Together with Heinlein Group and numerous other European technology companies, mailbox has signed an open letter taking an unequivocal stance against these plans. The goal of protecting children from abuse is undeniably of the utmost importance. However, the proposed approach endangers everyone's digital security without effectively solving the actual problem.
What is chat control and who does it affect?
The CSA Regulation would require email and messaging services to automatically scan private messages for child sexual abuse material – before encryption, on the user's device (known as client-side scanning). All communication services in the EU would be affected, including encrypted platforms. The scanning would affect every EU citizen – without cause, without suspicion, without a court order.
mailbox and Heinlein take a clear position
Peer Heinlein, founder and managing director of Heinlein Group (which includes mailbox), puts the fundamental problem clearly: "Effective encryption must never be weakened by mandated workarounds: there's no such thing as a little backdoor. If technical access points are built into an encryption system, it's only a matter of time before unauthorised parties exploit them, undermining end-to-end encryption entirely."
In an open letter dated 7 October 2025, signed by the entire Heinlein Group alongside other European technology companies, the strategic risks of the regulation are clearly outlined:
- Digital sovereignty: Europe needs its own secure digital infrastructure, particularly in an unstable world. Client-side scanning would weaken European services in global competition and increase dependence on American and Chinese monopolies.
- National security: Encryption is essential for protecting critical infrastructure. Built-in vulnerabilities would be exploited by criminals and hostile states.
- Trust as competitive advantage: Europe's high data protection standards are a hard-won competitive advantage that the CSA Regulation would destroy.
- Burden on SMEs: Small and medium-sized enterprises in particular would struggle to meet the technical and financial requirements, stifling innovation and encouraging market concentration.
- Contradictory regulation: Whilst legislation such as NIS2 and the Cyber Resilience Act aim to strengthen cybersecurity, chat control would force systemic vulnerabilities.
Germany's vote could be decisive
A qualified majority in the EU Council requires 55 per cent of member states representing 65 per cent of the EU population. Germany, as the EU's most populous country, rejected the proposal on constitutional grounds under the previous government and was crucial to the "blocking minority" that prevented chat control in December 2024. However, the new federal government's position is unclear: behind the scenes, compromises are apparently being negotiated. Even a simple abstention by Germany could be enough to give proponents the majority they need.
When holiday photos lead to investigations
Should the proposal pass, users could theoretically opt out of having their communications scanned, but only at the cost of no longer being able to send images, videos or links. The consequences of this alternative become particularly clear when you look at the details. Every private message, every photo would be analysed by machine – by algorithms with considerable error rates.
The implications: holiday photos of children on the beach could lead to false accusations. Private images would be viewed by unknown third parties. Confidential communication – whether between lawyers and clients, doctors and patients, or journalists and sources – would no longer be protected. The fact that EU governments want to exempt their own accounts from scanning for "security reasons" reveals the fundamental problem with this measure.
What happens next and the legal context
14 October is decision day in the EU Council. If the proposal is adopted, trilogue negotiations will follow – talks between the European Parliament, Council and Commission to agree on the final version. These could continue until spring 2026. If passed, member states would have 24 months to implement it. The European Court of Justice has repeatedly ruled that indiscriminate mass surveillance violates fundamental rights, but it remains to be seen whether this barrier will hold.
What users can do themselves
The coming days are crucial. Companies and individuals can still make a difference:
- Direct contact: Platforms such as fightchatcontrol.eu allow you to call national ministries and MEPs directly. Phone calls demonstrably have more impact than emails. The relevant ministries are Interior, Justice and Digital Affairs.
- Public pressure: Campaigns such as stopchatcontrol.eu offer petitions and information materials. Sharing on social media with the hashtags #chatcontrol and #StopScanningMe increases reach.
- Activate national parliaments: Members of the Bundestag or state parliaments can table resolutions putting pressure on the federal government to clarify and maintain its position.
- Prepare legal action: If the regulation is passed, constitutional complaints are possible, as European Court of Justice case law draws a clear line against indiscriminate surveillance.
Europe needs strength, not weakening
The coming weeks will show whether Europe is prepared to defend its digital sovereignty or whether it will give up its only strategic advantage in global technology competition. European providers have earned a trust advantage through data protection and security that is crucial in competing with tech giants from the US and China. Chat control would destroy precisely this advantage and push innovative companies out of the market. For mailbox, one thing is clear: Europe needs strong, trustworthy digital infrastructure, not systematic vulnerabilities in everyone's communication security.
Open letter to EU Member States on the proposed CSA regulation
Dear Ministers and Ambassadors of EU Member States,
We, the undersigned European enterprises, as well as the European DIGITAL SME Alliance - which represents more than 45.000 digital SMEs across Europe, write to you with deep concern regarding the proposed Regulation on Child Sexual Abuse (CSA). Protecting children and ensuring that everyone is safe on our services and on the internet in general is at the core of our mission as privacy-focused companies. We see privacy as a fundamental right, one that underpins trust, security and freedom online for adults and children alike. However, we are convinced that the current approach followed by the Danish Presidency would not only make the internet less safe for everyone, but also undermine one of the EU’s most important strategic goals: progressing towards higher levels of digital sovereignty.
