On 11 May 2026, EU negotiators held the fourth trilogue on the long-disputed Child Sexual Abuse Regulation — the file critics call "Chat Control 2.0" — with the fifth and final session scheduled for 29 June. The headline outcome is a genuine win for the open internet: the Danish presidency's negotiating text has dropped mandatory client-side scanning and will not compel providers to break end-to-end encryption. The Netherlands, which has held a formal no-backdoors doctrine since 2016, is among the member-state voices that made that retreat stick. But the fight has shifted, not ended. What remains on the table — a permanent "voluntary" scanning regime and a sweeping age-verification mandate — deserves the same scrutiny the encryption-breaking provisions received.
Steelmanning the regulation
The case for the original proposal is not frivolous. The interim derogation that let platforms voluntarily scan for known child sexual abuse material expired on 3 April 2026, after the European Parliament declined to extend it on 26 March. Without a legal basis, even the voluntary detection that services like Meta and Google already perform sits on shaky ground. Child-protection advocates argue, reasonably, that a permanent EU framework — paired with a dedicated EU Centre to vet reports and reduce false positives — would give that work firmer footing and stop abuse material circulating across borders. The goal is legitimate and urgent. The disagreement is about means and proportionality.
What the Dutch doctrine actually says
The Netherlands was the first government in the world to take an unambiguous public position against weakening encryption. In its January 2016 cabinet statement, endorsed by then-justice minister Ard van der Steur, the government concluded that "it is not desirable to take restrictive legal measures as regards the development, availability and use of encryption in the Netherlands," citing strong encryption as essential to citizens' privacy, the security of government and business communications, and the wider economy. That position was not rhetorical. It has anchored Dutch opposition to successive mandatory-detection drafts of the CSAM Regulation, and it gave the Netherlands a credible, principled basis to push back when the Commission's 2022 proposal would have forced providers to install detection functionality on encrypted services.
The technical logic behind the doctrine is sound and has not changed. Client-side scanning — inspecting messages on the device before they are encrypted — does not preserve end-to-end encryption; it relocates the surveillance point. As the EFF reiterated in May 2026, the entire value of end-to-end encryption is that "only the intended recipients" can read a message, shielding it from "tech companies, governments, and other eavesdroppers." A mandated scanning hook is a standing vulnerability that cannot, by design, distinguish a lawful warrant from an abusive one. Removing that mandate from the Council text is therefore the correct outcome on both rights and security grounds.
The two provisions still worth fighting
First, the Council's text legitimises and makes permanent "voluntary" scanning at providers' discretion. The Parliament's own negotiating mandate is markedly more protective: it excludes end-to-end encrypted services, rejects mandatory age verification, and demands judicial authorisation before any scanning. The risk is institutional drift. A regime nominally voluntary but embedded in permanent law, backed by risk-assessment and mitigation duties, creates structural pressure to scan — turning an emergency stopgap into a fixture. MEP Patrick Breyer, who has tracked the file closely, warns the text would extend monitoring "far beyond visual content" to text and metadata pattern analysis. Proportionality requires the opposite default: detection tied to individualised suspicion and judicial warrants, not blanket infrastructure.
Second, all three institutional positions still contemplate age-verification duties — and here the Council and Commission want them mandatory. The practical problem is that robust age verification is itself a privacy and security hazard. It pushes platforms toward identity collection or document checks that end anonymous communication and create fresh honeypots of sensitive data. The point is not academic: the EU's own age-verification pilot app, unveiled on 15 April 2026, was reportedly defeated within minutes of release. A mandate that forces every communications service to gate access behind brittle identity checks trades a real harm against a speculative protection while manufacturing new attack surfaces.
A proportionate path through 29 June
The Dutch position points to the better template. Protecting children online is compatible with — and ultimately depends on — secure communications that families, journalists, and businesses can trust. The constructive endgame for the final trilogue is to lock in the encryption gains the Netherlands and allied states secured, align the text with Parliament's warrant-based, suspicion-driven model rather than the Council's permanent voluntary-scanning architecture, and strip mandatory age verification in favour of privacy-preserving, opt-in approaches that do not require mass identity collection.
The encryption battle inside Chat Control appears, for now, to be won. The Netherlands deserves real credit for holding a line it drew a decade ago. But the regulation that emerges on 29 June will be judged on whether it resists the quieter forms of overreach — permanent scanning by default and identity gates on private speech — that survive precisely because they are less conspicuous than a backdoor.