On 26 November 2025, the Council reached a long-delayed position on the draft regulation to prevent and combat online child sexual abuse (CSA), signalling renewed momentum in a legislative process that had been stalled for years over privacy, encryption, and surveillance concerns.

Core elements of the Council’s position

The agreement sets out obligations for online platforms to assess the risk that their services could be misused for the dissemination of child sexual abuse material (CSAM) or for grooming, and it empowers national authorities to order the removal or blocking of illegal content. It also confirms the creation of a new EU agency (the EU Centre on Child Sexual Abuse) to support implementation, maintain a central database of verified CSAM indicators, and channel reports to Europol and national law enforcement.

The Council text introduced three risk categories for online services allowing proportional obligations, particularly for high-risk platforms, which could be required to contribute to the development of mitigation technologies. Victims would be able to request the removal or disabling of content depicting them, with the EU Centre checking whether providers comply. The Council also decided to make permanent the existing temporary regime (which would otherwise expire in April 2026) that allows providers to voluntarily scan for CSAM.

From mandatory detection orders to a softening approach

This shift was closely linked to political developments in the Danish Council Presidency. Earlier in the year, Denmark had attempted to revive mandatory detection orders, even for end-to-end encrypted services, as foreseen in the Commission’s 2022 proposal. Strong opposition from several Member States, coupled with concerns about compatibility with EU data-protection rules and the risk of mass surveillance, made an agreement in the Council impossible. In particular, the German government and the German Lawyer Association expressed their concerns regarding the introduction of mandatory CSAM detection orders for online platforms, including services protected by end-to-end encryption. In autumn 2025, Denmark had formally abandoned the push for mandatory scanning and steered the Council toward a compromise centred on voluntary detection and risk-mitigation obligations.

The Council’s position also brought the file back full circle to the Commission’s original proposal of May 2022, which had been framed as a response to the rapid growth of online CSAM and the inadequacy of the voluntary-only system in place at the time. As reported by eucrim (→ eucrim 2/2022, 91-92), the 2022 draft regulation was conceived as a comprehensive framework combining two elements:

• Obligations for providers to detect, report, remove, and block CSAM;
• The establishment of the EU Centre as a decentralised agency providing verified indicators, technological support, and operational coordination.

However, the detection-order mechanism at the heart of the original proposal quickly became the focal point of intense criticism, with NGOs, academics, privacy advocates, and several Member States warning that it risked creating a de facto system of blanket communications surveillance, including within encrypted channels (→eucrim 1/2023, 13-14).

Next steps

The Council’s 2025 position reflects this debate. It preserves the structural elements of the 2022 proposal – risk assessment, risk mitigation, removal orders, oversight mechanisms, and the EU Centre – while deliberately excluding mandatory detection orders. The latter is in conflict with the Commission's and European Parliament's position (the EP had already adopted its position in 2023 (→eucrim 3/2023, 246)). However trilogue negotiations started on 9 December 2025.

In parallel, on 19 December 2025, the Commission tabled a proposal to extend the interim regulation governing the voluntary control of child abuse content (due to expire on 3 April 2026) until 3 April 2028.

The Commission proposal for long-term rules to prevent and combat child abuse is currently one of the most controversial legislative dossiers in Brussels in the area of justice and home affairs. The European Parliamentary Research Service (EPRS) monitors the debate and regularly updates on the different positions.