European Union flags against a blue sky, the institutional backdrop for the joint civil-society demand for a Commission-level investigation of the Pegasus hit on a PEGA Committee member
Photo via Unsplash

Today in Surveillance:

  • Amnesty Security Lab and CDT Europe are demanding the European Commission investigate the Pegasus infection of former PEGA member Stelios Kouloglou. In a joint statement on July 6, 2026 the two civil-liberties groups called on the Commission's Directorate-General for Information Technologies and Cybersecurity (DG ITEC) to take point on the case, to publicly respond to the PEGA Committee recommendations the Parliament adopted in May 2023, to guarantee remedies for EU spyware victims, and to reform the 2021 Dual-Use Regulation [1][2].
  • Citizen Lab Report 194, published July 3, 2026, confirms Kouloglou was infected with Pegasus twice while sitting on PEGA. The forensic timeline puts the first infection on October 21, 2022 in Greece, the second across March 6 to 7, 2023 in Belgium. The infections span at least two EU jurisdictions and match a Pegasus customer with cross-border authorization [2][4].
  • The operator trail points outside Greece. Citizen Lab is not attributing the infections to the Greek government. The same HomeKit email address used in the 2022 infection also appeared in a 2024 Citizen Lab / Access Now report on exiled Russian and Belarusian journalists targeted with Pegasus in Europe [2][3].
  • The structural context is a Commission that has never named an attacker in any of the EU's prior spyware cases. Greece convicted four Intellexa-connected individuals in February 2026. Spain dismissed its national intelligence director in 2022 after Pegasus infections of Prime Minister Pedro Sánchez and several ministers. Poland's Tusk government has charged former officials. Hungary's Orbán government was confirmed as a Pegasus customer in 2021. None produced a Commission-level finding [1][5][6].
  • The Dual-Use Regulation is on the September 2026 review calendar. Human Rights Watch documented at least six EU member states exporting surveillance technology to 24+ countries with documented rights abuses and twelve of 27 member states refusing to share export records. The Amnesty / CDT call for reform is timed to land ahead of that review window [7][8].

Also today: Citizen Lab's recommendations include immediate spyware screening for MEPs and PEGA staff via DG ITEC, Lockdown Mode on iPhones, and an annual report on cyber and surveillance threats commissioned through the European Parliamentary Research Service [4]. The Pegasus-on-a-PEGA-member track now sits inside a wider Council of Europe record: Citizen Lab has confirmed Pegasus or Predator infections on a Catalan cluster of MEPs, on Nikos Androulakis in Greece, on Nathalie Loiseau in France, on Elena Yoncheva in Bulgaria, and on Daniel Freund in Germany, with the CatalanGate report documenting sixty-five-plus people associated with the Catalan separatist movement between 2017 and 2020 [1][4]. The European Parliament's PEGA inquiry sat on the Commission's desk without a published implementation roadmap for more than three years; the "urgent and public" status update the Amnesty / CDT statement demands is the procedural pressure point [1][7].

Amnesty and CDT Europe Ask the Commission to Investigate Its Own

Amnesty International's Security Lab and the Centre for Democracy and Technology Europe issued a joint statement on July 6, 2026 responding to Citizen Lab's July 3 confirmation that former Greek MEP Stelios Kouloglou had been infected with Pegasus twice in 2022 and 2023 while sitting as a substitute member of the European Parliament's PEGA Committee [1][2].

Elina Castillo Jiménez, advocacy and policy advisor at Amnesty's Security Lab, framed the Kouloglou infection as more than a Greek national scandal. The case, she said, "raises serious concerns about the integrity of independent oversight at the highest levels in Europe" and "is yet another wake-up call that the protections that were put in place to prevent this kind of abuse are still not being implemented in Europe" [1]. Castillo Jiménez closed the joint statement with the civil-society frustration in plain text: "Europe cannot continue moving from scandal to scandal without consequence." The accompanying demand is that "spyware abuse in Europe is met with accountability, not impunity" [1].