Digital sovereignty is Europe’s strategic future
In an increasingly unstable world, Europe needs to be able to develop and control its own secure digital infrastructure, services, and technologies in line with European values. The only way to mitigate these risks is to empower innovative European technology providers.
Digital sovereignty matters for two key reasons:
- Economic independence: Europe’s digital future depends on the competitiveness of its own businesses. But forcing European services to undermine their security standards by scanning all messages, even encrypted ones, using client-side scanning would undermine users’ safety online, and go against Europe’s high data protection standards. Therefore European users - individuals and businesses alike - and global customers will lose trust in our services and turn to foreign providers. This will make Europe even more dependent on American and Chinese tech giants that currently do not respect our rules, undermining the bloc’s ability to compete.
- National security: Encryption is essential for national security. Mandating what would essentially amount to backdoors or other scanning technologies inevitably creates vulnerabilities that can and will be exploited by hostile state actors and criminals. For this exact reason, governments exempted themselves from the proposed CSA scanning obligations. Nevertheless, a lot of sensitive information from businesses, politicians and citizens will be at risk, should the CSA Regulation move forward. It will weaken Europe’s ability to protect its critical infrastructure, its companies, and its people.
The CSA Regulation will undermine trust in European businesses
Trust is Europe’s competitive advantage. Thanks to the GDPR and Europe’s strong data protection framework, European companies have built services that users worldwide rely on for data protection, security, and integrity. This reputation is hard-earned and gives European-based services a unique selling point Big Tech monopolies will never be able to match. This is one of the few, if not the only, competitive advantage Europe has over the US and China in the tech sector, but the CSA Regulation risks reversing this success.
This legal text would undermine European ethical and privacy-first services by forcing them to weaken the very security guarantees that differentiate European businesses internationally. This is particularly problematic in a context where the US administration explicitly forbids its companies to weaken encryption, even if mandated to do so by EU law.
Ultimately, the CSA Regulation will be a blessing for US and Chinese companies, as it will make Europe kill its only competitive advantage and open even wider the doors to Big Tech.
Contradictions weaken Europe’s digital ambitions
The EU has committed itself to strengthening cybersecurity through measures such as NIS2, the Cyber Resilience Act, and the Cybersecurity Act. These policies recognize encryption as essential to Europe’s digital independence. The CSA Regulation, however, must not undermine these achievements by effectively mandating systemic vulnerabilities.
It is incoherent for Europe to invest in cybersecurity with one hand, while legislating against it with the other.
European SMEs will be hit the hardest
Small and medium-sized enterprises (SMEs) would be hit hardest if obliged to implement client-side scanning. Unlike large technology corporations, SMEs often do not have the financial and technical resources to develop and maintain intrusive surveillance mechanisms, meaning compliance would impose prohibitive costs or force market exit. Moreover, many SMEs build their unique market position on offering the highest levels of data protection and privacy, which, particularly in Europe, is a decisive factor for many to choose their products over the counterparts of Big Tech. Mandating client-side scanning would undermine this core value proposition of many European companies.
This will suffocate European innovation and cement the dominance of foreign providers. Instead of building a vibrant, independent digital ecosystem, Europe risks legislating its own companies out of the market.
For these reasons, we call on you to:
- Reject measures that would force the implementation of client-side scanning, backdoors, or mass surveillance of private communications, such as we currently see in the Danish proposal for a Council position on the CSA Regulation.
- Protect encryption to strengthen European cybersecurity and digital sovereignty.
- Preserve the trust that European businesses have built internationally.
- Ensure that EU regulation strengthens, rather than undermines, the competitiveness of European SMEs.
- Pursue child protection measures that are effective, proportionate, and compatible with Europe’s strategic goal of digital sovereignty.
Digital sovereignty cannot be achieved if Europe undermines the security and integrity of its own businesses by mandating client-side scanning or other similar tools or methodologies designed to scan encrypted environments, which technologists have once again confirmed cannot be done without weakening or undermining encryption. To lead in the global digital economy, the EU must protect privacy, trust, and encryption.
Signatories:
Blacknight (Ireland)
Commown (France)
CryptPad (France)
Ecosia (Germany)
Element (Germany)
E-Foundation (France)
European Digital SME Alliance (EU trade association representing 45.000 EU SMEs)
Fabiano Law Firm (Italy)
FlokiNET (Iceland)
FFDN (France)
Gentils Nuages (France)
Hashbang (France)
Heinlein Group (Germany)
LeBureau.coop (France)
Logilab (France)
mailbox (Germany)
Mailfence (Belgium)
Mailo (France)
Murena (France)
Nextcloud (Germany)
Nord Security (Lithuania)
Nym (France / Switzerland)
Octopuce (France)
Olvid (France)
OpenCloud (Germany)
OpenTalk (Germany)
Phoenix R&D (Germany)
Proton (Switzerland)
Serendipiware (Greece)
Skylabs (Ireland)
SMSPool (Netherlands)
Sorware Ay (Finland)
Soverin (Netherlands)
Startmail (Netherlands)
Surfshark (Netherlands)
TeleCoop (France)
The Good Cloud (Netherlands)
Threema (Switzerland)
Tuta Mail (Germany)
Volla Systeme GmbH (Germany)
WEtell (Germany)
Wire (Switzerland)
XWiki SAS (France)
zeitkapsl (Austria)