TL;DR: Amnesty International's Security Lab and the Centre for Democracy and Technology Europe issued a joint statement on July 6, 2026 calling on the European Commission to investigate the Pegasus infection of former Greek MEP Stelios Kouloglou, the substitute member of the European Parliament's PEGA Committee who Citizen Lab confirmed on July 3 was hacked with Pegasus twice while sitting on the committee. The two groups want the EU's Directorate-General for Information Technologies and Cybersecurity to identify the responsible Pegasus customer, to publicly respond to the PEGA recommendations from May 2023, and to reform the 2021 Dual-Use Regulation that governs spyware exports. The call lands against a three-year record of EU member-state spyware scandals in Greece, Spain, Poland, and Hungary, none of which has produced a Commission-level response.
The Joint Call
Amnesty International's Security Lab and the Centre for Democracy and Technology Europe put out a joint statement on Monday July 6, 2026 responding to Citizen Lab's confirmation three days earlier that former Greek MEP Stelios Kouloglou had been infected with Pegasus twice in 2022 and 2023 while serving as a substitute member of the European Parliament's PEGA Committee [1][2].
Elina Castillo Jiménez, advocacy and policy advisor at Amnesty's Security Lab, framed the Kouloglou infection as more than a Greek national scandal. The case, she said, "raises serious concerns about the integrity of independent oversight at the highest levels in Europe" and "is yet another wake-up call that the protections that were put in place to prevent this kind of abuse are still not being implemented in Europe" [1].
The two groups are asking the EU to deliver on four specific items. First, the EU's Directorate-General for Information Technologies and Cybersecurity must launch a robust investigation into the infection and identify the Pegasus customer behind it. Second, the Commission must "urgently and publicly" respond to the PEGA Committee recommendations adopted in May 2023 and disclose what has been implemented. Third, victims of EU spyware abuse must be guaranteed effective remedies, including access to evidence and notification when surveillance is later confirmed. Fourth, the 2021 Dual-Use Regulation, the EU export-control law that governs spyware, has to be reformed to reflect the PEGA recommendations [1].
Castillo Jiménez closed the joint statement with a line that captures the civil-society frustration: "Europe cannot continue moving from scandal to scandal without consequence." The accompanying demand is that "spyware abuse in Europe is met with accountability, not impunity" [1].
Why the Commission's Response Matters
The Commission has not named an attacker in any of the EU's prior spyware cases. Greece convicted four Intellexa-connected individuals in February 2026 to prison terms of 126-plus years each, capped at eight years pending appeal, in a case involving 87 high-profile Greeks targeted with Predator spyware. Spain dismissed its national intelligence director Paz Esteban López in 2022 after Pegasus infections of Prime Minister Pedro Sánchez and several ministers. Poland's Donald Tusk government has charged former intelligence officials and ministers under its own inquiry. Hungary's Viktor Orbán government was confirmed as a Pegasus customer in 2021. None of those national proceedings produced a Commission-level finding [1].
The Amnesty / CDT demand for a DG ITEC investigation is the first time civil-society groups have publicly asked the Commission's own cybersecurity directorate to take point on a Pegasus case. The choice of DG ITEC matters because it is the Commission service that handles threat detection and the institutional response to attacks on EU bodies. Asking DG ITEC to investigate puts the case inside the EU's own institutional perimeter rather than treating it as a Greek national matter [1].
The Register, which first reported the joint call, flagged the structural difficulty: attribution in spyware cases is hard, and the operator that Citizen Lab says is the likely culprit is the same one that hit a group of Russian, Latvian, and Belarusian exiled activists and journalists in 2024. Citizen Lab has tied the 2022 HomeKit infrastructure marker in Kouloglou's phone to that 2024 campaign [1][3].
What to Watch
The first test is whether the Commission acknowledges the joint call. The PEGA Committee's recommendations from May 2023 sat on the Commission's desk without a published implementation roadmap. The Amnesty / CDT ask for an "urgent and public" status update on those recommendations is the procedural pressure point [1].
The second test is the Dual-Use Regulation reform. The 2021 regulation is the EU's only hard law governing spyware exports, and it does not currently require human-rights due diligence before a member state authorizes an export. The Pegasus and Predator record in Greece, Spain, Poland, and Hungary is the case for why that has to change. Reform proposals have been in circulation for two years without a Council vote [1].
The third test is the longer historical pattern. Citizen Lab has previously confirmed Pegasus or Predator infections on other European Parliament members: Diana Riba, Jordi Solé, Clara Ponsatí, Carles Puigdemont, and Antoni Comín in the Catalan case; Nikos Androulakis in Greece; Nathalie Loiseau in France; Elena Yoncheva in Bulgaria; and Daniel Freund in Germany. The Council of Europe has documented the same pattern in the "CatalanGate" report covering 65-plus people associated with the Catalan separatist movement between 2017 and 2020, with at least two hit by both Pegasus and Candiru [1].
The earlier Citizen Lab Pegasus-on-a-PEGA-member writeup covers the forensic timeline of the Kouloglou infections. The earlier Human Rights Watch Dual-Use Regulation explainer lays out what the 2021 law does and does not cover.
Sources
- The Register: “EU urged to act after Pegasus infects phone of spyware inquiry MEP” (July 6, 2026)
- Citizen Lab: “Member of Committee Investigating Spyware Hacked with Pegasus” (Report 194, July 3, 2026)
- Access Now / Citizen Lab: Joint investigation on Pegasus targeting of exiled Russian and Belarusian journalists and activists in Europe (2024)
Published: July 7, 2026