Offener Brief zur Europäischen Strategie für innere Sicherheit

Heute haben wir gemeinsam mit 89 zivilgesellschaftlichen Organisationen, Unternehmen und Cybersicherheitsexperten, darunter auch Mitglieder der Global Encryption Coalition, ein gemeinsames Schreiben an die Europäische Kommission veröffentlicht, in dem wir diese auffordern, auf die Bedenken hinsichtlich der Auswirkungen der Europäischen Strategie der inneren Sicherheit (Protect EU) auf die Ende-zu-Ende-Verschlüsselung einzugehen. Die Fokussierung der Strategie der inneren Sicherheit auf Verschlüsselung wird der Nutzung von Ende-zu-Ende-Verschlüsselung in Europa schaden und das Netz für alle Europäer weniger sicher machen.

hier geht es direkt zum .pdf

To:
Henna Virkkunen,
Executive Vice President for Tech Sovereignty, Security and Democracy
European Commission

Magnus Brunner,
Commission for Internal Affairs and Migration 
European Commission

26 May 2025

The undersigned civil society organizations, companies, and cybersecurity experts, including members of the Global Encryption Coalition,¹ urgently share their concerns regarding aspects of the recently announced European Internal Security Strategy (Protect EU)² due to its potential impact on end-to-end encryption.  

On April 1st the European Commission shared its new five-year strategy, ProtectEU, to address elevated security concerns for the European Union in the midst of a rapidly evolving geopolitical landscape. Included in the strategy is the European Commission’s intent to develop a “Technology Roadmap on encryption, to identify and assess technological solutions that would enable law enforcement authorities to access encrypted data in a lawful manner.”

While we recognise the importance of elevating security efforts during moments of increased geopolitical instability, we are concerned by the framing of the technology roadmap. Government agencies elsewhere in the world³ actively encourage more usage of end-to-end encryption, not less, to protect the integrity of cyberspace against increased security threats. Strong encryption, including end-to-end encryption, is a key cybersecurity tool that protects the European Union against cyberattacks, hybrid threats, espionage, and attacks on critical infrastructure. 

The European Commission itself has acknowledged the need to step up efforts and investment to protect the integrity of cyberspace as reflected in the Revised Directive on Security of Network and Information (NIS2).⁴ The Revised Directive introduces obligations for platforms and service providers to implement appropriate and proportionate cybersecurity risk-management measures, including encryption, to protect the confidentiality, integrity, and availability of their systems and services. The European Data Protection Supervisor echoes this message, stating that “restrictions on encryption pose significant risks to the economy and society in general.”⁵

Yet, against this backdrop, we are deeply concerned by the Commission’s continued focus on identifying ways to weaken or circumvent encryption. This undermines its own security objectives under the ProtectEU strategy, which emphasises the importance of resilience and preparedness in the face of more sophisticated cyber threats. Undermining encryption weakens the very foundation of secure communications and systems, leaving individuals, businesses, and public institutions more vulnerable to attacks. 

Past⁶ and ongoing⁷ efforts in the European Union to grant law enforcement access to encrypted data have primarily focused on client-side scanning, a technology that circumvents encryption by scanning user devices before the encryption mechanism starts. Scanning not only violates the promises of end-to-end encryption but also creates vulnerabilities that could be exploited by criminals and hostile state actors.⁸ There is widespread consensus among technical experts that encryption circumvention tools create new risks that threaten national security, concerns recently echoed by member state authorities in Sweden⁹ and the Netherlands¹⁰. The European Court of Human Rights and European Union Agency for Fundamental Rights have emphasized that statutory requirements that “weaken the encryption mechanism for all users” would be disproportionate under the Charter of the Fundamental Rights of the EU.¹¹

The technology roadmap announced by the European Commission mirrors efforts taken by other governments to identify encryption circumvention tools, such as the UK’s “Safety Tech Challenge,”¹² which pledged funding for proof-of-concept tools for preventing and detecting child sexual abuse material in end-to-end encrypted environments.  In the case of UK efforts, the selected independent third party reviewer, REPHRAIN, found that none of the resulting proofs of concept fulfilled their evaluation framework for human rights, security, accountability, and other criteria.¹³ We believe that any similar EU approach would produce the same results, wasting valuable resources. 

We call on the European Commission to:

• Acknowledge that strong encryption is not an obstacle to EU security but a prerequisite for it, positioning the widespread use of end-to-end encryption as a tool for advancing cybersecurity and EU’s resilience in the current geopolitical context. 
• Reframe the Technology Roadmap on Encryption, highlighting the benefits of encryption and identifying areas for increased usage to strengthen cyber defense in alignment with the European Union’s existing security strategies. 
• Develop the Technology Roadmap by drawing on a wide range of perspectives, not only those of law enforcement, but also cybersecurity experts, civil society, digital rights advocates and private companies. Any future roadmap that aspires to be credible and balanced must consider the feasibility of any potential technological capabilities and their societal, technical, and legal impact. 

Sincerely,