
In the face of rising cybercrime, end-to-end encryption has become a point of tension between the protection of secrets, public security, and technological sovereignty. At stake: preserving encryption as a safeguard for security, trust, and technological control.
In March 2025, the draft law "aimed at freeing France from the drug trafficking trap" (now passed), led by Interior Minister Bruno Retailleau, included a provision allowing intelligence services to access encrypted communications — including end-to-end encryption. This measure was rejected by the National Assembly after heated debate, due to the systemic risks it posed to the security of digital services. It underscored the urgent need to strike a balance between public security imperatives and digital security safeguards.
End-to-end encryption (E2EE) is a security methodology based on a simple principle: only the sender and the recipient of information can access it in plain text, as the data is encrypted using attributes unique to their correspondence. No third party — not even the service provider acting as an intermediary, nor public authorities — can technically access the content, even under a judicial order.
This technology has become a cornerstone of the digital ecosystem, embedded in instant messaging apps (such as Signal, WhatsApp, iMessage, or Threema), data storage tools, file-sharing services, and password managers.
The integrity of end-to-end encryption is explicitly supported by national and European authorities, such as France’s National Cybersecurity Agency (ANSSI), as well as under Directive (EU) 2022/2555, known as NIS 2, which recommends the implementation of robust encryption mechanisms as a cybersecurity measure.
Despite its technical and legal legitimacy, end-to-end encryption (E2EE) is increasingly being challenged in several countries on the grounds of public security. The desire to access encrypted information is not limited to authoritarian regimes or democratic governments — it is shared by criminals, foreign intelligence services, and even well-intentioned investigators seeking to combat the most heinous crimes.
As early as 2022, a joint international statement—signed by countries including Canada, the United Kingdom, India, Japan, and Singapore—called for effective access by competent authorities to encrypted content, including communications protected by E2EE. This trend has since materialized into concrete legislative initiatives, such as:
In France, a broad interpretation of a provision in the draft law on terrorism prevention and intelligence once envisaged the use of encryption backdoors under the cooperation obligations of electronic communications operators.
In response to this growing trend among governments, electronic communication service providers have had to react. Apple disabled certain data protection features for its UK users and initiated legal action against the government. In Sweden, the Signal app threatened to withdraw from the national market following a legislative proposal to require a backdoor in secure communication systems.
Deliberate vulnerabilities with unpredictable consequences
Technical authorities and cybersecurity experts continue to stress that there is no such thing as a “controlled security flaw” (e.g. ANSSI). Introducing backdoors would create vulnerabilities that could be exploited not only by legitimate authorities, but also by malicious actors — cybercriminals, foreign powers, and others.
The joint statement issued by Europol and the European Union Agency for Cybersecurity (“ENISA”) on 20 May 2016 (“Joint Statement on Lawful Criminal Investigation That Respects 21st Century Data Protection”), Resolution 2045 (2015) of the Council of Europe, and the report of the United Nations High Commissioner for Human Rights (A/HRC/51/17 of 4 August 2022) converge on the same conclusion: backdoors represent a direct and unacceptable threat to the security of all users, not just criminals.
In the United States, expert groups from the House Judiciary Committee and the House Energy and Commerce Committee have issued a clear warning: “any measure that weakens encryption works against the national interest.”
A disproportionate infringement of fundamental rights
From a legal standpoint, the implementation of backdoors also raises concerns regarding their impact on fundamental rights. The Court of Justice of the European Union (“CJEU”) has made it clear, in the rulings La Quadrature du Net (C-511/18) and Digital Rights Ireland (C-293/12), that both the generalized retention of connection data and decryption obligations infringe Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, which protect the right to privacy and personal data. These rights are subject to a proportionality test when interfered with. Similarly, in the case Podchasov v. Russia (2024), the European Court of Human Rights (“ECHR”) explicitly found that requiring a messaging platform to provide the authorities with the means to decrypt users’ communications violated Article 8 of the European Convention on Human Rights, which guarantees the right to privacy and the confidentiality of correspondence.
It is not the principle of decryption itself that is at issue — but rather its systematic nature, applied indiscriminately to all users, without the ability to target specific individuals under investigation by an authorised authority.
Such measures would therefore not only be technically questionable, but also legally vulnerable to challenges based on fundamental rights and proportionality.
A threat to European technological sovereignty
The adoption of measures that weaken encryption would stand in direct contradiction to the principles of the General Data Protection Regulation (“GDPR”), the security requirements established under the NIS2 Directive, and, more broadly, the European Union’s strategic ambitions in the area of digital sovereignty. Such measures could lead major operators to withdraw from certain markets and weaken Europe’s technological competitiveness.
Measures intended to circumvent or weaken encryption are often presented as tools to fight serious threats (organised crime, terrorism, child sexual abuse). Yet they in fact create:
The legal framework governing encryption sits at the crossroads of security law, data protection law, and digital regulation. Any attempt to restrict end-to-end encryption must undergo a rigorous proportionality assessment, and respect the hierarchy of European norms.
In a digital world where threats are multifaceted, weakening the confidentiality of communications means weakening the very secrets, sovereignty, and security we are trying to protect.
If you have any questions on this subject, please do not hesitate to contact Charlotte Le Roux or one of the authors or your usual Hogan Lovells contact.
Authored by Charlotte Le Roux, Léanne Fortuna, Etienne Drouard, and Camille Raymond.