Open letter to EU Member States on the proposed CSA Regulation or «Chat Control» law

Nextcloud joins dozens of European technology companies and the European Digital SME Alliance in urging the EU member states to reject CSA Regulation also known as the “Chat Control“ law. 

Europe should protect encryption and the fundamental right to privacy, while building trust in the European providers.

Read the full text of the open letter and find the list of signatories below.

Dear Ministers and Ambassadors of EU Member States,

We, the undersigned European enterprises, as well as the European DIGITAL SME Alliance –
which represents more than 45.000 digital SMEs across Europe, write to you with deep concern
regarding the proposed Regulation on Child Sexual Abuse (CSA). Protecting children and
ensuring that everyone is safe on our services and on the internet in general is at the core of our
mission as privacy-focused companies. We see privacy as a fundamental right, one that
underpins trust, security and freedom online for adults and children alike. However, we are
convinced that the current approach followed by the Danish Presidency would not only make
the internet less safe for everyone but also undermine one of the EU’s most important strategic
goals: progressing towards higher levels of digital sovereignty.

Digital sovereignty is Europe’s strategic future
In an increasingly unstable world, Europe needs to be able to develop and control its own secure
digital infrastructure, services, and technologies in line with European values. The only way to
mitigate these risks is to empower innovative European technology providers.
Digital sovereignty matters for two key reasons:

• Economic independence: Europe’s digital future depends on the competitiveness of its own businesses. But forcing European services to undermine their security standards by scanning all messages, even encrypted ones, using client-side scanning would undermine users’ safety online and go against Europe’s high data protection standards. Therefore, European users – individuals and businesses alike – and global customers will lose trust in our services and turn to foreign providers. This will make Europe even more dependent on American and Chinese tech giants that currently do not respect our rules, undermining the bloc’s ability to compete.
• National security: Encryption is essential for national security. Mandating what would essentially amount to backdoors or other scanning technologies inevitably creates vulnerabilities that can and will be exploited by hostile state actors and criminals. For this exact reason, governments exempted themselves from the proposed CSA scanning obligations. Nevertheless, a lot of sensitive information from businesses, politicians and citizens will be at risk, should the CSA Regulation move forward. It will weaken Europe’s ability to protect its critical infrastructure, its companies, and its people.

The CSA Regulation will undermine trust in European businesses
Trust is Europe’s competitive advantage. Thanks to the GDPR and Europe’s strong data protection framework, European companies have built services that users worldwide rely on for data protection, security and integrity. This reputation is hard-earned and gives European-based services a unique selling point Big Tech monopolies will never be able to match. This is one of the few, if not the only competitive advantage Europe has over the US and China in the tech sector, but the CSA Regulation risks reversing this success.
This legal text would undermine European ethical and privacy-first services by forcing them to weaken the very security guarantees that differentiate European businesses internationally. This is particularly problematic in a context where the US administration explicitly forbids its companies to weaken encryption, even if mandated to do so by EU law1.
Ultimately, the CSA Regulation will be a blessing for US and Chinese companies, as it will make Europe kill its only competitive advantage and open even wider the doors to Big Tech.

Contradictions weaken Europe’s digital ambitions
The EU has committed itself to strengthening cybersecurity through measures such as NIS2, the Cyber Resilience Act, and the Cybersecurity Act2. These policies recognize encryption as essential to Europe’s digital independence. The CSA Regulation should not undermine these achievements by effectively mandating systemic vulnerabilities.
It is incoherent for Europe to invest in cybersecurity with one hand, while legislating against it with the other.

European SMEs will be hit the hardest
Small and medium-sized enterprises (SMEs) would be hit hardest if obliged to implement client-side scanning. Unlike large technology corporations, SMEs often do not have the financial and technical resources to develop and maintain intrusive surveillance mechanisms, meaning compliance would impose prohibitive costs or force market exit. Moreover, many SMEs build their unique market position on offering the highest levels of data protection and privacy; which particularly in Europe is a decisive factor for many to choose their products over the counterparts of Big Tech. Mandating client-side scanning would undermine this core value proposition of many European companies.
This will suffocate European innovation and cement the dominance of foreign providers. Instead of building a vibrant, independent digital ecosystem, Europe risks legislating its own companies out of the market.

For these reasons, we call on you to:

• Reject measures that would force the implementation of client-side scanning, backdoors, or mass surveillance of private communications, such as we currently see in the Danish proposal for a Council position on the CSA Regulation.
• Protect encryption to strengthen European cybersecurity and digital sovereignty.
• Preserve the trust that European businesses have built internationally.
• Ensure that EU regulation strengthens, rather than undermines, the competitiveness of European SMEs.
• Pursue child protection measures that are effective, proportionate, and compatible with Europe’s strategic goal of digital sovereignty.

Digital sovereignty cannot be achieved if Europe undermines the security and integrity of its own businesses by mandating client-side scanning or other similar tools or methodologies designed to scan encrypted environments, which technologists have once again confirmed cannot be done
without weakening or undermining encryption. To lead in the global digital economy, the EU must protect privacy, trust, and encryption.

Signatories (as of October 7, 2025):

Sources:

FTC Chairman Ferguson Warns Companies Against Censoring or Weakening the Data Security of Americans at the Behest of Foreign Powers. (2025, August 21). Federal Trade Commission. https://www.ftc.gov/news-events/news/press-releases/2025/08/ftc-chairman-ferguson-warns-companies-against-censoring-or-weakening-data-security-americans-behest

European Commission. (2024). A Europe fit for the digital age. Commission.europa.eu. https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/europe-fit-digital-age_en