WZ-IT Logo

Chat Control: These alternatives are available for companies

Timo Wevelsiep
Timo Wevelsiep
Updated: 10.07.2026
#ChatControl #Matrix #Element #Mattermost #RocketChat #Zulip #E2EE #Encryption #GDPR #Privacy #DigitalSovereignty

Editorial note: The information in this article was compiled to the best of our knowledge at the time of publication. Technical details, prices, versions, licensing terms, and external content may change. Please verify the information provided independently, particularly before making business-critical or security-related decisions. This article does not replace individual professional, legal, or tax advice.

Chat Control: These alternatives are available for companies

Update July 10, 2026: The EU regulation on "preventing and combating child sexual abuse" - better known as Chat Control - has taken a new turn: on July 9, 2026, the attempt to stop the return of voluntary chat control failed in the EU Parliament. The reinstatement of the interim rules until 2028 is thus effectively waved through - at least with an explicit exemption for end-to-end encrypted services. The permanent regulation, meanwhile, remains stuck in the trilogue. Read on to find out what this means for companies and why self-hosted communication remains the most robust answer.


Table of Contents

Chat Control in 2026: Where Do We Stand?

A lot has happened since the original version of this article (September 2025). The key milestones:

  • October 9/14, 2025: The Danish Council Presidency takes the planned vote on mandatory scanning off the agenda - Germany's no to indiscriminate chat control made a qualified majority impossible.
  • November 26, 2025: The Council adopts its position - mandatory scanning is scrapped (and with it forced client-side scanning). In return, voluntary scanning is to be made permanent and expanded (to include text and video), plus mandatory age verification and an EU centre. A review clause lets the Commission examine after three years whether mandatory scanning should be introduced after all.
  • December 2025 to June 2026: Five trilogue rounds between Council, Parliament and Commission - without agreement. The only provisional consensus is to exempt encrypted content; indiscriminate scanning remains contested. Negotiations continue under the Irish Council Presidency, expected in September 2026.
  • April 3, 2026: The interim regulation ("Chat Control 1.0") expires after Parliament rejected an extension at the end of March - Google, Meta, Microsoft and Snap kept scanning anyway, without a legal basis.
  • July 2-9, 2026: Using a procedural trick, the Council and the Parliament's leadership bring back the textually identical old proposal. On July 9, the motion to reject it falls short of the required absolute majority in Parliament (314 votes in favor) - voluntary chat control returns until 2028. At least an amendment was adopted that explicitly exempts end-to-end encrypted services from scanning (the Council's confirmation of this change is still pending).

For companies, this means as of today: no scanning obligation for providers, E2EE services are exempt from voluntary scanning - but indiscriminate voluntary screening by the big US platforms is back, and the review clause keeps the door open for mandatory scanning. If you do not want your business communication to depend on this back and forth, move it onto your own infrastructure.

What is Chat Control?

Chat Control (officially: the CSAR Regulation) is an EU legislative project that was meant to oblige messaging services and email providers to scan all messages from their users for suspicious content - this obligation has been off the table since the Council position of November 2025, but the review clause keeps it lurking as a potential comeback. Affected would be:

  • WhatsApp, Signal, Telegram and other messengers
  • E-mail communication
  • Cloud storage and file sharing
  • Even encrypted communication is to be screened

The technical problem: client-side scanning

The proposed technology is called Client-Side Scanning (CSS). Messages and files are scanned directly on your device before they are encrypted and sent. This means that

  • End-to-end encryption is effectively undermined
  • A backdoor to all private data is created
  • The security of all EU citizens is compromised

As Patrick Breyer, former EU parliamentarian for the Pirate Party, warns: "With demonstrably false claims, the Danish Council Presidency is trying to push through the controversial Chat Control 2.0."

Why chat control is dangerous

1. Undermining the encryption

The Internet Architecture Board (IAB) clarifies: Chat Control would "impose unrestricted access to private content and thus undermine end-to-end encryption."

2. Mass surveillance

Every message, every image, every file would be scanned - without suspicion, without a court order. This is mass surveillance without cause.

3. Technical uncertainty

Over 470 scientists from 34 countries have taken a stand against chat control. The technology is prone to errors and opens the door to abuse.

4. False Positives

Automated scans produce false hits. Vacation photos of your own children could be incorrectly marked.

Germany's position

Officially, the German government rejects indiscriminate mandatory scanning. Federal Minister of Justice Stefanie Hubig put it succinctly in October 2025: "Indiscriminate chat control must be taboo in a state governed by the rule of law." That rejection derailed the planned Council vote in October 2025.

The full picture is less clear-cut, however: according to internal documents, the Federal Ministry of the Interior, which leads the Council negotiations, supports the broadest possible voluntary, indiscriminate scanning with minimal restrictions - and Germany backed both the Council position of November 2025 and the reinstatement of the interim rules in July 2026. Germany's data protection authorities, by contrast, are calling for chat control to be abandoned entirely. No one should count on a stable political no.

What does this mean for companies?

