Two years after the European Parliament’s PEGA Committee first raised alarm over the misuse of spyware across the EU, lawmakers returned to discuss the matter in Strasbourg on 18 June. Instead of closure, however, it brought a growing sense of déjà vu. The spyware had not gone away. Neither had the silence from Brussels.

Wednesday’s plenary debate on the current state of play soon turned into a chorus of frustration. From Pegasus to Predator and Graphite, spyware scandals continue to surface across the EU. Yet despite lofty promises, new legislation, and damning evidence, the EU has failed to regulate the market, or even rein in its member states.

“It’s happening. Today. In Europe.”

During this Monday plenary debate on the ‘State of play and follow-up two years after the PEGA recommendations and illegal spyware use’, MEP Jeroen Lenaers (EPP/NE) delivered a stark warning to his colleagues. “Imagine someone reading every message you’ve ever sent, watching every video you’ve ever watched, listening to your private conversations… This isn’t fiction. It’s happening. Today. In Europe.”

Mr Lenaers also criticised the European Commission for what he called overpromising and underdelivering on the fight against spyware. His frustration resonated with Evin Incir (S&D/SWE), who wondered whether the Parliament was being taken seriously. She pointed out that while the EU’s new European Media Freedom Act (EMFA) offers some protection to journalists, “what about the rest? Citizens? Political opponents?” 

Their fellow parliamentarian Krzysztof Brejza (EPP/PL) has had a first-hand experience with Pegasus, having fallen victim to the spyware during Poland’s 2019 election campaign. On Wednesday, he added a poignant reminder of the human cost. “My messages were stolen and manipulated,” he said. “Pegasus can destroy lives.” 

You might be interested

JURI - Exchange of views with Executive Vice-President for Tech Sovereignty, Security and Democracy Henna Virkkunen

Spyware scandals multiply

Pegasus, developed by Israel’s NSO Group, remains the best-known spyware. Its advanced capabilities, including remotely activating microphones and extracting data without detection, triggered outrage across Europe and beyond. But Pegasus was only the tip of the iceberg.

New spyware tools,  including Paragon’s Graphite and Cytrox’s Predator, have reportedly been deployed in several EU countries. Yet many of the PEGA Committee’s 2023 recommendations remain unimplemented. MEP Moritz Körner (Renew/GER) summed it up bluntly: “Two years later, what has the EU done? Sit on their hands?”

Two years later, what has the EU done? Sit on their hands? MEP Moritz Körner

Originally designed for targeted national security operations, spyware like Pegasus and Graphite has been implicated in widespread abuses across at least 14 member states. Reports detail surveillance of journalists, opposition politicians, activists, and even EU officials. 

United in criticism

In a rare show of cross-party alignment, MEPs from across the political spectrum criticised the European Commission’s inertia. Giorgos Georgiou (The Left/CYP) said: “We gave you everything. You did nothing.” Hannes Heide (S&D/AUT) called spyware abuse a “structural problem”, warning that “national security cannot justify undermining the rule of law.” And Gabriella Gerzsenyi (EPP/HUN) took aim at Hungary, her home country.

Pegasus was not used to protect citizens. It was used to protect those in power. MEP Gabriella Gerzsenyi

In response, Henna Virkkunen, Executive Vice-President of the Commission, cited ongoing work on EMFA, the e-Privacy Directive, and the Cyber Resilience Act. She acknowledged, however, that “further work is needed.”

Brussels’ blank check

At the heart of the debate lies the invocation of national security to justify surveillance. Several speakers denounced this rationale as a legal grey area that undermines democratic oversight. For many member states, it remains a catch-all loophole. Lawmakers argued that this must change.

Limitations to fundamental rights must only apply under strict conditions. Adam Szłapka, President-in-Office of the Council

In the same tone, “National security can no longer be a justification for undermining the rule of law or democracy,” declared Mr Heide. Others, like Saskia Bricmont (Greens-EFA/BEL), demanded concrete regulation. She also called for investigation of those member states which endanger the security of citizens in the name of national security. Hungary, Poland, and Italy were among the most frequently cited concerning allegations of surveillance abuse targeting journalists, dissidents, and election campaigns.

A policy vacuum

Across party lines, MEPs pressed for binding legislation and concrete enforcement mechanisms, exhorting the Commission to:

  • regulate the trade and use of spyware technologies
  • ensure independent oversight over national security claims
  • establish legal remedies and compensation for victims
  • create an EU-level tech lab for cybersecurity and digital rights monitoring
  • sanction companies and states found complicit in unlawful surveillance

Juan Fernando López Aguilar (S&D/ES) summarised the complaints, urging the powers that be to learn the lessons and act against the member states spying on people, as well as the companies and governments behind it.

Several speakers raised the role of third-country actors, particularly Israel, whose firms developed Pegasus and Graphite. These technologies were allegedly sold with tacit state approval. Some MEPs linked spyware use to broader geopolitical manipulation, including cyberattacks from Russia and the use of surveillance tech in undemocratic regimes.

Threat to democracy

Pernando Barrena (The Left/ES) went further, alleging spyware tools developed in Israel are now used to commit human rights violations. This underscores the growing urgency of both the ethical and strategic dimensions of spyware governance.

The debate concerned primarily a political—rather than technological—challenge. The EU stands at a crossroads: it can either lead with principled legislation and enforceable safeguards or risk normalising surveillance practices antithetical to its founding values.

Despite repeated warnings, victims remain without justice, regulations remain non-binding, and spyware continues to infiltrate democratic spaces. As Adam Szłapka, President-in-Office of the Council, concluded, “We can and should do more.”