Introduction

It is one of the oldest law-and-order questions: How does society strike balance between an individual’s right to privacy and the need for society to protect itself? Recent iterations of this debate revolve around encryption, a technology that ensures information stays private — or secret — for secure communications, storage, or transactions. Encryption protects messages on personal devices, but it can also be used to hide crimes.

Countries around the world are imposing new regulations to limit encryption. CEPA’s new Encryption Debate map tracks the state of these rules.

Among democracies, the United Kingdom has staked out the most aggressive attempts to curtail encryption. Its 2016 Investigatory Powers Act gave government the power to require digital platforms to decrypt encrypted information. The 2023 Online Safety Act goes further, allowing the Ofcom telecom regulator to require platforms to detect and remove unlawful content, even when shared using end-to-end encryption.

The US Congress and law enforcement agencies have both attempted to break encryption. In a high-profile 2016 case, the FBI demanded that Apple create a backdoor to access encrypted information on an iPhone used in a terrorist attack. Apple refused, and the FBI unlocked the phone independently. Legislators have introduced bills such as the Lawful Access to Encrypted Data Act or the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act, but they have failed to clear Congress.

CEPA’s will update the map periodically. Please get in touch if you are aware of any new developments that should be included.

A few notes:

The European Union (EU) is the source of many tech regulations that have spread globally through the so-called Brussels Effect. Denmark and Ireland are the only EU member states that have not ratified the European Investigation Order (EIO),1 which allows state authorities to request information necessary for an ongoing criminal investigation, including intercepted and decrypted telecommunications, from other member states without any need for further domestic authorization. Member states may also request technical assistance to decrypt, decode, or transcribe intercepted communications from other member states. All countries that are able to request decrypted content from other states under the EIO are noted below.

The European Electronic Communications Code (EECC) was created by EU directive and allows EU member states to adopt necessary, appropriate, and proportionate measures to intercept confidential communications for national security and criminal investigation purposes.2 This is strictly regulated: Domestic courts have struck down cases seeking to allow broader interception of communications, such as in Romania. However, the EECC also encourages the use of encryption to protect communications.

Countries

Argentina

Argentina’s 1972 National Telecommunications Law requires telecom providers to maintain interception capabilities and provide data and communications content; however, providers are not obligated to decrypt their data as a consequence of the interception.3 The more recent Data Retention Law of 2004 initially required internet service providers to decrypt communications if they provided encryption tools, but the Supreme Court found this unconstitutional.4

Australia

The 2001 Cybercrime Act requires providers to hand over stored data to law enforcement.5  The 2018 Telecommunications and Other Legislation Amendment (Assistance and Access) Act (TOLA) allows law enforcement and intelligence agencies to compel access to encrypted data.6 Under TOLA, agencies can issue Technical Assistance Notices requiring companies to decrypt data, or Technical Capability Notices mandating they build new tools to enable access. The government may request data in any form.

Austria

Austria adopted its Telecommunications Act in 2021, which requires service providers to occasionally monitor certain encrypted conversations in the context of criminal investigations.7 Providers must also provide technical support for the monitoring exercise. Austria has ratified the European Investigation Order and can request decrypted content from other EU states without further domestic authorization.

Belgium

The Belgian Code of Criminal Instruction empowers authorities to compel individuals with knowledge of encrypted systems to provide access to or decrypt data.8 Authorities can also order them to operate the system themselves to render the data accessible. Refusal to assist is a criminal offence, with harsher penalties if the assistance could have prevented a crime. Belgium has ratified the European Investigation Order and can request decrypted content from other EU states without further domestic authorization.

Brazil

The Brazilian Constitution guarantees the protection of the confidentiality for all communications, though it explicitly makes an exception for criminal investigations.9 WhatsApp is contesting a judicial order to shut down its services in Brazil that, according to the company, required a redesign its end-to-end encryption protocols and structures to comply with an order in a criminal case.10

Bulgaria

In Bulgaria, no law directly requires service providers to decrypt personal data. The Personal Data Protection Act (PDPA) obliges controllers to protect data, but gives no power to demand private keys or decrypted content.11

Decryption duties stem instead from the Electronic Communications Act of 2007, which allows judges to order telecom or online service providers to maintain interception interfaces and hand over any traffic that they themselves can decrypt.12 This enables authorities to obtain metadata and some decrypted data, which can be crucial in investigations involving encrypted data, but stops short of obliging providers to break end-to-end encryption. Bulgaria has ratified the European Investigation Order and can request decrypted content from other EU states without further domestic authorization.

