Child Safety at Risk as EU CSAM Detection Law Lapses, Reporting Concerns Rise

The European Union’s temporary derogation that permitted online services to scan private communications for child sexual abuse material (CSAM) expired on 3 April 2026, leaving a regulatory vacuum. Introduced in 2021 under the ePrivacy framework, the measure authorized the use of hash‑matching and other forensic tools that can flag known illegal files without exposing user content. Proponents argue that this approach strikes a balance between child safety and privacy, as the technology compares encrypted hashes rather than reading messages. With the legal basis now gone, providers must decide whether to continue these practices at their own risk.

The cessation of a clear legal mandate is expected to translate into a steep decline in CSAM reports submitted to law‑enforcement agencies. In 2025, Europol processed roughly 1.1 million tips from the U.S. National Center for Missing & Exploited Children, supporting investigations in 24 European states. Historical data show that the 2021 lapse already produced a measurable drop in submissions, underscoring the dependence of police work on platform cooperation. Fewer reports mean fewer digital fingerprints for investigators, slowing the identification of perpetrators and the rescue of victims.

Tech giants such as Google, Meta, Microsoft and Snap have publicly pledged to maintain voluntary detection, citing two decades of experience and the essential role of hash‑matching in curbing the circulation of abusive content. Nevertheless, industry leaders warn that ad‑hoc efforts cannot replace a stable, EU‑wide framework, which would provide legal certainty and protect companies from litigation. Policymakers face pressure to craft legislation that preserves privacy safeguards while granting explicit authority for child‑protection tools. Until such a regime is enacted, the gap threatens both online safety and the credibility of the EU’s digital strategy.