EU surveillance exports: hedge for stricter disclosure
Observation
Human Rights Watch on May 12, 2026 published a 54‑page report, “Looking the Other Way,” documenting that companies and exporters based in EU member states licensed or shipped surveillance technologies—intrusion software, interception systems, and forensic extraction tools—to governments with known human‑rights abuses. Its dataset draws on freedom‑of‑information (FOI) replies from six member states and two regions, and highlights authorisations from Bulgaria to Azerbaijan in 2022 and from Poland to Rwanda in 2023. The report also says the replies point to exports to “over two dozen” destinations with documented surveillance‑related violations. (hrw.org)
Theme: EU‑level transparency and member‑state discretion under the Dual‑Use Recast create a leakage point for surveillance‑capable technologies. This matters for corporate compliance, investor relations (IR), and strategy teams because regulatory hardening, reputational risk, and vendor compliance costs can reprice exposure across IT, law‑enforcement tech, and government‑facing SaaS.
Our call: for corporate compliance, IR, and strategy teams with EU exposure, hedge for a regulatory hardening cycle and reprice vendors reliant on opaque routing. Accelerate supplier due diligence and avoid counterparties that cannot publish licence‑ and destination‑level metrics.
Geoeconomic Structure
The pushback we hear: the EU already tightened rules in Regulation (EU) 2021/821, and the Commission’s January 2024 guidance balances national security and commercial confidentiality—why expect further change, and why hedge now? Because the mechanism that matters is not the law on paper but the visibility of decisions and the ease of routing around them. The Commission sets the tone through its Article 26 annual report and guidance; member‑state authorities are the gatekeepers issuing licences; and firms can exploit permissive registries to steer exports to hard‑to‑audit destinations. HRW’s FOI dataset shows the result: national redactions and aggregate EU‑level reporting that leave large blind spots exactly where incentives to abuse are highest. (eur-lex.europa.eu)
Start at the Brussels chokepoint. The Commission’s January 2024 instrument is a non‑binding Recommendation that sets the fields national desks populate for the Article 26 report and the aggregation the Commission publishes. When the report rolls up decisions to high‑level counts and omits exporter names, item categories, and destinations, external monitors cannot triangulate patterns. That opacity erodes the deterrent value of the Recast’s human‑rights “catch‑all,” because neither peers nor parliaments can hold outlier authorities to account. In geoeconomic terms, the Recommendation defines the reporting chokepoint; looseness here cascades into permissive practice downstream. (eur-lex.europa.eu)
Then the national gate: export‑licensing authorities in member states such as Bulgaria, Poland, and Sweden make the authorisation calls and decide how much to disclose. HRW documents uneven use of secrecy exemptions and incomplete FOI replies. Two cases matter because they are named and recent: Bulgaria authorised surveillance exports to Azerbaijan in 2022; Poland did so to Rwanda in 2023. Both recipients carry documented surveillance‑abuse records. Even where a licence might be legally defensible under national criteria, the absence of destination‑ and item‑level transparency means neither civil society nor counterpart regulators can stress‑test the decision quality. (hrw.org)
Layered onto this is the company routing dynamic. Vendors and intermediaries can register entities in permissive jurisdictions to originate exports from within the EU single market. HRW cites Swedish forensic‑extraction vendor MSAB and Bulgaria‑registered intermediaries such as Circles to illustrate how commercially legitimate products (e.g., mobile device extraction) and inherently sensitive capabilities (telecom interception) traverse the single market’s legal seams. Once the Commission report aggregates and national authorities redact, those seams become durable value‑chain nodes—jurisdictional venues where opacity is a feature, not a bug. (hrw.org)
A skeptic might say the market will self‑correct: when EU channels tighten, buyers pivot to non‑EU suppliers such as NSO Group, Cellebrite, or Intellexa/Cytrox. That is precisely why opacity at the EU chokepoint matters. U.S. counter‑instruments—the Commerce Department’s Bureau of Industry and Security (BIS) Entity List and the Treasury Department’s Office of Foreign Assets Control (OFAC) sanctions—have already constrained several non‑EU spyware vendors. As those extraterritorial levers expand, the relative importance of EU‑origin and EU‑registered routes rises. In other words, pressure from Washington is making Brussels’ reporting architecture the high ground where norms will be set. (commerce.gov)
