Brussels, 08 February 2023
WK 1901/2023 INIT
LIMITE
JAI
FREMP
ENFOPOL
TELECOM
CRIMORG
COMPET
IXIM
MI
DATAPROTECT
CONSOM
CYBER
DIGIT
COPEN
CODEC
This is a paper intended for a specific community of recipients. Handling and
further distribution are under the sole responsibility of community members.
MEETING DOCUMENT
From: General Secretariat of the Council
To: Law Enforcement Working Party (Police)
Subject: Proposal for a Regulation of the European Parliament and of the Council laying down rules to prevent and combat child sexual abuse - Diagrams
Delegations will find attached diagrams depicting the functioning of key provisions of the proposal,
prepared by the Commission services.
Risk assessment,
mitigation and reporting*
Assess risk of CSA
Companies
Propose mitigating
(A3)
measures
Report on risk assessment
Assist upon request
EU Centre
and measures
(A5)
Review reports, assess
MS Coordinating
proposed measures
Authorities
(A5)
Determine need to trigger
detection order process
* The Commission, in cooperation with Coordinating Authorities and the EU Centre, will issue guidelines for companies and authorities on how to assess risk
and how to review reports
Process for CSA detection
Detection order
Implementation Plan
issued by judicial
by the provider
Comments
authority to start
Removal Orders
by the provider
(including data
in min 3 months*
(if needed)
Risk assessment
issued by judicial authority
and the EU centre
protection impact
providers submit
on request by Coordinating
(4 weeks)
assessment
a risk assessment
Reporting
Authorities, providers to
if for solicitation)
by providers to
to Coordinating
+ DPA opinion
remove within 24 hours*
the EU centre
Authority
Check
Detection
Mitigation
by the competent
by providers
providers implement
Check reports
Check and
authority
using identifiers and
measures to limit
Renewed check
by EU centre:
classifiers from the
the risk
draft request
by competent
stop false positives
for detection
EU centre
authority
and forward
order by
confirmed reports
Coordinating
to law enforcement
Authority
* Appeal/redress possibilities
DETECTION OF CSA
Detection
order
Users
Hotlines
Other
Victims
Service provider
Becomes aware of
possible CSA
Notify for removal
(A48&49)
Report (A12&13)
EU Centre
Reporting obligations
Assess reports and submit
when needed (A43)
Law enforcement
Removal obligations
inform
judicial or independent
Coordinating Authority
Removal /
administrative authority
requests issue of a
Service providers
disabling content
issues a removal order
removal order* (A14(1))
(A14(3))
(A14&15)
Hotlines
EU Centre
inform
Inform CA if no removal
Conducts proactive searches to inform CA (A49):
by service provider after
• If removal not done (existing orders)
being notified by hotline
• If CSAM is hosted and the provider has not removed it
(R69&71)
after Centre notified it
* The Commission, in cooperation with Coordinating Authorities and the EU Centre, will issue guidelines on assessing the need for a removal order
Blocking obligations
Coordinating Authority (CA) preparation* (A16)
• Verifies the list of uniform resource locators
• Asks SP for information on attempted access, SP policy and SP capabilities, requests information from any other relevant national authorities/experts.
