VPN services may soon become a new target of EU lawmakers after being deemed a "key challenge"

EU
Image credit: Pixabay (Image credit: Pixabay)

  • The EU's HLG (High Level Group) now considers VPNs among “key challenges” to investigative work.
  • End-to-end encryption is also mentioned in the final report as the biggest technical challenge
  • Experts are calling for restraint and consideration on the measures, fearing civilians will carry “state spyware in their pockets”

For the first time, an EU expert group has explicitly mentioned VPN services as "key challenges" to the investigative work of law enforcement agencies, alongside encrypted devices, apps, and new communications operators.

The group's final report also refers to end-to-end encryption as "the biggest technical challenge."

Known as the High-Level Group (HLG), the expert group was tasked by the EU Council in June 2023 to develop a strategic plan "on access to data for effective law enforcement."

Lawful data access by design

The HLG's first set of recommendations leaked to the public in June last year. The goal was simple – make the digital devices we use every day, from smartphones and smart homes to IoT devices and even cars, legally and technically monitorable at all times by law enforcement bodies.

Commenting on this plan, Mullvad VPN CEO Jan Jonsson told TechRadar at the time: "It would mean total surveillance and that Europe's inhabitants carry state spyware in their pockets."

The final wording of the LHG report from March 13, 2025, shows not much has changed from the original ethos. Yet, the recommendations on achieving"lawful data access by design" look more refined.

As mentioned, experts are now considering including VPN services among the key challenges to investigations.

Previously, concerns were mostly reserved for messaging apps or secure email software using encryption to scramble users' content into an unreadable form, de facto making it difficult (if not impossible) for authorities to successfully decrypt wanted information.

Widening the target to VPN services seems to align with experts' view on metadata access as "essential for identifying suspects."

Metadata refers to data not concerning the content, such as who's sending the message, who's receiving it, at what time, and from where. VPNs work to mask IP addresses, which provide the details of our location when we access the internet.

For experts, however, EU lawmakers need to find solutions to force service providers to retain some necessary metadata for a minimum time period. Thankfully, the need for a "harmonised and consistent" legal framework for data retention is among the latest LHG suggestions.

Introducing new obligations to collect users' identifiable metadata, however, would clash with the technical infrastructure and policies of many privacy-focused services. That's especially true for no-log VPNs that, as the name suggests, never collect information that can link users with their online activities.

The security conondrum

Despite the emphasis on the need for authorities to access people's data to carry out investigations, LHG experts recognize that "this must not be at the expense of fundamental rights or the cybersecurity of systems and products."

In particular, the report highlights on more than one occasion how encryption is also essential for people's security, protecting against data theft, state-sponsored espionage, and other forms of unauthorized data access.

Did you know?

malware

(Image credit: Shutterstock)

The aftermath of the Salt Typhoon attacks sparked an outcry from authorities for all citizens to switch to Signal-like messaging apps to improve their online security.

It remains to be seen how EU lawmakers will find a balance between the will of accessing people's data – no matter if these are encrypted – and preserving information security.

On their side, cryptographers and other tech experts have long argued that encryption either works as intended or is broken for everyone.

Commenting on the ongoing push for encryption backdoors, Proton CEO Andy Yen recently said, "Encryption is math – it either adds up or it doesn't. You're not able to create a backdoor that will preserve encryption. It is simply not possible."

You might also like

Chiara Castro
News Editor (Tech Software)

Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life – wherever cybersecurity, markets, and politics tangle up. She writes news, interviews, and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar and TechRadar Pro. Got a story, tip-off, or something tech-interesting to say? Reach out to chiara.castro@futurenet.com

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.