"The fact that Stelios Kouloglou's device was infected with an intrusive form of spyware that only governments can procure, while he was actively involved in the parliamentary inquiry committee that was investigating spyware abuse by European countries, raises serious concerns about the integrity of independent oversight at the highest levels in Europe," said Elina Castillo Jiménez, advocacy and policy advisor for the Security Lab at Amnesty International.
Citizen Lab finds Pegasus on Kouloglou's iPhone during PEGA hearings
Citizen Lab forensically analyzed the device of Stelios Kouloglou, a former investigative journalist who served as a Greek member of the European Parliament between 2014 and 2023 and was a substitute member of the inquiry into the use of Pegasus and other spyware (the PEGA Committee). The research unit reported that Kouloglou's iPhone was infected with Pegasus in October 2022 and again in March 2023 — precisely when key hearings on the committee's formal recommendations were taking place.
Citizen Lab did not definitively attribute the infections to a specific NSO Group customer, and noted that attribution is notoriously difficult in cyberattacks, especially spyware cases. The unit said it found no indications that the Greek government was responsible, and posited that the same Pegasus operator behind attacks on seven targets in 2024 — all exiled activists and journalists from Russia, Latvia, or Belarus — was behind Kouloglou's infection.
Amnesty International and civil liberties groups demand an EU probe
Amnesty International joined other civil liberties groups in a joint statement urging urgent EU action. Signatories demanded that the EU's Directorate-General for Information Technologies and Cybersecurity (DG ITEC) launch a "robust investigation" into the hacking of Kouloglou's iPhone and "pinpoint who was responsible." They also called on the EU to respond publicly and urgently to the PEGA Committee's May 2023 recommendations and to disclose which recommendations have or have not been implemented.
The groups said the targeting of a parliamentarian serving on the spyware inquiry demonstrates how protections intended to prevent abuse are not being implemented, and that the response should ensure accountability rather than impunity.
PEGA Committee recommendations and the EU's current stance
The PEGA Committee's May 2023 recommendations did not call for a ban on spyware sales, but favored tight regulation within the EU. Under those recommendations, member states seeking to use spyware lawfully would have to involve Europol, submit to independent oversight, and thoroughly investigate allegations of abuse. Civil society signatories argue the EU has failed to meaningfully implement those measures, leaving the bloc exposed to recurring scandals.
Campaigners want the EU to guarantee effective remedies for victims, including access to evidence, notifications about when surveillance occurred, and accountability for those behind spyware infections.
Dual‑Use Regulation under scrutiny
Campaigners further demanded meaningful reform of the 2021 Dual‑Use Regulation, the EU framework governing the export of spyware products. The Regulation has been updated several times since 2021 and is currently under evaluation, and the signatories called for any revisions to reflect PEGA's recommendations. Critics — including the Centre for Democracy and Technology Europe (CDT) — argue that export controls across the EU are not being enforced effectively and that spyware can move across internal borders without the licensing or accountability measures necessary to prevent abuse.
Context: a pattern of spyware scandals in EU member states
The Kouloglou finding arrives amid a series of high-profile European cases. Citizen Lab previously revealed infections tied to Spain's "CatalanGate," finding devices of at least 65 people associated with the Catalan separatist movement were infected with Pegasus or Candiru between 2017 and 2020. Spain dismissed its national intelligence director, Paz Esteban López, in 2022 after high-ranking ministers — including Prime Minister Pedro Sánchez — were infected.
In Greece, four individuals connected with Intellexa were sentenced in February to more than 126 years in prison each for roles in a 2022 spyware scandal that involved journalist Thanasis Koukakis and MEP Nikos Androulakis; Greece's Supreme Court cleared intelligence agencies in 2024. In Poland, former intelligence officials and ministers were charged in February 2026 with using Pegasus after a 2024 inquiry commitment. Hungary has also been implicated in earlier allegations tied to Pegasus in 2021.
What this means for DG ITEC, member states, and victims
- DG ITEC: The groups explicitly call on DG ITEC to open a forensic investigation and to disclose implementation status of PEGA's recommendations; the office will be judged on whether it can produce public findings and attribution despite the well-documented difficulty of attributing spyware operations.
- Member states that use or export surveillance tools: The demand for tighter regulation and involvement of Europol and independent oversight signals increased pressure on national authorities to show oversight, licensing, and post-use accountability in line with PEGA's framework.
- Victims and civil society: Campaigners want guaranteed remedies — access to evidence, notification of surveillance, and mechanisms to hold perpetrators accountable — which will require legal and procedural changes if the EU accepts the groups' demands.
The Citizen Lab finding that a parliamentarian active on a spyware inquiry was infected during committee hearings crystallizes the central problem the civil liberties groups describe: rules and recommendations exist, but implementation and enforcement lag. With DG ITEC put on notice and the Dual‑Use Regulation under review, the immediate test is whether Europe will move from public recommendations and symbolic updates to concrete investigations, disclosures, and remedies that the signatories say are required to protect independent oversight and fundamental rights.




