"Weakening encryption would make European security worse" – the VPN industry reacts to the EU's plan for end-to-end encryption backdoors
ProtectEU is the first step into the EU Commission's strategy to lawful and effective access to data for law enforcement

No one sends SMS anymore; instead, most use WhatsApp or Signal. Encrypted calls, securely sharing files, and pictures are day-to-day actions we all do, with the promise that our online communications will stay private between us and who we are talking to.
This could soon change for people in the EU, though. ProtectEU is the EU Commission's new collaborative strategy exactly tasked to create a roadmap for "lawful and effective access to data for law enforcement" – especially encrypted data.
While messaging apps and email providers are set to be the main target of lawmakers, another popular software may be the next in line. All the best VPN services use end-to-end encryption to secure users' anonymity under strict no-log policies. So, to understand what's at stake, I spoke with some EU-based VPN providers who might soon be impacted.
Encryption backdoor, a security conundrum
Unveiled on April 1, 2025, ProtectEU is the first step in the EU Commission's plan to bolster the security of the European block in the years to come. A "new European internal security strategy," as lawmakers described it, that yet doesn't reveal much at this early stage.
What we do know so far, though, is that the EU Commission wants to give more tools to law enforcement to lawfully access people's online data. This would include finding a technical way to create encryption backdoors into software. All "while safeguarding cybersecurity and fundamental rights."
Yet, experts have long argued that encryption – the act of scrambling the data into an unreadable form to prevent third-party access – cannot be weakened safely. That's because once an entry point for law enforcement is created, other malicious actors could also exploit it.
Commenting on this point, Proton's Head of Public Policy (the provider behind Proton VPN and Proton Mail), Jurgita Miseviciute, told TechRadar: "Weakening encryption would not magically solve the internal security challenges this report outlines but, in fact, would only make European security worse."
The EU initiative Going Dark has now been launched by the EU Commission. They call it ProtectEU.It’s a rebranding of Chat Control. New name. Same old propaganda.The EU Commission’s goal is to “access encrypted data in a lawful manner, safeguarding cybersecurity and…April 4, 2025
Miseviciute said Proton is closely following the ProtectEU strategy and its implications, recognizing how the plan doesn't define a concrete policy direction yet.
"Now that the European Commission will start working on concrete reports and legal texts, we hope they will take an open-minded approach to find a solution that preserves encryption," she added.
The head of Legal at Surfshark, Gytis Malinauskas, believes it is still too early to express any concerns at this stage, considering that only a broad strategy has been unveiled so far. However, Surfshark feels more optimistic about the EU's plan.
"Given the ProtectEU Strategy’s focus on cybersecurity and protection against emerging security threats, we believe that privacy-enhancing tools like ours will become even more relevant and widely adopted by EU users," said Malinauskas.
Mullvad VPN, which strongly opposed proposals to scan citizens' private chats unveiled back in 2022, deemed the ProtectEU plan only a mere rebranding of the old bill and something that will struggle to attract the majority among EU representatives. "New name. Same old propaganda," tweeted the provider.
The end of no-log VPNs?
The next contentious point of the ProtectEU strategy is around data retention. Subject to an impact assessment, there is the possibility that the EU will decide to expand on current laws to require service providers to collect more data on users.
Again, this could mean completely overturing the policies and technical infrastructure of many security software – no-log VPNs included.
Many VPN services pride themselves on not collecting any information that could link their users to their activities. Something that might become incompatible with stringent data retention obligation.
As AdGuard VPN's Chief Product Officer, Denis Vyazovoy, explains, no-log VPNs won't be able to provide users' data to law enforcement unless they make some crucial changes to their design.
"A legal framework that forces VPNs to retain user metadata – potentially for a prolonged period – could make such services untenable, leading to the withdrawal of VPN providers from the EU" he said.
Security is closely linked to privacy
NordVPN
For example, India provoked an exodus of VPN companies from the country in 2022 when authorities passed a new data retention law requiring providers to retain users' logs for at least five years and to hand over this data to authorities upon request.
Again, it's still too early to say how the ProtectEU's plan would play out and whether VPNs will be affected by potential changes at all.
Nonetheless, according to NordVPN, more data would still lead to a higher risk for people's security.
"Security is closely linked to privacy. It is still too early to judge how this high-level strategy will materialize. However, if it results in blatant requirements to store large amounts of personal data, this could lead to misuse, breaches, and threats to internet users," a NordVPN spokesperson told TechRadar.
VPNs, a "key challenge"
As mentioned, encrypted communications apps have been largely lawmakers' target so far.
That said, an EU expert group has, for the very first time, explicitly referred to VPN services as "key challenges" to the investigative work of law enforcement agencies, alongside encrypted devices, apps, and new communications operators.
The High-Level Group (HLG) final report is the bedrock upon which the ProtecEU strategy was formed. So, how likely is it for VPN providers to become the next target?
Once thought to be the paradise for online privacy, Switzerland is also considering amending its surveillance law to expand into new types of monitoring and data collection. The changes will make it impossible for the likes of Proton, NymVPN, and Threema to operate in the country.
As Mullvad's CEO Jan Jonsson points out, VPNs aren't yet included in the HLG recommendations, unlike Signal-like apps. "It’s still concerning that they mention VPN as a challenge. The world needs less mass surveillance, not more," he said.
Also, Vyazovoy from AdGuard VPN found it worrying to see VPN services in the crosshairs of this debate. He believes that if VPNs had to be included in future data sharing obligations, this could drive away privacy-focused services from the EU altogether.
He said: "The questions are: Is it truly worth compromising the privacy of tens of millions for the sake of (potentially) catching a few criminals? Is this level of surveillance truly necessary?"
Again, Surfshark is looking at the debate as an opportunity rather than a threat.
"We do not interpret [mention of VPNs] as a signal that VPN providers will be directly targeted by new regulations. On the contrary, the group acknowledged VPNs as one of several tools used to protect the privacy of legitimate users," said Malinauskas.
It is certainly difficult to predict what will come next in this space, with the ProtectEU being based more on intentions rather than actions. What's certain, though, is that politicians and lawmakers have been trying to find a way to balance privacy and security for years. Will this be finally it?
You might also like

Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life – wherever cybersecurity, markets, and politics tangle up. She believes an open, uncensored, and private internet is a basic human need and wants to use her knowledge of VPNs to help readers take back control. She writes news, interviews, and analysis on data privacy, online censorship, digital rights, tech policies, and security software, with a special focus on VPNs, for TechRadar and TechRadar Pro. Got a story, tip-off, or something tech-interesting to say? Reach out to chiara.castro@futurenet.com
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.