Comment by thecopy

2 days ago

Seems… fine? At least I don't see any invasion of privacy or encryption-related obligations in this proposal.

The EU ostensibly wants to improve innovation; I wonder how these new assessment regulations help with that, especially for SMEs and startups.

"High risk" providers will be obligated to "contribute" technologies "to mitigate." Seems like a doublespeak way of saying enforced decryption or enforced backdoors.

  • It's one of those things that will obviously be used to boil the frog over time via bureaucratic rules.

    Year 1 a minimum viable effort manual process will be fine. But they'll say "not good enough" to someone every now and then and the minimum you can do in order to get a) permission b) enforcers not crawling up your ass (IDK if it will be permission based or enforcement after the fact based) will ratchet up.

    By year 10 or 20 "everyone" will have an API or a portal or whatever.

    And worse, by creating a compliance industry they create a whole suite of businesses and people who will ask for more, more, more, more.

  • Yes, I see this as the people pushing for surveillance and control taking what they can get for now, with the view to bring it back to mandatory scanning before all is said and done.

  • No, because the EUCJ still has the power to interpret the laws, or to declare the laws illegal. And the EUCJ, while incredibly pro-consumer, seems to really, really dislike the police state.

    It will happen only if the council manages to defang the EUCJ (it does try, regularly, to reduce the judiciary's power by forcing it to make unpopular statements on obviously illegal laws, so it might be a long-term goal).

  • Sadly, another attempt will likely be made at some point. At least the regulation is quite explicit:

    > This Regulation shall not prohibit, make impossible, weaken, circumvent or otherwise undermine cybersecurity measures, in particular encryption, including end-to-end encryption, implemented by the relevant information society services or by the users. This Regulation shall not create any obligation that would require a provider of hosting services or a provider of interpersonal communications services to decrypt data or create access to end-to-end encrypted data, or that would prevent providers from offering end-to-end encrypted services.