End-to-end encryption is moving beyond consumer messaging applications and into the enterprise. The ratification of the IETF Messaging Layer Security (MLS) standard, combined with interoperability mandates under the EU Digital Markets Act and growing demand for secure business communications, is driving a fundamental shift in how organizations approach encrypted messaging.
MLS becomes official
The Internet Engineering Task Force formally ratified RFC 9420 (Messaging Layer Security) as a Proposed Standard on July 19, 2023, culminating years of development.
Development history
| Date | Milestone |
|---|---|
| 2016 | Initial concept discussed at IETF 96 (Berlin) |
| 2016-2023 | ~5 years of development (similar to TLS 1.3) |
| July 19, 2023 | RFC 9420 published |
| 2024-2026 | Enterprise adoption accelerates |
Contributors
| Organization | Role |
|---|---|
| Cisco | Protocol development |
| Meta | Protocol development |
| Google | Protocol development |
| Mozilla | Protocol development |
| Wire | Protocol development, reference implementation |
MLS vs. Signal Protocol
| Attribute | Signal Protocol | MLS |
|---|---|---|
| Primary use | 1:1 and small groups | Groups up to 50,000 |
| Scalability | Limited for large groups | Designed for scale |
| Member management | Less efficient | Efficient add/remove |
| Standardization | De facto standard | IETF standard (RFC 9420) |
| Forward secrecy | Yes | Yes |
| Post-compromise security | Yes | Yes |
“MLS is not a replacement for the Signal Protocol. It builds on the same cryptographic foundations but solves the group messaging scalability problem that has been a barrier to enterprise adoption of end-to-end encryption.”
— Raphael Robert, IETF MLS working group co-chair
Key MLS capabilities
| Feature | Benefit |
|---|---|
| Efficient group management | Add/remove members without full rekey |
| 50,000+ participant support | Enterprise-scale groups |
| Asynchronous operation | Works with offline members |
| Multiple device support | Consistent across user devices |
| Reference implementation | Rust, permissive license |
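The "without full rekey" row follows from MLS arranging members as leaves of a binary ratchet tree: a member refreshing keys encrypts new secrets only to the siblings along its path to the root (its copath), not to every other member. The Python sketch below is an added example, not code from this article or from any MLS implementation; it follows the array-based tree indexing described in RFC 9420, Appendix C, and compares that cost with encrypting to each member individually. The function names are this example's own, and it assumes a fully populated tree with no blank nodes, so each copath node costs exactly one public-key encryption.

```python
# Added example: array-based tree indexing in the style of RFC 9420, Appendix C.
# Leaves sit at even node indices, parent nodes at odd indices.

def level(x):
    """Height of node x above the leaves (a leaf is level 0)."""
    k = 0
    while (x >> k) & 1:
        k += 1
    return k

def tree_leaves(members):
    """Assumption: smallest power-of-two leaf count that holds `members`."""
    return 1 << (members - 1).bit_length()

def parent(x):
    """Parent of x; callers must not pass the root."""
    k = level(x)
    b = (x >> (k + 1)) & 1
    return (x | (1 << k)) ^ (b << (k + 1))

def sibling(x):
    p = parent(x)
    k = level(p)
    # x < p means x is the left child, so its sibling is the right child.
    return p ^ (3 << (k - 1)) if x < p else p ^ (1 << (k - 1))

def direct_path(leaf_index, n_leaves):
    """Nodes from the leaf's parent up to the root (index n_leaves - 1)."""
    x, path = 2 * leaf_index, []
    while x != n_leaves - 1:
        x = parent(x)
        path.append(x)
    return path

def copath(leaf_index, n_leaves):
    """Siblings of the leaf and of each direct-path node below the root."""
    path = direct_path(leaf_index, n_leaves)
    if not path:          # single-member group: nothing to encrypt to
        return []
    return [sibling(x) for x in [2 * leaf_index] + path[:-1]]

def rekey_cost(members, leaf_index):
    """(tree-based, per-member) public-key encryptions for one key refresh."""
    n = tree_leaves(members)
    return len(copath(leaf_index, n)), members - 1

if __name__ == "__main__":
    for m in (8, 1000, 50_000):  # constructed group sizes
        print(m, rekey_cost(m, m - 1))
```
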
Enterprise adoption
Current implementations
| Platform | Status |
|---|---|
| Cisco Webex | MLS implementation announced (January 2026) |
| Wire | Contributing since early drafts |
| Matrix/Element | Migration to MLS underway |
| RingCentral | Early MLS integration |
| Google Workspace | MLS under evaluation |
RCS and mobile messaging
| Date | Development |
|---|---|
| March 2025 | GSMA announces Universal Profile 3.0 with MLS support |
| March 2025 | Apple announces RCS support with MLS in Apple Messages |
| 2024-2026 | Google Messages hybrid key exchange experiments |
EU Digital Markets Act mandates
The EU DMA designated several large messaging platforms as “gatekeepers” in September 2023, requiring interoperability:
Timeline
| Deadline | Requirement |
|---|---|
| March 2024 | Basic 1:1 text interoperability |
| 2027 | Group messaging interoperability |

| Platform | Company | Status |
|---|---|---|
| WhatsApp | Meta | Interoperability spec published (late 2025) |
| Messenger | Meta | Interoperability spec published (late 2025) |
| iMessage | Apple | Specification expected mid-2026 |
Technical challenges
| Challenge | Concern |
|---|---|
| Key management differences | Platform-specific approaches |
| Trust model variations | Different verification methods |
| Metadata handling | Privacy implications |
| Implementation quality | Security depends on correct implementation |
“Interoperability is a policy goal, not a technical one. The question is whether it can be achieved without creating new attack surfaces.”
— Matthew Green, Johns Hopkins University
Enterprise demand drivers
451 Research survey (Q4 2025):
| Metric | 2023 | 2025 |
|---|---|---|
| Enterprises evaluating/deployed E2EE | 29% | 48% |
Driving factors
| Factor | Driver |
|---|---|
| State-sponsored surveillance | Volt Typhoon, APT campaigns targeting corporate networks |
| IP theft concerns | Board-level awareness of communication risks |
| Regulatory pressure | Financial, healthcare, legal sector requirements |
| Executive targeting | Phone hacking incidents affecting corporate leaders |

| Platform | E2EE Status |
|---|---|
| Slack | E2EE pilot for Enterprise Grid DMs |
| Microsoft Teams | E2EE for group calls (up to 50 participants) |
| Teams chat | E2EE not available |
| Webex | MLS implementation |
| Wire | E2EE-native |
Encryption vs. compliance tension
E2EE in enterprise environments creates a direct conflict with regulatory requirements:
Affected industries
| Sector | Requirement |
|---|---|
| Financial services | SEC/FINRA message retention and supervisory review |
| Healthcare | HIPAA audit trails for PHI communications |
| Legal | Attorney-client privilege documentation |
| Government | Records retention laws |
The fundamental conflict
| E2EE design | Compliance requirement |
|---|---|
| Platform cannot access content | Platform must archive content |
| Only endpoints can decrypt | Regulators must be able to review |
| No server-side copies | Retention policies mandate copies |
Client-side archiving solutions
| Vendor | Approach |
|---|---|
| Smarsh | Client-level capture before encryption |
| Global Relay | Endpoint archiving integration |
| Theta Lake | Compliance-ready archive storage |
Security purist concern
“There is an inherent contradiction between the promise of end-to-end encryption and the requirement to retain and produce message content for regulators. Organizations need to be honest with their users about which promise they are actually keeping.”
— Philip Zimmermann, PGP creator
Client-side archiving creates an additional plaintext copy, fundamentally undermining E2EE security guarantees.
Post-quantum cryptography research
| Development | Status |
|---|---|
| PQC for MLS | IETF Internet-Draft prepared |
| Research | Ongoing integration work |
| Timeline | Future MLS versions |
Evaluation criteria
Security teams evaluating encrypted messaging platforms should consider:
Key management
| Question | Consideration |
|---|---|
| Who controls keys? | Platform, organization, or individual users |
| Recovery mechanisms | What happens if keys are lost |
| Key rotation | How frequently keys change |
Compliance integration
| Question | Consideration |
|---|---|
| Archiving support | Client-side capture capability |
| Supervisory review | Workflow for compliance review |
| Regulatory alignment | Specific industry requirements |
Interoperability
| Question | Consideration |
|---|---|
| External communication | Can you securely message outside the platform |
| Protocol standards | MLS, Signal Protocol, proprietary |
| Federation | Cross-platform messaging capability |

| Question | Consideration |
|---|---|
| Content protection | Message bodies encrypted |
| Metadata protection | Sender, recipient, timing, group membership |
| Traffic analysis | Can patterns reveal information |
Signal Foundation perspective
Signal President Meredith Whittaker:
“Encryption is not a spectrum. Either the provider cannot read your messages, or they can. The details matter enormously.”
The Signal Foundation welcomes broader E2EE adoption while cautioning against implementations that compromise security for convenience.
Recommendations
For security teams
| Priority | Action |
|---|---|
| Inventory | Catalog current messaging platforms and security properties |
| Requirements | Define encryption and compliance requirements |
| Evaluation | Assess MLS-enabled platforms against requirements |
| Testing | Pilot E2EE messaging with security-conscious teams |
For compliance teams
| Priority | Action |
|---|---|
| Understand trade-offs | E2EE vs. archiving implications |
| Evaluate solutions | Client-side archiving vendors |
| Document decisions | Justify approach to regulators |
| User communication | Be transparent about actual protections |
For IT leadership
| Priority | Action |
|---|---|
| Strategic planning | E2EE as default expectation (3-5 year horizon) |
| Vendor engagement | Understand platform E2EE roadmaps |
| Policy development | Guidelines for encrypted communication use |
Context
The convergence of MLS standardization, DMA interoperability mandates, and enterprise security requirements suggests that end-to-end encrypted messaging will become a default expectation for business communications within the next several years.
The technical foundations are now in place—MLS provides scalable group encryption, and major platforms are implementing or evaluating the standard. The remaining challenges are primarily organizational (balancing security with compliance) and regulatory (resolving the encryption-access tension).
For enterprises, the question is no longer whether to adopt E2EE, but how to implement it in a way that satisfies both security requirements and regulatory obligations. The answer may require accepting that perfect security and perfect compliance are mutually exclusive—and making deliberate choices about which compromises are acceptable.