Chat Control 1.0: Does EU Law Break Encrypted Chats?

Sergii Muliarchuk

EU Parliament extended Chat Control 1.0 until 2028. What it means for encrypted messengers, AI scanning, and your business data in Ukraine.

Chat Control 1.0: Does EU Law Break Encrypted Chats?

TL;DR: On July 9, 2026, the European Parliament extended Chat Control 1.0 until 2028 — the regulation allowing platforms to voluntarily scan user messages for child sexual abuse material. This is not the feared Chat Control 2.0 mandate, but it keeps the legal framework alive for another two years while the more controversial mandatory-scanning proposal remains in negotiation. For Ukrainian businesses running communication infrastructure on EU platforms, the distinction matters enormously.


At a glance

  • July 9, 2026 — EU Parliament voted to extend Chat Control 1.0 until end of 2028.
  • Chat Control 1.0 was originally adopted in 2021 as a temporary derogation from the ePrivacy Directive.
  • The extension covers voluntary CSAM scanning — platforms are not legally required to scan.
  • Chat Control 2.0 (the mandatory version) has been stalled in EU Council since 2023, blocked by a coalition of at least 15 member states.
  • Signal CEO Meredith Whittaker publicly stated in 2023 the app would exit EU markets rather than implement client-side scanning.
  • GDPR Article 5(1)(c) (data minimisation principle) is cited by European Data Protection Board as potentially incompatible with bulk message scanning.
  • FlipFactory’s email and n8n MCP servers route notification and client communication data through EU-based infrastructure — making this directly relevant to our architecture decisions.

Q: What exactly did the EU Parliament vote for on July 9?

The July 9, 2026 vote extended the temporary derogation from Article 5(1) of the ePrivacy Directive — the legal window that lets platforms like Meta, Google, and Microsoft voluntarily scan private messages for CSAM without violating EU privacy law. Without this extension, that derogation would have expired, and even voluntary scanning programs would have faced legal uncertainty.

This is fundamentally different from what critics feared. No new obligations were created. No backdoors were mandated. The vote essentially hit “pause and extend” on a framework that has existed since 2021.

At FlipFactory, we run a Slack-to-n8n webhook pipeline for client project notifications — stood up in February 2026 — that routes through EU-region Cloudflare Workers before hitting our n8n instance. In our June 2026 architecture review, we flagged that any shift toward mandatory message scanning would require us to evaluate whether notification content (which sometimes includes truncated API responses and client domain names) needed additional encryption layers at rest. The Chat Control 1.0 extension, as voted, does not trigger that review. Chat Control 2.0 would.


Q: Why does the “voluntary” label matter for encrypted messengers?

The word “voluntary” carries enormous technical weight. End-to-end encrypted (E2EE) messengers like Signal, WhatsApp (partially), and iMessage are architecturally incompatible with server-side scanning — the server never sees plaintext. Voluntary compliance for these platforms would require client-side scanning (CSS): scanning the message on your device before encryption, then reporting matches to the platform.

Security researchers at Johns Hopkins University (specifically the team behind the 2021 paper “Bugs in our Pockets”) demonstrated that CSS is functionally equivalent to installing surveillance software on every device. Once the infrastructure exists, the scope of what gets scanned can be expanded by legal order.

Under Chat Control 1.0’s voluntary model, Signal simply opts out. Under a hypothetical Chat Control 2.0 mandate, Signal’s stated position is market exit.

For our FlipFactory competitive-intel MCP server, which we use to scan public competitor content and feed structured data into client strategy workflows, this distinction is operational. That server processes public data — no message scanning involved. But several clients have asked whether we can build internal knowledge bases fed from Slack or Teams channels. Our answer in Q2 2026 has consistently been: not until the EU regulatory picture on message data is settled.


Q: How should Ukrainian SaaS and fintech teams respond right now?

Practically: audit your communication stack’s EU exposure. If your team uses Slack, Teams, or Google Chat and your clients are EU-based, understand those platforms’ voluntary scanning participation status. As of July 2026, none of the major B2B communication platforms have implemented CSAM scanning for business accounts — but policies can change with 30-day notice clauses buried in ToS.

We ran this audit internally in May 2026 across our 12+ MCP server infrastructure. The email MCP (which handles automated client report delivery via SMTP relay through an EU-region provider) was the only component we flagged for enhanced logging — not because of Chat Control, but because it transits client-identifiable data and we wanted audit trails consistent with GDPR Article 30 record-keeping obligations.

For fintech clients specifically: if you’re passing transaction confirmation strings or partial card data through any messaging layer (even internally), the potential expansion of scanning scope in Chat Control 2.0 is a risk worth modelling. The EDPB’s 2023 Opinion 5/2023 on Chat Control explicitly warned that financial and legal communications could be caught in overly broad scanning implementations.


Deep dive: The architecture of surveillance creep and why 2028 matters

The 2028 deadline is not arbitrary. It aligns with the anticipated completion of the EU’s renegotiation of Chat Control 2.0 — a process that has been one of the most contested digital policy battles in European history.

The original Chat Control 2.0 proposal, published by the European Commission in May 2022, would have required all communication platforms operating in the EU to implement automated scanning for CSAM, grooming behaviour, and — in some drafts — terrorism-related content. The proposal triggered immediate pushback from cryptographers, civil liberties organisations, and a significant bloc of member states.

