This is not about iCloud and iMessage scanning (which would happen on Apple's servers on content stored there); these new CSAM scans are triggered directly on the device. And that is what under GDPR rules would not be legal in the EU.
BTW, iMessage content and iCloud photos are not end-to-end encrypted. There are voices who surmise the introduction of on-device scanning might be a precursor to Apple offering end-to-end encryption on iCloud in the future, but that hasn't been confirmed.
I've found this article a very good overview of all this:
https://educatedguesswork.org/posts/apple-csam-intro/. It's not too technical, but very thorough.