Skip to content
BriefingsRSS · DSI
The Sixth Attempt
EU Regulatory LandscapeJuly 8, 20268 min read

The Sixth Attempt

The EU's 'Chat Control' is back for the sixth time - and the way it is coming back matters more than whether it passes. Chat Control 1.0, the interim derogation letting US platforms voluntarily scan unencrypted messages for CSAM, expired on 3 April 2026 after Parliament rejected an extension 311-228 (not, as claimed, by a single vote). The Council is reviving it through a formally 'new' law with identical content: an urgent-procedure vote cleared the way 331-304 on 7 July, with the substantive vote on Thursday 10 July - the last sitting day before recess, when 361 members (an absolute majority) would be needed to stop it. Whose interest does this serve? Several at once: a genuine child-protection case; institutional pressure (four Commissioners lobbied MEPs); the EPP closing a 'legal gap' while dodging the Chat Control 2.0 vote its members are blocking; and - the interest nobody names - legal-cover restoration for Meta, Google, Microsoft and Snap, who have scanned without authorisation since April. My assessment: this is not the EU overriding democracy but circumventing it through procedure while keeping formal cover - harder to name, and harder to stop. And the surveillance architecture (EUDI Wallet, age verification, ADDW cameras) keeps building regardless of Thursday's vote. Every box is governed; the intersection is no one's job.

~12 min

This piece continues the EU regulatory-landscape series — directly from “Chat Control Is Dead. Long Live Chat Control,” which argued the regulation would keep returning, narrower each time, until the political moment aligned with the technical infrastructure. The political moment is this Thursday. The infrastructure — the EUDI Wallet, age verification, and now the ADDW driver-monitoring camera — is already being built.

What is happening this week — precisely

Two parallel things are happening at once, and conflating them — as most coverage does — produces analytical confusion that serves nobody.

Chat Control 1.0, the interim derogation (Regulation (EU) 2021/1232) that let mostly US platforms voluntarily scan unencrypted messages for child sexual abuse material, expired on 3 April 2026 after the European Parliament rejected an extension by 311 votes to 228, with 92 abstentions — a decisive margin, not the single vote some accounts have claimed. The Council is now attempting to revive it through a formally “new” law with essentially identical content. An urgent-procedure vote on Tuesday 7 July cleared the way narrowly, 331 to 304 with 11 abstentions; the substantive vote falls on Thursday 10 July, the Parliament’s last sitting day before summer recess.

Chat Control 2.0, the permanent CSA Regulation, is a separate track, still in trilogue. Successive rounds through the first half of 2026 have failed to close the gap between the Parliament’s position — scanning limited to suspects, under a court order — and the Council’s, which in its November 2025 common position retreated from mandatory scanning to “voluntary” suspicionless detection paired with mandatory age verification. As of this writing, negotiations continue, now under the Irish Council presidency that took over on 1 July.

The European People’s Party stands accused of abusing its position as the largest group to bring back a proposal Parliament had already rejected. The Czech Pirate MEP Markéta Gregorová called it “unprecedented — no longer just about protecting privacy… No means no.” Two Die PARTEI MEPs, Martin Sonneborn and Sibylle Berg, wrote to President Roberta Metsola arguing the fast-track proceedings breach the Parliament’s own Rules of Procedure; when Sonneborn tried to raise the point in the chamber, his microphone was cut. To stop the file on Thursday, 361 members — an absolute majority of the Parliament’s 720 seats — would have to vote against it, on the day many members are already leaving for the recess. The scheduling is the most honest part of the operation.

Whose interest is this serving? The honest answer

The question deserves a direct answer rather than a politically convenient one, and the honest answer is that several interests are being served at once. Disentangling them is the analytical work most coverage refuses to do, because a single villain is more satisfying than the truth.

The child-protection interest is genuine. The voluntary regime the Parliament first authorised in July 2021 produced real CSAM reports leading to real investigations. The claim that the lapse since 3 April has harmed detection is not fabricated. But note what actually happened after the lapse: Google, Meta, Microsoft, and Snap have continued scanning private messages anyway, now without any legal basis rather than with one — which is, from a rule-of-law perspective, worse.

The institutional interest is genuine and more troubling. Four Commissioners wrote to MEPs this week urging them to back the revival: “Disrupting detection seriously weakens our collective ability to identify abuse, support victims, and stop offenders.” Executive pressure on a legislature is normal in most democracies. What is not normal is that the specific text being revived was defeated by Parliament’s own vote three months ago, and is being reintroduced by fast-track procedure on the last day before recess.

The EPP interest is the most opaque and the most significant. The reopening traces to Parliament’s own president, Metsola, who urged EU leaders in June to press ahead despite her chamber’s stated position and her own group’s vote against the text. The stated justification is the “legal gap.” The unstated calculation is that reviving the technically-voluntary, unencrypted-only 1.0 lets the EPP close that gap while avoiding the vote on the permanent regulation its own members have been blocking in trilogue.

The US tech interest is the one nobody is discussing. Chat Control 1.0 never applied to Signal, to WhatsApp’s end-to-end encrypted messages, or to any genuinely encrypted service. It applied to US Big Tech’s existing voluntary scanning — Gmail, Messenger, Skype, Snapchat, iCloud Mail, Xbox — giving legal cover to what those firms were already commercially motivated to do. My assessment is that the revival is, in operational terms, a legal-cover restoration for Meta, Google, Microsoft, and Snap: companies that have scanned without authorisation since April and whose liability is reduced by having a basis rather than a grey zone. Whether that is a feature or a bug depends entirely on whose interests you are prioritising — and the debate almost never names them.

Why they keep coming back

The earlier piece in this series predicted that the regulation would return in narrower, more legally defensible form until the political moment aligned with the technical infrastructure. Each iteration strips out the element that produced the blocking minority, adds language that keeps enough member states on board, and reappears with a narrower target and stronger framing. The Council’s late-2025 shift — from mandatory scanning to “voluntary” detection plus heavy risk-mitigation duties and mandatory age verification — is exactly that manoeuvre.

The former MEP Patrick Breyer, now a digital-rights campaigner and the fight’s most persistent chronicler, has made the sharpest structural point: the proposal “includes overly heavy and complex risk-mitigation measures that punish privacy-respecting services, effectively forcing them to implement surveillance tools to avoid liability.” A regulation that forces privacy-preserving services to adopt surveillance to escape liability does not need to mandate surveillance. It mandates the conditions under which the only commercially viable choice is surveillance — and it defines non-compliance as the service that does not scan.

The infrastructure convergence the series flagged is now visible. The EUDI Wallet is being rolled out across all 27 member states, with availability mandated by December 2026; the age-verification app is interoperable with its technical specification; the ADDW camera became mandatory in every new EU car yesterday. Each is, on its own, a legitimate objective — identity, age-gating, road safety. Together they are components of a unified identity-and-behaviour monitoring architecture that did not exist five years ago and will be substantially complete before 2028.

Is the EU undemocratic? The more precise answer

The viral framing — “reject a law, then resubmit it until nobody is watching” — is emotionally resonant and analytically incomplete.

DSI Advisory

Need intelligence like this on a decision you're facing?

DSI Advisory Services helps boards, business leaders, defence institutions, and security leaders understand threats before they reach the horizon — where cyber, geopolitics, and business risk converge.

Commission a bespoke intelligence productExplore advisory