The European Union is preparing legislation that would force technology companies to build backdoors into end-to-end encrypted messaging apps and extend mandatory data retention requirements to privacy-focused services across all 27 member states. The initiative, dubbed ProtectEU, has been described by digital rights experts as "Chat Control 2.0" and could make no-log services effectively illegal in Europe as early as 2026.
What Is ProtectEU?
ProtectEU is the EU's new Internal Security Strategy, formally adopted by the European Commission on April 1, 2025 (COM(2025) 148 final). On the surface, it frames itself as a response to rising terrorism threats, organized crime, and hybrid warfare. But buried within its pages is a plan that privacy advocates say fundamentally undermines the security architecture that protects hundreds of millions of Europeans online.
The strategy directs the Commission to develop a Technology Roadmap on Encryption, a technical blueprint for giving law enforcement agencies access to encrypted communications without requiring service providers to hand over plaintext. The roadmap is expected by the end of 2025, with draft legislation anticipated in June 2026.
The roadmap is being developed in close collaboration with the High-Level Group (HLG) on Access to Data for Effective Law Enforcement, an intergovernmental body that has long championed the concept of "lawful access by design." This means building access mechanisms directly into platforms at the architecture level, rather than adding them retroactively. Critics argue this is functionally identical to a backdoor, regardless of the terminology used.
The European Digital Rights (EDRi) network called the plan "a step further towards a digital dystopian future," warning that any technical backdoor built for police access will inevitably be exploited by criminal hackers and hostile intelligence services. ENISA, the EU's own cybersecurity agency, has repeatedly warned that weakening encryption increases risk rather than reducing it.
Mandatory Data Retention: The Quiet Threat
Alongside the encryption roadmap, ProtectEU proposes expanding the EU's data retention framework to explicitly cover providers of encrypted communications services, including those that currently operate on a strict no-log basis. Under current proposals, services operating in Europe could be required to log connection metadata: timestamps, server connections, and potentially subscriber identities, retaining that data for law enforcement access on demand.
For European users who rely on privacy-focused services precisely because those services collect nothing to hand over, this would represent an impossible compliance challenge. Either providers would have to start logging, destroying their core privacy promise, or they would have to exit the EU market entirely. Several major providers have already signaled they would choose exit over compliance if such requirements become law.
Why Experts Call It "Chat Control 2.0"
The nickname refers to the EU's previous attempt to mandate client-side scanning of encrypted messages, the so-called Chat Control regulation, which was rejected by member states in 2024 after widespread backlash from civil liberties organizations, security researchers, and technology companies alike. Critics argue that ProtectEU is simply Chat Control repackaged with softer language and a delayed timeline.
The fundamental cryptographic problem remains unchanged: there is no way to build a backdoor that only good actors can use. A mathematical flaw inserted to allow police access is equally accessible to Russian intelligence, Chinese state hackers, and criminal ransomware groups. This is not a theoretical concern. The Salt Typhoon breach of US telecom lawful intercept infrastructure in 2024 demonstrated precisely how backdoor mechanisms become entry points for hostile state actors.
The Broader Legislative Landscape
ProtectEU does not exist in isolation. Across the Atlantic, US lawmakers are debating similar surveillance expansion measures tied to Section 702 FISA reauthorization. In the UK, the Investigatory Powers Act has already been used to pressure Apple into weakening iCloud encryption for British users. Governments globally appear to be coordinating a push to roll back the privacy gains of the past decade.
The convergence of these initiatives across democratic governments signals that the current generation of privacy technology (strong encryption by default in messaging apps and browsers, and no-log services) faces its most serious regulatory threat since mass adoption began a decade ago.
Timeline and What Comes Next
- April 2025: ProtectEU strategy adopted (COM(2025) 148 final)
- End of 2025: Technology Roadmap on Encryption due from the Commission
- June 2026: Draft legislation expected covering encryption access and data retention
- 2027+: Potential transposition into national law across EU member states
Digital rights organizations including EDRi, Access Now, and Privacy International are coordinating opposition to the roadmap ahead of the June 2026 legislative proposal. A coalition of technology companies is expected to submit formal comments during the Commission's consultation period, which began in May 2026.
What This Means for Privacy in Europe
For everyday Europeans, the stakes are high. End-to-end encryption in apps like Signal and WhatsApp currently ensures that even the companies running those services cannot read user messages. Backdoors would change that: not just for law enforcement access, but for anyone who discovers or exploits the access mechanism. The same logic applies to private browsing tools and no-log services, which would be required to retain connection records they currently never create.
Mandatory logging requirements would eliminate one of the last remaining tools for anonymous internet use within the EU, a resource used not only by privacy-conscious consumers but also by journalists protecting sources, activists in repressive environments, and whistleblowers reporting corporate or state wrongdoing.
For users who take privacy seriously, now is the time to ensure the tools they rely on are based in jurisdictions outside the EU's regulatory reach. A no-log VPN operating under a strict privacy-first policy and headquartered outside the EU offers the strongest protection against the mandatory data retention ProtectEU envisions.