Canada

In Canada, while there is no law that directly compels individuals or providers to decrypt data, courts can require third parties to assist law enforcement or produce information, including access to encrypted data, under the Criminal Code.13 These orders must comply with the Canadian Charter of Rights and Freedoms, which requires prior judicial authorization and that any search be reasonable.14

China

The Chinese Criminal Code requires decryption for any criminal investigation.15 The Cryptography Law requires all foreign manufacturers of encryption products to acquire a license from the government, after which the State Cryptography Administration and the government have access to and can inspect and further regulate encrypted platforms.16 The 2024 Network Data Security Management Regulations empower police and national security agencies to access decrypted information.17

Get the Latest
Sign up to receive regular Bandwidth emails and stay informed about CEPA's work.

Croatia

Croatia’s Law on Criminal Procedure allows law enforcement to search computer systems and other devices used to collect, store, or transmit data.18 However, the law does not include an explicit obligation to decrypt encrypted data or to hand over decryption keys. Croatia has ratified the European Investigation Order and can request decrypted content from other EU states without further domestic authorization.

Cyprus

The Criminal Procedure Law of Cyprus empowers a judge to search for evidence in a specific place, sometimes without a search warrant.19 However, it does not explicitly mention any restriction on the encryption of communications or obligation to decrypt that information with a search warrant. Cyprus has ratified the European Investigation Order and can request decrypted content from other EU states without further domestic authorization.

Czech Republic

The Czech Criminal Procedure Code requires all actors to comply with law enforcement requests.20 While the Criminal Procedure Code does not specifically mention encryption, Law No. 127 on Electronic Communications explicitly requires service providers to disable encryption when requested by the police and to ensure intercepted communications are comprehensible.21 Additionally, the Criminal Procedure Code requires providers of public communication networks or services to install interception interfaces and ensure that any encrypted, compressed, or coded data, including traffic and location data, are rendered comprehensible at designated network points.22 The Czech Republic has ratified the European Investigation Order and can request decrypted content from other EU states without further domestic authorization.

Denmark

The Electronic Communications Networks and Services Act  requires service providers to design their products so that both the provider and police can gain access to the flow of transmission and the content of past communications, as well as intercept ongoing communications.23 Denmark has not ratified the European Investigation Order.

Estonia

Estonian criminal law allows law enforcement to compel service providers to produce evidence necessary for investigations, including encrypted content.24 Estonia has ratified the European Investigation Order and can request decrypted content from other EU states without further domestic authorization.

Finland

The 2004 Protection of Privacy in Electronic Communications Act guarantees users the right to protect their communications and identification data using any technical means, including encryption, unless otherwise restricted by law.25 However, the Coercive Measures Act allows authorities to compel third parties to provide passwords or decryption keys when needed to execute a lawful data search, creating a limited framework that enables access to encrypted data with judicial authorization.26 Finland has ratified the European Investigation Order and can request decrypted content from other EU states without further domestic authorization.

France

France adopted measures to ensure access to encrypted messages under judicial authorization for the investigation of a serious crime. There are, however, efforts to push back on this. A law introduced in March 2025 prohibits backdoors of any form in areas of “critical infrastructure.”27 During discussions surrounding another bill aimed at combatting drug trafficking, Parliament did not reach a common consensus on mandatory universal backdoors to encrypted messages.28 France has ratified the European Investigation Order and can request decrypted content from other EU states without further domestic authorization.

Germany

Germany has broad authority to decrypt information. German criminal law allows law enforcement to conduct mass surveillance or access encrypted messages and content if it is related to the ongoing investigation of a serious crime.29   Reacting to a major 2015 cyberattack, the German federal government permitted broad monitoring of messaging services before their encryption.30  Policymakers introduced a statutory right for users to encrypt messages and cloud content, but it was not integrated into the Telecommunications Digital Services Data Protection Act, a key piece of German legislation on digital privacy rights.31 Germany has ratified the European Investigation Order and can request decrypted content from other EU states without further domestic authorization.

Greece

Presidential Decree 47 compels service providers to decrypt communications and stored data if a competent authority requests.32 Providers must produce the decrypted content as ordered or will fall into noncompliance. Greece has ratified the European Investigation Order and can request decrypted content from other EU states without further domestic authorization.

Hungary

The E-Commerce Act orders end-to-end encryption service providers to supply relevant intelligence agencies with the content and metadata of specific encrypted communications.33 Hungary has ratified the European Investigation Order and can request decrypted content from other EU states without further domestic authorization.

