On July 18th, 2021, Amnesty International and other investigators revealed how Pegasus was sold to authoritarian regimes and used to target activists, politicians, and journalists. It soon became clear that democratic governments, too, have deployed the spyware. A total of 14 member states acquired the tool, the software manufacturer told European lawmakers this week during a fact-finding mission to Israel.

The Pegasus scandal has sparked alarm across Europe and triggered a European Parliament inquiry. But victims, civil society organizations, researchers, and politicians remain dissatisfied with the lack of progress. “The time for indignation and condemnation is over,” Kristina Hatas, advocacy officer at Amnesty International complains. “Action is needed.”

Top politicians targeted by the spyware include European Commissioner Didier Reynders, Spanish Prime Minister Pedro Sánchez, and French President Emmanuel Macron.

The German Federal Criminal Police Office confirmed acquiring and deploying a modified version of Pegasus. In France, Finland, and Belgium, Pegasus’ use has been “forensically confirmed”, while in the Netherlands it is categorized as “possibly”, according to a recent study by the European Parliament.

Produced by Israeli surveillance company NSO Group, Pegasus gives complete access to mobile devices. It extracts details such as passwords, messages, and browsing history, and even activates the device’s microphone and camera, offering a user the ability to spy on targets in real-time.

The European Parliament’s Pegasus committee will present the results of their twelve-month investigation in spring 2023. It has dispatched fact-finding missions to Israel, Poland, Hungary, and the US. In Israel, government officials said they had issued export licenses to more than half of the 27 EU member states and suspended the license for two governments for misuse. The two suspended governments were not named.

Both the Hungarian and Polish governments have admitted that they have deployed Pegasus – feeding into the criticism from the European Commission about both countries’ abuse of democratic rule of law reports.

Political fallout also has hit Catalonia.  During the Catalan independence referendum in 2017, the Spanish government reportedly targeted independence supporters. Outraged Catalans now fear that the European Parliament will fail to investigate. Erika Casajoana Daunert, a representative of the Catalan Government to the EU, charges Spanish MEP Juan Antonio Zoido with obstructing an investigation into Spain.

Zoido is a member of the European Parliament Pegasus Committee and served as Spain’s minister of the interior between 2016 and 2018. In response, Zoido said a mission to Spain “has not been completely ruled out,” but that the Parliament’s Commission’s priority was Poland because it presented the most “flagrant” case where “the spyware was used” against political opponents and because “we know that Poland, unfortunately, does not respect the rule of law.” None of these “assumptions occur in Spain,” Zoido said.

Although the US has blacklisted Pegasus, Europe looks unlikely to support a ban, according to Dutch MEP Sophie in ‘t Veld, who is leading the European Parliament inquiry. It is hard to achieve unity among the European Union’s 27 nation-states, she explains.  “We can make as much noise as we possibly can,” says in ‘t Veld.  “We can’t completely discipline member states.”

Until now, rules around spyware remain a national competency, with the EU having almost no say over national security matters.  It remains unclear which countries are using spyware, on whom exactly and for what motives. In ‘t Veld believes that common European-wide oversight can be established to at least provide transparency. “We also need better oversight,” she says.

What can be done remains potentially significant.  Potential reforms include discouraging European governments from purchasing this technology by creating high tariffs and increasing transparency, according to Ben Wagner, professor at the Technology University Delft.  Tariffs or fines could be used to compensate victims and protect the vulnerable, he says.

Laura Kabelka is a Berlin-based correspondent for Euractiv.com specializing in digital policy.