fifth round, on 29 June 2026, ended without agreement, specifically over suspicionless scanning. Talks are expected to resume in September 2026.

The core dispute

The unresolved question is whether scanning should be broad and provider-driven, as parts of the Council prefer, or narrow and ordered by a judge against identified suspects, as Parliament has insisted. That disagreement, not the July 2026 vote, is where the future of private messaging in the EU will actually be decided.

Timeline of the derogation

The path from 2021 to today is easy to lose in the headlines. Here is the sequence in plain terms.

2021 to 2024: introduction and extension

Regulation (EU) 2021/1232 entered into force in 2021, giving platforms a voluntary legal basis to scan unencrypted messages for CSAM. In 2024 it was extended to 3 April 2026.

March to April 2026: rejection and lapse

On 26 March 2026 Parliament rejected a further extension, and the derogation expired on 3 April 2026. For three months there was no legal basis for this scanning under EU law, though some providers stated they would continue regardless.

July 2026: revival

The Council revived the text on 2 July, the urgency procedure passed on 7 July, and the rejection failed to reach the threshold on 9 July, reinstating the derogation pending the Council's final step, with an intended end date of 3 April 2028.

What it means for private messages

For everyday users, the concrete effect is narrower than many headlines suggest, but it is not nothing.

If you use unencrypted services

On services that voluntarily opt in and can read your content, such as certain webmail and social messengers, providers may continue scanning for known CSAM and reporting matches. This has been the situation, on and off, since 2021.

If you use encrypted messengers

End-to-end encrypted messages remain outside the scope of this derogation, reinforced by the July amendment. Providers that cannot read your messages cannot scan their content.

What has not changed

This derogation does not create device-level scanning, does not require identity verification of every user, and does not mandate any provider to scan. Those more far-reaching ideas live in the permanent proposal, which has not passed.

What it means for digital evidence

For anyone who preserves online content as evidence, the Chat Control debate is a useful reminder of a deeper principle: how content is captured and authenticated matters as much as what the content is.

Scanning is not evidence

Automated CSAM detection produces a report to authorities; it does not produce court-ready, tamper-evident evidence with a verifiable chain of custody. The two are different activities with different legal standards.

Provenance and integrity still decide admissibility

Whether online material stands up in a legal or regulatory proceeding depends on provenance, integrity, and reproducibility: a cryptographic hash of what was captured, a qualified timestamp proving when, and a method that a third party can independently verify.

Why independent verification matters more, not less

As the legal environment around online communication grows more contested and fast-moving, evidence that can be verified without trusting any single vendor or platform becomes more valuable. A sealed evidence package anchored by an eIDAS-qualified timestamp and independently checkable hashes does not depend on who scanned what, or on any provider's cooperation.

The Council's three-month window

The July 2026 vote did not fully close the file. Because Parliament amended the Council's position rather than simply approving it, the amended text returns to the Council.

Accept or reject

The Council has roughly three months, until approximately 9 October 2026, to accept Parliament's amendments, including the encryption carve-out, or to reject them.

If the Council accepts

If the Council accepts all amendments, the regulation, including the end-to-end encryption exclusion, is formally adopted and runs to 3 April 2028.

If the Council rejects

If the Council rejects any amendment, a conciliation procedure begins, in which equal numbers of Parliament and Council representatives try to agree a joint text. That would extend the process by months, and is a realistic scenario given past disagreements.

What to watch next

The July vote generated dramatic headlines, but the decisions that will actually shape private communication in the EU are still ahead.

The Council's October decision

Whether the Council accepts or rejects the encryption amendment will signal how seriously the institutions treat encrypted-channel protection, and whether a conciliation fight is coming.

The September trilogues on 2.0

The permanent regulation resumes negotiation in September 2026. The unresolved core, suspicionless versus judicially targeted scanning, and the treatment of encryption, is the file that carries the real long-term stakes.