India

The Information Technology (IT)  Act gives the central government the authority to prescribe methods of encryption.34 However, the government has yet to consolidate anything on this matter while only announcing a draft law on 2015.35 The Act allows the government to restrict encryption and to intercept, monitor, or decrypt any computerized information. The law mandates that service providers power the government with interception and decryption. Additionally, India has adopted additional provisions that allow the government to trace messages to their originator. The Act allows the government to restrict encryption and to intercept, monitor, or decrypt any computerized information.36

Indonesia

In Indonesia, Ministerial Regulation No. 5 from 2020 requires private electronic system operators to provide law enforcement with access to user traffic data, subscriber information, communication content, and specific personal data with a court order.37 This law can undermine end-to-end encryption by creating backdoors or weakening cryptographic protections to comply with access demands.

Ireland

The Electronic Commerce Act 2000 allows law enforcement to seize electronic information and require it to be rendered intelligible with a search warrant from a district court.38 Separately, the Criminal Justice Act of 2017 allows courts to compel individuals to provide passwords or encryption keys, with noncompliance constituting a criminal offence.39  Ireland has not ratified the European Investigation Order.

Italy

Italy’s Criminal Procedure Code authorizes judges to tap computer and telematic communications,40 while the Electronic Communications Code requires telecom and online operators to maintain interception interfaces and supply any provider-encrypted traffic in clear form under penalty of fines.41 Users themselves are not forced to surrender end-to-end keys. Italy has ratified the European Investigation Order and can request decrypted content from other EU states without further domestic authorization.42

Japan

Japan adopted the Communications Interception for Criminal Investigation Act in 2018, which allows law enforcement to intercept and decrypt encrypted online content with a judge’s authorization.43

Latvia

In Latvia, the Criminal Procedure Law gives courts the authority to seize and examine electronic data, including communications, during investigations.44 Under the Electronic Communications Law, providers must install and maintain interception points that enable state access to communications when ordered by a judge.45 However, the law does not explicitly obligate telecom providers to decrypt data or to break end-to-end encryption. Latvia has ratified the European Investigation Order and can request decrypted content from other EU states without further domestic authorization.42

Liechtenstein

Liechtenstein’s current regulations reflect EU principles on proportionate privacy protection using encryption technologies. Service providers are required to notify the National Cyber Security Unit about security incidents and produce any information necessary to assess and identify cybersecurity risks.46 Law enforcement in Liechtenstein has the power to obtain all information necessary to carry out their duties; however, regulations do not explicitly mention encryption.47

Lithuania

Both the Lithuanian Law on Cyber Security and Law on Electronic Communications compel service providers to give law enforcement the information necessary to prevent and investigate criminal activities.48 Additionally, the latter regulation requires providers to conduct content scans and regularly submit information to “forecast, identify or eliminate threats” to Lithuania.49 Lithuania has ratified the European Investigation Order and can request decrypted content from other EU states without further domestic authorization.

Luxembourg

Individuals are entitled to encrypt data when necessary for the protection of their fundamental rights.50 Regardless of this right, judges can order access to encrypted online services for criminal investigations.51">https://legilux.public.lu/eli/etat/leg/loi/2025/04/04/a125/jo)) The Prime Minister has proposed an amendment to encourage encryption against the risks of cyberattacks.52 Luxembourg has ratified the European Investigation Order and can request decrypted content from other EU states without further domestic authorization.

Malta

Malta’s Electronic Communications Networks and Services Regulations empower the Malta Communications Authority set criteria on intercepting of personal communications.53 Additionally, the Security Service Act authorizes the Security Service to intercept communications in the interest of national security.54 However, the regulations do not restrict encrypted data or obligate the decryption of data in the context of telecom interceptions. Malta has ratified the European Investigation Order and can request decrypted content from other EU states without further domestic authorization.

Mexico

Mexican law does not compel providers or users to decrypt data or surrender encryption keys. The National Code of Criminal Procedure lets prosecutors tap private communications with a judge’s approval or in case of emergency.55 The Federal Telecommunications and Broadcasting Law obliges telecom operators to give authorities stored metadata, real-time geolocation, and any data they can already access. Because neither statute mandates decryption, end-to-end encrypted messages remain beyond mandatory reach; any decoding assistance is voluntary.

Netherlands

The Criminal Procedure Code allows a judge to order someone to decrypt any encrypted data, or provide information on how to do so, in a criminal investigation.56 The Netherlands has ratified the European Investigation Order and can request decrypted content from other EU states without further domestic authorization.

New Zealand

Under the Search and Surveillance Act of 2012, authorities can require individuals to provide the information or assistance needed to access data if it does not compel self-incrimination – this includes decryption.57 Additionally, the Telecommunications Act of 2013 obliges network operators to maintain full interception capability and decrypt communications if they provided the encryption, effectively preventing them from offering true end-to-end encryption.58

Norway

The Criminal Procedure Act empowers courts to compel individuals or entities to provide the information necessary to access computer systems, which may include encrypted data.59 This provision applies when the conditions for a lawful search are satisfied, ensuring that any access complies with constitutional safeguards.

