The Records
On June 18, 2026, Human Rights Watch published five years of Bulgarian export licensing records documenting that the surveillance firm Circles received government authorization to sell four distinct interception product lines to law enforcement and intelligence agencies in fifteen countries: Azerbaijan, Bahrain, Brazil, the Dominican Republic, El Salvador, Ghana, Guatemala, Israel, Jordan, Malaysia, Mexico, Morocco, Panama, Serbia, and the United Arab Emirates.
The product suite was not marginal. "Landmark" tracked mobile subscribers' real-time locations by querying SS7 signaling infrastructure. "VOLE" (Voice Over Location Enabler) intercepted voice calls and data using the same SS7 vulnerabilities. "Saphire" allowed remote command injection into mobile operators' systems to redirect a target device's IP address. "Pixcell" was a tactical IMSI-catcher system that captured voice, messages, and internet traffic from specific handsets. Several of the destination states — Bahrain, Azerbaijan, Morocco — have documented records of deploying equivalent technology against journalists, lawyers, and political dissidents.
Bulgaria's Ministry of Economy and Industry, through its Interdepartmental Commission for Export Control and Non-Proliferation of Weapons of Mass Destruction, issued these licenses annually across that five-year span. The ministry's public position, relayed to HRW, was that exports "contradicting human rights are not allowed" and that the government maintains "zero tolerance for abuses." The licensing record does not support that characterization.
The Case For Controls
The strongest argument for a robust surveillance export regime is straightforward: interception technology is fungible political power. Unlike conventional arms, phone location tracking and SS7 exploitation tools leave no physical trace, scale to mass surveillance with minimal marginal cost, and tend to flow toward the targets states most want to suppress. The EU's decision in Regulation 2021/821 to treat cyber-surveillance tools as dual-use items subject to export licensing reflects a considered assessment of asymmetric risk: the downside of misclassification is systematic abuse of fundamental rights, not a trade dispute.
That case is well-founded empirically. The European Parliament's PEGA Committee documented in its June 2023 recommendation — following a year-long inquiry into Pegasus and equivalent spyware — that surveillance tools had been used against journalists and opposition politicians inside EU member states themselves. If the risk of abuse exists within the bloc, the exposure from exporting the same capabilities to states with weaker rule-of-law infrastructure is self-evident. The PEGA rapporteur Sophie In 't Veld stated plainly: "Not one victim of spyware abuse has been awarded justice. Not one government has really been held accountable."
Where Enforcement Breaks Down
The problem is not the regulatory framework on paper. Article 5 of Regulation 2021/821 contains a "catch-all" provision requiring exporters to seek authorization whenever they know or have reason to suspect that a cyber-surveillance item — even one not listed in the main control annex — may be used for "internal repression" or "serious violations of human rights and international humanitarian law." The Recitals explicitly oblige member states' competent authorities to factor destination countries' human rights records into their licensing decisions.
But according to SIPRI's analysis, Article 5 "has been limited to date" in practice. The European Commission did not issue clarifying guidelines on when exporters must notify licensing authorities until October 2024 — three full years after the regulation entered force in September 2021. Bulgaria, meanwhile, continued issuing export authorizations for Circles products through 2023, well into the regulation's operative period.
Aggregate data reinforces the picture. The Commission's first annual report on dual-use export controls, published in January 2025 and covering 2022, found that EU member states collectively denied export applications worth roughly 0.03% of the total value of extra-EU dual-use exports — 831 denials against €57.3 billion in authorizations. The system approves at scale and declines at the extreme margin.
A Structural Vulnerability, Not an Anomaly
The Circles case also illustrates a structural vulnerability specific to surveillance technology: EU firms can incorporate and seek export licenses in whichever member state applies the least friction. Circles originated in Cyprus before operating from Bulgaria. The PEGA committee explicitly identified Cyprus and Greece as jurisdictions the spyware industry had gravitated toward for precisely this reason — they offered more accommodating licensing environments within the single market.
The network behind Circles makes the pattern clearer. One of the firm's co-founders, Tal Dilian, also founded Intellexa, the Greece-based firm whose Predator spyware was central to a 2022 political surveillance scandal. On February 26, 2026, an Athens court convicted Dilian and three associates of illegal access to information systems, breach of communications privacy, and interference with personal data systems, sentencing them to eight years — suspended pending appeal. The U.S. Treasury sanctioned Intellexa entities in March and September 2024, describing the spyware consortium as posing a threat to U.S. national security and the security of U.S. allies. That the same individual network built both Circles and Intellexa across multiple EU jurisdictions suggests not a compliance failure but an architecture deliberately calibrated to stay ahead of enforcement.
What Proportionate Reform Requires
The argument here is not against export controls — it is for enforcing the ones that already exist. Three targeted reforms would close the most significant gaps without disrupting legitimate trade in dual-use technology.
First, the Commission should establish binding minimum due-diligence standards for member state licensing authorities specifically covering cyber-surveillance items: a presumption against export to any jurisdiction appearing on the EU's human rights concern lists, with documented rebuttal required before a license issues.
Second, Article 5 should carry a mandatory notification step — before any member state issues a surveillance-product license to a jurisdiction with documented misuse history, the Commission's Export Control Coordination Group should receive notice. This does not hand Brussels a veto; it creates a record, a moment of institutional friction, and a basis for subsequent accountability.
Third, the Commission's upcoming evaluation of Regulation 2021/821 — scheduled between September 2026 and September 2028 — should treat the Bulgaria-Circles record as a design stress-test rather than an isolated incident. If five years of surveillance exports to documented rights violators can proceed through a properly transposed regulation, the gap is not a licensing failure. It is what the regulation, as implemented, was configured to permit.
The EU has the legal framework. What the Circles records document is not its absence — it is the distance between the framework's stated intent and the daily decisions of the competent authorities who operate it.