A likely legal challenge

The Council's own Legal Service has questioned whether generalised voluntary scanning is compatible with Article 7 of the EU Charter of Fundamental Rights absent reasonable suspicion and prior judicial authorisation. A challenge before the Court of Justice of the EU remains possible, whichever way the permanent file lands.

Frequently asked questions

Clear answers to the questions people are asking about the July 2026 Chat Control vote, based on official procedure and reliable reporting.

Did the EU just legalise mass surveillance of all messages?
No. The July 2026 vote reinstated a voluntary derogation that lets certain platforms scan for known CSAM on services they can already read. It does not mandate scanning, does not cover end-to-end encrypted messages, and does not create device-level surveillance. Those broader ideas belong to the separate permanent proposal, which has not been adopted.
What is the difference between Chat Control 1.0 and 2.0?
Chat Control 1.0 is the temporary, voluntary derogation reinstated in July 2026: platforms may opt in to scan unencrypted content for known CSAM. Chat Control 2.0 is the permanent Child Sexual Abuse Regulation still under negotiation, which in its most contested forms would impose detection obligations and could reach encrypted services. Only 1.0 was decided in July 2026.
How did it pass if more MEPs voted against it?
It was a second-reading vote. Rejecting the Council's position required an absolute majority of all 720 seats, that is 361 votes. The rejection got 314, falling 47 short, so it failed and the Council's text stood. Under this procedure, absences and abstentions effectively favour the Council's position.
Are WhatsApp, Signal, and Telegram affected?
End-to-end encrypted communications are excluded from the scope of this voluntary derogation, and Parliament adopted an amendment reinforcing that. Providers that cannot read message content cannot scan it. The encrypted-messaging question remains open only in the separate permanent proposal.
Is scanning happening right now?
The legal basis lapsed on 3 April 2026 and is being reinstated through this process, with a final Council step expected by around October 2026. Some providers stated they continued voluntary detection during the gap. The intended end date for the reinstated derogation is 3 April 2028.
What happens in the Council's three-month window?
Because Parliament amended the Council's position, the text returns to the Council, which has until roughly 9 October 2026 to accept or reject the amendments, including the encryption carve-out. Acceptance finalises the regulation; rejection triggers a conciliation procedure that could add months.
Does this kill end-to-end encryption in Europe?
No. This derogation does not touch encryption's technical foundations, and the July amendment explicitly excludes encrypted channels. The real risk to encryption, through possible client-side scanning obligations, lives in the permanent regulation, which has not passed and remains contested.
Is automated scanning the same as legal evidence?
No. Automated detection produces reports to authorities. It does not produce court-admissible, tamper-evident evidence with a verifiable chain of custody. Admissibility depends on provenance, cryptographic integrity, a qualified timestamp, and a method a third party can independently verify.
How does this affect businesses that preserve online evidence?
It does not change the standards for evidence. If anything, a more contested and fast-changing legal environment makes independently verifiable evidence more valuable: a sealed package with hashes and an eIDAS-qualified timestamp that anyone can check without trusting a single vendor or platform.
When will the permanent Chat Control 2.0 be decided?
There is no fixed date. Five trilogue rounds have failed to agree, most recently on 29 June 2026, with talks resuming in September 2026. The core dispute over suspicionless versus judicially targeted scanning remains unresolved, so any final adoption is likely months away and far from certain.
Where can I read the primary sources?
The underlying instrument is Regulation (EU) 2021/1232, available on EUR-Lex. Parliament's legislative observatory and the Council's document register track the current file's state of play. For balance, consult both institutional sources and independent digital-rights analyses, as coverage varies widely in framing.
What is the single most important takeaway?
Be precise. A temporary, voluntary derogation was reinstated on a procedural threshold; encrypted messages are excluded; and the far more consequential permanent regulation has not passed and is still being fought over. Headlines conflating the two overstate what actually happened in July 2026.

Preserve online evidence that stands on its own

Whatever happens with EU communication rules, admissibility depends on integrity you can prove. Capture any web page as a tamper-evident package with an eIDAS-qualified timestamp and hashes anyone can verify independently.

No account needed to verify. Independent verification with open-source tools.