The Electronic Frontier Foundation (EFF), in its 2022 analysis “Chat Control: The EU’s Surveillance Proposal Explained”, called the mandatory scanning framework “one of the most dangerous pieces of surveillance legislation to emerge from a democratic government.” The EFF’s specific concern: once client-side scanning infrastructure is legally mandated for one category of content, expanding it to others (political speech, financial dissent, national security definitions) requires only a legislative amendment, not a new technical deployment.

The European Data Protection Supervisor (EDPS) issued Opinion 26/2022 calling the proposal “neither necessary nor proportionate” — unusually strong language from an EU supervisory body. The EDPS specifically cited the incompatibility of bulk scanning with GDPR’s data minimisation and purpose limitation principles.

What killed Chat Control 2.0’s progress — temporarily — was a blocking minority in the EU Council in June 2024, when Germany switched its position to abstention, denying the presidency the qualified majority needed to proceed. As of July 2026, the Belgian and Polish presidencies’ successive attempts to find compromise text have not produced a votable draft.

The Chat Control 1.0 extension to 2028 serves a dual purpose: it keeps the voluntary framework legally operational (which the EU Commission argues is better than no framework for platforms already doing CSAM detection), and it buys time for Chat Control 2.0 to be renegotiated into something that can achieve qualified majority support.

For the Ukrainian tech market, the 2028 window is the operative planning horizon. Ukrainian SaaS companies serving EU clients — and there are hundreds operating under EU legal entities or processing EU personal data under GDPR adequacy considerations — need to build data architecture that can accommodate either outcome: a Chat Control 2.0 that mandates scanning, or a collapsed framework that leaves the space to voluntary action and GDPR.

The strategic bet we’re making at FlipFactory (flipfactory.it.com): design client communication workflows so that sensitive data never transits a scanning-compatible channel. That means structured API payloads over encrypted HTTPS with no readable message bodies, rather than notifications through consumer-grade messaging platforms. Our n8n MCP server is configured to push client alerts to dedicated webhook endpoints rather than Slack channels — a decision made in March 2026 that now looks prescient.


Key takeaways

  • EU Parliament extended Chat Control 1.0 on July 9, 2026 — voluntary scanning only, no mandate.
  • Chat Control 2.0 remains stalled in EU Council since June 2024 blocking vote.
  • Signal will exit EU rather than implement client-side scanning, per CEO statement.
  • EDPS Opinion 26/2022 calls mandatory scanning disproportionate under GDPR.
  • Ukrainian B2B teams should audit EU-platform message routing before 2028 deadline.

FAQ

Q: Does Chat Control 1.0 mean my messages are being read right now?

Not mandatorily. Chat Control 1.0 is a temporary regulation allowing platforms to voluntarily scan for CSAM (child sexual abuse material). It does not require encryption backdoors. Companies like Meta may opt in; Signal and WhatsApp have not implemented mandatory scanning. The extension to 2028 keeps this voluntary framework alive while Chat Control 2.0 negotiations continue.

Q: Should Ukrainian businesses using EU cloud services worry about Chat Control?

Yes, with nuance. If your SaaS or communication tool is hosted in the EU and used by EU residents, voluntary scanning policies of that platform apply. For B2B tools processing sensitive client data — contracts, financial flows, API keys in chat — it’s worth auditing which platforms your team uses and whether they participate in voluntary CSAM scanning programs. We reviewed our own n8n workflow notification channels in June 2026 for exactly this reason.

Q: What is the difference between Chat Control 1.0 and Chat Control 2.0?

Chat Control 1.0 (extended to 2028) allows voluntary scanning by platforms. Chat Control 2.0 — the controversial draft still under EU Council negotiation — would mandate scanning of all messages, including end-to-end encrypted ones, requiring client-side scanning. Security researchers from the Electronic Frontier Foundation and Johns Hopkins University have called client-side scanning technically equivalent to a backdoor.


About the author

Sergii Muliarchuk — founder of FlipFactory.it.com. Building production AI systems for fintech, e-commerce, and SaaS clients. We run 12+ MCP servers, n8n workflows, and FrontDeskPilot voice agents in production.

We’ve routed client data through EU-region infrastructure since 2024 — Chat Control isn’t theoretical for us, it’s an architecture constraint we actively design around.

Frequently Asked Questions

Does Chat Control 1.0 mean my messages are being read right now?

Not mandatorily. Chat Control 1.0 is a temporary regulation allowing platforms to voluntarily scan for CSAM (child sexual abuse material). It does not require encryption backdoors. Companies like Meta may opt in; Signal and WhatsApp have not implemented mandatory scanning. The extension to 2028 keeps this voluntary framework alive while Chat Control 2.0 negotiations continue.

Should Ukrainian businesses using EU cloud services worry about Chat Control?

Yes, with nuance. If your SaaS or communication tool is hosted in the EU and used by EU residents, voluntary scanning policies of that platform apply. For B2B tools processing sensitive client data — contracts, financial flows, API keys in chat — it's worth auditing which platforms your team uses and whether they participate in voluntary CSAM scanning programs. We reviewed our own n8n workflow notification channels in June 2026 for exactly this reason.

What is the difference between Chat Control 1.0 and Chat Control 2.0?

Chat Control 1.0 (extended to 2028) allows voluntary scanning by platforms. Chat Control 2.0 — the controversial draft still under EU Council negotiation — would mandate scanning of all messages, including end-to-end encrypted ones, requiring client-side scanning. Security researchers from the Electronic Frontier Foundation and Johns Hopkins University have called client-side scanning technically equivalent to a backdoor.

Related Articles