Encryption at Risk? Experts Sound Alarm Over EU’s New Data Access Plan

• EU’s 2030 roadmap proposes lawful access to encrypted data for law enforcement agencies.
• Experts concern for EU's plan shows how encryption backdoors create systemic vulnerabilities and security risks.
• VPN and cybersecurity leaders urge stronger encryption, not weakened access, to ensure digital safety.

Leading VPN and cybersecurity voices have responded strongly to the European Commission's most recent roadmap under the ProtectEU plan, which has sparked new discussion in the tech industry. The proposal, which was unveiled on June 24, describes how law enforcement organizations around the EU will be able to lawfully access encrypted data by 2030.

As the European Commission moves forward with its encryption-access roadmap, TechNadu reached out to industry experts who voiced deep concerns about its impact on digital security. Let's have a look at what they had to say.

A Roadmap with Big Goals

Data retention, legitimate interception, digital forensics, decryption technologies, standardization of security standards, and AI-powered tools to process digital evidence are the six primary focal areas of the EU's new plan. The approach, according to the Commission, is to address the increasing use of VPNs and encrypted platforms by criminals and to fill in investigative gaps.

But the roadmap's centerpiece, creating a system for lawful decryption, has become its most controversial element. Critics say that even with good intentions, such a move could undermine cybersecurity for everyone.

NordVPN: “Encryption Either Works for Everyone, or It Doesn’t”

NordVPN, a global privacy and VPN provider, pushed back hard against the assumption that a “balanced” approach to encryption is possible. They told TechNadu;

“The premise of your question contains a dangerous assumption that needs correcting immediately. Governments cannot maintain meaningful national security by weakening the very encryption that protects their citizens, businesses, and critical infrastructure,” the statement read.

NordVPN argued that once encryption is weakened for any purpose, even for law enforcement, it becomes vulnerable to exploitation by malicious actors, including foreign state-sponsored hackers. The company pointed out the contradiction between the EU’s desire for stronger cybersecurity through legislation like the Cyber Resilience Act and its simultaneous push to create backdoors in encryption systems.

“There is no technical 'lawful access' to end-to-end encrypted messages or encrypted data that preserves both security and privacy,” NordVPN said.

The company added that any mechanism to decrypt user data would require infrastructure that can itself be attacked, including authentication systems and key management, turning secure systems into new targets.

Point Wild: “Risk Without Proportionate Gain”

Dr. Zulfikar Ramzan, Chief Technology Officer at Point Wild, also voiced concern, stating that the history of so-called “exceptional access” to encrypted data is fraught with risk.

“While we support the broader goal of aiding law enforcement in preventing and investigating crime, we remain deeply concerned about proposals that would mandate 'exceptional access' to encrypted data,” Ramzan said.

He warned that the technical and legal complexity of managing backdoor access, especially across different jurisdictions, makes such systems difficult to secure and easy to misuse.

Ramzan also highlighted the potential unintended consequences of the plan on VPN providers. He quoted, "We also worry that scrutiny of VPN providers under this roadmap could undermine core privacy protections, such as no-log policies. If VPN services are compelled to retain metadata or user activity, it could not only erode user trust but also lead providers to exit the EU market altogether—ultimately reducing access to privacy-preserving tools for millions." All in all, the EU's move has been criticized by Point Wild.

“Law enforcement has access to vast troves of information through existing means. The push for exceptional access adds unnecessary risk without a proportionate increase in safety,” he concluded.

Sectigo: “A Logical Fallacy”

Jason Soroko, Senior Fellow at digital certificate authority Sectigo, described the EU’s proposal as an example of what security professionals call the "Exceptional Access" or "NOBUS" fallacy — short for "Nobody But Us."

“It assumes engineers can embed a weakness that is usable solely by trusted authorities while remaining invisible to everyone else. Cryptographic history shows that any such backdoor expands the attack surface and its keys or methods will leak or be reverse engineered, so unique access cannot be guaranteed.” Soroko said.

He emphasized that weakening encryption doesn’t just affect criminals, it puts all commercial and personal data at greater risk. Past efforts, from the 1990s Clipper Chip in the U.S. to the UK’s recent attempts to mandate backdoors, have consistently failed or been abandoned.

“Introducing a golden key erodes trust in digital platforms, imposes new liability for inevitable breaches, and pushes users toward unregulated shadow networks instead of the regulated services lawmakers hope to monitor,” Soroko noted.

Deepwatch: “There Are Better Ways”

Shane McGee, General Counsel and Chief Privacy Officer at cybersecurity company Deepwatch, took a similar stance. While he acknowledged the goal of helping law enforcement investigate serious crime, he questioned the effectiveness and safety of building government access into encrypted systems.

“Point-to-point encryption is secure because, when implemented correctly, it limits access to a sender and a recipient, leaving no way for a party that intercepts the encrypted transmission to access the unencrypted data. The EU’s proposal would destroy the point-to-point nature of those communications, and require providers such as Apple, Google, and other communications services to make themselves a middleman in those communications, allowing them to intercept, unencrypt, and provide to law enforcement the otherwise private communications,” McGee said.

He outlined several risks: encryption could be compromised technically; access keys could be lost or stolen; and the cost of building secure, compliant infrastructure could be extremely high. “Most importantly, laws like these are destined to be ineffective,” he said. “Criminals are already using secure tools based in encryption-friendly jurisdictions. They’ll simply move further underground.”

McGee cited the FBI’s experience with the 2015 San Bernardino case, where authorities ultimately accessed encrypted data without help from Apple. He said this example shows there are existing technical methods that don’t require weakening encryption for all users.

A Tense Path Forward

With vocal and unified concerns from experts regarding EU's plan, the path to a workable compromise remains unclear. Privacy advocates argue that encryption is not an obstacle to justice, it is a critical part of digital safety. Any attempt to weaken it, they say, risks turning a shield into a weapon.

As 2030 approaches, the EU will need to address one of the digital age’s biggest dilemmas: how to protect people without breaking the systems that keep them safe.