EU Centre (A16&43)
• Works with CA to verify the list of uniform resource locators
• Provides CA with information on accuracy of resource locators, quantity and nature of content, verification by Centre and audits
CA informs service provider (SP) of intention to issue blocking order (A16)
SP comments / additional information (A16)
CA requests issuing of blocking order (A16&17)
Judicial / Independent MS authority issues blocking order (A16-18)
CA assesses any changes that could lead to modification / revoking of the order (at least 1/year) (A16&18)
Obligations on software application stores (app stores)
• Assess risk of grooming for apps¹ (A6(1)(a))
• Identify child users (age verification)² (A6(1)(c))
• Prevent child users from accessing apps for which significant risk was identified (A6(1)(b))
• Make information on the measures publicly available (A6(3))
If possible, in cooperation with app providers
¹ The Commission, in cooperation with Coordinating Authorities and the EU Centre, will issue guidelines for companies and authorities on how to assess risk and how to review reports (A6(4))
² See the proposed action, under the new European strategy for a better internet for kids (BIK+), COM(2022) 212, to “encourage and facilitate the design of a comprehensive EU code of conduct on age appropriate design building on the framework provided in the DSA, by 2024”
Transmits received
Victim of CSA
results to the victim /
residing
appointed entity
in the EU
1
Requests to receive information
when the known material
depicting them is reported
to the EU Centre
Coordinating
Victims’ rights
Coordinating
Authority in MS where
ARTICLE 20 VICTIMS’
Authority in MS where
the victim resides
4
RIGHT TO INFORMATION
the victim resides
2
Shares information
Transmits the
when relevant
EU Centre
request to the EU
material is reported
3
Centre
Transmits received
Victim of CSA
results to the victim /
residing
appointed entity
in the EU
1
Requests assistance in having
material depicting them
removed by providers
May request
Coordinating
Victims’ rights
Coordinating
the issuance
Authority in MS where
ARTICLE 21 VICTIMS’ RIGHT
of a removal
Authority in MS where
order
the victim resides
4
OF ASSISTANCE AND SUPPORT
the victim resides
2
FOR REMOVAL
Informs of the
Transmits the
presence of relevant
EU Centre
request to the EU
material
3
Centre
- Supports in requesting provider’s assistance
- Verifies whether material is removed/disabled (proactive searches)
- Notifies material to the provider, requesting removal/disabling
Service provider
Coordinating Authorities (CAs):
Role, Requirements and Powers
Requests, reviews and validates (updated) risk assessment reports
Risk assessment
EU Centre
CA can request additional information related to risk and mitigating
consultation
measures from the provider (A5)
EU Centre and
Detection order: requests
DPA feedback
CA can proactively
Submits confirmed* CSA to
Detection
Input to
issuance/modification/
search for known or
the EU Centre to update
revoking of orders (A6, 7)
Request to
EU Centre
new CSA (A31, 32)
the database of indicators (A36)
judicial authority
Reporting
Reports any known or new CSA
it finds to the EU Centre
Removal/blocking
orders: requests issuance/
EU Centre and DPA feedback
Transmits a copy of orders to other
modification/ revoking (A14)
Request to judicial authority
CAs and the EU Centre (A14)
CA can use its investigative powers to verify if a provider complies
Compliance
with a detection /removal / blocking order (A31, 32)
Possible EU Centre
with orders
Can impose penalties on providers that do not comply with received orders
consultation
(fines, periodic penalty payment, restriction of access to a service) (A28, 29)
*specific items of material and transcripts of conversations that Coordinating Authorities or that the competent judicial authorities or other independent administrative authorities of
a Member State have identified, after a diligent assessment, as constituting child sexual abuse material or the solicitation of children, or exact uniform resource locators indicating
such specific items of material.
Coordinating Authorities (CAs):
role, requirements and powers
REQUIREMENTS FOR THE CA (A26)
Qualifications, experience and technical skills
Duty of professional secrecy
Independence
• legally and functionally independent from any other public authority
• status enabling them to objectively and impartially carry out their tasks
• not charged with tasks relating to the prevention or combating of child sexual abuse, other than their tasks under the Regulation
• free from any external influence, whether direct or indirect
• neither seek nor take instructions from any other public authority or any private party
TASKS OF THE
EU center
Risk Assessment
Detection
Reporting
Removal / Blocking
SERVICE PROVIDERS SPs
