IntroductionIn early September 2025, over 500 cryptography experts and researchers publicly condemned a proposal from the European Union that would require messaging apps (including those with end-to-end encryption) to scan all user content for child sexual abuse material (CSAM). Dubbed “Chat Control” by critics, the law is under review by EU Council members, with a final vote possible as soon as October 2025. TechRadar Simultaneously, the EU’s long-awaited General‑Purpose AI (GPAI) obligations under the AI Act officially came into force on August 2, 2025, bringing mandatory transparency, documentation, and accountability rules for providers of large, multipurpose AI models. DLA Piper+1

Why it matters now

• It marks the first significant attempt to legally require scanning of encrypted communications, risking undermining widely used systems such as WhatsApp, Signal, and iMessage. TechRadar
• The implementation of GPAI rules means that AI model providers must now meet compliance obligations, including training data disclosure, risk assessment, and oversight—even for models already in the market. DLA Piper+2Eversheds Sutherland+2
• The combined pressure of privacy vs safety is coming to a head: governments want child protection and security, while experts warn about encryption weakening and false positives/ abuser misuse. TechRadar
• These regulatory changes carry fines and legal risk; non-compliance is no longer theoretical. Businesses must adapt now to avoid penalties and reputational harm. DLA Piper+1

Call‑out
Privacy and AI oversight caught in a regulatory crossfire.

Business implications
Messaging app providers and platforms handling encrypted communications are entering a new era of legal uncertainty. Requiring the scanning of encrypted chats for CSAM introduces both technical and trust challenges, including building or integrating detection tools that respect encryption (or rewriting protocols), as well as handling false positives and legal exposure. Companies will face potential backlash from privacy advocates and users who may view such scanning as a breach of fundamental digital rights. Beyond technology, brand trust and market positioning could be adversely impacted.

For AI model developers and providers, the phase-in of GPAI obligations means more rigorous compliance burdens. Transparency of training data, risk assessments for systemic impacts, governance structures, and oversight mechanisms are now mandatory. This increases costs, slows product launches, and shifts competitive advantage toward those with deeper resources. Open‑source and smaller model makers will be especially challenged to comply without losing agility.

Enterprises consuming AI, from startups to large incumbents, must begin auditing the AI tools they use. They will require legal, security, and data teams to verify that any AI component—especially general-purpose models—meets EU standards. Procurement processes will need reforms; due diligence must include regulatory compliance, which may require documentation previously regarded as optional. Non-EU companies that serve EU customers must comply or risk exclusion or sanctions.

Looking ahead
Near term (next 3‑12 months): EU Council votes on the Chat Control proposal may lead to legal mandates, or conversely, more substantial amendments to preserve encryption; companies may begin building or offering opt-out or alternate architectures. AI service providers will publish compliance documents, adjust model release cycles to meet transparency obligations, and begin internal policies to manage risk.

Longer term (1‑- 2 years): Portfolios of AI tools will bifurcate—those that are compliant with the EU’s rigorous standards, and those for markets with looser regulation. Privacy-preserving technologies and encrypted computation (e.g., zero-knowledge proofs, secure enclaves) will become key differentiators. Global norms may shift: other jurisdictions may emulate EU rules, or conversely, diverge in response if they see such regulation as a drag on innovation. Consumer expectations about privacy and AI safety will become a central brand and regulatory risk.

The upshot
The convergence of the EU’s Chat Control debate and the activation of GPAI obligations under the AI Act signals that regulation in AI and privacy is no longer in the future—it’s here, and it’s binding. For companies, the message is clear: adapt now or be left facing compliance risk, legal exposure, and loss of trust. The playing field is being remodeled, with privacy, transparency, and ethics becoming not optional extras but core business requirements.

References

• TechRadar — “It’s just smoke and mirrors – Over 500 cryptography scientists and researchers slam the EU proposal to scan all your WhatsApp chats.” (Sept. 9, 2025) TechRadar
• DLA Piper — “Latest wave of obligations under the EU AI Act take effect: Key considerations.” (Aug. 7, 2025) DLA Piper
• Financial Times — “EU pushes ahead with AI code of practice.” (July 10, 2025) ft.com