EU commercial spyware

Pegasus Infected the MEP Investigating Pegasus: Europe's Three-Year Failure to Regulate Commercial Spyware Is Now Indefensible

Citizen Lab's Report 194 reveals Stelios Kouloglou's phone was compromised twice during the PEGA Committee's deliberations — and the EU Commission has enacted none of the 2023 recommendations.

[Infographic: "Pegasus Targets the PEGA Committee" (People of Internet Research); panels: 2 Pegasus infections confirmed, 14-month PEGA probe duration, 47 Spain spyware cases, 215+ experts interviewed]

Key Takeaways

Citizen Lab's Report 194, published July 3, 2026, documents a pattern that should disturb every EU institution: Stelios Kouloglou, a Greek MEP who served as a substitute member on the European Parliament's PEGA Committee from March 2022 to July 2023, had his phone infected with Pegasus spyware on October 21, 2022 — days before a series of scheduled PEGA hearings — and again on March 6–7, 2023, as the committee entered its final push toward its formal recommendations. The committee was established precisely to investigate Pegasus abuse. One of its members was, simultaneously, one of its subjects.

Watching the Watchers

The PEGA Committee was set up in March 2022 in the wake of the Pegasus Project revelations, which documented use of NSO Group's zero-click spyware against journalists, opposition politicians, and civil society across EU member states. Over fourteen months, it interviewed more than 215 interlocutors, conducted fact-finding missions to Greece, Poland, Spain, Cyprus, Hungary, and Israel, and in May 2023 adopted its report and recommendations by 30 votes in favour, 3 against, and 4 abstaining.

The October 2022 infection struck while Kouloglou was hospitalized in Greece and the committee was preparing a draft report ahead of key hearings. The March 2023 infection hit in Brussels, during the final weeks of deliberation, approximately two months before the committee formally adopted its findings. Citizen Lab's forensic analysis confirmed both attacks and noted that Apple sent Kouloglou threat notifications on March 2, August 29, and April 10, 2024 — notifications he reportedly never received. The exposure window covered drafts, witness communications, and the internal deliberations of an active parliamentary inquiry.

Attribution Without Certainty

Kouloglou, also a longtime investigative journalist, told Recorded Future News he believes the Greek government is responsible for the attacks. The Citizen Lab explicitly says it has no evidence to support that conclusion. What it did find is that the infections overlap with a previously documented Pegasus campaign targeting Russian- and Belarusian-speaking journalists and activists in Europe — suggesting a single customer with authorization to deploy Pegasus across multiple EU jurisdictions. That breadth matters: Pegasus licenses are issued to states, not individuals. Whoever was running this operation had both the means and the multi-country mandate to surveil targets during a parliamentary inquiry into exactly that activity.

A Systemic Pattern, Not an Isolated Incident

Kouloglou was not the only PEGA committee member targeted. French MEP and committee chair Nathalie Loiseau confirmed she was targeted with Pegasus. Bulgarian MEP Elena Yoncheva had her device compromised in late October 2023. German MEP Daniel Freund was targeted with Candiru's mercenary spyware in May 2024. The committee tasked with documenting the threat became, in part, the threat's target list.

The broader PEGA findings documented illegitimate spyware use in at least four member states — Poland, Hungary, Greece, and Spain. Spain alone had 47 cases where the authorization basis for spyware deployment remained legally unclear. Poland and Hungary were found to have actively dismantled the independent oversight mechanisms that might have checked such deployments. These were not edge cases; they were the governing logic of how those states approached surveillance.

Three Years of Recommendations, Zero Binding Rules

Here is where the institutional failure becomes impossible to defend. The PEGA Committee's recommendations, adopted by the full Parliament on June 15, 2023, were specific and operationally grounded: establish an EU Tech Lab for independent device forensics; require independent judicial authorization for any lawful spyware deployment; define "national security" in EU law so member states cannot invoke it as a blanket shield; create mandatory victim notification requirements; enforce and tighten export controls on dual-use surveillance technology; and repeal non-compliant spyware export licenses already granted by Greece and Cyprus.

The European Commission's response was to observe that compliance with EU law is primarily a matter for member states — precisely the member states the inquiry documented as violators. Three years after the PEGA report, no binding EU regulation on commercial spyware has been enacted. No EU court has convicted a government for unlawful spyware deployment. The Pall Mall Process, a voluntary international framework signed by some EU states, explicitly avoids legally binding commitments. As Citizen Lab researcher John Scott-Railton warned: the next chapter of this story will be more hacked members of parliament.

Half-Measures Do Not Cover the Gap

There has been movement at the margins. The European Media Freedom Act, which took full effect on August 8, 2025, prohibits the use of spyware against journalists and their families, with a carve-out for judicially authorized investigations of serious crimes. That is a real protection — for journalists. It does not extend to parliamentarians, civil society researchers, political opponents of surveillance-capable governments, or the staff of oversight bodies. The European Democracy Shield, announced in November 2025, addresses foreign information manipulation and disinformation. Commercial spyware sold by companies incorporated in EU partner countries to EU member state governments is a categorically different threat, and the Shield does not address it.

What Proportionate Regulation Looks Like

The strongest argument for deference to member states is that national security remains a sovereign domain and that EU-level oversight risks creating constitutional conflicts with intelligence prerogatives the Court of Justice has historically been reluctant to override. That argument has genuine legal weight. But Kouloglou's case cuts directly against it: the very "national security" justification was apparently invoked to surveil the parliamentary body conducting oversight of national security abuses. When the loophole consumes the rule it was designed to protect, the legal argument for deference collapses.

Proportionate regulation here does not mean banning commercial spyware outright. It means what the PEGA Committee actually proposed: judicial authorization, meaningful oversight, legal definitions that prevent abuse, victim remedies, and an independent technical body capable of detecting infections. None of that is radical. All of it remains unimplemented. What Citizen Lab found on one MEP's phone is not the end of this story — it is the prologue to the next scandal, and the Commission knows it.

Sources & Citations

  1. Citizen Lab Report 194 — Kouloglou Pegasus Infections
  2. European Parliament — PEGA Committee Recommendations, May 2023
  3. EP Think Tank — Parliament's Actions Against Spyware Abuse
  4. The Record — Pegasus Found on PEGA Committee Member's Phone
  5. Digital Front Lines — EU Spyware Regulation After PEGA