Position on proposed EU CSAR regulation and implications for secure cloud infrastructure
Summary
WAYSCloud has submitted a formal position to Norwegian authorities regarding the proposed EU regulation on combating child sexual abuse material (CSAR).
This report outlines our technical, legal, and ethical assessment of the potential implications for encryption, data sovereignty, and infrastructure providers.
Background
The proposed regulation introduces mechanisms for detection and reporting of potentially illegal content, including the possibility of mandatory scanning obligations.
While the objective of protecting children is essential, WAYSCloud has raised concerns regarding how such measures may impact fundamental security principles and trust in digital infrastructure.
Clarification on detection and infrastructure responsibilities
WAYSCloud operates systems for detecting potentially illegal content in specific, controlled contexts where data is explicitly uploaded to services under our management. These mechanisms are limited to environments where WAYSCloud has legitimate technical access to the data and where such processing is part of the service functionality.
This differs fundamentally from proposals that would require scanning of encrypted or private communications, or the introduction of mechanisms that weaken end-to-end encryption.
WAYSCloud does not support measures that require infrastructure providers to access or inspect data that is confidential and inaccessible by design.
Key considerations
WAYSCloud's position is based on the following principles:
- Infrastructure providers without access to customer data should not be required to perform content inspection
- Strong encryption is a fundamental requirement for secure digital systems
- Responsibility should follow actual control over data, not infrastructure ownership
- Regulatory measures must remain compatible with GDPR and established data protection principles
Technical and legal concerns
Modern cloud infrastructure is built on end-to-end encryption and customer-controlled access models.
Introducing scanning requirements at the infrastructure level may:
- undermine confidentiality guarantees
- conflict with GDPR obligations
- introduce security vulnerabilities
- reduce trust in European cloud providers
Recommended approach
WAYSCloud supports efforts to combat illegal content but recommends:
- targeted detection mechanisms limited to relevant contexts
- clear separation between infrastructure and application responsibilities
- independent oversight and transparency in enforcement
- safeguards to prevent weakening of encryption
Current status
This position was formally submitted to Norwegian authorities, including the Ministry of Justice and Public Security and the Norwegian Data Protection Authority.
Attachments
Redacted supporting documentation from regulatory communication is available below.
