This article updates and completes what was published in February 2022:
→ The proposed ePrivacy Regulation: the current status, timeline of events, and some considerations
Where we left off (February 2022)
In February 2022, we reviewed the entire process of the proposed ePrivacy Regulation — COM(2017) 10 final — from its presentation by the European Commission on January 10, 2017, to the trilogue drafts of November 2021. The picture was of negotiations formally launched on May 20, 2021, with the Council and Parliament holding distant positions on crucial points such as metadata processing, data retention, cookies, and the role of supervisory authorities. We concluded, with reasonable optimism, that a final version would be available by 2023.
That prediction did not come true. What happened over the following four years goes far beyond a simple delay: three developments of systemic importance that deserve separate examination.
1. The ePrivacy Regulation proposal was withdrawn
The deadlock in negotiations (2022–2024)
After the formal resumption of the trilogue in May 2021, negotiations continued to mark time. The French Presidency of the Council (first half of 2022) published the latest four-column table in preparation for the trilogues on March 28, 2022, noting limited technical progress. The subsequent presidencies — Czech (July–December 2022) and Swedish (January–June 2023) — failed to produce any substantial progress. The dossier was formally blocked.
Withdrawal (February–October 2025)
On February 11, 2025, the European Commission published the 2025 Work Program (COM(2025) Work Program), which included in its annex — among the dossiers to be withdrawn within six months — the proposed ePrivacy Regulation. The Commission’s reasoning was as follows:
“No foreseeable agreement — no agreement is expected from the co-legislators. Furthermore, the proposal is outdated in view of some recent legislation in both the technological and the legislative landscape.”
The Commission formally approved the withdrawal at its 2533rd meeting on July 16, 2025 and officially announced it in the Official Journal of the European Union on October 6, 2025 (C/2025/5423).
The legislative procedure initiated in 2017 under procedure 2017/0003(COD) is definitively closed.
Institutional source: Legislative Train Schedule — ePrivacy Reform (updated on January 22, 2026)
What remains in force
The withdrawal of the proposed Regulation has a direct and immediate consequence: Directive 2002/58/EC (ePrivacy Directive), in its current version — last amended by Directive 2009/136/EC — continues to apply and will not be repealed in the short term. The national transpositions in the individual Member States therefore remain the regulatory reference for the confidentiality of electronic communications, cookies, direct marketing, and the retention of traffic data.
2. The temporary derogation from the ePrivacy Directive (Chat Control 1.0): history and vote of March 11, 2026
Parallel to the ePrivacy Regulation process, a separate but closely related regulatory issue has developed, which has been at the center of the European debate on digital privacy in recent years.
The origins: Regulation (EU) 2021/1232
On July 14, 2021, Regulation (EU) 2021/1232 was adopted, entering into force on August 2, 2021, and remaining valid until August 3, 2024. It introduced a temporary derogation from Article 5(1) and Article 6 of the ePrivacy Directive, allowing number-independent interpersonal communication service providers — webmail, messaging, VoIP — to voluntarily continue to detect, report, and remove child sexual abuse material (CSAM) online, pending the adoption of a permanent regulatory framework.
This derogation has been dubbed “Chat Control 1.0” by critics because it opens the door to scanning the content of private communications, in derogation from confidentiality rules.
The first extension: Regulation (EU) 2024/1307
On February 15, 2024, the European Parliament and the Council reached a provisional agreement to extend the derogation until April 3, 2026. The Parliament approved the agreement on April 10, 2024, and the Council on April 29, 2024 (Regulation (EU) 2024/1307).
The proposal for a second extension (December 2025)
On December 19, 2025, the European Commission proposed a further extension of the derogation — due to expire on April 3, 2026 — until August 3, 2028, to allow for the conclusion of negotiations on the permanent framework. On January 28, 2026, COREPER approved the negotiating mandate with Parliament and accepted the Commission’s proposal.
The parliamentary process: February–March 2026
February 23, 2026 — Rapporteur Birgit Sippel (S&D, Germany) presented the draft report to the LIBE committee, including substantial amendments that significantly limited the scope of the extension compared to the Commission’s proposal.
March 2, 2026 — The LIBE committee voted against the draft position in favor of the extension (38 votes against, 28 in favor). The result took the chamber by surprise. Under the European Parliament’s Rules of Procedure, the lack of a majority in committee meant that a proposal to reject the dossier was automatically referred to plenary, with the possibility of political groups tabling amendments.
March 11, 2026 — The plenary overturned the committee’s decision: with 458 votes in favor, 103 against, and 63 abstentions, the European Parliament approved the extension of the derogation — but with significantly more restrictive conditions than the Commission’s original proposal.
Institutional source: European Parliament press release, March 11, 2026
The conditions of the approved extension
The text approved by Parliament stipulates that voluntary detection measures:
- remain proportionate and targeted and do not apply to end-to-end encrypted communications in the European Parliament’s negotiating position;
- do not allow traffic data to be scanned together with content data;
- apply technologically only to material already identified as CSAM or reported by a user, a trusted flagger, or an organization;
- are targeted at users or groups of users that a judicial authority has reasonably suspected of being linked to CSAM.
