EuroISPA Position Paper on the CSAM Regulation
As trilogue negotiations on the CSAM Regulation continue, EuroISPA considers that the final framework should fully reflect the overall aim of protecting children online while preserving the security and privacy safeguards that already apply across the digital ecosystem. It should also enable effective and consistent application of the legal and technical framework already in place, addressing genuine gaps without duplicating existing legislation. Our members, from hosting providers to CDN operators, access providers, and VPN services, already run detection and reporting systems and act as trusted flaggers under the Digital Services Act, and the Regulation should build on that engagement rather than override it.
Before introducing new obligations, the Commission and co-legislators should ensure that the technical and legal conditions for compliance are firmly established, starting with a permanent legal basis for voluntary detection rather than one based on temporary derogations. Any new obligations should remain proportionate, targeted, and technologically neutral, and grounded in evidence of a genuine gap rather than assumption.
The Commission should first assess whether the objectives can be achieved through closer alignment with existing instruments, such as the DSA, NIS2, and the e-Evidence Regulation, rather than through additional, overlapping requirements. Coherence with this existing framework, not the creation of a parallel one, should guide the Regulation’s final shape.
Our key positions:
- Ensure the Regulation does not weaken, circumvent, or disable encryption even on a voluntary basis.
- Include a permanent legal basis for voluntary detection directly in the Regulation, rather than relying on the temporary ePrivacy derogation.
- Adopt a cascade approach so only the provider with direct control over the content is obligated to act.
- Remove provisions that duplicate or conflict with the DSA, the e-Evidence Regulation, the Cybersecurity Act, NIS2, and the GDPR.
- Align user notification and transparency requirements with the DSA instead of creating separate obligations.
- Streamline risk assessment and categorisation using the DSA’s staggered, proportionate approach.
- Strengthen and adequately resource national reporting hotlines and the INHOPE network.
- Ensure judicial oversight for competent authorities and keep any list of approved technologies voluntary.
- Avoid regulating data retention separately from the Commission’s ongoing data retention initiative.
- Treat age assurance as an optional mitigation measure, not a mandatory obligation.
- Align provider liability with the DSA and protect good-faith voluntary detection efforts from penalty.
- Conduct a renewed impact assessment given how substantially the text has changed since 2022.
We invite you to read our full position paper below.



