EU States Export Spyware to Abusive Regimes, HRW Report Finds
Human Rights Watch report documents EU surveillance tech sales to over two dozen nations with poor human rights records, citing Bulgaria as a top exporter.
Executive Summary
European Union member states continue to export commercial surveillance technology to governments with documented human rights abuses, despite a 2021 update to bloc-wide export rules intended to curb the practice, according to a report released Tuesday by Human Rights Watch (HRW). The report, based on trade documents obtained through freedom of information requests, identifies Bulgaria, Poland, Finland, Denmark, Estonia, and the Czech Republic as countries whose companies sold spyware and intrusion tools to over two dozen nations with a history of human rights violations. Bulgaria emerged as the top exporter, with sales reaching authoritarian regimes including the United Arab Emirates and Azerbaijan. France, Greece, Spain, Germany, and Italy — all known exporters of surveillance tech — either refused to share trade records or ignored HRW's requests entirely, the report states.
Technical Analysis
The HRW report draws on customs and export licensing data to trace the flow of commercial surveillance technology from EU vendors to end-user governments. The 2021 EU regulation expanded the definition of surveillance technology products, required exporting states to consider the human rights record of customer countries, and created a reporting framework for the European Commission to review exports. Despite these measures, HRW alleges the Commission has failed to enforce the rules effectively. The report notes that all but two of the companies named in a 2024 Google Threat Analysis Group report on the commercial surveillance industry are based in the EU, underscoring the bloc's central role in the global spyware market.
Bulgarian companies exported surveillance tech to more than 20 countries, including the UAE and Azerbaijan, both of which have been accused of using spyware to target dissidents and journalists. Poland authorized the sale of systems capable of intercepting phone calls to Rwanda, a country with a documented history of human rights abuses. The report does not name the specific firms involved, citing the sensitivity of the trade documents and the risk of retaliation against whistleblowers.
The European Commission, in a statement provided to The Record, said it "attaches great importance to cyber-surveillance items" and has "significantly strengthened export controls for such items." The statement emphasized that member states bear ultimate responsibility for issuing export licenses. The Commission plans to evaluate the updated rules in September 2026, an opportunity HRW says must be used to "strengthen due diligence and transparency requirements."
Mitigations & Recommendations
The HRW report calls on the European Commission to use its September 2026 review of the export control framework to close enforcement gaps. Specific recommendations include mandating that member states publish detailed export data for surveillance technology, requiring end-user certificates that include human rights impact assessments, and establishing a centralized EU body to audit and approve high-risk exports. For governments and organizations that may be targeted by imported spyware, the report recommends deploying mobile device integrity checks, using endpoint detection and response tools capable of identifying known commercial spyware variants, and maintaining awareness of indicators of compromise published by groups such as the Citizen Lab and Amnesty International's Security Lab.
Stay Updated
Get the latest cybersecurity news delivered to your inbox.