The two groups are asking the EU to deliver on four specific items. The Commission's Directorate-General for Information Technologies and Cybersecurity must investigate the infection and identify the Pegasus customer behind it. The Commission must respond "urgently and publicly" to the PEGA Committee recommendations adopted in May 2023 and disclose what has been implemented. Victims of EU spyware abuse must be guaranteed effective remedies, including access to evidence and notification when surveillance is later confirmed. The 2021 Dual-Use Regulation, the EU export-control law that governs spyware, has to be reformed to reflect the PEGA recommendations [1].

The Register, which first reported the joint call, framed the institutional shift: civil-society groups have never before publicly asked the Commission's own cybersecurity directorate to take point on a Pegasus case. Putting DG ITEC in the lead moves the case from a Greek national matter to one that sits inside the EU's own institutional perimeter [1].

The Forensic Timeline: Two Infections, Two EU Jurisdictions

Citizen Lab Report 194, published July 3, 2026, confirms that Kouloglou was "successfully infected with Pegasus spyware on or around October 21, 2022," and again "on or around March 6 and 7, 2023," while serving as a substitute member of the PEGA Committee [2]. The Pegasus infections spanned two EU jurisdictions: Greece on October 21, 2022, when Kouloglou was a patient in a Greek hospital, and Belgium across March 6 and 7, 2023, when Kouloglou had traveled from Athens to Brussels. Citizen Lab assesses that this implicates "a Pegasus customer with authorization to spy in multiple European countries" [2][4].

Citizen Lab does not attribute the infections to a specific NSO Group customer, and the report is explicit that it has "no indications that the Greek Government is responsible." Greece is not known to be an NSO Group customer, though Greece is known to have used Intellexa's Predator spyware [2]. The 2022 infection vector was the PWNYOURHOME zero-click exploit, in which a specially crafted NSKeyedArchive lands in HomeKit and is followed by malicious content delivered through MessagesBlastDoorService [4].

The operator trail runs through the same HomeKit infrastructure email address used in a Citizen Lab / Access Now joint investigation published in May 2024 that documented Pegasus targeting of exiled Russian and Belarusian-speaking journalists and activists in Europe. Citizen Lab writes that "We believe that the same operator targeted both Kouloglou in 2022 and the targets we highlighted" in the earlier report. The March 2023 infection may involve the same or a different operator [2][3]. The structural point: a Pegasus customer with the authorization to operate across at least two EU member states, using infrastructure markers already on file from a 2024 targeting campaign against exiled dissidents and journalists.

The Member-State Pattern That Has Produced Zero Commission Findings

The Amnesty / CDT demand for a DG ITEC investigation lands against a three-year record of EU member-state spyware scandals in which the Commission has not named a single attacker. Greece convicted four Intellexa-connected individuals in February 2026 to prison terms of 126-plus years each, capped at eight years pending appeal, in a case involving 87 high-profile Greeks targeted with Predator spyware. Spain dismissed its national intelligence director Paz Esteban López in 2022 after Pegasus infections of Prime Minister Pedro Sánchez and several ministers. Poland's Tusk government has charged former intelligence officials and ministers under its own inquiry. Hungary's Orbán government was confirmed as a Pegasus customer in 2021 [1][5][6].

None of those national proceedings produced a Commission-level finding. The Register, which reported the joint call, flagged the structural difficulty at the EU level: attribution in spyware cases is hard, and the operator Citizen Lab says is the likely culprit is the same one that hit a group of Russian, Latvian, and Belarusian exiled activists and journalists in 2024 [1][3]. The Pegasus customer behind the Kouloglou infections is the operational pressure point the civil-society coalition is now asking DG ITEC to use.

Kouloglou is the first PEGA Committee member publicly identified as hacked with Pegasus while serving on the committee. He is not the first European Parliament member publicly identified as a Pegasus or Predator target. Citizen Lab has previously confirmed infections on Diana Riba, Jordi Solé, Clara Ponsatí, Carles Puigdemont, and Antoni Comín in the Catalan case, on Nikos Androulakis in Greece, on Nathalie Loiseau in France, on Elena Yoncheva in Bulgaria, and on Daniel Freund in Germany. The Council of Europe's "CatalanGate" report covers sixty-five-plus people associated with the Catalan separatist movement between 2017 and 2020, with at least two hit by both Pegasus and Candiru [1][2].

