TL;DR:
Several EU countries are quietly pushing to weaken encryption through laws like the CSA Regulation, which mandates client-side scanning. France, Ireland, and Belgium lead the charge for backdoors, while Germany, Austria, the Netherlands, Finland, and the Czech Republic resist. The fight over encryption is now playing out through obscure Council votes and vague “lawful access” language. What looks like child protection on paper risks becoming mass surveillance in practice. Czechia, where I’m relocating, remains cautiously privacy-aligned—for now.
The Return of Lawful Access: Why the EU’s Encryption Roadmap Is a Trojan Horse
On April 1st, the European Commission released its five-year internal security strategy, ProtectEU. Buried among its various goals — from fighting terrorism to improving border control — lies a quiet but deeply troubling initiative: a “Technology Roadmap on Encryption.”
The debate over encryption in the EU is no longer hypothetical. While public statements still pay lip service to privacy, the reality beneath the surface is that several EU member states are quietly laying the groundwork to weaken, bypass, or override end-to-end encryption. Others are pushing back. And the difference between those two camps will shape the future of secure communication in Europe.
The Trojan Horse: CSA Regulation (Chat Control)
The CSA Regulation is the most visible attempt to undermine encryption in the EU today. Pitched as a child safety measure, it would mandate client-side scanning of private messages and content, before encryption is applied. That effectively turns devices into surveillance tools.
End-to-End Encryption Under Fire: The Trojan Horse of “Public Safety”
On 11 October 2020, a coalition of governments led by major Western powers issued an International Statement on End-to-End Encryption and Public Safety. At first glance, it reads like a balanced attempt to reconcile privacy and national security. In reality, it’s a diplomatically worded attempt to undermine strong encryption — dressed up as a plea for “lawful access.”
The European Commission is pushing hard. So are some governments. But resistance is building.
Who’s Pushing for Backdoors?
Let’s name names.
🇫🇷 France
Wants "balanced solutions" — code for encryption with access mechanisms.
Historically aggressive on surveillance post-Charlie Hebdo.
Leads the “lawful access” camp within the Council.
🇮🇪 Ireland
Justice Minister Jim O’Callaghan has been publicly hostile to privacy protections, claiming the rights of the accused and of suspects are over-prioritised.
Has supported the CSA proposal and client-side scanning in Council discussions.
🇧🇪 Belgium
Backed the original CSA push.
Quietly supports stronger surveillance powers in EU-wide decisions.
🇵🇱 Poland and 🇭🇺 Hungary
Expected to exploit any legal backdoors for internal political control.
While not vocal, they're unlikely to resist CSA-style regulations.
Who’s Pushing Back?
Some member states are showing real backbone.
🇩🇪 Germany
Constitutional and civil society resistance is strong.
Has openly questioned the legality and proportionality of Chat Control.
Internal pushback from Greens, FDP, and privacy commissioners.
🇦🇹 Austria
Consistently vocal in Council against client-side scanning.
Rejects any mandate that would break end-to-end encryption.
🇳🇱 Netherlands
Resists EU-wide mandates that bypass local judicial oversight.
Generally pro-encryption, careful with data sovereignty.
🇫🇮 Finland and 🇸🇮 Slovenia
Have taken stances in favour of protecting encryption and privacy, especially in context of fundamental rights.
🇨🇿 Czech Republic
Quiet but steady resistance.
No laws mandating backdoor access.
Opposed or abstained in Council votes on CSA Regulation.
Law enforcement can compel access for telecoms in limited circumstances, but there is no mandate to break encryption for general platforms.
What This Means for Users and Companies
The language is getting sneakier: “balanced access,” “technical neutrality,” “child protection.” But the outcome is clear. If backdoors are mandated or “technical access” becomes law, encryption is no longer encryption. It’s just theatre.
Companies like Signal, Proton, Tuta, or PrivID will face legal pressure not to secure users but to surveil them. And once one country folds, the enforcement creep begins.
What to Watch
Council of the EU meetings: Votes on CSA are ongoing and frequently reshaped.
Domestic laws with vague “lawful access” terms.
Statements from justice or interior ministers — they often reveal more than the draft legislation does.
Final Thought
This is about power, nothing more, nothing less. Secure encryption protects not just data, but autonomy. The fact that the fight is happening through obscure Council votes and bland press releases tells you everything about how dangerous this is.