As cyberattacks have become more frequent, state and private actors increasingly rely on sophisticated technologies for protection and defense. This growing dependency on technology has simultaneously exposed new vulnerabilities, particularly through the use of spyware. The major Pegasus scandal in 2021 revealed that European countries such as Poland and Hungary used the software to spy on journalists and political opponents. At the same time, artificial intelligence has become intertwined with spyware and digital espionage technologies, increasing their effectiveness. In September 2025, researchers documented the first AI-driven cyber-espionage operation, originating in China. It was carried out with minimal direct human development. This showcases the growing threat potential of automated spyware and raises the question of how this trend can be effectively countered.  

Against this backdrop, Europe has emerged as a paradoxical case. On the one hand, the European Union is often regarded as a pioneer in data protection and digital regulation through instruments like the GDPR and the DSA. On the other hand, export hubs of commercial spyware have been established in Europe, for instance in countries like Cyprus and Italy. This raises the question: Despite the strong commitment to privacy rights, why has Europe become a key hub for the spyware and surveillance industry, and which institutional reforms are needed to change this situation?  

What Exactly Are Spyware Hubs?

While it is notoriously difficult to define spyware, cybersecurity authorities such as US-CERT describe it as a type of malicious technology that collects sensitive information from a computing system without the user’s consent or knowledge. Importantly, the deployment of such tools serves a range of purposes, including political, economic, and military espionage. It frequently targets particularly vulnerable groups such as journalists, political opponents, human rights defenders, and diplomats.

Spyware hubs, in turn, are locations where the development and export of such tools are concentrated and politically tolerated or even encouraged. In recent years, several European countries have emerged as notable examples of this development. Italy, for instance, hosts several major spyware vendors, while Spain has become a base for a company whose surveillance products were originally developed elsewhere, particularly in Israel. Germany, too, has become part of this emerging spyware landscape, with a firm such as Paragon Solutions reportedly operating from Hamburg.

Why Are Spyware Hubs Spreading in Europe? 

Following the revelations of the Pegasus spyware scandal, the European Parliament established the PEGA Committee of Inquiry to investigate the abuse of surveillance technologies. While PEGA succeeded in raising political awareness and issuing detailed recommendations, the EU has yet to adopt a comprehensive legal framework that specifically regulates the use of spyware. This regulatory gap is particularly significant, given that under EU law, national security remains primarily the responsibility of the member states. As a result, the prioritization and governance of spyware are largely shaped by domestic political preferences and value choices rather than collective European standards. Three factors explain the emergence of spyware hubs within Europe.

A first structural factor lies in the classification of spyware as a dual-use technology. While surveillance tools are subject to regulation, EU export controls still leave significant loopholes. Transparency obligations for spyware vendors are limited, and domestic use is largely unregulated. Moreover, critics have pointed out that the current export controls protect non-EU citizens more effectively than EU citizens, because they rigorously govern exports but leave significant gaps when spyware is used domestically within EU member states.

A second factor concerns the growing global demand for commercial spyware, including among democracies. Democratic governments frequently justify the use of spyware as a cost-effective and efficient security tool to combat terrorism and crime. Buying spyware from private vendors allows governments to build sophisticated surveillance capacities without investing in equivalent in-house expertise.

A third factor is the strategic advantage for spyware vendors of locating their headquarters inside the EU. Establishing operations inside the Union facilitates access to the European market and allows companies to benefit from the consumer trust associated with EU-based firms. For public authorities, procuring surveillance technologies from companies based in Europe may appear more legitimate or less politically sensitive than sourcing similar tools from vendors in Israel or China. Additionally, factors such as low supervision, tax advantages, and comparatively low operational costs contribute to this trend.

The Need for Institutional Reform: Closing Europe’s Spyware Governance Gap 

The discrepancy in Europe lies in the coexistence of a highly developed, rights-based data protection and privacy framework and continued national control over security and surveillance policies. This institutional mismatch has significant consequences. In the absence of a coherent and enforceable regulatory framework, spyware vendors are able to operate within the EU with relatively few constraints. In practice, this means that the Union and its member states, by failing to impose effective legal barriers, indirectly facilitate the development, circulation, and deployment of surveillance technologies. As long as member states fail to regulate these spyware companies, Europe remains an open environment for the circulation and deployment of spyware tools, including those originating from autocratic countries. At the same time, banning EU-based spyware vendors or hubs would be insufficient on its own, as governments could still turn to non-EU providers.

However, any such regulatory measures can only be implemented if member states demonstrate sufficient political will to curb the development and export of spyware technologies, which is presently absent. Although initiatives such as the Pall Mall Process, which aims to regulate commercial spyware, and the “Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware” signal growing awareness of the problem, they remain largely non-binding. What is therefore required are stronger, legally binding regulations at the European Union level, coupled with institutional mechanisms capable of enforcing them.

In the best-case scenario, one could argue that a comprehensive EU-level framework and a dedicated authority for surveillance technologies would offer the most effective response to the current governance gap. However, such far-reaching reforms may prove politically challenging. In this context, a more realistic mechanism to counterbalance the political will of individual states is the concept of “rule of law by design”. Rather than regulating how member states use surveillance tools for their national security, this approach focuses on regulating what may be developed, marketed, and sold within the EU. In other words, it exercises greater control over the capabilities of such technologies. Regulation would therefore begin at the development stage and require compliance with constitutional and fundamental-rights standards. Nevertheless, at this stage it is only a proposal from the European Parliament and not a binding law. Another example comes from the United States, which has issued an executive order blacklisting spyware companies. A similar blacklist mechanism at the EU level could help.

Overall, this commentary has demonstrated that the emergence of spyware hubs in Europe is not coincidental, but the result of political, economic, and regulatory structures. While the EU has established one of the world’s most advanced data protection and privacy frameworks, it has simultaneously failed to impose effective oversight over the spyware industry, jeopardizing democratic accountability and civil protection in the process. To close this governance gap, the next step for the EU should be to adopt EU-wide minimum standards for the use of spyware.