Which parts of the EU chat control law entered into force immediately and which have phased implementation dates?
This fact-check may be outdated. Consider refreshing it to get the most current information.
Executive summary
Key elements of the EU “Chat Control” (Child Sexual Abuse Regulation / CSAR) text remain in negotiation; Council members agreed a compromise text on 26 November 2025 that removed a binding, EU‑wide obligation to force client‑side scanning and instead left scanning and certain measures subject to voluntary or member‑state choices, with trilogue talks and final votes still required [1] [2] [3]. Available sources do not provide a definitive list of which individual Articles entered into force immediately versus which will phase in on set dates because the regulation had not completed final adoption and publication by the time of these reports [2] [4].
1. What “entered into force immediately” — short answer and why that’s hard to pin down
There is no clear, authoritative list in the available reporting showing any provisions of the CSAR that “entered into force immediately.” Multiple outlets describe Council agreement on a November 26, 2025 compromise and point to remaining legislative steps (trilogue with Parliament, final votes, publication in the Official Journal) before any dates of application are set; hence, the law’s entry into force and application timetable were to be fixed in the final text after those steps [1] [2] [4].
2. The November 26 Council compromise — what changed immediately in political terms
On 26 November 2025 the Council adopted a compromise text that removed a Council‑level mandatory obligation to scan encrypted messages and instead reframed scanning as voluntary or as a measure subject to member‑state choices; reporting treats that as a political turning point, not as immediate legal entry into force of operational measures for providers [1] [3] [5]. The immediate effect was political: the most controversial mandatory scanning language was dropped from the Council draft and momentum moved to trilogue negotiations with Parliament and Commission [1] [2].
3. What’s left to do before any provisions can legally apply
Multiple sources say the Council text still needed trilogue negotiations and final votes in both Parliament and Council, after which the regulation would be published in the Official Journal and only then could application dates be set in the text — meaning implementation timing depends on the final adopted wording [2] [4]. Reporting emphasises that technical and legal questions — for example on client‑side scanning, age verification, and “risk mitigation” obligations — remained contested and thus affect any phased implementation timeline [2] [6].
4. Voluntary vs mandatory: who decides to scan and when
After the late‑November compromise, several outlets describe scanning as no longer a binding EU‑wide duty; instead member states or providers may face new duties to assess platform risks and implement mitigation measures based on those assessments, with scanning framed as voluntary or conditional rather than an immediate, across‑the‑board mandate [1] [7] [3]. That distinction matters: voluntary or member‑state‑led options mean implementation timing will vary by country and by provider, rather than a single EU phase‑in date [1] [7].
5. Technical and legal obstacles that delay fixed roll‑out dates
Independent analyses cited in the sources stress technological unreliability of detection tools and high false‑positive rates, and national and Union‑level legal concerns about fundamental rights protections — factors that make negotiators reluctant to lock in immediate application dates without further safeguards [2] [4]. Those technical and rights questions were explicitly flagged as reasons why the final text must specify when — if at all — measures start to apply [2] [4].
6. Competing narratives and hidden agendas to watch for
Advocacy groups (digital‑rights and industry) portray the November change as a victory that preserves encryption; governments and child‑protection advocates frame the compromise as a pragmatic step to keep momentum against online child abuse while addressing feasibility concerns [1] [8] [9]. Some sources document lobbying and intergovernmental dynamics — for example Denmark’s shifting position and Council presidencies steering texts — indicating political negotiation, not purely technical drafting, shaped which obligations appear and which were delayed [9] [10].
7. Bottom line for readers who want dates
If you seek a concrete list of provisions that “entered into force immediately” or a calendar of phased implementation dates, the available reporting does not contain that information: the law had not been finally adopted and published, and implementation dates were to be set in the final text after trilogue and final votes [2] [4]. Expect any actual application schedule to depend on the final compromise text and on separate national choices where the Council text leaves measures voluntary [1] [7].