Multiple CCTV surveillance cameras mounted on a building wall

TL;DR:

  • The report: Human Rights Watch published a 54-page investigation on May 12, 2026, documenting how at least six EU member states. Bulgaria, Poland, the Czech Republic, Denmark, Finland, and Estonia, exported surveillance technology to 24+ countries with documented histories of targeting journalists, activists, and political opposition. [1][2]
  • The worst offender: Bulgaria exported intrusion software and telecom interception systems to over 20 countries between 2020 and 2023, including Azerbaijan, the UAE, Mexico, the Philippines, Uganda, and Vietnam. [1]
  • The regulatory failure: The EU adopted the Dual-Use Regulation in 2021 specifically to prevent this. It required human rights assessments and transparency reporting. Five years later, 12 of 27 member states refused to even share their export records, and the European Commission quietly rewrote the transparency rules to hide what’s being sold and to whom. [1][3]
  • The scale: A 2024 Google Threat Analysis Group report on the commercial surveillance industry profiled vendors that are almost entirely based in the EU (all but two of those named are EU-based). A majority of EU member states host at least one surveillance company. Europe isn’t just failing to stop the spyware trade, it’s the factory floor. [2][4]
  • What’s at stake: The EU is scheduled to evaluate the regulation in September 2026. HRW published the raw export data on GitHub so researchers and journalists can follow the supply chains themselves. [1][5]

Follow the Supply Chain

Here’s how European surveillance technology ends up in the hands of authoritarian governments:

A European company builds intrusion software or telecom interception gear. That company applies for an export license from its home government. The government is supposed to check whether the buyer has a track record of using surveillance tech to crush dissent. If the answer is yes, the license should be denied.

That’s the theory. In practice, Bulgaria granted export licenses for surveillance tech to Azerbaijan, a country where Citizen Lab researchers found “substantial evidence” of Pegasus spyware targeting journalists, activists, academics, and even UN workers during the 2023 armed conflict. Poland approved phone-monitoring system exports to Rwanda, where authorities have been documented using Pegasus against journalists and political dissidents since 2017. [1][2]

Nobody denied these licenses. Nobody asked hard questions. The system designed to catch exactly these cases waved them through.

Bulgaria: Europe’s Spyware Supermarket

Bulgaria stands out as the most prolific exporter in the report. Between 2020 and 2023, it exported surveillance technology to more than 20 countries: Azerbaijan, Bosnia and Herzegovina, Brazil, Côte d’Ivoire, the Dominican Republic, El Salvador, Ghana, Guatemala, Israel, Jordan, Malaysia, Mexico, Mongolia, Morocco, Panama, the Philippines, Serbia, Uganda, the UAE, Ukraine, and Vietnam. [1]

That list reads like a who’s who of surveillance abusers. Mexico has been one of the world’s most aggressive Pegasus deployments, targeting journalists, human rights lawyers, and even nutrition scientists advocating for soda taxes. The UAE used both FinFisher and Hacking Team’s RCS spyware against activist Ahmed Mansoor, who is currently serving a 15-year prison sentence. The Philippines under Duterte and Marcos has a documented record of digital targeting of opposition voices. [1][6]

Bulgaria isn’t just a waypoint. It’s home to Circles, an affiliate of NSO Group, which develops products that exploit telecommunications infrastructure vulnerabilities. When NSO faces export bans from Israel, the EU supply chain picks up the slack. [1]

A Regulation Designed to Fail

The EU adopted the Dual-Use Regulation recast (2021/821) on September 9, 2021. It was supposed to be Europe’s answer to the Pegasus scandal. MEP Markéta Gregorová promised it would ensure “powerful European cyber-surveillance technology does not end up in the hands of dictators and authoritarians.” [1][3]

The regulation had three key requirements: expanded definitions of surveillance technology including a “catch-all clause” for unlisted items, mandatory consideration of the destination country’s human rights record, and annual public transparency reports. [3]

All three have been undermined.

In January 2024, the European Commission issued implementation guidelines that gutted the transparency requirements. The Commission decided to separate technology type data from destination country data, meaning the public reports show what kinds of tech were exported and which countries received surveillance tools, but never which country got which technology. The justification? “Commercial confidentiality.” [1][3]

HRW calls this what it is: unjustified. The data is already aggregated and anonymized. No individual company is identified. But by splitting what from where, the Commission made it impossible to trace any specific supply chain. You can see that Bulgaria exported intrusion software. You can see that Azerbaijan received surveillance technology. But the official reports won’t connect those dots for you.