Poland

The Criminal Code requires that law enforcement can access necessary evidence for criminal investigations, including encrypted content, upon court order.60 Additionally, an amendment in 2016 expanded police power to allow automatic downloads of metadata from communications unrelated to any crime.61 Poland has ratified the European Investigation Order and can request decrypted content from other EU states without further domestic authorization.

Portugal

The Cybercrime Law includes provisions that allow judicial authorities to request access to encrypted information and require individuals or service providers to provide encrypted data when technically feasible and legally authorized.62 Portugal has ratified the European Investigation Order and can request decrypted content from other EU states without further domestic authorization.

Romania

The Romanian Penal Code allows law enforcement to obtain encrypted communications with judicial authorization while investigating a serious crime.63 The government intended to transpose the European Electronic Communications Code, which enables the interception of encrypted messages, but the Constitutional Court of Romania overruled this in 2022.64

Romania has ratified the European Investigation Order and can request decrypted content from other EU states without further domestic authorization.

Russia

The Yarovaya Law, enacted in 2016, mandates that Russian telecommunications providers store metadata for three years and the content of communications for six months.65 It also requires service providers using encryption to supply the Federal Security Service (FSB) with the information necessary to decrypt user messages upon request.

Credit: Center for European Policy Analysis
Credit: Center for European Policy Analysis

South Africa

South Africa’s Cybercrimes Act 19 of 2020 allows law enforcement to search any data medium and seize and decrypt data for a criminal investigation with a search warrant or if a person who has lawful authority consents to search and seizure.66 Decryption is performed as needed, and the key must be destroyed after the investigation. Law enforcement can apply for a court order to acquire encrypted data.

South Korea

South Korean law does not empower authorities to directly decrypt communications or force providers or users to surrender encryption keys. The Criminal Procedure Act permits courts to seize stored digital communications, including metadata held by telecom providers,67 while the Protection of Communications Secrets Act authorizes court-approved wiretapping through telecom providers and obliges them to install the necessary interfaces and hand over intercepted content and metadata.68 However, all laws stop short of granting the government authority to mandate decryption.

Spain

Spain reformed its Criminal Procedure Act in 2015. The amendment empowers judicial authorities to request encrypted information from companies and establishes a duty of cooperation, requiring companies to provide encrypted data when technically feasible and legally authorized.69 Spain has ratified the European Investigation Order and can request decrypted content from other EU states without further domestic authorization.

Sweden

Swedish law does not generally require backdoor access to encrypted platforms. Proposed legislation suggests the creation of a “master key” for authorities to access encrypted information if necessary for public interest – but this has garnered strong criticism.70 Sweden has ratified the European Investigation Order and can request decrypted content from other EU states without further domestic authorization.

Switzerland

Swiss law allows authorities to compel service providers to decrypt any data they themselves encrypt. The Federal Act on the Surveillance of Post and Telecommunications requires telecom and internet providers to enable real-time interception, store metadata, and provide both content and access to their systems on request.71 End-to-end encryption applied by users or on behalf of users by providers is not subject to decryption mandates.

Turkey

Under its Electronic Communications Law, Turkey requires network operators to ensure interception capabilities and, where they provide encryption, to decrypt communications upon lawful request.72 The Turkish Criminal Procedure Code allows authorities to compel individuals to provide access to encrypted data as long as it does not infringe upon the right against self-incrimination.73

United Kingdom

The United Kingdom enacted its Investigatory Powers Act in 2016 and Online Safety Act in 2023. The Online Safety Act empowers regulator Ofcom to require service providers to use accredited technology to detect and remove unlawful content, such as that related to child sexual abuse and terrorism, even when shared through end-to-end encrypted services.74 The Investigatory Powers Act states that the secretary of state may require service operators to provide and maintain the capability to remove any electronic protection applied to communications or data.75

United States

No US law mandates providers to create encryption backdoors. The 1994 Communications Assistance for Law Enforcement Act (CALEA) only requires carriers to make networks interception-ready and decrypt traffic if they already control the keys.76 In 2016 the Justice Department tried, and failed, to force Apple—via the All Writs Act—to decrypt the San Bernardino shooter’s iPhone; however, Apple refused. Ultimately, the government withdrew after finding its own workaround.77 Authorities can thus intercept warrant-approved data and metadata, but end-to-end encrypted content remains beyond compulsory reach.

Ronan Murphy is the Director of the Tech Policy Program at the Center for European Policy Analysis (CEPA).

