European small and medium-sized enterprises (SMEs) have sounded the alarm over a proposed EU law that would require chat services and hosting platforms to monitor all user content — including messages — warning that the plan could have far-reaching economic risks.
Under the draft legislation, often referred to by critics as “Chat Control”, platforms that facilitate communication would be required to scan or monitor private messages to detect child sexual abuse material (CSAM), even if those messages are end-to-end encrypted.
The mechanism envisioned is “client-side scanning,” meaning that content would be scanned on user devices (before encryption) rather than on the server side. Critics argue this approach inherently conflicts with strong encryption.
The legislative process is ongoing. The European Parliament has previously rejected versions of the proposal that include indiscriminate scanning, and its adopted position insists that encryption should not be weakened. Meanwhile, EU member states have yet to reach agreement. A vote is scheduled for 14 October 2025 under the Danish EU Presidency’s proposal.
SMEs raise economic and operational concerns
In an open letter, European SMEs and industry organizations representing roughly 45,000 digital firms have urged EU governments to reject mandates for chat monitoring.
Their main arguments include:
- High compliance cost and technical burden: SMEs often lack the financial and engineering resources of large tech firms. Implementing intrusive surveillance mechanisms would impose significant new costs, or force some out of the EU market.
- Damage to competitive advantage in privacy: Many European tech companies differentiate themselves by offering privacy-first, encrypted services. Mandating scanning would undermine that proposition and weaken trust in European solutions.
- Risk of market consolidation in favour of Big Tech: SMEs warn that only large firms, especially non-European ones with more resources (notably in the US or China), would be able to absorb the costs and technical complexity. This could further entrench foreign dominance in the digital sector.
The letter is signed by many well-known privacy-focused companies (such as Proton, Nextcloud, Threema, Wire, Tuta Mail) and by the European Digital SME Alliance.
Together with more than 40 European privacy-first companies as well as the European Digital SME Alliance, representing more than 45.000 digital SMEs, Tuta urges ministers of EU member states to defend Europe’s digital sovereignty and reject this draft law that normalizes mass surveillance and weakens encryption.
Broader criticism from the tech and scientific community
Beyond the SMEs, opponents of Chat Control include cryptographers, security researchers, and digital rights groups. More than 500 scientists have signed an open letter calling the proposal “technically infeasible” and warning that it would “completely undermine” digital security.
Key technical criticisms include:
- False positives and inaccuracy: Automated scanning is prone to errors, potentially flagging lawful content as illicit.
- Weakening encryption: Any scanning mechanism that inspects content before encryption is essentially a backdoor, creating new vulnerabilities that malicious actors or foreign governments might exploit.
- Conflicts with fundamental rights and security goals: The proposed law may be incompatible with EU guarantees of privacy and data security.
The EU’s legislative process requires agreement between the European Commission, the Parliament, and the Council of Ministers (i.e. the member states).
- The European Parliament’s adopted position forbids mass surveillance and protects encrypted services.
- On the Council side, EU member states are divided. Some countries support the Danish proposal or variations thereof, others oppose it or remain undecided
- A key vote is scheduled for 14 October 2025. If adopted, the law would move into trilogue negotiations to reconcile the positions of the Parliament, Commission, and Council.
- Update: Germany has withdrawn its support for the bill thanks to citizen protest. This happened a few hours after publishing this story – read the full report here.
If the legislation passes in a form that requires mandatory scanning, the economic implications might include:
- Entrants leaving the EU market: SMEs unable to comply may exit or scale down operations in Europe.
- Reduced innovation in privacy sectors: Firms specializing in encrypted or privacy-preserving services could lose their edge.
- Greater dependence on non-European infrastructure: European users might shift toward large foreign providers that can absorb compliance burdens, undermining digital sovereignty.
European SMEs argue that trust is one of their few distinct competitive advantages in a global digital economy — and legislation that undermines that trust may damage not just individual firms, but Europe’s digital sovereignty.
