In April 2026, the European Parliament voted down the message scanning at the heart of Chat Control. Privacy advocates celebrated for about a week. Then everyone read the fine print of what the Commission had already lined up next.

It’s called Going Dark, rebranded as ProtectEU. And unlike Chat Control, this one names VPN services directly.

What just happened with Chat Control

Quick recap for anyone who tuned out of this saga. Chat Control was the nickname for the EU’s CSAR proposal, which would have required platforms to scan private messages, including end-to-end encrypted ones, for child abuse material. Security researchers spent three years explaining that you cannot scan encrypted messages without breaking encryption for everyone.

The Parliament listened. MEPs rejected the mass scanning provisions and refused to extend the temporary exemption that had allowed companies like Meta to scan private messages voluntarily. The EFF called it a blow to mass surveillance, while warning the fight wasn’t over.

That warning aged well. It took about two months.

Going Dark: the rebrand of the decade

“Going dark” is law enforcement jargon for the claim that encryption is making criminals invisible to investigators. The European Commission turned the complaint into a program: launched in April 2025 under the ProtectEU banner, it is a six-pillar strategy covering data retention, lawful interception, digital forensics, decryption, standardisation, and AI tools for police.

The headline goal, according to TechRadar’s reporting, is the ability to access encrypted data by 2030. A Technology Roadmap on decryption is due in 2026. The Commission’s language promises this will happen while “safeguarding cybersecurity and fundamental rights,” which is the policy equivalent of promising dry water. Every serious cryptographer who has reviewed lawful access schemes has reached the same conclusion: a backdoor for police is a backdoor for everyone.

The six pillars, decoded

The official documents describe ProtectEU in procurement language, so here’s the plain version of each pillar.

Data retention is the requirement that services log who used what, when, and from where. This is the pillar with its own separate legislative track, and the one that hits VPNs first.

Lawful interception means standardized ways for police to tap communications across borders. Today, a French warrant served on a German service involves months of paperwork. The plan is to make it fast and uniform.

Digital forensics covers extracting evidence from seized devices. Decryption is the famous one: the Commission wants technical “solutions” for accessing encrypted data, with a Technology Roadmap due in 2026 and operational capability targeted for 2030.

Standardisation means baking police access requirements into technical standards while they’re being written, instead of fighting about them afterwards. And AI tools for law enforcement covers automated analysis of all the data the other five pillars produce.

Read together, the pillars are not six separate ideas. They’re one idea, expressed six ways: communications infrastructure should be legible to the state by design. Each pillar looks procedural on its own. The sum is an architecture decision about the European internet, made without ever holding a single vote on the question itself.

Where VPNs come in

Chat Control was about messaging apps. Going Dark is broader, and this is the part that matters for readers of this site: several member states want VPN services included in the scope.

Mullvad has been the loudest provider on this, stating plainly that after losing the Chat Control battle, the EU will return by summer 2026 with Going Dark, and that this time VPN services are a target. Mullvad frames the whole effort as a war on encryption coordinated between the US and the EU. Strong words from a company that historically avoids drama.

What would “including VPNs” actually mean? The realistic options are connection metadata retention (covered in our article on the EU data retention push), mandatory identification of users, or technical access requirements on the tunnel itself. The first two destroy the no-log model. The third breaks the product entirely.

Why “lawful access” and a working VPN can’t coexist

A VPN does one thing: it encrypts the path between you and a server, so your ISP, your network admin, and anyone in between sees only an encrypted tunnel to that server, not what travels inside it. The provider can’t selectively weaken that for “bad” users while keeping it strong for everyone else. Encryption doesn’t check your criminal record.

So any lawful access mandate lands in one of two places. Either the provider keeps records about who connected where and when, which is surveillance of the 99.9% of users who are watching Netflix and checking their bank account from hotel Wi-Fi. Or the encryption itself gets a hole drilled in it, which every hostile government and ransomware crew on earth will eventually find. There is no third option. There never has been.

The EU’s own history proves the point from the other direction. The CJEU struck down blanket data retention twice on fundamental rights grounds. The Parliament just refused mass message scanning. Each time, the institutions closest to the law concluded that surveillance of everyone, all the time, by default is not compatible with European rights. Going Dark is an attempt to reach the same destination through quieter procedural roads.

What this means for VPN users right now

Nothing in Going Dark is law yet. The decryption roadmap is due this year, legislative proposals targeting VPNs are expected from summer 2026, and the full legislative cycle takes years. Your VPN works today exactly as it did last month.

But the direction of travel is clear, and it makes two boring criteria suddenly interesting: jurisdiction and infrastructure. A provider incorporated outside the EU, with RAM-only servers and audited no-logs, has both legal and technical distance from whatever Brussels eventually passes. Our guide to Five Eyes, Nine Eyes and Fourteen Eyes explains why the country on the legal paperwork matters as much as the tech.

If you want to pressure-test your current provider, ask one question: if an EU retention order arrived tomorrow, what could they technically hand over? For a provider like NordVPN, based in Panama with audited RAM-only servers, the honest answer is: almost nothing. That’s the answer you want.

For readers tracking the file: the milestones to watch are the Technology Roadmap’s publication, the first legislative text naming service categories, and the Parliament’s composition on the day it votes. We’ll cover each as it lands; the pattern of the last decade says the fight will be long, procedural and winnable, which is precisely why attention is the relevant currency.

Our verdict

Chat Control's defeat was real, and the people who fought it earned the win. But Going Dark is the more dangerous project precisely because it's duller: roadmaps, working groups, and standardisation bodies instead of one big scary scanning law. The VPN industry is now formally part of the EU's lawful access conversation, and that has never been true before. Expect the first concrete legislative text by late 2026. We'll cover it when it lands.

Sources: EFF on the Parliament vote | TechRadar: the EU wants to decrypt your data by 2030 | Mullvad: Chat Control and Going Dark | Computer Weekly on the Chat Control rejection