Commission proposes extending interim CSAM detection rules until 2028

The European Commission has put forward a proposal to extend the EU’s Interim Regulation allowing online service providers to voluntarily detect and report child sexual abuse material. The extension would run until April 2028, aiming to avoid a legal gap while negotiations on permanent legislation continue.
Commission proposes extending interim CSAM detection rules until 2028

The European Commission has proposed amending Regulation (EU) 2021/1232 to extend its period of application until 3 April 2028. The Interim Regulation provides a temporary and narrowly defined derogation from certain provisions of the ePrivacy Directive, enabling providers of number-independent interpersonal communications services to voluntarily use specific technologies to detect and report online child sexual abuse and to remove child sexual abuse material from their services.

The Interim Regulation was originally adopted as a stopgap measure pending the adoption of a long-term EU legal framework to prevent and combat child sexual abuse online. Its application period, initially set to expire in August 2024, was already extended once and is currently due to end on 3 April 2026. According to the Commission, ongoing interinstitutional negotiations on the proposed permanent regulation, first introduced in May 2022, are unlikely to conclude in time for the new rules to enter into force before the current expiry date.

The proposed extension is presented as a limited and targeted measure to ensure continuity. Without it, providers would no longer be able to carry out voluntary detection and reporting activities under EU law once the Interim Regulation expires. The Commission argues that such an interruption would undermine efforts to combat online child sexual abuse and create legal uncertainty for service providers operating across the internal market.

The proposal does not alter the substance of the existing Interim Regulation. It extends only its duration, maintaining the requirement that any data processing must remain strictly necessary for the stated purpose and continue to comply with the General Data Protection Regulation. The Commission also stresses that the extension is coherent with other EU digital legislation, including the Digital Services Act, and does not affect ongoing negotiations on revisions to the ePrivacy framework.

From a legal perspective, the proposal is based on Articles 16 and 114 of the Treaty on the Functioning of the European Union, the same legal bases as the original Interim Regulation. The Commission maintains that EU-level action is necessary to preserve a uniform legal framework across member states and that the extension is proportionate, as it is limited to the period deemed necessary for the adoption of the long-term legislation.

The proposal will now be examined by the European Parliament and the Council under the ordinary legislative procedure. If adopted, the amended regulation would enter into force immediately after publication in the Official Journal and apply until April 2028, unless the long-term legal framework is agreed and takes effect earlier.

Civil Society Alliances for Digital Empowerment (CADE) is a project co-funded by the European Union.

Civil Society Alliances for Digital Empowerment (CADE) 2024. All rights reserved.

This website is co-funded by the European Union. Its contents are the sole responsibility of CADE and do not necessarily reflect the views of the European Union.

Web accessibility | Privacy policy

Go to Top