These mechanics underpin the stance to hedge for stricter disclosure now. The political economy is aligned: HRW’s FOI disclosures give parliamentary committees and the Dual‑Use Coordination Group concrete cases to interrogate; the Commission can translate soft law into firmer, standardised reporting templates without reopening the Recast; and reputational heat on named vendors raises the cost of relying on secrecy exemptions. Expect the next Article 26 cycle to compress ambiguity into standard fields—destination and item categories at minimum. Even if some states resist, the compliance floor will rise because buyers and investors will demand comparable disclosures to avoid being the next Bulgaria→Azerbaijan headline. (hrw.org)
For practitioners, the transmission channels are practical:
- Counterparty risk repricing: discount business models that depend on redacted national registers or EU‑registered intermediaries with opaque ownership. Require vendors in categories like intrusion tools and universal forensic extraction devices (UFEDs) to publish licence metrics and customer‑vetting processes to remain on approved supplier lists. (hrw.org)
- Cost of capital and sales friction: as reporting hardens, vendors without auditable trails face longer sales cycles to EU public buyers and heightened anti‑money‑laundering/know‑your‑customer (AML/KYC) queries from banks. That shows up in working‑capital needs and guidance risk.
- Route‑to‑market redesign: even absent formal bans, narrower secrecy exemptions and disaggregated reporting will push intermediaries out of permissive registries into higher‑governance venues, raising operating costs and shrinking arbitrage margins. (eur-lex.europa.eu)
This is why “accelerate due diligence” is a position, not a platitude. The structural high ground—binding, disaggregated reporting and narrower exemptions—looks reachable within a year given current scrutiny. If you wait for a delegated act or a scandal to name your counterparty, you will be repriced by the market before the Commission publishes in EUR‑Lex. (eur-lex.europa.eu)
Strategic Reading from Sun Tzu
Sun Tzu wrote: “An army prefers high ground and avoids low ground; it values light and avoids shadow.”
Choose positions where you can see clearly and be seen, and avoid opaque ground where information sinks. In policy and markets, that means building rules and data flows that surface facts early and allow outside scrutiny; darkness invites misuse and hidden risk. Taking the high ground reduces friction because problems are detected and corrected sooner.
Human Rights Watch’s FOI work shows that member‑state export licensing authorities (e.g., Bulgaria, Poland, Sweden) often redact or withhold licence‑level details while the Commission’s aggregated report leaves large blind spots. Those shadows are where surveillance‑capable tools can be routed through permissive registries, EU‑registered intermediaries, or non‑EU suppliers. Applying the quote means moving the system onto high ground: binding, disaggregated reporting, narrower secrecy exemptions, and comparable disclosures across countries so routing games become harder to execute and easier to audit. (hrw.org)
Expect a policy inflection in which the Commission and coordination fora translate soft guidance into firmer requirements, using current scrutiny as leverage. Visibility will not end demand, but it will raise the compliance floor and make re‑registration and opaque routing more costly to sustain. (eur-lex.europa.eu)
Monitor whether upcoming Article 26 reports add destination‑ and item‑level detail and whether implementing measures narrow secrecy exemptions; treat firms with verifiable customer vetting and published licence metrics as lower‑risk exposure. Map reliance on jurisdictions with chronic redactions and discount business models that depend on opaque routing, as these will face mounting compliance friction. (eur-lex.europa.eu)
Caveats and Open Questions
- If the European Commission defends the January 2024 Recommendation and declines to issue binding, disaggregated Article 26 reporting templates within 12 months, and member states continue to report only aggregated data, the hardening thesis weakens and the hedge may be early. (eur-lex.europa.eu)
- If member‑state audits or disclosures demonstrate that the highlighted licences (e.g., Bulgaria→Azerbaijan 2022; Poland→Rwanda 2023) did not result in operational transfers to abusive units—i.e., chain‑of‑custody breaks the link—the case for tighter EU‑level transparency is narrower and should be re‑priced. (hrw.org)
- If major vendors adopt credible, public sale‑restrictions and publish customer lists or licence metrics for sensitive items—backed by third‑party assurance—corporate self‑policing could blunt abusive flows without EU legal change, reducing the payoff from hedging for regulation.