COORDINATING AUTHORITIES
SERVICE PROVIDERS SPs
COORDINATING AUTHORITIES CAs
analysis of anonymised data
CAs
maintain and operate the database of
respond to requests of CAs on
samples, upon request (A43)
provide the opinions on intended
reports (A43)
intended blocking orders, (A43) verify
detection orders (A43)
that removal orders have been
EU COMMISSION
LAW ENFORCEMENT
executed (proactive searches) (A43,
support the Commission in preparation
SERVICE PROVIDERS SPS
assess and, if necessary, forward reports
49)
of the guidelines (A43)
operate the databases of indicators,
and provide feedback on their quality,
give providers that received a detection
maintain the database of reports (A43)
VICTIMS
order access to the databases of
EUROPOL
provide information and support to
indicators (44,46), make detection
Forward reports for enrichment (A48),
victims regarding removal or blocking
technologies available to providers A10,
give Europol access to database of
of content that depicts them (A21)
50)
reports (A46)
Cooperation and communication
Knowledge sharing
COORDINATING AUTHORITIES CAS
LAW ENFORCEMENT
maintain an online register listing CAs’ contacts (A43) operate the system(s) for communication between relevant actors
provide assistance to the CAs on cooperation with other relevant bodies provide information to CAs relevant for their tasks
collect information based on anonymised and non-personal data, provide
expertise on prevention and combating of online CSA (A43)
SERVICE PROVIDERS SPS
operate the system(s) for communication between relevant actors maintain up-to-date records of contact points and
EUROPOL
legal representatives of relevant SPs
Collect and provide information based on anonymised and non-personal data,
provide expertise on prevention and combating of online CSA (A43)
EUROPOL
Establish channels of cooperation, conclude memorandum of understanding (A53), operate the system(s) for communication between relevant actors, provide each other with the fullest possible access to relevant information (A46)
VICTIMS
support research and expertise on assistance to victims, support
VICTIMS
evidence-based policy (A43)
provide information to victims if content that depicts them is detected (A20
EU COMMISSION
PROFESSIONALS AND PRACTITIONERS E.G. SOCIAL/HEALTH SERVICES
assist in tasks related to the cooperation mechanism among CAs operate the system(s) for communication between
Collect and provide information based on anonymised and non-personal data,
relevant actors assist in the preparation of legal acts and guidelines (A43)
provide expertise on prevention and combating of online CSA support research
and expertise, support evidence-based policy (A43)
PROFESSIONALS AND PRACTITIONERS E.G. SOCIAL/HEALTH SERVICES
Establish channels of cooperation, if relevant conclude memoranda of understanding, exchange best practices and
NGOS HOTLINES, CENTRES/SIMILAR BODIES GLOBALLY NCMEC ETC,
lessons learned (A54)
provide expertise on prevention and combating of online CSA, support
NGOS HOTLINES, CENTRES/SIMILAR BODIES GLOBALLY NCMEC ETC
research and expertise, support evidence-based policy (A43)
Establish channels of cooperation, if relevant conclude memoranda of understanding and lessons learned (A54)
EU center
ORGANISATION
Executive Director
Management
Technology
Executive Director
&
Europol
Board
Committee (A66)
&
EU Centre (A64-65)
Directorates
Executive Board (A61-63)
Management
Operations, Governance and Capabilities Directorate
Budget & daily management
Board (A55-60)
Corporate Affairs Bureau
Operational Departments
Executive Director office and Corporate Communications
Detection and reporting, Prevention and Victim assistance
Shared services (A53)
Finance,
IT-Cybersecurity
procurement
HR
Legal
Internal & external
(excluding infrastructure
and travel
communication, events
related to CSA reports)
Relations EU Centre – Europol – Coordinating Authorities
flow of CSA reports and information
• Provide Indicators (A44,46)
• Feedback on quality of reports (A48)
• Removal request on behalf of victim (A21)
Europol
Filtered Reports of suspected
Service
Reports of suspected
Enriched Reports
CSA (A12&13)
CSA (A43, 48)
of suspected CSA (A48)
providers (SP)
EU Centre
EU law
enforcement
• Detection order (A7,8)
Report outcome of
agencies
• Removal (A14)/ blocking orders (A16-18)
the referrals (A43)
• Opinion on risk assessment
reports, proposed orders
• Input for indicators (A36)
• Technical expertise (A43)
• Inform about plans to issue detection /removal order
• Report non-compliance
• Share final orders (A6,7)
with removal order by SPs
• Report CSA content identified resulting from searches (A31)
• Report content from proactive
Risk assessment
search (A49)
report (A3-6)
MS judicial
authority
Reports flow
MS Coordinating Authority
Other information flows