EU commercial spyware / surveillance

Pegasus Hacked the MEP Who Investigated Pegasus — and Brussels Still Has No Law to Show for It

Citizen Lab found Pegasus on ex-MEP Stelios Kouloglou's phone during PEGA committee hearings; three years after Parliament's reform call, the Commission has proposed no spyware law.

Three Years After PEGA, Still No EU Spyware Law People of Internet Research · EU 2 Confirmed Pegasus infections Kouloglou's phone was infected in … 30-3-4 PEGA final report vote tally MEPs adopted the PEGA committee's … 5 EU states named in PEGA probe The committee singled out Poland, … ~3 yrs Years since Parliament's call No Commission legislative proposal… peopleofinternet.com

Key Takeaways

A committee investigating spyware, compromised by spyware

On July 3, 2026, Citizen Lab reported that the phone of Stelios Kouloglou, a Greek MEP who sat on the European Parliament's Committee of Inquiry into Pegasus and equivalent spyware (PEGA), was infected with NSO Group's Pegasus spyware not once but twice — via a zero-click exploit on October 21, 2022, and again on March 6–7, 2023. Both intrusions fell squarely inside the committee's active investigation window, meaning whoever operated the spyware had a plausible window into the deliberations of the very body Europe had convened to study spyware abuse.

Citizen Lab is careful about attribution: it explicitly states it is "not attributing these investigations to a specific NSO Group customer," and it has ruled out the Greek government, despite Kouloglou's own suspicion that Athens was responsible. What the forensic trail does show is an operational link — a shared HomeKit lookup email address — connecting the infrastructure used against Kouloglou to a later campaign against Russian and Belarusian-speaking exiled journalists, pointing to "a Pegasus customer with authorization to spy in multiple European countries." That is a more unsettling finding than a single rogue government: it suggests shared or overlapping spyware infrastructure operating across borders inside the EU with no member state clearly accountable.

The reforms that never left paper

The irony is structural, not incidental. The PEGA committee's final report, adopted 30-3-4 on May 8, 2023, found systematic spyware abuse in Hungary — describing it as part of "a calculated and strategic campaign to destroy media freedom" — and in Poland, alongside more ad hoc misuse in Greece and unresolved questions in Spain. Parliament then formally recommended, on June 15, 2023, that the Commission and Council establish EU-wide standards: judicial pre-authorization for spyware deployment, shielding of privileged communications belonging to lawyers, doctors, journalists and politicians absent evidence of crime, mandatory notification of surveillance targets, tighter export-control enforcement, and a new independent "EU Tech Lab" to conduct forensic screening and technical investigations.

More than three years later, none of it has become law. As Citizen Lab researcher John Scott-Railton told Recorded Future News, "I know what the next chapter of this story is — it's going to be more hacked members of parliament," adding that MEPs today are likely walking around with compromised phones and no idea. The Record's reporting notes the Commission has largely set the recommendations aside.

Steelmanning the case for a harder line

The civil society critique, laid out by EDRi even before the Kouloglou revelations, deserves to be taken seriously rather than waved off as absolutist. EDRi argued Parliament should have pushed for an outright ban rather than a "condition-based moratorium," noting that the four conditions attached to lawful spyware use lack enforcement mechanisms, and that national-security carve-outs already weaken the promised protections for journalists and lawyers. The Kouloglou case is close to vindication of that skepticism: a legislature that spent 14 months studying spyware abuse could not protect its own inquiry from the thing it was studying. If judicial pre-authorization, export licensing and threat-notification protocols already existed and were enforced, this infection either would not have happened or would have been caught and disclosed in weeks, not surfaced three years later by an outside research lab.

Why a blanket ban still isn't the answer

Even so, the fix that follows from this incident is enforcement and institutional hardening, not prohibition. Commercial intrusion tools are dual-use technology with legitimate applications in counterterrorism and serious organized-crime investigation — several EU member states, including some hosting spyware vendors, rely on them under lawful-intercept regimes with judicial oversight. Banning the category outright would not eliminate demand; it would push EU governments and their vendors toward less transparent, non-EU brokers operating entirely outside European export-control jurisdiction, which is the opposite of accountability. The PEGA committee's own diagnosis was correct: the problem is the absence of judicial pre-authorization, redress and independent forensic capacity — not the mere existence of intrusion technology.

What the Kouloglou case actually indicts is implementation failure. The Commission has not tabled the legislative proposals Parliament requested; no EU Tech Lab exists to screen MEPs' devices as a matter of course; and Apple's own threat notifications — which flagged Kouloglou's targeting as early as March 2023 — arrive in batches months after the fact, too late for real-time protective action. Proportionate regulation means building the specific, narrow infrastructure PEGA already specified: mandatory device screening for members of sensitive committees, judicial authorization requirements with teeth, and export-control enforcement against firms and states that violate them — not a symbolic ban that leaves the accountability gap exactly where it is today.

The Commission does not need a new mandate. It needs to act on the one Parliament already gave it in June 2023.

Sources & Citations

  1. Citizen Lab: Kouloglou Pegasus report
  2. European Parliament: PEGA final report press release
  3. European Parliament: spyware recommendation adopted
  4. The Record: MEP hacked with spyware he investigated
  5. EDRi: PEGA committee falls short on spyware regulation