The rapporteur’s statement
Rapporteur Birgit Sippel stated after the vote:
“We have a responsibility to tackle the horrific crime of child sexual abuse while safeguarding the fundamental rights of all. This derogation is a temporary and strictly limited tool that allows providers to continue their voluntary detection measures under certain conditions. The extension must also protect end-to-end encryption. Limiting the scope of the extension to child sexual abuse material that has already been identified or reported is necessary and justified for a proportionate framework that can withstand judicial review and ensure sustainable protection of children.”
3. The permanent regulatory framework: CSAR and ongoing trilogues
In parallel with the derogation, the process of adopting the Regulation on preventing and combating child sexual abuse online (CSAR), proposed by the Commission on May 11, 2022 (COM(2022) 209), is ongoing.
That is the text that should permanently replace the temporary derogation and, for the part dedicated to combating CSAM, affect the communications confidentiality regime provided for in the ePrivacy Directive, introducing specific sectoral detection and reporting obligations.
The current state of negotiations, on an institutional basis:
- November 2023 — The European Parliament adopted its negotiating position (EP press release, November 2023), which excludes the scanning of end-to-end encrypted communications and makes any measures subject to reasonable suspicion.
- November 26, 2025 — The Council of the EU adopted its negotiating position (Council press release, November 26, 2025). The Council’s position eliminates mandatory detection orders but continues the voluntary detection regime and introduces risk mitigation measures.
- December 9, 2025 — First political trilogue between the three institutions.
- January 2026 — Preparatory technical meetings; second trilogue expected on February 26, 2026.
- Subsequent trilogues — ongoing; the schedule of meetings and the date of formal adoption have not yet been confirmed by published institutional sources.
Institutional source: Legislative Train Schedule — Combating child sexual abuse online
Summary table: what has changed between 2022 and 2026
| Item | Status in February 2022 | Status today (March 2026) |
|---|---|---|
| ePrivacy Regulation proposal (COM/2017/10) | Trilogue initiated, negotiations ongoing | Withdrawn — OJ October 6, 2025 |
| Directive 2002/58/EC | In force, intended for repeal | In force, will not be repealed in the short term |
| Temporary CSAM derogation (Reg. 2021/1232) | In force until August 2024 | Extension approved by the European Parliament (March 11, 2026) — process ongoing |
| CSAR (permanent framework) | EC proposal submitted (May 2022) | Trilogues ongoing — agreement not yet confirmed |
ePrivacy / CSAM regulatory timeline (2017–2026)
| Year / Date | Event | Institutional source |
|---|---|---|
| January 10, 2017 | European Commission presents ePrivacy Regulation proposal | COM(2017) 10 final |
| May 20, 2021 | Formal start of trilogues on the ePrivacy Regulation | EP — Legislative Train |
| July 14, 2021 | Adoption of Regulation (EU) 2021/1232 — temporary ePrivacy derogation for CSAM detection | OJEU — Regulation 2021/1232 |
| May 11, 2022 | The Commission presents the proposed CSAR Regulation | COM(2022) 209 |
| April 10, 2024 | European Parliament approves first extension of derogation | Reg. (EU) 2024/1307 |
| February 11, 2025 | The Commission announces the withdrawal of the ePrivacy Regulation proposal | Work Program 2025 |
| October 6, 2025 | Publication of the withdrawal in the EU Official Journal | C/2025/5423 |
| December 9, 2025 | First political trilogue on CSAR | EP — Legislative Train |
| March 11, 2026 | European Parliament approves second extension of CSAM derogation (legislative process ongoing) | EP press release, 11/03/2026 |
Observations
Four years after the 2022 article, the European regulatory landscape on the confidentiality of electronic communications has undergone profound, and in some ways unexpected, changes.
The most significant development is the withdrawal of the ePrivacy Regulation proposal, which brings to an end a process that lasted almost nine years without producing the expected text. The institutionally stated reasons — lack of foreseeable agreement between co-legislators and obsolescence of the proposal in relation to the technological and regulatory framework that has since emerged (GDPR, DSA, AI Act, European Electronic Communications Code) — reflect the structural complexity of a dossier on which national, industrial, and fundamental rights protection interests have overlapped, making it difficult to reconcile them in a single text.
On the derogation front, the vote on March 11, 2026, produced a significant technical outcome: end-to-end encryption is excluded in the European Parliament’s negotiating position from the scope of voluntary detection measures. The requirement of reasonable suspicion as a condition for activating the measures and the limitation to already identified material significantly restrict the scope of application of the derogation compared to the Commission’s original ambitions and, even more so, compared to the more invasive proposals that had fueled the public debate on “Chat Control.”
Negotiations on the CSAR remain open — and more politically relevant than ever. The positions of the Parliament and the Council remain divergent on crucial points, in particular on the scope of voluntary detection measures and their relationship with encryption. The outcome of the ongoing trilogues will be decisive for the European regulatory framework on the confidentiality of communications for the next European regulatory cycle.
Institutional sources
European Parliament
- Press release — Plenary vote March 11, 2026
- EP pre-vote news, March 9, 2026
- EP negotiating position on CSAR, November 2023
- Legislative Train — ePrivacy Reform (updated 01/22/2026)
- Legislative Train — Combating child sexual abuse online
- Amendments approved to the Commission proposal (PDF)
- Procedure 2025/0429(COD) — Legislative Observatory
European Commission
- Work Program 2025 — COM(2025) Work Program, February 11, 2025
- Withdrawal of proposals — C/2025/5423, OJ October 6, 2025
- CSAR proposal — COM(2022) 209
Council of the European Union
EUR-Lex