Heather West is a non-resident senior fellow at CEPA and a Senior Director of Cybersecurity and Privacy Services at Venable law firm in Washington. Equipped with degrees in both computer and cognitive science, she focuses on data governance, data security, artificial intelligence, and privacy in the digital age.

Gabriel Rodriguez Leva and Claire Cheng provided research. Gabriel is a student at Columbia University and Claire studies law at the Georgetown University Law Center.

CEPA is a nonpartisan, nonprofit, public policy institution. All opinions expressed are those of the author(s) alone and may not represent those of the institutions they represent or the Center for European Policy Analysis. CEPA maintains a strict intellectual independence policy across all its projects and publications.

Bandwidth is CEPA’s online journal dedicated to advancing transatlantic cooperation on tech policy. All opinions expressed on Bandwidth are those of the author alone and may not represent those of the institutions they represent or the Center for European Policy Analysis. CEPA maintains a strict intellectual independence policy across all its projects and publications.

2025 CEPA Forum Tech & Security Conference

Explore the latest from the conference.

Learn More
Read More From Bandwidth
CEPA’s online journal dedicated to advancing transatlantic cooperation on tech policy.
Read More
  1. “Directive 2014/41/EU of 3 April 2014 Regarding the European Investigation Order in Criminal Matters,” European Judicial Network, April 3, 2014, https://www.ejn-crimjust.europa.eu/ejn/EJN_Library_StatusOfImpByCat.aspx?CategoryId=120. []
  2. “European Electronic Communications Code,” EUR-Lex, December 11, 2018, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=legissum%3A4379983. []
  3. Argentina, Ley No. 19.798 de Telecomunicaciones, accessed July 21, 2025, https://www.argentina.gob.ar/normativa/nacional/ley-19798-31922/actualizacion. []
  4. Galexia, 2016 Country Report: Argentina, accessed July 21, 2025, https://www.galexia.com/public/research/assets/cloud_scorecard_2016/2016_Country_Report_Argentina.pdf. []
  5. Australia, Cybercrime Act 2001 (Cth), accessed July 21, 2025, https://www.legislation.gov.au/C2004A00937/latest/text. []
  6. Australia, Assistance and Access Act 2018 (Cth), accessed July 21, 2025, https://www.homeaffairs.gov.au/about-us/our-portfolios/national-security/lawful-access-telecommunications/assistance-and-access-overview. []
  7. Austria, §§ 160–162 Telekommunikationsgesetz (TKG), accessed July 21, 2025, https://www.ris.bka.gv.at/geltendefassung.wxe?abfrage=bundesnormen&gesetzesnummer=20011678. []
  8. Belgium, Art. 88quater C. instr. crim., accessed July 21, 2025, https://www.ejustice.just.fgov.be/eli/loi/1808/11/17/1808111701/justel#LNK0032. []
  9. Brazil, Constituição da República Federativa do Brasil de 1988, accessed July 21, 2025, https://www.planalto.gov.br/ccivil_03/Constituicao/Constituicao.htm []
  10. Brazil, Supreme Federal Court, ADPF 403, accessed July 21, 2025, https://portal.stf.jus.br/processos/detalhe.asp?incidente=4975500 []
  11. Bulgaria, Personal Data Protection Act ‘amended 2017’, accessed July 21, 2025, https://www.dlapiperdataprotection.com/t=enforcement&c=BG#insight. []
  12. DLA Piper, Data Protection Laws of the World: Bulgaria, accessed July 21, 2025, file:///Users/sofina/Desktop/DLA-Piper-Data-Protection-Laws-of-the-World-Bulgaria.pdf []
  13. Canada, Criminal Code, R.S.C. 1985, c. C-46, ss. 487.014, 487.02, accessed July 21, 2025, https://laws-lois.justice.gc.ca/eng/acts/c-46/ []
  14. Canada, Canadian Charter of Rights and Freedoms, Part I of the Constitution Act, 1982, being Schedule B to the Canada Act 1982 (U.K.), 1982, c. 11, accessed July 21, 2025, https://www.justice.gc.ca/eng/csj-sjc/rfc-dlc/ccrf-ccdl/ []
  15. China, Criminal Code of the People’s Republic of China (1997), accessed July 21, 2025, http://www.npc.gov.cn/zgrdw/npc/xinwen/2016-11/07/content_2001605.htm# []
