01.07.2025 15:43

Encryption vs. Lawful Interception: EU policy news

I’ve commented here on this blog (or its German twin) quite a few times already on various legislative proposals on how the law enforcement agencies can keep their traditional access to the communication of suspects. See

As the recent political agreement within the new Austrian government shows, this is still a hot topic. This does not only play out at the national level; at EU level, too, there is a hot debate on the right policy decisions regarding the challenges posed by new communication technology.

To be honest, the focus on interception and how law enforcement is now handicapped by the new technology is missing the real story: how the social media companies and their algorithms are fracturing society, causing parallel realities in the population and contributing to the radicalisation of a lot of vulnerable people. That will kill our democracy, not whether a police officer will continue to be able to wiretap a suspect.

Anyway, at EU level a new Roadmap was unveiled last week:

The European Commission presented today a Roadmap setting out the way forward to ensure law enforcement authorities in the EU have effective and lawful access to data. The roadmap is an important deliverable under ProtectEU – the EU's Internal Security Strategy which the Commission presented in April this year.

Terrorism, organised crime, online fraud, drug trafficking, child sexual abuse, sexual extortion, ransomware, and other offences all share a common feature: they leave digital traces. With 85% of criminal investigations now relying on electronic evidence, law enforcement authorities need better tools and a modernised legal framework to access digital data in a lawful manner while ensuring full respect of fundamental rights.

It covers the areas Data retention, Lawful interception, Digital forensics, Decryption, Standardisation, and AI solutions for law enforcement.

While I can understand the frustration on the LE side, some of the proposals run headlong into the core principles of the cyber security community. E.g., under “Decryption” the Commission writes “In 2026, the Commission will present a Technology Roadmap on encryption to identify and evaluate solutions that enable lawful access to encrypted data by law enforcement, while safeguarding cybersecurity and fundamental rights.” which someone in the CSIRT community (to much applause) translated to “We have a roadmap for the development of a square that is also round.”

To discuss the trade-offs between these worlds, the Commission is creating an “Expert Group for a Technology Roadmap on Encryption (E04005)” and is looking for people to work on the following tasks:

  • to assist the Commission’s Directorate-General for Migration and Home Affairs (‘DG HOME’) and Directorate General for Communications Networks, Content and Technology (‘DG CNECT’) in the preparation of policy initiatives on lawful access to data through the identification of technical options to address encryption challenges and the assessment of their suitability; while ensuring observance of fundamental rights, including privacy and data protection, and without undermining cybersecurity.
  • to assist the Commission to elaborate a Technology Roadmap, by providing expert input that shall outline and assess the technical options as well as the corresponding resources and actions needed for lawful access to and processing of digital information, without undermining cybersecurity and while respecting fundamental rights, taking into account the relevant recommendations of the High-Level Group of Experts for Access to Data.

They are looking for people with diverse backgrounds: The selection shall prioritise experts with technical profiles, coming from either public or private sector, whilst aiming to ensure proportional representation across the following fields of expertise:

  • Home affairs, ideally with an experience in fighting high-tech crime, and/or a background in the area of decryption and artifact extraction, computer forensics, network forensics, smartphone forensics, cloud forensics, IoT forensics, memory forensics and/or lawful interception;
  • Cybersecurity, with diverse backgrounds including but not limited to vulnerability management, evaluation of cybersecurity risks and certification and encryption (including quantum and post-quantum cryptography);
  • Telecommunication, including with experience in computer networks/Internet, 5G/6G, IoT, VoIP, Satellite, Quantum communication and/or encrypted communication applications;
  • Big data analysis, including with expertise in AI technologies;
  • Standardisation, notably in relation with cybersecurity and/or telecommunication technologies, including protocol networks, exchanges of digital data, and lawful interception;
  • Justice and fundamental rights, including experience in data protection and privacy, as well as experience in criminal justice, such as cyber-enabled and/or cyber-dependent crimes

Yes, bitching about EU policy is a cherished hobby for a lot of people, but why not get engaged and try to get the EU to do the right thing in the first place?

Written by: Otmar Lendl