For years, Brussels has been divided over how far the European Union should go to combat the spread of child sexual abuse material, or CSAM.
Privacy advocates argue that scanning private messages would amount to mass surveillance, undermining digital rights. Child safety groups, and many tech companies, say that without such tools, illicit content will spread rampantly.
The dispute came to a head in March, when the European Parliament voted against extending a temporary exemption that had allowed platforms to scan communications, leaving companies without the legal basis to continue scanning for CSAM.
On June 22, trilogue negotiations successfully concluded between the institutions, charting a new path for combating child sexual abuse crimes. The deal criminalizes offences such as grooming, the use of artificial intelligence platforms to create CSAM content and extends the period during which victims can report abuse and authorities can launch investigations.
But the agreement sidestepped the most controversial questions: whether tech companies should be allowed or required to scan private communication for abuse material.
A separate set of negotiations focused on the issue is now unlikely to conclude before the Cyprus presidency ends in late June.
“With this agreement, we managed to significantly extend the limitation periods for serious crimes,” said MEP Jeroen Lenaers (EPP, NL). “The law also addresses grooming and the spread of abuse material online, and ensures that law enforcement can combat new forms of abuse — including AI systems and instruction manuals.”
What counts as CSAM, and how do companies remove it?
Child sexual abuse material is any content that shows a child being sexually abused or exploited according to Rainn, a sexual abuse advocacy group based in Washington D.C. CSAM is widely prevalent, with over 20.4 million cases reported in 2024 to the U.S. National Center for Missing and Exploited Children, an international clearinghouse for flagging CSAM material. In 2024, 70% of all such content globally originated in Europe, according to the Internet Watch Foundation.
Companies typically scan their platforms using a process called PhotoDNA, a form of hash matching that flags known CSAM by comparing digital fingerprints, without requiring a human to view the image.
How has the EU tried to regulate CSAM scanning?
In 2020, the Commission introduced a temporary measure allowing companies to scan for CSAM without breaching data privacy rules, but efforts to extend it failed in Parliament in March this year, with lawmakers rejecting a longer and broader exemption backed by the Commission and Council.
In 2022, the EU executive put forward a permanent framework to clarify what scanning is allowed and to establish a dedicated centre to combat child sexual abuse. But the plan has stalled, as EU institutions remain divided over how far those scanning powers should extend.
How did opposition to “chat control” gain momentum?
In 2020, digital privacy groups such as Stop Chat Control and Fight Chat Control began campaigning against scanning, arguing that exemptions to privacy rules amounted to mass surveillance. Civil society groups organized citizens to send thousands of emails to European lawmakers.
“We allowed providers to check all personal communications of all users at any time,” said MEP Birgit Sippel (S&D, DE), the rapporteur on the temporary exemption. “As a general matter, that is deeply affecting the rights of all the users, and most of them are not criminals, clearly.”
Basic user privacy is incompatible with broad scanning mandates, according to Patrick Grady, an EU policy manager at the Chamber of Progress. He said the original temporary exemption, which had more narrow mandates, was the right approach.
Where does the CSAM debate stand now?
When the exemption expired, tech companies accused the Parliament of failing to protect children. Yet firms including Snapchat, Meta, Google and Microsoft have continued to scan for CSAM regardless, according to a joint letter.
Lawmakers say that’s illegal. “I’m frustrated by companies that say we decide which laws we respect, and which laws we want to ignore,” Sippel said.
Those same companies are now advocating for the EU institutions to fast-track the permanent regulation instead of reviving the rejected extension, according to Chloe Setter, Google’s head of child safety policy in Europe.
While the new criminal laws are finalized, final trilogue talks on scanning are not expected to conclude before the end of the Cyprus presidency at the end of June, according to the Parliament’s press office.
This article was updated on June 22, 2026.
Sign up to The Parliament's weekly newsletter
Every Friday our editorial team goes behind the headlines to offer insight and analysis on the key stories driving the EU agenda. Subscribe for free here.