6th Civil Society Roundtable on Advancing Spyware Regulation in the EU
On 13 May, CDT Europe and the Open Government Partnership co-hosted the sixth edition of the Civil Society Roundtable Series event in Brussels, “Lifting the Veil: Advancing Spyware Regulation in the EU.” The roundtable brought together over 50 participants from civil society, EU institutions, national regulators, and academia for an action-oriented discussion on the future of spyware regulation in Europe. Held under the Chatham House Rule, the discussion provided an opportunity to reflect on the current state of affairs and explore concrete steps toward an EU regulatory framework that upholds human rights, democratic oversight, and the rule of law.
The Way Forward for Spyware Regulation in the EU
The event opened with a high-level panel that included speakers from EU institutions, Member States, the Office of the High Commissioner for Human Rights, and the Open Government Partnership. Panellists started with an assessment of the evolving policy context surrounding spyware in the EU. There was broad consensus that spyware has become a critical policy challenge, particularly as the EU increasingly prioritises the security and resilience of its digital infrastructure. The urgency of this issue aligns with a wider shift in EU policymaking, where digital and cybersecurity concerns are now central to broader discussions on European sovereignty and strategic autonomy.
Participants also stressed that the debate about spyware regulation cannot be had in isolation, but should be seen as a building block in the longstanding push for a regulatory framework governing law enforcement access to data in the EU. It was noted that this issue sits within a wider, highly politicised, conversation around government access to data in the law enforcement context and the future of encryption.
Participants also noted that the existing regulatory framework currently falls short of providing the safeguards necessary to prevent abuses and curb the proliferation of spyware technologies. In the absence of a coherent and harmonised legal framework at EU level, the deployment and trade of spyware remain largely unregulated in the region. Spyware abuse and proliferation have not yet been addressed through a dedicated EU legislative instrument, which significantly undermines the development of a coherent and coordinated policy response.
Participants emphasised that while legal mechanisms exist to prevent and address abuses, the primary barrier to decisive EU action against spyware remains a lack of political will to prioritise and enforce them effectively – a challenge recently recognised by the Venice Commission’s report on a rule of law and human rights compliant regulation of spyware. In 2023, the European Parliament laid out a comprehensive set of recommendations outlining a roadmap for reform in response to the misuse of spyware across the EU, including stronger oversight, clear proportionality standards, and mechanisms to ensure accountability. However, participants regretted the lack of follow-up by the EU Institutions to implement them.
The discussion also underscored the urgent need for transparency across the entire lifecycle of spyware tools, including their development, supply chains, procurement, deployment, and oversight. Participants emphasised the need for robust legal safeguards, enhanced judicial oversight, and inclusive multistakeholder dialogues, complemented by concrete tools such as annual oversight reports, public registries, and whistleblower protections to strengthen transparency and democratic accountability.
The discussion also acknowledged the growing international momentum to address spyware through multilateral initiatives such as the Pall Mall Process and the recent adoption of a Code of Practice for States which were recognised as encouraging steps toward the development of shared global norms. However, participants expressed concern that the voluntary and non-binding nature of such initiatives may ultimately limit their effectiveness.
Finally, participants emphasised the importance of investigating the financial channels that support spyware development and deployment, including public and private investments. Particular concern was expressed about the expansion of surveillance infrastructure in regions like Sub-Saharan Africa, where funding often flows without adequate transparency or oversight. The conversation warned of a growing link between weak regulation and strategic investment patterns, with the potential to erode international human rights protections.
Regulating Spyware Capabilities: Is Spyware Regulable in the EU?
The first technical panel focused on the regulatory and accountability challenges posed by spyware, especially within the context of the EU’s existing data protection and cybersecurity frameworks. Participants emphasised the distinct capabilities of spyware tools, which go far beyond traditional surveillance by enabling access to encrypted communications and bypassing intermediaries such as service providers. This significantly undermines oversight and accountability, particularly given that spyware often leaves little to no forensic trace, complicating efforts to verify abuse or secure redress.