Lead‑time question: how many months before the next Article 26 annual report from the European Commission adds destination‑ and item‑level fields? If it lands within 6–12 months, the hardening thesis is confirmed; if it does not, position for a longer status‑quo glide. (eur-lex.europa.eu)
Editorial Changes
1. Observation — rewritten
Before:
Human Rights Watch on 12 May 2026 published a 54‑page report, “Looking the Other Way,” documenting... HRW’s dataset draws on freedom‑of‑information replies... highlights authorisations from Bulgaria to Azerbaijan (2022) and from Poland to Rwanda (2023). The report argues... to “over two dozen” destinations.
After:
Human Rights Watch on May 12, 2026 published a 54‑page report... Its dataset draws on freedom‑of‑information (FOI) replies... highlights authorisations from Bulgaria to Azerbaijan in 2022 and from Poland to Rwanda in 2023... “over two dozen” destinations with documented surveillance‑related violations.
Reason: Comprehension — standardised date to Month DD, YYYY for US readers; expanded FOI on first use; tightened wording. Fact-check — aligned phrasing with HRW report/news release. (hrw.org)
2. Observation — rewritten
Before:
This matters for Tier‑3 observers...
After:
This matters for corporate compliance, investor relations (IR), and strategy teams...
Reason: Pipeline-leak — removed internal cohort label (“Tier‑3”) and replaced with plain‑English audience; expanded IR on first use.
3. Geoeconomic Structure — rewritten
Before:
The Commission’s January 2024 guidance on data collection for the Article 26 report is non‑binding...
After:
The Commission’s January 2024 instrument is a non‑binding Recommendation that sets the fields national desks populate for the Article 26 report and the aggregation the Commission publishes.
Reason: Fact-check — named the legal act precisely as Commission Recommendation (EU) 2024/214 and its non‑binding status for clarity. (eur-lex.europa.eu)
4. Geoeconomic Structure — rewritten
Before:
A skeptic might say the market will self‑correct... U.S. counter‑instruments—the Commerce Department’s Entity List and OFAC sanctions—have already constrained several non‑EU spyware vendors.
After:
... U.S. counter‑instruments—the Commerce Department’s Bureau of Industry and Security (BIS) Entity List and the Treasury Department’s Office of Foreign Assets Control (OFAC) sanctions—have already constrained several non‑EU spyware vendors.
Reason: Comprehension — expanded BIS and OFAC on first use. Fact-check — supported with BIS/Treasury actions against NSO and Intellexa/Cytrox. (commerce.gov)
5. Geoeconomic Structure — rewritten
Before:
HRW cites Swedish forensic‑extraction vendor MSAB and Bulgaria‑registered intermediaries such as Circles...
After:
HRW cites Swedish forensic‑extraction vendor MSAB and Bulgaria‑registered intermediaries such as Circles... (examples of mobile device extraction and telecom interception traversing legal seams).
Reason: Fact-check — ensured both MSAB and Circles are named in the HRW report; preserved examples and added brief gloss. (hrw.org)
6. Geoeconomic Structure — rewritten
Before:
Require vendors in categories like intrusion tools and UFED‑class forensics...
After:
Require vendors in categories like intrusion tools and universal forensic extraction devices (UFEDs)...
Reason: Comprehension — expanded UFED on first use to avoid specialist shorthand.
7. Strategic Reading from Sun Tzu — trimmed
Before:
Sun Tzu wrote: —— An army prefers high ground and avoids low ground; it values light and avoids shadow.
After:
Sun Tzu wrote: “An army prefers high ground and avoids low ground; it values light and avoids shadow.”
Reason: Comprehension — standardised quotation formatting; no change to meaning.
8. Caveats and Open Questions — rewritten
Before:
If the European Commission defends the January 2024 guidance...
After:
If the European Commission defends the January 2024 Recommendation...
Reason: Fact-check — replaced generic “guidance” with the formal act type to avoid ambiguity. (eur-lex.europa.eu)