Developers keep users safe by building security-by-design with tools like encryption, authentication, and abuse-prevention protections that are the front line of protection. However, proposals currently being considered in Sweden and at the European Union level could threaten those tools and the critical protections startups and small and medium-sized enterprises (SMEs) and their users rely on.

The European Commission’s draft Child Sexual Abuse Material (CSAM) Regulation would require online services, from messaging apps to cloud platforms, to scan, report, and remove harmful content. Crucially, it would extend to encrypted communications, forcing providers to weaken one of the most important tools developers utilize to keep users safe. While protecting children needs to be a top priority, undermining encryption is a misguided approach that ultimately compromises the safety of everyone, rather than enhancing it.

‘As a company helping startups and other organizations build scalable and secure cloud solutions, we firmly oppose attempts to weaken encryption. Introducing backdoors and dismantling crucial privacy tools compromises user privacy and security. We believe in robust end-to-end encryption to safeguard sensitive data, maintain user trust, and keep you safe.’ – Robert Folkesson, Active Solution, Sweden-based App Association member company

The European Parliament has stressed that encryption must be protected, but the EU Council is divided. Under the Danish Presidency’s proposed compromise, national governments could mandate the scanning of encrypted messages before being sent. The proposal is set to be debated on 12 September and could be adopted by the Justice and Home Affairs Council as soon as 14 October 2025.

At the same time, Sweden has proposed new national rules on data storage and access to electronic information. These rules would compel providers to store, and give law enforcement access to, user communications, including those protected by end-to-end encryption. If adopted, the new rules could take effect on 1 March 2026.

Why it matters for startups

For startups, scaleups, and SMEs, the risk is double exposure. EU-wide rules could force them to weaken encryption everywhere, while national laws, like Sweden’s, could impose even stricter local requirements. The result is fragmentation, higher compliance costs, and greater uncertainty about how to serve users across the European ‘single’ market.

‘As a small tech startup, our reputation depends on trust. Enterprises using Qlerify rely on us to safeguard sensitive data, and that makes encryption non-negotiable. Weakening it would create a backdoor for cybercriminals, exposing our users’ most private information. Encryption is what keeps that data secure and inaccessible to anyone who isn’t authorised. Without encryption, both our customers and our business are put at risk.’ – Nikolaus Varzakako, Qlerify, Sweden-based App Association member company

As we highlighted in our discussions on cybersecurity and data privacy at SXSW, developers already keep users safe by building in security tools like encryption and authentication. Weakening those protections doesn’t make people safer; it makes them more vulnerable to identity theft, financial fraud, blackmail, account takeovers, and stalking. And for smaller companies, the costs of compliance could be so high that they are pushed out of the market entirely.

What comes next

The coming year will be decisive. The EU Council is expected to adopt a position on the proposed compromise in October, setting up trilateral negotiations. Meanwhile, Sweden’s law could enter into force in March 2026. There is currently a temporary framework in place under the ePrivacy Directive that allows providers to voluntarily detect harmful content, though not to conduct mass scanning of encrypted communications. This framework is set to expire on 3 April 2026, which puts additional pressure on policymakers to agree on a permanent solution before that deadline.

Startups and SMEs must make their voices heard now. Encryption is not merely a technical safeguard; it is the trust foundation that allows smaller companies to compete with bigger players. Undermining it will harm innovation, weaken security, empower bad actors, and put small tech businesses at a structural disadvantage.

‘A backdoor for the ‘good guys’ is an open door for criminals. Encryption is security, not an obstacle.’ – Mara Vendramin, My-Money, Italy-based App Association member company

We’ve already raised these concerns directly with the Swedish Parliament, making clear that weakening encryption is not a path to safety but a threat to security and innovation. Now, we need startups, scaleups, and SMEs to add their voices. Reach out to Brad Simonich to get involved and ensure that small tech voices are represented in these critical debates.