The European Data Protection Supervisor (EDPS) has called for a bloc-wide ban on the controversial Pegasus spyware tool, warning its use could lead to an “unprecedented level of intrusiveness.”
Israeli’s NSO Group, the developer of the notorious spyware, claims to only sell Pegasus to governments for the purpose of fighting crime and terrorism. However, multiple reports have revealed that the spyware was used to target journalists, activists and politicians in several European Union member states, including France, Spain and Hungary.
Just last month, researchers at Citizen Lab found that Pegasus was used to spy on three critics of the Polish government, raising questions over the legitimacy of the country’s 2019 parliamentary elections.
In light of the cases, the EDPS — tasked with issuing guidance and recommendations to the European Commission — called for a “ban on the development and deployment of spyware with the capability of Pegasus in the EU.” The watchdog cited the spyware’s “powerful” features, such as its ability to be silently installed on devices silently via zero-click attacks and to gain near-complete access to a target’s device, including their personal data, photos, messages and precise location.
The Brussels-based watchdog says a ban on Pegasus-like spyware is necessary to protect “fundamental freedoms but also to democracy and the rule of law.”
The EDPS said in its report that a number of member states had admitted to buying the spyware. However, it added the true list of customers “may prove bigger” as “it appears that a number of member states have at least initiated negotiations with NSO Group for the licensing of the product”.
The EDPS added it could not rule out a need for the spyware to be deployed in exceptional circumstances, for instance, to prevent a very serious imminent threat such as terrorism. The Brussels-based watchdog also said that if governments do use Pegasus, they should apply eight steps, including ensuring any forms of monitoring are “meaningful and effective” and strictly applying EU privacy rules.
Disrupt 2026: The tech ecosystem, all in one room
Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $400.
Save up to $300 or 30% to TechCrunch Founder Summit
1,000+ founders and investors come together at TechCrunch Founder Summit 2026 for a full day focused on growth, execution, and real-world scaling. Learn from founders and investors who have shaped the industry. Connect with peers navigating similar growth stages. Walk away with tactics you can apply immediately
Offer ends March 13.
In a statement, an unnamed NSO spokesperson rebuked the academics and researchers who have found and published evidence of known Pegasus infections, including against journalists and human rights defenders.
The EDPS report comes just months after the U.S. Commerce Department added NSO to its Entity List, banning American companies from doing business with the surveillance software maker unless they receive explicit permission.
Poland’s phone spyware scandal raises doubts over 2019 election
