Summary

The proposed EU CSAR regulation introduces detection obligations that may fundamentally conflict with how modern cloud infrastructure is designed. From a provider perspective, the issue is not intent, but feasibility: systems built on strong encryption and customer-controlled access cannot be inspected without breaking their security model.


Introduction

The proposed EU regulation on combating child sexual abuse material (CSAR) aims to address a critical and legitimate societal issue. Few would argue against the objective. The challenge lies in how such measures intersect with the technical realities of modern digital infrastructure.

From a cloud perspective, the discussion is not abstract. It directly affects how systems are built, how data is protected, and where responsibility can realistically be placed.


Cloud infrastructure is designed for non-access

Modern cloud systems are increasingly built around a simple but fundamental principle: the provider does not have access to customer data.

This is not a policy choice alone. It is a technical property.

Data is encrypted:

  • in transit
  • at rest
  • often at the application layer

In many cases, customers control their own encryption keys. When additional layers such as disk encryption, application-level encryption or customer-managed certificates are applied, the infrastructure provider no longer has the technical ability to inspect the underlying data without explicitly breaking that model.

This is by design.


The problem with infrastructure-level scanning

Proposals that introduce scanning obligations at the infrastructure level assume that providers can observe or analyze content as it flows through their systems.

In modern cloud architectures, that assumption often does not hold.

Inspecting data would require:

  • access to decrypted content
  • insertion of inspection mechanisms
  • or weakening of encryption boundaries

Each of these actions has consequences.

They undermine confidentiality guarantees, introduce new attack surfaces, and shift the trust model between provider and customer. What is currently a system designed to prevent unauthorized access becomes a system that must actively enable it.


Responsibility must follow control

A central issue in the CSAR discussion is where responsibility should be placed.

In cloud environments, there is a clear distinction:

  • infrastructure providers operate the underlying systems
  • customers control the data and its meaning
  • application providers interpret and process content

Requiring infrastructure providers to inspect data they cannot access places them in an impossible position. It effectively assigns responsibility without control.

This creates both technical and legal conflicts, particularly in relation to data protection frameworks such as GDPR, where responsibility is tied to actual data processing and decision-making.


Encryption is not optional

Encryption is often framed as a trade-off in regulatory discussions. In practice, it is not.

It is a foundational requirement for:

  • secure communication
  • financial systems
  • healthcare data
  • government infrastructure

Weakening encryption to enable scanning does not only affect specific use cases. It affects the entire security posture of digital systems.

In cloud environments, where multiple tenants share infrastructure, this impact is amplified. Any mechanism that enables inspection can potentially become a vector for misuse or unintended access.


The double-bind problem

One of the more problematic consequences of infrastructure-level obligations is the creation of a double-bind.

Providers are expected to:

  • ensure confidentiality and data protection
  • while simultaneously enabling access to the same data

This is not simply a policy contradiction. It is a technical one.

Systems cannot be both inaccessible by design and accessible on demand without introducing fundamental changes to their architecture.


Trust, sovereignty and unintended consequences

European cloud providers operate in an environment where trust, sovereignty and data protection are key differentiators.

Introducing requirements that weaken these properties may have unintended effects:

  • customers may move data to jurisdictions perceived as more secure
  • providers may face increased compliance complexity and cost
  • the overall trust in European infrastructure may be reduced

In a geopolitical context where digital sovereignty is increasingly important, these effects should not be underestimated.


A more viable approach

Addressing illegal content is necessary. The question is how to do so without undermining the systems that secure digital society.

A more viable approach would focus on:

  • detection mechanisms limited to contexts where data is already accessible and processed
  • a clear separation between infrastructure and application responsibilities
  • independent oversight and transparency in enforcement
  • explicit safeguards that preserve strong encryption

This aligns responsibility with actual control, rather than theoretical access.


Closing

The core issue is not whether action should be taken, but where and how it is applied.

Cloud infrastructure is built on the assumption that providers do not have access to customer data. Introducing obligations that depend on such access challenges that assumption at a fundamental level.

If regulation is to be effective without undermining security, it must account for how systems are actually designed — not how they are assumed to work.

For a formal position from WAYSCloud, including our submitted input to the Norwegian Ministry of Justice and Public Security, see: Position on proposed EU CSAR regulation and cloud implications