Legal exemptions for national security further weaken oversight mechanisms, creating gaps in transparency and accountability. However, participants pointed to established jurisprudence of the Court of Justice of the European Union clarifying the applicability of EU law to certain measures adopted on national security grounds.
The discussion also examined the significance of the landmark ruling in WhatsApp v. NSO Group, in which spyware vendors were found liable for violating US law and punished with a hefty financial penalty. While welcoming the ruling, participants noted that such litigation remains resource-intensive and is therefore only viable for large tech firms. They also expressed concerns about barriers to legal redress for victims of unlawful surveillance, driven largely by a lack of transparency. To strengthen accountability, they called for clear notification requirements, improved public disclosure, cross-border information-sharing, and the establishment of EU-wide redress mechanisms alongside stronger procedural safeguards.
The WhatsApp case also shed light on vendor data collection practices, revealing that NSO Group maintained visibility over the deployment of its tools and was directly involved in their use, challenging common assertions that spyware vendors lack oversight of how their products are employed. This finding reinforces calls for stricter due diligence obligations, vendor accountability, and enforceable transparency measures. In this context, participants referenced the 2024 U.S. Executive Order on commercial spyware as a noteworthy example of how procurement policies and vendor standards can be used to set clear limitations on the use of surveillance technologies, offering insights that could inform similar discussions in the EU.
Participants also reflected on the need for a comprehensive societal dialogue on the legitimacy of spyware tools, recognising their unprecedented intrusion and interference with fundamental rights. They stressed that the legality and necessity of such tools must be grounded in robust evidence. While existing EU instruments such as the GDPR, NIS 2 Directive, and Cyber Resilience Act offer important building blocks, participants agreed that these frameworks are insufficient in isolation. They called for improved regulatory coordination, including centralised vulnerability disclosure mechanisms and stronger cross-institutional collaboration at both the EU and Member State levels.
Moving forward, participants agreed on the need to enhance procedural safeguards, particularly within the criminal justice system. Capacity building for judges, data protection authorities, and oversight bodies was deemed essential to ensure spyware use is subject to rigorous judicial review and complies with the principles of necessity, legality, and proportionality.
The Spyware Trade in the EU
In the final panel, participants reflected on the difficulty of upholding or implementing the PEGA Committee’s recommendations within the current political context and criticised the European Commission’s limited engagement. They noted that the only EU regulations explicitly addressing spyware are the Recast Dual-Use Regulation and the European Media Freedom Act, which are nonetheless undermined by uneven implementation, loopholes and exemptions.
Building on this, the panel underscored the urgency of closing the EU’s internal regulatory gap. While export controls for surveillance technologies have been tightened and are regulated under the EU export control regime, the lack of comparable safeguards within the EU’s internal market has allowed the spyware industry to proliferate with minimal oversight, making the EU an increasingly attractive hub for spyware firms. Many companies thus benefit from access to the EU internal market amid weak enforcement and limited transparency around exports and procurement, factors that continue to hinder effective oversight and accountability.
Lastly, the conversation turned to the financial ecosystem sustaining the spyware market. Participants stressed the need to link investor responsibility with human rights obligations, particularly by exposing the legal, reputational, and financial risks associated with spyware-related investments. The WhatsApp v. NSO Group case provides a concrete example of these risks. Leveraging financial accountability as a policy tool could effectively deter future investments and limit spyware proliferation. By making clear that the sector is not only ethically problematic but also financially and legally risky, policymakers can discourage responsible investors from engaging with the industry.
Conclusion
The roundtable provided a crucial space for diverse stakeholders to engage deeply on the challenges of spyware regulation in the EU. As the regulatory landscape remains complex and evolving, this dialogue must now move towards establishing a framework that ensures effective oversight, accountability, and protection of fundamental rights. The discussions made clear that sustained political commitment, strengthened institutional cooperation, and active civil society involvement will be essential to turn existing recommendations into concrete, lasting reforms. Maintaining this momentum through ongoing multistakeholder engagement will be key to safeguarding democratic principles and human rights amid an expanding spyware industry.