When will the EU chat control rules start applying to member states and ISPs?
This fact-check may be outdated. Consider refreshing it to get the most current information.
Executive summary
EU governments reached a political compromise on the so-called “Chat Control” (Child Sexual Abuse — CSA — regulation) on 26 November 2025, replacing a mandatory scanning requirement with language that makes on‑device scanning and other measures voluntary for Member States and providers; the Council move removed the previously insisted mandatory interception of encrypted messages [1] [2]. The Parliament and digital‑rights groups remain opposed to indiscriminate scanning and have pushed for protections; the legislative file’s status is uncertain and timing for any entry into force or obligations on ISPs/providers is not yet specified in available sources [3] [4].
1. What the Council agreed — political compromise, not an immediate obligation
On 26 November 2025 EU governments “cleared the way” by agreeing a Council position that drops the previous requirement to force end‑to‑end encrypted services like Signal and WhatsApp to scan messages, instead converting the most controversial elements into voluntary or risk‑mitigation obligations that states and providers may choose to implement [1] [5]. Multiple summaries and commentators say the Danish presidency rewrote the text to make scanning voluntary, which was decisive in securing the Council’s backing [6] [7].
2. Why “when will it start applying” has no single-date answer
Available reporting describes a Council political agreement, not a final regulation with an entry‑into‑force date. The EU lawmaking process requires further steps: the Council position must still be reconciled with the European Parliament’s position and legal drafting completed before a final text can be adopted and published — only then will precise timelines (implementation periods, transposition deadlines for directives, or direct applicability for regulations) appear in the legal text [4] [2]. Available sources do not provide a date when Member States or ISPs must begin complying because the final legal act has not been published in the sources provided [1] [4].
3. What “voluntary” actually means in practice — competing views
Council texts and media reports characterise the new approach as voluntary for Member States and less prescriptive about forced client‑side scanning [1] [5]. Digital‑rights groups and privacy experts warn that “voluntary” can be illusory: providers may face commercial or legal pressure, and national authorities could still incentivise or require measures short of outright mandatory client‑side scanning — a concern raised repeatedly by campaigners and experts [8] [3] [9]. Tech industry voices argued that mandatory client‑side scanning would undermine encryption and digital sovereignty [3].
4. Who would be affected — Member States, service providers, possibly ISPs
The proposal targets online service providers that host interpersonal communications and platforms where Child Sexual Abuse Material (CSAM) can appear; earlier drafts envisaged scanning within messaging services and cloud backups, but the Council compromise removes an across‑the‑board forced scanning mechanism and instead obliges providers to assess misuse risks and implement mitigating measures where needed [5] [10]. Some civil society sources framed the proposal as potentially making all private communications subject to surveillance; Parliament questions and petitions emphasise the high stakes for privacy rights [11] [12].
5. Political and legal friction that will determine final timing
The European Parliament has repeatedly positioned itself against indiscriminate, generalised chat scanning and has voted to remove mandatory chat control in past stages; that institutional disagreement is a major brake on rapid implementation and guarantees more negotiations and legal scrutiny before any law becomes binding [3] [13]. Council legal services and privacy experts previously flagged conflicts with EU Charter rights and the Court of Justice jurisprudence on general retention and interception — such legal objections can delay final adoption and shape compliance timelines [2] [12].
6. Bottom line for ISPs and citizens now
There is no immediate compliance deadline in the available reporting; Member States and providers should expect further negotiation and legal drafting that will spell out obligations and schedules if a final law is adopted [1] [4]. Stakeholders — companies, ISPs, civil‑society groups and national authorities — will watch the Parliament’s response and any trilogue negotiations closely because those steps will determine if and when concrete obligations apply [3] [4].
Limitations and what’s missing from current reporting
The sources collectively document a Council political agreement (late Nov 2025), Parliament opposition, and ongoing controversy, but none publish the final legal text with entry‑into‑force or compliance deadlines. Available sources do not mention a concrete start date for Member State or ISP obligations because final legislative adoption and formal publication have not been reported in the materials supplied [1] [4].