Legislators within the European Union have recently presented a comprehensive counter-terrorism strategy, outlining initiatives to strengthen security across the region.

This plan addresses several important technological issues, with encryption receiving the most significant attention.

Growing anxieties exist regarding the possibility of the EU enacting legislation that restricts end-to-end encryption, responding to demands from certain Member States for greater access to encrypted data for law enforcement and security agencies.

However, this pressure is not a new development. History demonstrates that debates surrounding access to encrypted information repeatedly resurface. Last month, a preliminary resolution from the Council of the European Union sparked renewed concerns about a potential EU-wide prohibition of end-to-end encryption.

The Commission’s current agenda is unlikely to fully alleviate these concerns.

This is largely due to its ambiguous wording, which includes contradictory statements about “enhanced access” to encrypted information while simultaneously emphasizing “respect for the right to privacy”.

The Commission addresses this complex issue as follows [emphasis theirs]:

Discussions among EU lawmakers regarding potential “technical solutions” for “lawful access” to encrypted data will likely not reassure those who fear the EU is progressing towards implementing mandatory backdoors.

It is important to note that “lawful access” within the framework of EU law has consistently been interpreted as targeted access. (For example, in October, the CJEU clarified that national security considerations do not exempt EU Member States from adhering to general legal principles—including proportionality and respect for fundamental rights to privacy, data protection, and freedom of expression.)

In essence, a targeted backdoor is not feasible.

A backdoor inherently involves broad intervention and is disproportionate by nature. A “backdoor” providing access to a single user on a one-time basis does not exist. Such a scenario would essentially equate to legally authorized hacking of a specific suspect, which presents a separate set of security challenges.

The Commission’s agenda also commits EU lawmakers to preserving “the effectiveness of encryption in protecting the privacy and security of communications”.

However, their attempt to demonstrate balance between seemingly conflicting goals—by simultaneously pledging to “provide an effective response to crime and terrorism”—may diminish the strength of this reassurance. An effective response to crime and terrorism can be achieved through various means, such as adequate funding and training for agents, improved information sharing among EU nations, and other strategies that do not involve compromising encryption.

Indeed, the Commission’s agenda includes numerous (non-encryption-breaking) proposals to bolster the bloc’s counter-terrorism efforts, such as an “EU police cooperation code” to improve collaboration between law enforcement authorities, strengthening Europol, and increasing engagement with international organizations.

Encryption is frequently used as a convenient explanation for governmental security shortcomings. The Commission’s agenda appears aware of this tendency—though it avoids directly criticizing any Member States responsible for such failures. Therefore, the statement “we’ll work to identify possibilities” seems to be a diplomatic way of acknowledging that achieving the impossible is unlikely.

Regarding other technological aspects, the Commission is strongly advocating for the swift adoption of its 2018 legislative proposal to expedite the removal of terrorist content by other EU institutions, allowing it to be applied to online platforms.

This proposal has generated some debate and concern, particularly regarding its potential impact on smaller websites and the definition of “terrorism content”.

“To counter the spread of extremist ideologies online, it is important that the European Parliament and the Council adopt the rules on removing terrorist content online as a matter of urgency,” the Commission states.

The EU Internet Forum will be responsible for developing “guidance on moderation for publicly available content for extremist material online”, it adds.

*Setting aside theoretical NOBUS security vulnerabilities.