Chat control would have disastrous consequences for companies:

  • Company secrets could be compromised
  • Confidential customer data would be at risk
  • Compliance issues with GDPR and other data protection regulations
  • Industrial espionage would open the floodgates
  • Legal and medical confidentiality could no longer be guaranteed

The solution: secure, self-hosted communication

The best protection against chat control and other surveillance measures is digital sovereignty through self-hosted communication solutions. WZ-IT offers you professional implementation and operation of the following secure alternatives:

1. Matrix with element

Matrix is an open standard for secure, decentralized communication. With Element as a professional client, you get:

  • Genuine end-to-end encryption without backdoors
  • Federation between different servers
  • Complete data sovereignty on your own infrastructure
  • GDPR-compliant and auditable
  • Voice & video calls encrypted
  • ✅ Used by NATO, the German Armed Forces and the French government

2. Mattermost

Mattermost is the open source alternative to Slack and Microsoft Teams:

  • Self-hosted on your infrastructure
  • End-to-end encryption available
  • Extensive integration into existing systems
  • DevOps features and workflow automation
  • GDPR-compliant without US cloud dependency

3. Rocket.Chat

Rocket.Chat offers a flexible communication platform:

  • Omnichannel communication (chat, e-mail, social media)
  • End-to-end encryption
  • White label-capable with own branding
  • LiveChat for customer service
  • Federation between servers possible

4. Zulip

Zulip revolutionizes team communication with thread-based conversations:

  • Topic-based organization instead of chronological chaos
  • Asynchronous communication perfect for distributed teams
  • Open source and transparent
  • Mobile and desktop apps
  • Powerful search across all messages

Why self-hosted solutions?

Complete control

You retain complete control over your data. No cloud providers, no third-party providers, no hidden access.

No back doors

Open source software is transparent and auditable. The code can be checked by experts - backdoors are ruled out.

GDPR-compliant

All data remains in Germany or your desired jurisdiction. No transfers to unsafe third countries.

Independence

No vendor lock-in, no dependence on US companies, no sudden price increases or service closures.

Act now: Protect your corporate communications

The permanent regulation has not been adopted yet - but voluntary chat control is back, and the development clearly shows that digital privacy is under attack. Companies that rely on secure, self-hosted solutions now are not only protected from chat control, but also from:

  • Industrial espionage
  • Data leaks
  • Compliance violations
  • Reputational damage

Our services for your secure communication

WZ-IT supports you in the implementation of secure communication solutions:

Consulting & conception

Installation & Setup

  • On-premise in your data center
  • Private cloud on dedicated servers
  • Hybrid solutions according to your requirements
  • Integration into existing IT infrastructure (LDAP, SSO, etc.)

Operation & maintenance

  • 24/7 monitoring
  • Automatic backups
  • Security updates
  • Performance optimization
  • SLA with guaranteed availability

Training & Support

  • Employee training
  • Admin training
  • Documentation
  • Personal contact person

Conclusion: Digital sovereignty is not a luxury, but a necessity

The Chat Control Regulation clearly shows that encryption and privacy can no longer be taken for granted. Companies that want to protect their communications must act now.

With self-hosted solutions such as Matrix, Mattermost, Rocket.Chat or Zulip, you not only secure your data, but also your independence and digital sovereignty.

"Privacy is not a crime - it is a fundamental right."

Get in touch with us

Would you like to secure your corporate communications? We will be happy to advise you on suitable solutions.

Arrange a free initial consultation


Frequently Asked Questions

Answers to important questions about this topic

No. The permanent CSA Regulation is still in trilogue negotiations; the fifth round on June 29, 2026 ended without agreement. All that was adopted is the return of the interim rules: providers may voluntarily scan for abuse material - there is no obligation to scan.

No. Mandatory detection orders were removed from the Council position of November 26, 2025. On July 9, 2026, the EU Parliament also pushed through an explicit exemption of end-to-end encrypted services from voluntary scanning.

Mandatory client-side scanning is not part of any version currently under negotiation; in the trilogue, the institutions have provisionally agreed to exempt encrypted content. However, a review clause obliges the EU Commission to assess after three years whether mandatory scanning should be introduced after all - so the issue can come back.

The old derogation expired on April 3, 2026. The Council (July 2, 2026) and Parliament (July 9, 2026) have put its reinstatement without substantial changes on track until 2028 - or until the permanent CSA Regulation enters into force.

Officially, Germany rejects indiscriminate mandatory scanning - that rejection derailed the planned Council vote in October 2025. However, the Federal Ministry of the Interior, which leads the negotiations, supports broad voluntary scanning and backed both the Council position of November 2025 and the reinstatement of the interim rules in 2026.

The trilogue negotiations continue under the Irish Council Presidency (second half of 2026), with the next round expected in September 2026. The main point of contention remains whether indiscriminate voluntary scanning will be enshrined permanently.

Timo Wevelsiep

Written by

Timo Wevelsiep

Co-Founder & CEO

Co-Founder of WZ-IT. Specialized in cloud infrastructure, open-source platforms and managed services for SMEs and enterprise clients worldwide.

LinkedIn

Let's Talk About Your Idea

Whether a specific IT challenge or just an idea - we look forward to the exchange. In a brief conversation, we'll evaluate together if and how your project fits with WZ-IT.

E-Mail
[email protected]

Leading companies trust WZ-IT

  • Rekorder
  • Keymate
  • Führerscheinmacher
  • SolidProof
  • ARGE
  • Boese VA
  • nextGYM
  • Maho Management
  • Golem.de
  • Millenium
  • Paritel
  • Yonju
  • EVADXB
  • Mr. Clipart
  • Aphy
  • Negosh
  • ABCO Water Systems
Timo Wevelsiep & Robin Zins - CEOs of WZ-IT

Timo Wevelsiep & Robin Zins

Managing Directors of WZ-IT

1/3 - Topic Selection33%

What is your inquiry about?

Select one or more areas where we can support you.