Spyware Regulations in Europe: Overview as of October 2025
Europe has seen growing scrutiny of spyware (tools like Pegasus, Predator, and Candiru) due to its misuse by governments against journalists, activists, politicians, and dissidents. There is no EU-wide outright ban on spyware; the applicable rules instead focus on export controls, limits on law enforcement use, and human rights safeguards. They stem from the EU's Dual-Use Regulation, the PEGA (Pegasus and Equivalent Spyware) Committee inquiry, and related laws such as the European Media Freedom Act. Implementation remains fragmented, national abuses persist, and civil society continues to call for stronger action. Below is a breakdown of the key frameworks, developments, and challenges.

1. EU Dual-Use Regulation: Export Controls on Cyber-Surveillance Tools

The cornerstone of EU spyware regulation is Regulation (EU) 2021/821 on dual-use items, which controls the export, brokering, technical assistance, and transit of technologies with both civilian and military applications. Spyware falls under the regulation's definition of "cyber-surveillance items".
- Key Provisions:
- Export licenses are required for items listed in Annex I (largely aligned with the Wassenaar Arrangement control list), which covers "intrusion software" and related monitoring and interception equipment.
- Cyber-surveillance catch-all (Article 5): A license is required for non-listed cyber-surveillance items if the exporter has been informed by the authorities, or is aware through its own due diligence, that the items are or may be intended for internal repression or serious human rights violations. (Article 4 is the separate catch-all for military and weapons-of-mass-destruction end uses.) Commission guidelines adopted in October 2024 (Recommendation (EU) 2024/2659) spell out how exporters should assess end users, end uses, and human rights risks for spyware-type products.
- Human rights due diligence: Exporters are expected to evaluate whether an item could enable repression and must notify their national authority when they become aware of such a risk. The regulation does not set fixed fines; under Article 25 each member state defines its own "effective, proportionate and dissuasive" penalties, so enforcement and sanction levels differ across the EU.
- Latest Developments (2025):
- On September 8, 2025, the European Commission adopted its annual Delegated Regulation updating Annex I, adding and revising control-list entries in line with changes agreed in the multilateral export control regimes.
- Nine EU member states (including Cyprus, Greece, and Malta) opposed stricter controls in 2025, arguing they would hinder national security exports. The regulation nonetheless commits all member states to harmonized licensing assessments and information sharing.
- SIPRI's 2025 policy paper credits the enhanced oversight but notes persistent gaps in transparency, in particular for intra-EU transfers, which generally fall outside the export licensing regime.
2. PEGA Committee Inquiry: Recommendations and Follow-Up

The European Parliament's PEGA Committee investigated the use of Pegasus and equivalent spyware in member states and adopted its final recommendation in June 2023.

- Core Recommendations:
- Limit law enforcement spyware use to "exceptional cases" (e.g., terrorism threats), with judicial oversight and proportionality tests.
- Protect "sensitive targets" (journalists, lawyers, politicians, doctors) from surveillance.
- Ban commercial spyware sales within the EU and prohibit funding to abusive vendors.
- Establish an EU-wide spyware registry and whistleblower protections.
- Harmonize national laws to prevent "forum shopping" for lax jurisdictions.
- 2025 Follow-Up:
- A June 16, 2025, plenary debate reviewed progress two years post-PEGA, with MEPs criticizing the Commission's inaction amid new scandals (e.g., Italy's use against journalists).
- On October 2, 2025, 39 MEPs demanded a public audit of the millions of euros in EU subsidies paid since 2015 to spyware firms such as Intellexa and Cy4Gate, citing risks to democracy.
- An open letter from journalists and NGOs in June 2025 called for urgent EU action, including a full commercial spyware ban.
- The Left group in Parliament pushed for mass surveillance bans in June 2025, following Italy's scandal.
3. Other EU Instruments Touching Spyware

- European Media Freedom Act (EMFA, Regulation (EU) 2024/1083): The only EU law besides the Dual-Use Regulation that names spyware explicitly. Article 4 restricts the deployment of intrusive surveillance software against media service providers and their staff to cases justified by an overriding public interest, subject to prior judicial authorization and periodic review. It has applied in full since August 8, 2025.
- Chat Control Proposal (Child Sexual Abuse Regulation, CSAR): A controversial 2022 Commission proposal to let authorities order messaging services to detect child sexual abuse material, which for end-to-end encrypted services would require client-side scanning on users' devices. A Council vote planned for October 14, 2025 was postponed after it became clear there was no qualified majority, amid privacy and encryption concerns. Critics, including the EFF, describe client-side scanning as functionally equivalent to spyware, since a scanning component on the device inspects content before encryption.
- Digital Services Act (DSA) and Digital Markets Act (DMA): Neither addresses spyware directly. The DSA's systemic-risk obligations for very large online platforms (Articles 34 and 35) require them to assess and mitigate risks to fundamental rights, including privacy, which is the indirect hook for surveillance-related abuse on platforms. The DMA's interoperability and sideloading obligations for gatekeepers are relevant only insofar as they shape how security updates and app vetting reach devices.
- NIS2 Directive (Directive (EU) 2022/2555): Transposition was due by October 17, 2024. It requires essential and important entities to implement risk management measures and report significant incidents, which covers a spyware compromise of an in-scope organization. The EU Cybersecurity Act (Regulation (EU) 2019/881) establishes ENISA's mandate and the certification framework rather than reporting duties, so its relevance to spyware is limited to product and service certification.
4. Challenges

- Fragmented Enforcement: National laws and remedies vary widely. Hungary has never acknowledged or investigated its use of Pegasus and has faced no EU enforcement action. Poland, by contrast, opened a parliamentary inquiry and criminal proceedings into Pegasus use under the previous government after its 2023 change of government, showing that remedies still depend on domestic politics rather than EU-level mechanisms. A January 2025 report warned that ignoring the PEGA recommendations allows spyware proliferation to continue.
- Funding Issues: EU programs have indirectly subsidized spyware vendors via national channels, prompting 2025 calls for exclusion clauses in EU funding instruments.
- Industry Pushback: Exporters argue that controls stifle innovation. A July 2025 civil society roundtable stressed that only the Dual-Use Regulation and the European Media Freedom Act explicitly target spyware, leaving most use inside the EU governed by general data protection, criminal procedure, and national security law.
- Global Context: The EU broadly aligns with U.S. sanctions and visa restrictions on spyware vendors and operators but lags behind the moratorium on spyware exports proposed at the UN level.