INDUSTRY
Chat Control, the encryption line, and where your organisation’s plaintext actually lives
6 min read
On 9 July more MEPs voted to kill Chat Control 1.0 than to keep it — and it survived on a threshold. It is not law, and it never mandated scanning. What the vote did settle is that Europe’s legal line now runs through one architectural question: on whose server does a readable copy of your message come to rest?
On 9 July 2026 in Strasbourg, more members of the European Parliament voted to kill Chat Control 1.0 than to keep it — 314 to 276, with 17 abstentions — and it survived anyway. Rejecting a Council position at second reading requires an absolute majority of all members, not merely of those in the room (Parliament put the bar at 360; much of the press reported 361), so 314 fell some forty votes short. A file that a majority of the voting chamber opposed moved forward on a threshold. Almost everything written about it since has been wrong in the same two ways — and if you are responsible for an organisation’s communications, both errors matter.
Two things nearly every headline got wrong
The first is calling it law. It is not. Because Parliament amended the Council’s position, the text goes back to the Council, which has three months to accept or reject those amendments; if it does not accept all of them, the file goes to a conciliation committee. Nothing has been enacted and no provider has been granted anything. The second is calling it an extension. Chat Control 1.0 — Regulation (EU) 2021/1232 — expired on 3 April 2026, after Parliament refused to extend it on 26 March. July was an attempt to revive a lapsed law, not to roll a live one forward, and the proposed new end date of 3 April 2028 is exactly that: proposed.
What the law actually says
Chat Control 1.0 is a derogation, not a mandate. It suspends parts of the ePrivacy Directive so that providers of number-independent interpersonal communications services may voluntarily scan for child sexual abuse material. It has never obliged anyone to scan. It expressly does not cover audio. And its own recital 25 states that nothing in it “should be interpreted as prohibiting or weakening end-to-end encryption”. The mandatory version — detection orders, the proposal widely called Chat Control 2.0 — is a separate file that still has not been adopted, with negotiations resuming in September. Take one thing from the legal detail: the fight was never about whether encryption is banned. It is about who may read what, on whose server.
Encryption became the boundary line
The amendments Parliament did adopt came from Renew Europe, and they exclude from the law’s scope “communications to which end-to-end encryption is, has been or will be applied”. Those amendments cleared the very absolute-majority bar the rejection motion missed. Critics call the carve-out largely symbolic — providers running end-to-end encryption were not content-scanning in the first place — and the Council may still refuse it. That criticism is fair. But something durable was established regardless: when Europe’s legislature reached for a line, the line it drew was whether a message is readable on a server. That distinction is now load-bearing in European communications law, and it is an architectural one, not a policy one.
Vendor server · readable
Vendor server · ciphertext + metadata
Your server · inside your perimeter
The question underneath the politics
Strip the politics out and every one of these fights — voluntary scanning, lawful access, a vendor’s policy update, a foreign court order — turns on a single question that has nothing to do with anyone’s opinion: where does a readable copy of the conversation come to rest, and whose control plane is it in? If your organisation’s messages exist in plaintext on a third party’s server, then the policy governing them is that third party’s policy and the jurisdiction is that third party’s jurisdiction, and both can change without asking you. Encryption in transit does not alter this. It protects the wire, not the destination.
The other thing that happened this week
On 10 July, Progress told ShareFile customers to physically power off the Windows servers hosting their Storage Zone Controllers over what it described as a credible external security threat, and disabled the accounts that used them. No patch, no restart date. Storage Zone Controllers are precisely the component sold as “keep your data on your own infrastructure” — and the customers who had done exactly that still had no say in whether the service kept running. Data on your disks inside someone else’s control plane is not sovereignty. It is a hosting arrangement with a flattering diagram.
What this does — and does not — mean for an enterprise
Be careful with the conclusion, because there is a dishonest version of it. The derogation reaches publicly available number-independent interpersonal communications services — consumer messengers, in practice. A platform an organisation self-hosts for its own staff is a different category, and it gains nothing from that fact: Chat Control 1.0 confers a permission to scan, never a duty to scan. There is no obligation here to escape, and self-hosting would escape nothing in any case — criminal law, the GDPR and the DSA apply exactly as they did before. Anyone selling on-premise software as a way around child-protection law is selling you something false.
What self-hosting changes is narrower and far more useful: who decides. Where the plaintext rests. Who holds the keys. What the retention rule is. Who can be compelled, and by whom. And — as ShareFile customers learned on Friday — who gets to switch it off. None of those questions has a policy answer. They all have an architecture answer.
Sovereign by design, honest about the cost
Talky is the answer we built for our own communications and now run for other organisations: a communications workspace rather than a meeting tool — video conferencing in three room types, messaging and DMs, the ArpBoard whiteboard, calendar, notes, file sharing, screen share and recording. AES-256 encryption, a lobby, room-lock and RBAC keep each session under control, and it deploys on-premise behind your own SSO, reachable from web, iOS, Android and desktop. The plaintext rests on your servers for the simple reason that they are your servers.
And the honest half: that is a commitment, not a checkbox. You run it, you patch it, you back it up. The matrix above says so plainly, including the row where self-hosting loses. Sovereignty is an operating posture you keep paying for — which is precisely why it is still standing after the next policy change.
Encryption decides who can read the message. Architecture decides who can change the rules.
In Türkiye the requirement is already written down. The 2019/12 Presidential Circular on Information and Communication Security counts communication records among the critical data that must be held inside the country, and tells public bodies their data may not sit in cloud storage other than their own systems or those of institution-controlled domestic providers. The Cybersecurity Law No. 7545, in force since 19 March 2025, directs public bodies and critical-infrastructure operators to prefer domestic and national products. And because the Authority has to date issued no adequacy decision for any country, cross-border transfer under the KVKK runs in practice on standard contracts notified to the Authority. For a great many Turkish institutions, on-premise is not a preference — it is the shape of the obligation. Talky, from Arpanet Bilişim A.Ş., was engineered for the KVKK from its first line. Pricing depends on your deployment and scale — contact us and we will scope it with you.