Digital Front Lines

With authoritarianism on the rise around the globe, the resilience of democracies has been put to the test in an unprecedented way. At the center of this threat is the use and trade of spyware, a dangerous weapon in the hands of autocrats and those who strive to become them.

The use of intrusive spyware to quash dissent, intimidate the opposition, and undermine pluralism not only harms individuals who are targeted but also constitutes a full-scale attack on the foundations of democracy. Spyware is not merely a technical issue but also a political one. 

Following the 2021 revelations in the Pegasus Project—which proved that the hacking tool Pegasus was used to spy on journalists, politicians, activists, and others around the world by clients of the Israeli firm NSO Group—the European Parliament formed an inquiry committee to further investigate Pegasus and similar spyware being used by governments both authoritarian and democratic. In 2023, the PEGA inquiry committee delivered its findings and recommendations.

It may not be surprising that spyware is used by dictators and corrupt regimes, but they are not its only clients. Several member-state governments in the European Union have been unable to resist the temptation to use it against their critics and opponents: As reported in the PEGA findings, in at least four member states—Poland, Hungary, Greece, and Spain—there has been illegitimate use of spyware; there are also suspicions about its use in Cyprus. Several member states facilitate the illicit export of spyware, as export and marketing licenses for spyware serve as high-value currency in international relations. Others are home to spyware companies and offer them favorable tax arrangements, fast-track citizenship, or discreet banking services. In Prague, there is a big annual spyware fair—nicknamed the Wiretappers’ Ball—for which the NSO Group has been a main sponsor in recent years.

In its inquiry across the European Union, PEGA received little input from national authorities about the acquisition and use of spyware in their states. Some member states that have deployed spyware invoked national security in refusing to comment.

Whereas all governments publicly denounce the abuse of spyware, they keep a collective and concerted silence about its use in EU member states. And it is likely that they will stay silent unless the European Commission demands more. While the European Parliament adopted recommendations calling on the Commission to more tightly regulate the use, manufacture, and trade of spyware; enforce existing laws more strictly; and come up with a clear definition of “national security,” the Commission, anxious to keep warm relations with the national governments, has argued that it is for the member-state authorities themselves to ensure compliance with EU laws and standards.

But if those very national authorities are the perpetrators, they are not likely to discipline themselves, and the targets of spyware will be left to fend for themselves without any meaningful legal remedy. So far, there have been no convictions in court over the use of spyware by governments in the EU. The majority of cases cannot even be brought to court as it is exceedingly difficult for victims to provide proof that they have been targeted by spyware, not least because they have no access to their own files, which are in the hands of the very authorities who spied on them.

The argument that the EU has no formal powers to act does not hold water, as is clearly demonstrated by the findings in PEGA’s report. It is not the powers that are lacking but the political will, and many politicians have been invoking “national security” as an all-purpose justification to hide their spyware operations, including illegal ones. As Parliament recommended, the notion of “national security” needs to be defined. Without a legal definition, each government can decide unilaterally on the limits to a space where normal law and conventions do not apply. That is an open invitation for abuse.

Parliament’s recommendation of strict rules and safeguards for the use of spyware would allow it only in very narrowly defined cases. Parliament also demands that existing legal tools, like privacy rules or the rules on exports of dual-use items, be strictly enforced, not just recommended. The market for spyware, including the trade in vulnerabilities, has to be subject to strict regulation as well. This and much more can be done immediately if the political will is there, but it has not been.

In practice, there has been complete impunity for the abuse of spyware in the European Union. Even spyware attacks on members of the European Parliament, including its president, have been swept under the carpet. It is true that several EU member states have signed up to international initiatives such as the Pall Mall Process for voluntary regulation of spyware, but they categorically reject binding EU legislation.

It is a mistake to believe that European democracy is indestructible. The abuse of spyware for political purposes is not just a hypothetical risk—it is actively taking place, as the PEGA inquiry committee’s work lays out. Those findings—and the recommendations formed from them—have not resulted in binding action from the European Commission or EU member states. If PEGA’s warnings are ignored, spyware abuses will only continue to grow, and not just in autocracies.


Sophie in’t Veld is a former Dutch member of the European Parliament (2004–2024) and was the rapporteur for the PEGA committee investigating the use of spyware. She was a deputy leader of the Liberal group in Parliament and its spokesperson on civil liberties, justice, and home affairs. In’t Veld also chaired the European Parliament Monitoring Group on the Rule of Law, Democracy and Fundamental Rights for six years. She spearheaded Parliament’s initiative for the EU Annual Rule of Law Report and was part of the negotiating team for the Migration Pact.