Six European Union member states have exported surveillance technology to more than two dozen countries with documented histories of human rights abuses, according to a report published by Human Rights Watch on May 12, 2026. The findings expose a systemic failure in the EU's flagship export control framework and raise direct questions about whether European surveillance tools are being used to track activists, journalists, and VPN users in authoritarian regimes worldwide.
The Report: EU Spyware Exports to Authoritarian Regimes
The HRW report, titled "Looking the Other Way: EU Failure to Prevent Surveillance Exports to Rights Violators," documents how the EU's 2021 Dual-Use Regulation - intended to prevent surveillance technology from reaching repressive governments - has failed in practice. Researchers obtained export data from only 7 of 27 EU member states after 12 freedom-of-information requests were denied outright.
Among the confirmed cases: Bulgaria exported intrusion software and telecommunications interception systems between 2020 and 2023 to Azerbaijan, Bosnia and Herzegovina, Brazil, Cote d'Ivoire, Dominican Republic, El Salvador, Ghana, Guatemala, Israel, Jordan, Malaysia, Mexico, Mongolia, Morocco, Panama, Philippines, Serbia, Uganda, United Arab Emirates, Ukraine, and Vietnam. Poland exported telecommunications interception systems to Rwanda in 2023. Sweden's company MSAB exported forensic data extraction tools to India by exploiting a classification loophole.
How the Regulation Failed
The 2021 EU Dual-Use Regulation was positioned as a landmark reform that would close the surveillance export loophole that had allowed European companies to sell spyware to authoritarian governments for years. The regulation requires member states to report licensing decisions, assess human rights risks, and prevent exports likely to violate international law.
HRW found five distinct failure mechanisms:
- Transparency gap: The European Commission reinterpreted reporting obligations in a way that separated technology type from destination country in its public reports. The result: it is impossible to determine which country received which surveillance tool from which EU state.
- Weak due diligence: Companies are only required to "consider" human rights risks - not required to act on them or document the assessment. This is not a binding standard.
- Secrecy exemptions: Member states invoked national security and trade secrets to withhold export licensing data, making external oversight impossible.
- Classification loopholes: Sweden's MSAB exported forensic extraction tools to India - a country with documented spyware abuse - by arguing the tools were not "specially designed" for covert surveillance and thus fell outside the regulation's catch-all clause.
- Underreporting: Sweden officially reported zero export license applications to the Commission, despite confirmed MSAB exports occurring in the same period.
The Recipients: Countries with Documented Repression
Azerbaijan, one of Bulgaria's confirmed export destinations, has a well-documented history of targeting journalists, activists, and political opposition with digital surveillance. Researchers found substantial evidence that Azerbaijan used Pegasus spyware - developed by the NSO Group, a company linked to Circles, which is connected to Bulgarian surveillance exports - against Armenian civil society during the 2023 conflict.
Rwanda, which received telecom interception systems from Poland, has been documented using Pegasus against dissidents and diaspora members since at least 2017. The country adopted an expanded surveillance law in 2013 that gives authorities broad authority to monitor communications.
France, Germany, Greece, Italy, and Spain - suspected to be major exporters based on their size - denied or ignored HRW's freedom-of-information requests, meaning their export records remain completely opaque.
What "Intrusion Software" and "Telecom Interception" Actually Do
The surveillance categories appearing in the export records are not abstract. Intrusion software - also described as "lawful intercept" tools by vendors - enables covert access to devices, extracting messages, call logs, contacts, location history, and microphone or camera feeds without the target's knowledge. Telecommunications interception systems sit at the network level, enabling real-time monitoring of calls, SMS, and internet traffic across an entire carrier's infrastructure.
These are the tools that authoritarian governments use to identify VPN users, locate dissidents, and monitor encrypted communications. When such tools are exported from EU member states with functioning legal systems, they provide technical capabilities to governments that have none of the oversight or accountability that nominally governs their use in Europe.
HRW Recommendations
Human Rights Watch called on the European Commission to issue new implementation guidelines aligned with the actual text of the Dual-Use Regulation, mandate granular public reporting that links technology categories to destination countries, require companies to conduct and document meaningful human rights due diligence - not merely "consider" risks - and ensure civil society organizations have formal participation in ongoing evaluation of the regulation's effectiveness.
The report also recommended that EU member states refuse export licenses for surveillance technology to any country where the government has a documented pattern of using such tools against journalists, activists, opposition politicians, or diaspora communities.
The Broader Pattern
The HRW findings are consistent with a broader pattern documented by researchers at Citizen Lab, Amnesty International, and Access Now: European technology companies and governments have repeatedly supplied surveillance capabilities to authoritarian regimes, often citing "lawful intercept" or "legitimate law enforcement" use cases that do not withstand scrutiny in the destination countries.
For people living under regimes that received these tools, a VPN provides a partial layer of protection against network-level monitoring. It cannot protect against device-level intrusion software - the kind that Bulgaria exported to Azerbaijan - but it does encrypt traffic in transit and hide the user's actual IP address from their internet provider and from mass surveillance systems sitting on network infrastructure.