  16. China, Cryptography Law of the People’s Republic of China (2019), accessed July 21, 2025, http://www.npc.gov.cn/englishnpc/c2759/c23934/202009/t20200929_384279.html []
  17. China, Regulations on Network Data Security Management (2024), accessed July 21, 2025, https://www.gov.cn/zhengce/content/202409/content_6977766.htm?utm.com []
  18. Republic of Croatia, Criminal Procedure Act, Art. 257(1), accessed July 21, 2025, https://www.zakon.hr/z/174/zakon-o-kaznenom-postupku []
  19. Republic of Cyprus, Criminal Procedure Law, CAP. 155, Arts. 25 and 27, accessed July 21, 2025, https://www.cylaw.org/nomoi/arith/CAP155.pdf []
  20. Czech Republic, § 8 TrŘ, Zákon č. 141/1961 Sb., o trestním řízení soudním (Trestní řád), accessed July 21, 2025, https://www.zakonyprolidi.cz/cs/1961-141 []
  21. Czech Republic, § 75 ZoEK, Zákon č. 127/2005 Sb., o elektronických komunikacích, accessed July 21, 2025, https://www.zakonyprolidi.cz/cs/2005-127 []
  22. Czech Republic, Zákon č. 141/1961 Sb., o trestním řízení soudním (Trestní řád), accessed July 21, 2025, https://www.zakonyprolidi.cz/cs/1961-141 []
  23. Denmark, Lov om elektroniske kommunikationsnet og -tjenester, LBK nr. 128 af 7. februar 2014, accessed July 21, 2025, https://www.retsinformation.dk/eli/lta/2014/128) Service providers are also required to produce necessary information for criminal investigation. ((Denmark, Retsplejeloven (Lov om administration af rettergang), LBK nr. 1101 af 7. november 2017, § 804, accessed July 21, 2025, https://www.retsinformation.dk/eli/lta/2017/1101 []
  24. Estonia, § 215 Kriminaalmenetluse seadustik, Riigi Teataja, accessed July 21, 2025, https://www.riigiteataja.ee/akt/106012016019. []
  25. Finland, 516/2004 Laki työaikalain muuttamisesta, § 6, Finlex, accessed July 21, 2025, https://www.finlex.fi/fi/lainsaadanto/saadoskokoelma/2004/516. []
  26. Finland, 806/2011 Laki pakkokeinoista rikosasiassa, 8 luku, § 23, Finlex, accessed July 21, 2025, https://www.finlex.fi/fi/lainsaadanto/2011/806. []
  27. Vie publique, “Projet de loi relatif à la résilience des infrastructures critiques et au renforcement de la cybersécurité,” Vie‑publique.fr, March 13, 2025, accessed July 21, 2025, https://www.vie-publique.fr/loi/295752-projet-de-loi-resilience-infrastructures-critiques-cybersecurite. []
  28. Vie publique, “Projet de loi visant à sortir la France du piège du narcotrafic,” Vie‑publique.fr, June 15, 2025, accessed July 21, 2025, https://www.vie-publique.fr/loi/297230-narcotrafic-proposition-de-loi-sortir-du-piege-du-trafic-de-drogue. []
  29. Germany, § 100a Strafprozeßordnung (StPO), accessed July 21, 2025, https://www.gesetze-im-internet.de/stpo/__100a.html. []
  30. Politico, “German government to spy on encrypted messaging services,” July 20, 2025, accessed July 21, 2025, https://www.politico.eu/article/german-government-to-spy-on-encrypted-messaging-services/. []
  31. Germany, Änderung des Gesetzes über den Datenschutz und den Schutz der Privatsphäre in der Telekommunikation und bei digitalen Diensten (Lobbyregister RV0010901), accessed July 21, 2025, https://www.lobbyregister.bundestag.de/inhalte-der-interessenvertretung/regelungsvorhabensuche/RV0010901/152823. []
  32. Greece, Presidential Decree 47/2005, Article 8, accessed July 21, 2025, https://www.lawspot.gr/nomikes-plirofories/nomothesia/pd-47-2005/arthro-8-proedriko-diatagma-47-2005-ypochreoseis-ton []
  33. Hungary, Act CVIII of 2001 on Electronic Commerce, accessed July 21, 2025, https://net.jogtar.hu/jogszabaly?docid=a0100108.tv []
  34. India, Information Technology Act 2000, accessed July 21, 2025, https://www.indiacode.nic.in/handle/123456789/1999 []
  35. India, Draft National Encryption Policy, accessed July 21, 2025, https://publicintelligence.net/india-draft-encryption-policy/ []
