Human Rights Watch Just Got the EU's Surveillance Export Records—Bulgaria Sold Spyware to Azerbaijan, Poland Sold Phone Interception to Rwanda, and Half the Bloc Refused to Hand Over Their Data

On May 12, 2026, Human Rights Watch published "Looking the Other Way: EU Failure to Prevent Surveillance Exports to Rights Violators," a 54 page report assembled from freedom of information requests filed with all 27 European Union member states. HRW received responses from a little under half of them. From those responses, plus public licensing data, the organization documented two transactions that nobody disputes:

• Bulgaria licensed the export of intrusion software and telecommunications interception systems to Azerbaijan in 2022, where the same year the government's Pegasus deployment against journalists Khadija Ismayilova and Sevinj Vagifgizi was publicly documented.
• Poland licensed the export of telecommunications interception systems to Rwanda in 2023, where opposition figures in exile have repeatedly been targeted with intrusion software and where domestic journalists have been jailed for reporting on the ruling party.

Companies based in Bulgaria, Poland, Finland, Denmark, Estonia, and the Czech Republic collectively sold surveillance technology to more than two dozen governments with documented human rights violations. France, Germany, Italy, Spain, and Greece, all of whom are home to the bloc's largest commercial spyware vendors, did not respond to HRW's records requests.

The Regulation That Was Supposed to Stop This

The EU Dual-Use Regulation took effect in 2021 in direct response to the Pegasus revelations and the documented use of European-made spyware against journalists in Mexico, the United Arab Emirates, and Morocco. The regulation requires every member state to vet exports of "cybersurveillance items" against the EU's own human rights obligations, deny export licenses when there is a clear risk of misuse, and report all licensing decisions to the European Commission for annual publication.

On paper, the system is the strictest export control framework for surveillance technology anywhere in the world. In practice, HRW's report documents three failures that have hollowed it out.

Failure one: minimal transparency. The 2024 European Commission recommendation on dual use reporting allowed member states to publish license counts without naming the destination country or technology type. Bulgaria's Azerbaijan license and Poland's Rwanda license only became visible because HRW filed national-level FOI requests, not because the EU's centralized system surfaced them.

Failure two: voluntary compliance. There is no central enforcement body. Member states grade their own homework. When a national export authority decides a license is acceptable despite documented risk, the European Commission has no formal authority to overrule them.

Failure three: industry capture. The 2024 reporting recommendation was drafted with explicit input from European surveillance vendors, who argued that detailed disclosure would harm "commercial confidentiality." Most of the largest vendors in the world are headquartered inside the EU. Their lobbying is at home.

The Industry Footprint

HRW's report cites Google Threat Analysis Group's 2024 study of commercial surveillance vendors. In that study, all but two of the named companies are headquartered or substantially operate inside the European Union. Israel's NSO Group and Cytrox are the high-profile exceptions; the bulk of the rest are EU based:

• Intellexa, the Predator spyware consortium with operations in Greece, Cyprus, Ireland, and France
• Paragon Solutions, headquartered in Israel but with significant European operations and Italian government contracts
• RCS Lab, the Italian developer of Hermit spyware
• Memento Labs (formerly Hacking Team) in Italy
• FinFisher's Munich-based corporate successors
• Multiple Bulgarian and Czech firms specializing in lawful interception infrastructure

Zach Campbell, the senior HRW researcher who led the report, summarized the position: "The EU is currently doing too little to prevent the export of surveillance technology" to governments "likely to use it to crack down on dissent." The regulatory regime exists. The enforcement does not.

The Pattern at the Receiving End

The two named recipient countries are not random. Both are the subjects of multi-year investigations by Citizen Lab and Amnesty International's Security Lab into the targeting of journalists, opposition politicians, and exiled critics.

Azerbaijan. The country jailed reporters from the OCCRP partner Abzas Media in 2023 and 2024 after months of phone surveillance. Citizen Lab confirmed Pegasus deployments against Azerbaijani journalists in 2021 and 2022. Bulgaria's 2022 export license for intrusion software arrived in the middle of that campaign.

Rwanda. Rwandan operatives have been linked to Pegasus targeting of the family of Paul Rusesabagina and of opposition figures living in exile across Europe and North America. The Rwandan government has consistently denied this. Poland's 2023 export license for telecommunications interception arrived alongside continued documented harassment of the same individuals.

For the journalist community, this is the part that lands hardest. The same European countries that publicly support press freedom statements at the UN are licensing the technology used to surveil journalists abroad. The Committee to Protect Journalists, Reporters Without Borders, and the European Federation of Journalists all called for an immediate moratorium on cybersurveillance exports within 24 hours of the HRW report's release.

Why This Matters for Email

Commercial spyware sold by the firms named in the HRW report does not usually announce itself. The most common deployment path is a single targeted email, sometimes containing a one click exploit, sometimes a zero click exploit that fires the moment the mail is received. The recipient may never see the message. Once the implant is on the device, the operator gains access to email, messaging, microphone, camera, location, and contact lists.

Email is the delivery channel for almost every documented commercial spyware infection chain. Predator spyware hacked an Angolan journalist's phone on World Press Freedom Day through an email link. Italian authorities used Paragon's Graphite spyware against journalists through targeted messaging that eventually reached the inbox. Citizen Lab's 2025 telecom surveillance investigation turned up the same delivery pattern across multiple vendors.

The HRW report's findings extend that pattern up the supply chain. The exploit chains sold through European vendors to governments in Baku and Kigali are the same exploit chains that arrive in target inboxes a few months later. The export licenses are the lead indicator.

What Happens Next

HRW has called on the European Commission to do four things: tighten the 2024 reporting recommendation so that destination countries and technology types must be disclosed, give the Commission formal authority to challenge a member state's licensing decision, mandate human rights impact assessments before licenses are granted, and publish a list of high risk destinations against which licenses will be denied by default.

None of those changes are imminent. The Dual-Use Regulation is up for review in 2027. The Council of the European Union has signaled that the review will focus on competitiveness with non-EU surveillance vendors rather than on tightening exports.

For journalists, activists, and human rights defenders working in the recipient countries, the practical answer continues to be operational security at the device level: hardened devices, lockdown mode, application of all available patches, careful triage of every link and attachment, and the assumption that any unsolicited message could carry a payload that was, somewhere along the way, licensed for export from a friendly capital.