The Dual-Use Regulation Lands in the September 2026 Review

The second civil-society ask is reform of the 2021 Dual-Use Regulation (Regulation 2021/821), the EU's only hard law governing spyware exports. The regulation does not currently require human-rights due diligence before a member state authorizes an export. Human Rights Watch documented at least six EU member states exporting surveillance technology to 24 or more countries with documented records of targeting journalists, activists, and political opposition. Bulgaria exported intrusion software or interception systems to more than 20 destinations between 2020 and 2023. Poland approved phone-monitoring system exports to Rwanda, where authorities have been documented using Pegasus against journalists and political dissidents since 2017. Twelve of 27 member states refused to share their export records with HRW at all [7][8].

The European Commission is required to evaluate the Dual-Use Regulation in September 2026. HRW is demanding the Commission close the transparency loopholes, require real human-rights due diligence, and establish remedy mechanisms for victims. The Amnesty / CDT dual-use ask lands in the same review window. Reform proposals have been in circulation for two years without a Council vote [1][7].

The connection to the Kouloglou case is structural. A regulator that issues export licenses for the same spyware then fails to investigate when that spyware hits a member of its own Parliament is a regulator that has not decided whose rights it is protecting. Our full brief on the Dual-Use Regulation gap walks through the country-by-country supply chain, the Danish and Estonian cases, and the December 2025 Intellexa leaks [8][9].

What to Watch

The Commission's first move. The first test is whether the Commission acknowledges the joint call. The PEGA Committee's recommendations from May 2023 sat on the Commission's desk without a published implementation roadmap. The Amnesty / CDT ask for an "urgent and public" status update on those recommendations is the procedural pressure point [1].

Tuesday July 7 to Friday July 10. Citizen Lab's recommendations include immediate spyware screening for MEPs and PEGA staff via DG ITEC, Lockdown Mode on iPhones or Advanced Protect on Android, and an annual European Parliamentary Research Service report on cyber and surveillance threats. The first institutional test is whether the European Parliament treats the infection as a security incident worth a full response or files it next to the existing pile of Pegasus findings and moves on [4].

September 2026. The European Commission's mandatory review of the Dual-Use Regulation. HRW, Amnesty Security Lab, CDT Europe, and the EU civil-society coalition are all now publicly coordinating around the review window. Twelve of 27 member states not even sharing export records is the baseline the review has to beat [7][8].

Ninth Circuit. NSO's appellate fight against the WhatsApp verdict is moving in parallel on a different track. NSO's opening brief to the Ninth Circuit frames the WhatsApp injunction as putting it out of business regardless of the damages number. If the EU institutions won't act on the institutions that NSO's spyware was used against, the U.S. civil liability route is where the operational pressure on the vendor is concentrated [10].

Sources

  1. The Register: EU urged to act after Pegasus infects phone of spyware inquiry MEP (July 6, 2026)
  2. Citizen Lab: Member of Committee Investigating Spyware Hacked with Pegasus (Report 194, July 3, 2026)
  3. Access Now / Citizen Lab: Joint investigation on Pegasus targeting of exiled Russian and Belarusian journalists and activists in Europe (May 2024)
  4. State of Surveillance: Citizen Lab Confirms Pegasus Hit Greek MEP on PEGA Committee, the forensic writeup of the Kouloglou infections
  5. State of Surveillance: Spyware Makers Finally Face Justice, the Intellexa conviction brief
  6. State of Surveillance: Spain Closes Pegasus Probe Without Israeli Cooperation
  7. Human Rights Watch: Looking the Other Way: EU Failure to Prevent Surveillance Exports to Rights Violators (May 12, 2026)
  8. State of Surveillance: European Countries Are Selling Spyware to Dictators, the brief on the HRW report and the Dual-Use Regulation gap
  9. State of Surveillance: Intellexa Predator Spyware Leaks: December 2025
  10. State of Surveillance: NSO Group Appeals $167 Million WhatsApp Pegasus Verdict