12 Countries Won’t Even Talk About It

HRW filed freedom of information requests with all 27 EU member states. The response tells you everything about the state of surveillance export oversight in Europe:

  • 7 member states provided usable data. [1]
  • 8 member states claimed they had zero cybersurveillance exports. [1]
  • 12 member states denied access to their records or ignored the requests entirely. [1]

France, Germany, Italy, Spain, and Greece, five of the EU’s six largest economies, refused to share anything. Italy is home to Hacking Team and its Remote Control System (RCS) spyware. France is where Amesys, later renamed Nexa Technologies, operated before four of its executives were indicted in 2021 for complicity in torture through the sale of surveillance technology to Libya and Egypt. [1][6]

These aren’t countries with nothing to report. They’re countries with something to hide.

Europe Is the Factory Floor

This isn’t just about a few bad actors slipping through the cracks. Europe is the global center of the commercial surveillance industry.

A 2024 Google Threat Analysis Group report on the commercial surveillance industry profiled vendors that are almost entirely based in the EU (all but two of those named are EU-based). A majority of EU member states host at least one surveillance company. Google also found that commercial surveillance vendors were behind half of known zero-day exploits targeting Google products. [2][4]

The companies are European. The export licenses are European. The regulations are European. And the victims, journalists in Azerbaijan, activists in the UAE, dissidents in Rwanda, have no recourse through any European institution.

Sweden illustrates how even “responsible” exporters exploit loopholes. MSAB, a Swedish company, has been exporting Universal Forensic Extraction Devices (UFEDs) to India annually since 2023. These devices can rip data from locked phones. But because of how “surveillance technology” is defined in the regulation, UFEDs reportedly fall outside official reporting requirements. The catch-all clause that was supposed to close these gaps hasn’t been meaningfully enforced. [1]

The Human Cost

Behind the export license numbers are real people.

Ahmed Mansoor, an Emirati human rights activist, was targeted with both FinFisher and Hacking Team spyware, products from European vendors exported through European supply chains. He’s been in solitary confinement since 2018, serving a 15-year sentence for “insulting the status and prestige of the UAE.” His phone was his evidence. European-made spyware helped turn it into his prison sentence. [6]

In Azerbaijan, surveillance tools were deployed against journalists and civil society during the 2023 military offensive in Nagorno-Karabakh. In Rwanda, they tracked political opponents both domestically and in exile. In Ethiopia, Mexico, and the Philippines, the pattern repeats: European tech, authoritarian buyer, silenced critic. [1]

The EU’s response to all of this is a regulation review, scheduled for September 2026. Four years after the rules were adopted. Twelve years after FinFisher was documented in Egyptian government hands.

What You Can Do

  • Read the data yourself. HRW published all the export records it obtained on GitHub. If you’re a journalist, researcher, or just curious about what your government is selling and to whom, the data is open. [5]
  • Know where your spyware comes from. If you live in the EU, your tax-funded export agencies are licensing these sales. Contact your MEP and ask what surveillance technology your country has exported in the last three years. Under the Dual-Use Regulation, this should be public information, even if your government claims otherwise.
  • Support digital rights organizations tracking these supply chains: Citizen Lab, Access Now, Privacy International, and the EFF all do critical work mapping the surveillance industry.
  • Watch the September 2026 evaluation. The European Commission is required to review the Dual-Use Regulation this year. HRW is demanding the Commission close the transparency loopholes, require real human rights due diligence, and establish remedy mechanisms for victims. Public pressure during the review window matters.
  • Protect yourself. If you’re a journalist, activist, or anyone in a country that imports European surveillance tech, use Lockdown Mode on iOS, keep your devices updated, and follow Citizen Lab’s security guidelines. The tools being sold to target you are sophisticated, but they’re not invincible.

The Real Question

The EU likes to position itself as the global standard-setter for privacy and human rights. GDPR. The AI Act. The Digital Services Act. Brussels talks a big game about protecting people from technology abuse.

But the same union that gave the world GDPR is also the world’s biggest exporter of commercial spyware. The same governments that require cookie consent banners are licensing the sale of intrusion software to Azerbaijan and phone-monitoring systems to Rwanda.

The Dual-Use Regulation was supposed to fix this. Instead, the Commission rewrote the transparency rules to make the exports harder to trace, and 12 member states won’t even disclose what they’re selling.

Europe doesn’t have a spyware problem. Europe is the spyware problem.

Related: NSO Group’s $167 Million Verdict: The Appeal That Could Kill Commercial Spyware | EU AI Act Biometrics Delay: Facial Recognition Rules Pushed to 2027

Sources

  1. Human Rights Watch: Looking the Other Way: EU Failure to Prevent Surveillance Exports to Rights Violators (May 12, 2026)
  2. The Record: European countries are exporting surveillance tech to countries with poor human rights records (May 12, 2026)
  3. Human Rights Watch: European Union: Surveillance Technology Sold to Rights Violators (May 12, 2026)
  4. Google Threat Analysis Group: Buying Spying: How Commercial Surveillance Vendors Work (February 2024)
  5. GitHub: Human Rights Watch EU Surveillance Export Data
  6. Bloomberg: Europe Exports Spyware to Human Rights Abusers, Watchdog Says (May 12, 2026)