Chat Control: Legal and ethical challenges of an ambiguous Regulation

1. Introduction

On 11 May 2022, the European Commission presented the proposal for a Regulation on preventing and combating child sexual abuse (Regulation to Prevent and Combat Child Sexual Abuse – CSA Regulation), with reference number 2022/0155(COD). The proposal aims to create a mandatory Union framework for the detection, reporting and removal of child sexual abuse material (CSAM) from online communication services.

The need to protect children is self-evident and legitimate. However, the proposed solution raises serious legal and technical issues related to respect for fundamental rights, cybersecurity and the jurisprudential tradition of the European Union.

2. Background – Current Legislative Status

The path towards the proposed Regulation for the prevention and combating of child sexual abuse began with the EU Strategy (2020-2025), which laid the foundations for a permanent legislative framework. This was followed by the transitional regime of the “interim derogation” (Chat Control 1.0), which allows providers to continue voluntary detection practices until 2026.

On 11 May 2022, the Commission presented the main regulatory proposal (2022/0155 COD), introducing the obligation to detect and report CSAM and grooming. The proposal provoked intense reactions: the European Data Protection Supervisor (hereinafter “EDPS”) and the European Data Protection Board (hereinafter “EDPB”) warned of violations of fundamental rights, while journalistic investigations and interventions by civil society organisations highlighted issues of transparency and conflicts of interest.

The European Parliament adopted its position in November 2023, introducing critical amendments: exemption of end-to-end encryption, restriction of detection orders (explained below) to cases of specific suspicion and strengthening of safeguards. Conversely, in the EU Council, successive presidencies (Belgium, Hungary, Poland) failed to secure consensus, as a strong “blocking minority” of Member States (Germany, Luxembourg, Austria, Netherlands and others) opposed generalised scanning.

The Danish Presidency (2025) is again attempting a compromise, with a vote expected in October 2025. In parallel, developments such as the proposed revision of Directive 2011/93/EU and jurisprudential decisions (e.g. by the ECtHR in 2024, which rejected the obligation to downgrade encryption) are shaping the environment of the discussion.

Greece remains officially undecided, highlighting the need for transparency and public accountability.

3. Detection Orders – What They Are and What the Procedure Is

3.1. What is a Detection Order?

The issuance of detection orders is the most controversial element of the proposed regulation. A detection order is the legal tool by which competent authorities can oblige a communication service provider to implement technological measures.

3.2. What Will Be the Procedure for Issuing a Detection Order?

Authority Request: The competent national authority (judicial or independent administrative authority) determines that a provider poses a serious risk of being used for the dissemination of CSAM and that general compliance measures are insufficient.

Issuance of Order: The detection order defines the scope (type of content: known CSAM, new CSAM or grooming), duration (time-limited), and measures to be taken.

Implementation by Provider: The provider is obliged to install relevant scanning tools, which may operate even on end-to-end encrypted services through technologies such as client-side scanning.

Reporting: The provider must report any findings to the authorities. However, there is no clear framework regarding providers’ obligations when there are no findings.

Control & Supervision: Theoretically, the order is subject to judicial or administrative review to ensure legality and proportionality.

Limitations

Limitations on the procedure, many of which were imposed by the European Parliament, include:

Principle of Last Resort: According to the European Commission, detection is imposed as a measure of last resort on service providers. A detection order would be imposed only after it is determined that the service provider’s risk assessment and mitigation measures are insufficient to protect children’s fundamental rights.

Targeted Application: The European Parliament’s position provides that detection orders would be used only if there is reasonable suspicion that individual users or groups are connected to child sexual abuse material. The orders would be time-limited, with end-to-end encrypted communications and text messages excluded from their scope.

Illegal Material: According to the European Commission, detection would theoretically concern clearly illegal content, namely child sexual abuse material. The distinction between known and new child sexual abuse material (CSAM) is critical for legal assessment, as detection of new material entails significantly higher risks to fundamental rights due to high rates of false positives.

Additionally, the flagging of conversations potentially conducted for child sexual abuse purposes would be based on artificial intelligence classifiers trained on confirmed cases of child sexual abuse. However, no information is provided regarding measures to safeguard users’ fundamental rights.

Time Limitation: According to the European Commission, detection orders would be time-limited and subject to reviews. This procedural safeguard aims to ensure that measures remain proportionate and necessary throughout their implementation.

3.3. Supervisory Authority

According to the European Commission, the proposed EU Centre for the Prevention and Combating of Child Sexual Abuse would play a central role in the procedure: it would cooperate with corresponding centres, such as those of the USA, Canada and Australia, and would support the private sector by providing it with a database containing indicators for detecting child sexual abuse online. However, no information is provided regarding this Centre’s cooperation with Member States’ Data Protection Authorities, or with the supervisory authorities designated in Member States to ensure the protection of fundamental rights from AI models, which raises issues of institutional balance and control.

4. Technical Aspects – Inadequacies and Security Risks

4.1. Undermining Encryption

Content detection in services with end-to-end encryption requires the implementation of “client-side scanning” technologies. This creates systemic security vulnerabilities that can be exploited by criminal organisations or hostile actors.

4.2. What is Client-Side Scanning

Client-side scanning (CSS) is the technological method by which detection orders are meant to be implemented on platforms with end-to-end encryption. Instead of scanning being performed on the server, it is carried out on the user’s device (e.g. mobile phone, computer), before or during the sending of a message or file. The device compares content with databases of “digital fingerprints” of known CSAM. If a match is found, a notification is sent to authorities. In practice, CSS bypasses encryption, as detection occurs before encryption is applied.
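
The ordering described above, as an added sketch that is not part of the original article or of any provider's code: the scan reads the plaintext first, and a match produces a report that leaves the device outside the encrypted channel. The SHA-256 fingerprint, the toy XOR cipher standing in for end-to-end encryption, and all names and sample data are assumptions.

```python
import hashlib
import secrets

def fingerprint(content: bytes) -> str:
    # Stand-in "digital fingerprint": an exact SHA-256 digest (assumption;
    # the article does not say which fingerprinting scheme would be used).
    return hashlib.sha256(content).hexdigest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return hashlib.shake_256(key + nonce).digest(n)

def e2ee_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Placeholder for the messenger's end-to-end encryption.
    # Illustrative only: a hash-based XOR stream is not a secure cipher.
    nonce = secrets.token_bytes(16)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))

def e2ee_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    stream = _keystream(key, nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))

def send_with_css(plaintext: bytes, key: bytes, indicator_db: set):
    """Sender-side path under client-side scanning.

    Returns (ciphertext for the recipient, report for the authority or None).
    indicator_db models the database of indicators supplied to the device.
    """
    fp = fingerprint(plaintext)                # 1. scan runs on the plaintext
    report = {"matched_fingerprint": fp} if fp in indicator_db else None
    ciphertext = e2ee_encrypt(key, plaintext)  # 2. encryption happens afterwards
    return ciphertext, report

# Constructed sample data, not real content or real indicators.
LISTED = b"constructed sample: file whose fingerprint is in the database"
OTHER = b"constructed sample: ordinary holiday photo"
INDICATOR_DB = {fingerprint(LISTED)}
KEY = secrets.token_bytes(32)  # shared only by sender and recipient

if __name__ == "__main__":
    for item in (LISTED, OTHER):
        ct, report = send_with_css(item, KEY, INDICATOR_DB)
        # The relay sees only ciphertext, yet a report may exist beside it.
        print(len(ct), "ciphertext bytes; report:", report)
```

The encrypted channel stays intact for both messages; what changes is that information derived from the plaintext exists outside that channel whenever the database contains a matching entry.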

5. Legal Basis and Procedural Issues

5.1. Legal Basis

The proposal is based on Article 114 TFEU (internal market), operating as lex specialis in relation to the Digital Services Act (DSA), which affects the entirety of European digital legislation. However, this is a legal basis traditionally used for market issues, not for such intrusive regulations affecting fundamental rights.

5.2. Violation of Fundamental Rights

5.2.1. Violation of Articles 7 and 8 of the Charter

The proposal raises serious questions regarding its compatibility with Articles 7 (respect for private and family life) and 8 (protection of personal data) of the Charter of Fundamental Rights of the European Union (hereinafter “Charter”). The European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB), in their joint opinion 04/2022, concluded that the proposal could become the basis for de facto generalised and indiscriminate scanning of content from almost all types of private electronic communications of application users.

5.2.2. Jurisprudential Framework of the Court of Justice of the European Union

The Court of Justice of the European Union (hereinafter “CJEU”) has established consistent jurisprudence against generalised surveillance. In the cases Digital Rights Ireland (C-293/12), Tele2 Sverige (C-203/15) and La Quadrature du Net (C-511/18, C-512/18, C-520/18), the CJEU ruled that Union law precludes national legislative measures providing, as a preventive measure, for general and indiscriminate retention of traffic and location data relating to electronic communications, for purposes of combating serious crime.

5.2.3. The Criterion of Article 52(1) of the Charter

Beyond the specific jurisprudence on generalised surveillance, the proposal faces a fundamental problem regarding the proportionality test provided for in Article 52(1) of the Charter, which requires that any limitation on fundamental rights be provided for by law, respect the essence of those rights, and under the principle of proportionality, be imposed only if necessary and genuinely meeting objectives of general interest recognised by the Union. The detection orders procedure, even with the proposed safeguards, fails to pass the triple test of legality, necessity and proportionality stricto sensu required by Article 52(1).

5.2.4. Violation of Article 11 of the Charter

The potential “chilling effect” on freedom of expression and information (Article 11 of the Charter) constitutes an additional problematic dimension of the proposal, as citizens may self-limit their digital expression for fear of surveillance.

6. Practical Implications and Socio-Economic Consequences

The adoption of the proposed regulation would bring serious practical consequences for businesses, citizens and broader society:

Business Implications: Service providers would be forced to radically restructure their security architecture, with increased compliance costs passed on to consumers. Uncertainty regarding technical implementation would discourage investment in innovative security technologies.

Social Implications: The creation of a climate of suspicion would disproportionately affect vulnerable groups that rely on anonymous communication for their protection, including journalists, human rights activists and victims of domestic violence.

Geopolitical Implications: The EU would lose its moral advantage in international discussions on digital rights, providing valuable arguments to authoritarian regimes for justifying their own surveillance measures. Additionally, there would now be a vulnerability in all communication infrastructures regarding encryption, which could lead to serious defence issues for Member States.

7. Conclusions

The protection of children is non-negotiable, but pursuing this goal cannot be based on measures that violate fundamental rights and undermine digital security. Despite procedural safeguards, the proposed procedure raises serious questions of proportionality. Implementation on encrypted services through client-side scanning renders privacy by design ineffective, while the generalised nature of scanning does not satisfy the criterion of targeted intervention required by CJEU jurisprudence.

In practice, the nature of detection orders resembles generalised surveillance more than targeted measures, something that CJEU jurisprudence has repeatedly rejected. The proposed regulation, in its current form, fails to satisfy the criteria of necessity and proportionality required by CJEU jurisprudence. Its adoption would constitute a violation of the essential content of fundamental rights such as private and family life and the protection of personal data.

Stergios Konstantinou
Lawyer, Advanced LLM – IP & ICT Law
CIPP/E, CIPM, FIP

The original version of the above article was published (in Greek) on the website of Homo Digitalis.

Moreover, on this subject, Stergios Konstantinou gave an interview to journalist Sotiris Kyriakidis on “Praktoreio 104.9 FM” of the Athens – Macedonian News Agency, analysing the legal and technical dimensions of the proposal. The full interview is available in Greek.