EU Commission Needs to Strengthen Due Diligence, Transparency Rules

File Photo: 2026 Glenn Harvey for Human Rights Watch

The European Union has failed to prevent member states from exporting surveillance technology to governments with well-documented histories of using technology to spy on activists, journalists, and other critical voices, Human Rights Watch said in a report released today. The European Commission should strengthen its implementation of EU regulations on the export of cybersurveillance technology to ensure that European technology is not facilitating rights abuses around the world.

The 54-page report, “Looking the Other Way: EU Failure to Prevent Surveillance Exports to Rights Violators,” assesses how the EU’s landmark Dual-Use Regulation, adopted in 2021, is functioning in practice. The regulation was intended, in part, to prevent the export of dual-use technologies—those that may be used for both civilian and military purposes, including commercial surveillance technology—to places where they are likely to be used to violate international humanitarian or human rights law. But that goal is not being achieved because it is not being implemented effectively. 

“The EU is currently doing too little to prevent the export of surveillance technology from its member states to governments who are likely to use it to crack down on dissent,” said Zach Campbell, senior surveillance researcher at Human Rights Watch. “The European Commission should take urgent action to change this and provide much needed transparency for surveillance exports.”

Human Rights Watch sought information about the licensing and exports of such technology through freedom of information requests in each of the 27 EU member states and received data from nearly half of the EU countries that have sent data to the commission. Human Rights Watch analysis of that data, along with its analysis of European Commission public reports and data also obtained via transparency requests, show serious defects in the EU’s current approach.

The EU is home to many of the world’s major developers and exporters of surveillance technology. The EU regulates exports of the most intrusive types of surveillance technology, while individual licensing decisions are taken by national authorities of EU member states. 

The EU Dual-Use Regulation, commonly known as the “Dual-Use Recast,” requires member states to report export licensing decisions of certain types of surveillance technology to the European Commission and for the commission to make it public. In 2024, the European Commission issued a recommendation containing implementation guidelines that establish how member states should report their export data.

In those guidelines, the commission has reinterpreted the Dual-Use Recast’s transparency obligations in a manner that has undermined the purpose of the regulation. As a result, the commission’s reports do not provide sufficient detail to facilitate the scrutiny necessary to assess whether the regulation is having its intended effect, Human Rights Watch found. 

The data collected by Human Rights Watch nevertheless shows clear evidence of EU member states licensing exports of surveillance technology to authorities in a number of countries with well-documented histories of using such tools to violate rights. The data includes, as examples, evidence of the export of intrusion software, telecommunication interception systems, or both from Bulgaria to Azerbaijan in 2022; the export of telecommunication interception systems from Poland to Rwanda in 2023; as well as other examples of exports of these tools to other countries that have used surveillance technology to crack down on dissent.

Human Rights Watch also found that the European Commission is failing to provide legally required transparency on these exports. In order to promote transparency and further research, Human Rights Watch is publishing the received data online. 

In response to questions, the European Commission stated that EU member states are “solely responsible for licensing decisions on dual-use exports.” They explained that their decision, set out in the recommendation, to collect data in a way that obfuscates what technology was sent where was due to a concern “that only a limited number of companies were active in exporting such items at the time of the adoption of the Recommendation, thus potentially violating commercial confidentiality or revealing their identity.” 

The European Commission is required by the Dual-Use Recast to begin an evaluation of the regulation later in 2026. It should use this opportunity to strengthen due diligence and transparency requirements to ensure that the EU curbs its export of surveillance technology to abusive governments around the world. It should also ensure that this process provides for meaningful participation of all relevant stakeholders, including human rights and other civil society organizations. 

The European Commission should issue new guidelines for implementing the Dual-Use Regulation closer to the letter of the law, which requires EU member states to consider the risk of surveillance technology being used for internal repression or to violate international humanitarian or human rights law. These new guidelines should also mandate real transparency over the exports of surveillance technology from EU member states and require companies exporting surveillance technology to undertake meaningful due diligence into whether their products are likely to be used to violate rights. 

States’ human rights obligations include an obligation to regulate the sale and export of surveillance technology. This is due to the inherent threat to the right to privacy the existence of such technology poses, and the potential violation of other rights , –from freedom of expression and assembly, to the right to life and freedom from torture– that can flow from its use, particularly when used to target individuals and communities on a discriminatory basis. To meet this obligation, it is not enough for states to put in place such regulation, but they need to implement and monitor it to ensure that it is achieving its preventative purpose, Human Rights Watch said. 

Companies also have their own separate responsibility to respect human rights, which means they should undertake credible human rights due diligence and mitigate human rights risks so that their operations do not facilitate or exacerbate human rights problems.

“It appears as if EU countries and EU-based surveillance companies are putting profits above people despite adopting one of the most progressive regulations to curtail the sale of this harmful technology,” Campbell said. “Real transparency is needed to ensure that the dual-use regulation is working as intended.”