  36. India, Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 (updated April 6, 2023), accessed July 21, 2025, https://www.meity.gov.in/static/uploads/2024/02/Information-Technology-Intermediary-Guidelines-and-Digital-Media-Ethics-Code-Rules-2021-updated-06.04.2023-.pdf []
  37. Republic of Indonesia, Regulation of the Minister of Communication and Informatics No. 5/2020, Art. 36, accessed July 21, 2025, https://peraturan.bpk.go.id/Details/203049/permenkominfo-no-5-tahun-2020 []
  38. Ireland, Electronic Commerce Act 2000, ss. 27–28, accessed July 21, 2025, https://www.irishstatutebook.ie/eli/2000/act/27/enacted/en/index.html. []
  39. Ireland, Criminal Justice (Offences Relating to Information Systems) Act 2017, s. 7, accessed July 21, 2025, https://www.irishstatutebook.ie/eli/2017/act/11/enacted/en/html. []
  40. Global Network Initiative, “Italy,” Global Principles & Rights in Practice, accessed July 21, 2025, https://clfr.globalnetworkinitiative.org/country/italy/ []
  41. Library of Congress, “Italy: Implementation of EU Legislation on Electronic Communications,” Global Legal Monitor, accessed July 21, 2025, https://www.loc.gov/item/global-legal-monitor/2024-05-30/italy-implementation-of-eu-legislation-on-electronic-communications []
  42. EU Innovation Hub, First Report on Encryption, date accessed July 21, 2025, 15, https://www.eurojust.europa.eu/sites/default/files/assets/eu-innovation-hub-first-report-on-encryption.pdf [] []
  43. Japanese Law Translation, Act on Communications Interception for Criminal Investigation, accessed July 21, 2025, https://www.japaneselawtranslation.go.jp/en/laws/view/3857/en []
  44. Wipo, Latvia: Criminal Procedure Act, Section 136, accessed July 21, 2025, https://www.wipo.int/wipolex/en/legislation/details/20920 []
  45. Latvia, Electronic Communications Law Section 19(1)(5), accessed July 21, 2025, https://www.inlatplus.lv/wp-content/uploads/2019/10/3533_Electronic_Communications_Law_.doc.pdf []
  46. Principality of Liechtenstein, Security Law, Art. 4(3)(h), accessed July 21, 2025, https://www.regierung.li/files/attachments/2025111000-csg-en.pdf []
  47. Principality of Liechtenstein, Police Act, Art. 24b, accessed July 21, 2025, https://www.regierung.li/files/attachments/1989-048-17-03-2025-en.pdf []
  48. Seimas of the Republic of Lithuania, Law on Cyber Security, accessed July 21, 2025, https://e-seimas.lrs.lt/portal/legalAct/lt/TAD/ceb0e7b291ad11e8aa33fe8f0fea665f []
  49. Seimas of the Republic of Lithuania, Law on Electronic Communications, accessed July 21, 2025, https://e-seimas.lrs.lt/portal/legalAct/lt/TAD/7d4338f0d89c11ef8658d66412ddcc51 []
  50. Gouvernement du Grand-Duché de Luxembourg, General Individuals’ Right to Encrypt Online Services, accessed July 21, 2025, https://legilux.public.lu/eli/etat/leg/loi/2000/08/14/n8/jo []
  51. Gouvernement du Grand-Duché de Luxembourg, Law of 4 April 2025 implementing Regulation (EU) 2022/2065, accessed July 21, 2025, []
  52. Luxembourg, Proposal 8364, accessed July 21, 2025, https://www.chd.lu/en/dossier/8364 []
  53. Government of Malta, Electronic Communications Networks and Services (General) Regulations, S.L. 399.28, Art. 86(1), accessed July 21, 2025, https://www.mca.org.mt/sites/default/files/pageattachments/SL%20399.28.pdf []
  54. Government of Malta, Security Services Act, Art. 22, accessed July 21, 2025, https://emr-sb.de/wp-content/uploads/2017/01/20170117-Gutachten_Forschungsprojekt-Invodas_INVODAS-Country-Report-Malta_Related-Document-7-Security-Service-Act.pdf []
  55. Mexico, Código Nacional de Procedimientos Penales, Libro Segundo, Título V, Capítulo II, accessed July 21, 2025, https://mexico.justia.com/federales/codigos/codigo-nacional-de-procedimientos-penales/libro-segundo/titulo-v/capitulo-ii/ []
  56. Netherlands, Art. 126nh Wetboek van Strafvordering (Sv.), accessed July 21, 2025, https://wetten.overheid.nl/BWBR0001903/2019-06-01. []
  57. New Zealand, Search and Surveillance Act 2012, s. 130, accessed July 21, 2025, https://www.legislation.govt.nz/act/public/2012/0024/175.0/DLM2136536.html []
