The EU ePrivacy Derogation Has Lapsed. Here’s What That Means for Your CSAM Detection Program.
On April 3, 2026, the European Union allowed its temporary derogation to the ePrivacy Directive to expire without replacement. The practical effect: tech companies operating interpersonal communication services in the EU lost the clear, harmonised legal basis they had relied on to voluntarily detect and remove CSAM. The permanent Child Sexual Abuse Regulation (CSAR) that was supposed to provide that framework has stalled, leaving a gap.
For Trust & Safety and compliance teams at content platforms, this creates an immediate question: what do we do now? The answer depends heavily on your platform’s architecture, the nature of the communications you host, and where your users are located. But the regulatory trajectory outside the EU points firmly toward more detection obligation, not less.
What the ePrivacy Derogation Actually Covered
EU privacy law generally restricts the scanning of interpersonal communications. The derogation created a temporary carve-out, allowing platforms to use privacy-preserving detection tools (perceptual hashing, hash-matching against IWF and NCMEC databases, AI-based classifiers) to identify CSAM in those communications voluntarily.
Without that derogation, platforms face legal ambiguity about whether even voluntary, privacy-preserving CSAM scanning of communications content is permissible under EU law. The IWF, which holds one of the most authoritative CSAM hash databases in the world and counts CaseScan as a member, has described the situation plainly: companies in the EU no longer have the legal basis to protect children online effectively.
The practical consequences aren’t hypothetical. During a comparable period of legal uncertainty in 2020, CSAM reports from EU-based services dropped 58% in 18 weeks. That figure reflects detection capacity collapsing, not abuse declining.
What This Means for Platforms Right Now
The impact varies by platform type. File hosting, image sharing, and UGC platforms that scan uploads rather than communications content sit in a somewhat different position than messaging services. The ePrivacy Directive’s stricter restrictions apply specifically to interpersonal communications. But the legal landscape is unsettled enough that any platform with EU users and communication features should be getting legal counsel on current obligations.
Two things are clear regardless of how the EU situation resolves:
- NCMEC reporting requirements remain in force for US-based platforms and companies with US nexus. NCMEC received 36.2 million CyberTipline reports in 2023, more than double the 2019 level (16.9 million), though more recent data shows 20.5 million in 2024 and 21.3 million in 2025, with NCMEC noting bundling changes and underreporting concerns. Under 18 U.S.C. 2258A, US providers must report to NCMEC when they become aware of apparent CSAM on their platforms. Scaling back detection may reduce visibility, but it does not remove reporting duties once a platform becomes aware of apparent CSAM.
- The UK Online Safety Act imposes illegal-content duties on in-scope services, including CSAM risk assessment, proportionate mitigation measures, and swift takedown once illegal content is identified. Ofcom enforcement powers include significant fines. The OSA is not contingent on the EU’s regulatory trajectory.
The direction of travel globally is toward mandatory detection with enforceable consequences. The EU situation is a setback, not a signal that the compliance calculus has changed.
The CSAR and What Comes Next
The proposed EU Child Sexual Abuse Regulation has been politically contentious primarily because its original scope included client-side scanning of encrypted communications, a provision that drew opposition from privacy advocates, security researchers, and several member states. That dispute has slowed the entire regulation, leaving the ePrivacy derogation to expire without a successor in place.
The IWF and child safety organisations have been explicit that the impasse on encryption scanning should not block a framework covering detection in non-encrypted contexts. Whether the EU legislates a narrower version of the CSAR that sidesteps the encryption question remains to be seen, but the political pressure to restore some legal basis for voluntary detection is genuine.
In the interim, platforms should be documenting their detection programs thoroughly. If a new EU framework arrives, platforms that can demonstrate an existing, well-governed CSAM detection capability will be better positioned to comply quickly than those that let their programs atrophy during the gap.
Why Detection Strategy Matters More Than the Regulatory Gap
One operational reality that the EU debate tends to obscure: hash matching alone was never sufficient, even when the legal environment was clear. As covered in our earlier piece on why hash matching won’t stop AI-generated CSAM, the NCMEC CyberTipline recorded a 1,325% increase in CSAM reports involving generative AI in 2024 alone. Novel or AI-generated CSAM cannot be caught by hash matching alone. It requires additional layers: AI classifiers, human review, user reporting, and other detection workflows.
Platforms re-evaluating their detection programs in light of the EU situation should be asking two distinct questions: what are we legally required to scan, and what are we actually capable of detecting? The gap between the two answers represents real exposure, particularly as plaintiff attorneys and state attorneys general have grown more willing to pursue platforms on child safety grounds.
The New Mexico jury’s $375 million verdict against Meta in March 2026 is the clearest recent signal of where that enforcement appetite is heading.
Detection that covers known CSAM via perceptual hashing and unknown or AI-generated CSAM via deep-learning classification provides the most defensible posture, technically and legally. CaseScan’s API handles both: billions of files per day, P95 latency under one second, a false-positive rate verified at 1 in 45 million images in Maximum Precision mode. The Zero Media Retention architecture means files are processed in volatile memory and never stored, which matters for platforms managing GDPR data minimisation obligations alongside their detection programs.
Build the Program Now, Not When the Regulation Arrives
Regulatory frameworks have consistently followed platforms that invested in detection ahead of mandates, rather than scrambling to retrofit compliance after the fact. The EU’s legislative gap is frustrating for child safety advocates and for platforms that want legal clarity. But it doesn’t change the underlying risk calculus for global platforms operating under UK and US law.
Platforms that treat the EU situation as an opportunity to pause their detection programs will be behind when CSAR or its successor arrives, and exposed in the meantime.
To see how CaseScan performs in your environment, book a demo.
Frequently Asked Questions
What is the EU ePrivacy derogation and why did it matter for CSAM detection?
The ePrivacy Directive generally restricts the scanning of interpersonal communications in the EU. The temporary derogation created a legal carve-out allowing platforms to voluntarily use privacy-preserving tools (hash matching, AI classifiers) to detect CSAM in those communications. When it expired on April 3, 2026, platforms lost that clear legal basis, creating uncertainty about whether voluntary scanning remains permissible under EU law.
Does the EU ePrivacy derogation lapse affect platforms outside the EU?
Not directly. Platforms with EU users hosting interpersonal communications face the legal uncertainty; platforms in the US and UK remain subject to their own obligations. US platforms must report apparent CSAM to the NCMEC CyberTipline when they become aware of it, and UK in-scope services face illegal-content duties under the Online Safety Act including risk assessment, proportionate mitigation, and swift takedown. The EU situation does not create permission to reduce detection globally.
What is the difference between CSAM detection via hash matching and AI-based detection?
Hash matching compares uploaded files against databases of known CSAM. A cryptographic hash matches only a byte-identical file, so any re-encoding, resize or crop defeats it; a perceptual hash is derived from the image's visual structure and tolerates those changes, at the cost of a small but non-zero false-match rate and of being evadable by heavier edits. Either way, hash matching catches only material that has previously been identified and hashed, and misses anything that has never entered those databases, including newly produced (first-generation) material and AI-generated CSAM. AI-based deep-learning classifiers score novel content on its visual characteristics, regardless of whether it appears in any hash database, which is why a production-grade detection program needs both.
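The following is an added example, not CaseScan code and not a description of any production hash database. It implements dHash, one common perceptual hash, next to SHA-256 over constructed synthetic grayscale images, and shows the three cases the answer above describes: a re-encoded copy of a known file (brightened, with a small watermark) fails the cryptographic match but passes the perceptual match, while a wholly novel image matches neither. The 9x8 downsample, the 64-bit hash and the match threshold of 10 differing bits are illustrative assumptions, and the pixel patterns are synthetic test data.

```python
"""Perceptual vs. cryptographic hash matching on constructed grayscale images.

Added example, not CaseScan code. dHash (difference hash) is one common
perceptual hash; the 9x8 downsample, 64-bit size and 10-bit match threshold
are assumptions chosen for illustration, not any vendor's parameters.
"""
import hashlib
import random
from typing import List

Image = List[List[int]]  # rows of 8-bit grayscale pixel values

HASH_W, HASH_H = 9, 8    # 8 horizontal comparisons per row x 8 rows = 64 bits
MATCH_THRESHOLD = 10     # assumed: <= 10 differing bits counts as a match


def resize_nearest(img: Image, w: int, h: int) -> Image:
    """Nearest-neighbour downsample (real systems use area or bicubic filters)."""
    src_h, src_w = len(img), len(img[0])
    return [[img[y * src_h // h][x * src_w // w] for x in range(w)]
            for y in range(h)]


def dhash(img: Image) -> int:
    """Difference hash: one bit per pixel that is brighter than its right neighbour.

    Brightness shifts preserve every comparison, which is why the hash survives
    re-encoding; a cryptographic hash does not.
    """
    bits = 0
    for row in resize_nearest(img, HASH_W, HASH_H):
        for x in range(HASH_W - 1):
            bits = (bits << 1) | int(row[x] > row[x + 1])
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def sha256_image(img: Image) -> str:
    """Cryptographic fingerprint of the raw pixel bytes (exact match only)."""
    return hashlib.sha256(bytes(px for row in img for px in row)).hexdigest()


def perceptual_match(img: Image, known_hashes: List[int]) -> bool:
    h = dhash(img)
    return any(hamming(h, k) <= MATCH_THRESHOLD for k in known_hashes)


def exact_match(img: Image, known_digests: List[str]) -> bool:
    return sha256_image(img) in known_digests


# --- constructed sample inputs: synthetic 32x32 patterns, not real media ---
SIZE = 32


def synthetic_known() -> Image:
    """Smooth structured pattern; values stay <= 183 so brightening never clips."""
    return [[3 * x + 2 * y + (x * y) % 29 for x in range(SIZE)] for y in range(SIZE)]


def brightened_and_watermarked(img: Image) -> Image:
    """Simulates a re-shared copy: +15 brightness plus a white 4x4 corner stamp."""
    out = [[min(255, px + 15) for px in row] for row in img]
    for y in range(SIZE - 4, SIZE):
        for x in range(4):
            out[y][x] = 255
    return out


def synthetic_novel() -> Image:
    """Unrelated content: pseudo-random pixels from a fixed seed."""
    rng = random.Random(7)
    return [[rng.randrange(200) for _ in range(SIZE)] for _ in range(SIZE)]


def demo() -> dict:
    """Run the three cases against a one-entry 'known' database."""
    known = synthetic_known()
    hash_db = [dhash(known)]
    digest_db = [sha256_image(known)]
    altered = brightened_and_watermarked(known)
    novel = synthetic_novel()
    return {
        "altered_exact": exact_match(altered, digest_db),          # False
        "altered_perceptual": perceptual_match(altered, hash_db),  # True
        "altered_distance": hamming(dhash(altered), hash_db[0]),   # a few bits
        "novel_exact": exact_match(novel, digest_db),              # False
        "novel_perceptual": perceptual_match(novel, hash_db),      # False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The novel image is the point of the exercise: it is invisible to both fingerprints because nothing like it was ever hashed, and the only way to flag it is a classifier that scores the content itself. The threshold is also a tuning knob with a cost: loosening it catches more edited copies but raises the false-match rate against the billions of legitimate files a large platform processes.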
What are platforms required to report to NCMEC?
Under 18 U.S.C. 2258A, US-based electronic service providers must report to the NCMEC CyberTipline after obtaining actual knowledge of apparent CSAM on their platforms. Knowing and willful failure to report carries federal penalties. The obligation attaches on knowledge, not on whether a platform runs active detection: a platform that detects CSAM must follow through with a report, and scaling detection back does not excuse it from reporting what it does become aware of.
What is CSAM detection at scale, and how do platforms manage false positives?
At the volumes major platforms handle (billions of file uploads per day), even a very low false-positive rate produces a substantial review queue: at 1 in 45 million, a billion files a day still yields roughly 22 false alerts a day, each of them a legitimate user's file that a human must clear before any enforcement or reporting action. Production-grade systems like CaseScan use a Context Analysis layer that reduces false alerts by up to 98.5% in Maximum Precision mode, reaching a verified false-positive rate of 1 in 45 million images. That level of precision lets platforms act on high-confidence detections autonomously while keeping the human review queue manageable.
Ready to evaluate your platform’s CSAM detection capabilities? Learn more about CaseScan for UGC platforms or contact our team to schedule a demo.