BrusselsThe European Commission has not used 5-year-old powers to restrict EU surveillance exports, Human Rights Watch found.
The 2021 bloc-wide dual-use rules gave Brussels this authority; no enforcement action has been taken.
Human Rights Watch called on the Commission to act; no response has been issued.
Sources: The Record
WHAT DUAL-USE MEANS
Dual-use goods are items with both civilian and military applications — encryption, drones, chemical precursors, and increasingly, surveillance software. The category exists because the same code that lets a corporation monitor employees can let a state hunt dissidents.
THE 2021 REGULATION
EU Regulation 2021/821 was the bloc's response to the Arab Spring revelations that European firms had sold mass-surveillance kit to Mubarak, Gaddafi, and Assad. It added a 'human security' clause empowering Brussels to restrict exports of intrusion software and IP monitoring tools — even when no individual member state objected.
THE ENFORCEMENT GAP
Authority sits with the Commission; licensing sits with national authorities. Italy licenses Hacking Team's successors, Germany licenses FinFisher's, France licenses Nexa. Each capital has commercial reasons to approve; no capital has reason to escalate to Brussels. The bloc-wide veto exists on paper and nowhere else.
WHO BUYS
Investigations by Citizen Lab and Amnesty have traced European-licensed spyware to Morocco, Egypt, the UAE, Saudi Arabia, Bahrain, Kazakhstan, and Azerbaijan — used against journalists, opposition figures, and exiled dissidents. The Pegasus revelations got the headlines; the European supply chain got the contracts.
THE WASSENAAR PRECEDENT
The Wassenaar Arrangement added 'intrusion software' to its export-control list in 2013 — the first multilateral attempt to treat spyware as a controlled good. Forty-two states signed on. Enforcement was left entirely to national licensing authorities, and the same gap opened: the rule exists, the licenses still flow.
WHY NON-ENFORCEMENT IS THE NORM
Export-control regimes historically work for nuclear material and missile components — physical goods that cross customs borders and require specialized manufacturers. Software ships as a download under an enterprise license. Once the regulatory frame treats code like a centrifuge, the enforcement model breaks; nobody has yet built one that fits.