The proximate goal they're trying to achieve is mostly irrelevant when compared to the broader technical goal. That goal is to force all messaging systems to re-architect so they include a "bump on the wire" that hosts a scanning mechanism sophisticated enough to recognize novel (unknown) image content. This implicitly requires re-architecting these systems to contain neural-network image classifiers that operate over a model that's kept secret (to the user/client.) Everything else is sort of irrelevant compared to the implications of this new architecture.

The "good news" for now is that the systems deployed in this model won't classify text, only images and URLs. The bad news is that the current draft explicitly allows that question to be reviewed in the future. And of course, once you've re-architected every E2EE system to make image scanning possible, most of the damage to cybersecurity is likely already done; a year or two down the road, text scanning will probably be viewed as a modest and common-sense upgrade. I expect that folks who object to text scanning on cybersecurity grounds will be informed that the risks are already "baked in" to the image-scanning model, and so there's no real harm in adding text scanning.

Leaving aside the privacy issues, this is basically an existential national security risk for Europe. It's amazing to me that they're walking right into it.