  58. New Zealand, Telecommunications Act 2013, s. 9(1), accessed July 21, 2025, https://www.legislation.govt.nz/act/public/2013/0091/latest/DLM5177923.html. []
  59. Norway, Straffeprosessloven, 22. may 1981 nr. 25, § 199a, accessed July 21, 2025, https://legislationline.org/sites/default/files/documents/30/Norway_Criminal_Procedure_Act_1981_am2013_en.pdf. []
  60. Poland, Art. 237 k.p.k., accessed July 21, 2025, https://lexlege.pl/kpk/art-237/. []
  61. Artur Gruszczak, Electronic Surveillance in Poland (University of Texas at Austin, 2023), https://www.researchgate.net/publication/382175670_Electronic_Surveillance_in_Poland. []
  62. Portugal, Lei da Criminalidade Informática, Lei n.º 109/2009 de 15 de setembro, art. 14, Diário da República, accessed July 22, 2025, https://diariodarepublica.pt/dr/detalhe/lei/109-2009-489693. []
  63. Romania, Law on Criminal Procedure (English version, as of 2018), accessed July 21, 2025, https://www.coe.int/en/web/venice-commission/-/cdl-ref-2018-043-e []
  64. Romania, Constitutional Court, Decision No. 295/2022 (May 18, 2022) on the unconstitutionality of general interception powers, accessed July 21, 2025, https://www.ccr.ro/wp-content/uploads/2022/06/Decizie_295_2022.pdf []
  65. Russia, Federal’nyj zakon ot 6 iyulya 2016 g. N 374-FZ “O vnesenii izmenenij v Federal’nyj zakon “O protivodejstvii terrorizmu” i otdel’nye zakonodatel’nye akty Rossijskoj Federacii v chasti ustanovlenija dopolnitel’nyh mer protivodejstvija terrorizmu i obespechenija obshhestvennoj bezopasnosti” // Sobranie zakonodatel’stva Rossiiskoi Federatsii, 2016, N 28, st. 4558, accessed July 22, 2025, https://ru.wikisource.org/wiki/Федеральный_закон_от_06.07.2016_№_374-ФЗ. []
  66. South Africa, Cybercrimes Act 19 of 2020 (English/Afrikaans, as enacted June 1, 2021), accessed July 21, 2025, https://www.gov.za/documents/acts/cybercrimes-act-19-2020-english-afrikaans-01-jun-2021 []
  67. Republic of South Korea, Criminal Procedure Act, Accessed July 22, 2025, https://elaw.klri.re.kr/eng_service/lawView.do?lang=ENG&hseq=22535 []
  68. Republic of Korea, Protection of Communications Secrets Act, 1993; amended 2017, accessed July 22, 2025, https://elaw.klri.re.kr/eng_service/lawView.do?hseq=31731&lang=ENG []
  69. Spain, Art. 588 ter E LECr, BOE-A-1882-6036, accessed July 21, 2025, https://www.boe.es/buscar/act.php?id=BOE-A-1882-6036. []
  70. Dhruv Raghav, “Sweden’s Proposed Law Threatens Encryption Security,” MediaNama, April 11, 2025, https://www.medianama.com/2025/04/223-sweden-encryption-backdoor-law-global-encryption-coalition-warning/. []
  71. Switzerland, Federal Act on the Surveillance of Post and Telecommunications (SPTA), SR 780.1, accessed July 21, 2025, https://www.fedlex.admin.ch/eli/cc/2018/31/en []
  72. Turkey, Electronic Communications Law, Law No. 5809, art. 12(1)(g), 12(5), accessed July 21, 2025, https://tahseen.ae/media/3385/turkey_electronic-communications-law.pdf. []
  73. Turkey, Criminal Procedure Code (CMK), Law No. 5271, art. 134, accessed July 21, 2025, https://sherloc.unodc.org/cld/uploads/res/document/tur/2005/turkish_criminal_procedure_code_html/2014_Criminal_Procedure_Code.pdf. []
  74. United Kingdom, Online Safety Act 2023, c. 50, s. 121, accessed July 21, 2025, https://www.legislation.gov.uk/ukpga/2023/50/enacted. []
  75. United Kingdom, Investigatory Powers Act 2016, c. 25, s. 253, accessed July 21, 2025, https://www.legislation.gov.uk/ukpga/2016/25/section/253/enacted. []
  76. United States, Communications Assistance for Law Enforcement Act (1994), accessed July 29 2025, https://www.congress.gov/103/statute/STATUTE-108/STATUTE-108-Pg4279.pdf []
  77. U.S. Dist. Ct., C.D. Cal., Order Compelling Apple Inc. to Assist Agents in Search, accessed July 29 2025, https://law.justia.com/cases/federal/district-courts/new-york/nyedce/1:2015mc01902/376325/29/ []