Far from being marginal, the commercial surveillance market is now deeply structured. A recent mapping exercise identifies around forty companies active in the spyware sector and more than seventy client states (Spens, 2024). FinFisher, Hacking Team and NSO Group are among the most widely deployed vendors, each with several dozen government users.
This landscape is made even more difficult to assess by the complexity of corporate and legal structures. Cyber-surveillance companies operate through multiple subsidiaries, shell companies and transnational arrangements that fragment the chain of responsibility. This opacity is not merely a side effect: it has become one of the conditions under which the market operates.
From a legal standpoint, these technologies are most often classified as dual-use goods (civilian and military), which complicates their regulation. Existing control mechanisms struggle to keep pace with the speed of innovation and with the evolution of business models, which are now based on modularity and the fragmentation of capabilities.
Europe: Normative Ambition, Political Implementation
The European Union has nevertheless equipped itself with one of the most advanced regulatory frameworks in the world. With Regulation (EU) 2021/821, it strengthened export controls on dual-use goods by explicitly integrating certain cyber-surveillance technologies. ENISA plays a coordination and technical expertise role, while the AI Act introduces a risk-based approach for the most sensitive digital systems.
The stated objective is to prevent European companies from exporting intrusive surveillance tools to regimes likely to misuse them and to place these technologies within a framework compatible with fundamental rights.
In practice, however, the implementation of these rules remains largely national and deeply political. Export authorisations, ex post controls and sanctions still fall under the responsibility of Member States, which arbitrate between legal requirements, industrial interests and diplomatic considerations. European regulation thus runs up against a central principle: surveillance still largely belongs to the reserved domain of sovereign state authority.
Italy: The Hacking Team Case as a Symptom of Control Failures
Italy provides a textbook example. The rise and subsequent fall of the Milan-based company Hacking Team highlighted the concrete limits of export control mechanisms for surveillance technologies. In 2015, a massive data leak revealed that the company had sold its tools to intelligence services and defence ministries in several high-risk countries, including Saudi Arabia, Sudan and Russia, despite existing legal frameworks (Le Monde, 2015).
These revelations showed that export licences had been granted despite obvious warning signals. Although judicial proceedings and administrative investigations followed, they occurred only after the fact and did not structurally challenge the authorisation regime. The Hacking Team case thus illustrates a recurring problem: the law intervenes too late, and rarely in a systemic way.
Spain: Pegasus and the Grey Zone of “National Security”
In Spain, the use of Pegasus against Catalan independence figures highlighted another major limitation of European regulation. The CatalanGate report, published by Citizen Lab in April 2022, states that at least 65 individuals—including political leaders, lawyers and members of civil society—were targeted by spyware, notably Pegasus and Candiru.
According to the investigation, these intrusions may be linked to Spanish state entities, triggering a major political crisis and several parliamentary inquiries. However, the report also attracted significant criticism: lack of full independent validation, contested methodology and political instrumentalisation of the case in the context of the Catalan conflict (Citizen Lab, 2023).
Beyond the controversy, the case reveals a constant: even within the European Union, the notion of “national security” constitutes a legal grey zone in which mechanisms of oversight and transparency quickly reach their limits. ENISA may coordinate technical responses, but it has no authority over national intelligence services.
The Grey Market for Zero-Days: A Regulatory Blind Spot
One of the most persistent blind spots in regulation concerns the market for software vulnerabilities, particularly zero-days. These vulnerabilities, unknown to the software vendor and therefore unpatched, have become strategic assets traded on opaque markets at the intersection of security research, intelligence activity and commercial surveillance.
An OECD study highlights the extreme difficulty of regulating these markets due to the fragmentation of actors involved: independent researchers, specialised brokers, private companies and state agencies (OECD, 2022). As long as these vulnerabilities are not legally classified as controlled goods or weapons, they largely escape traditional regulatory mechanisms.
This vulnerability economy directly feeds the commercial surveillance industry while making chains of responsibility almost impossible to reconstruct.
When Law (Poorly) Catches Up with Surveillance
Faced with these developments, legal responses remain fragmented. In Europe, parliamentary inquiries—particularly the European Parliament’s PEGA committee—have documented abuses and governance failures without leading to a harmonised binding framework. In the United States, the blacklisting of NSO Group and Executive Order 14093 signed by President Biden in 2023 constitute strong political signals. However, these measures primarily fall within the scope of foreign policy and national security rather than a comprehensive mechanism for regulating the market.
Across contexts, the diagnosis is similar: the law acts after the fact, case by case, without any real capacity to sustainably structure an ecosystem that is already globalised and technically fragmented.
The Diplomacy of “Bluffing”
Regulating surveillance ultimately runs up against a diplomatic reality that few states publicly acknowledge: cyber intrusion has become a central attribute of digital sovereignty.
In this “bluffing game,” states condemn abuses, call for ethical standards and support multilateral initiatives, while at the same time maintaining—or even strengthening—their own offensive capabilities. Regulation thus becomes an exercise in balancing: displaying principles without relinquishing tools.
Attempts at regulation are not limited to general declarations: several states have recently launched multilateral initiatives aimed at structuring norms of behaviour regarding commercial cyber-intrusion capabilities. The most advanced example is the Pall Mall Process, jointly launched by the United Kingdom and France in February 2024, with the ambition of creating a global framework for cooperation between states, companies, researchers and civil society organisations to address the proliferation and irresponsible use of these tools (RUSI, 2025).
Unlike a treaty, this process is not legally binding. It is a structured multilateral dialogue designed to bring definitions, best practices and political commitments closer together. During the first meeting at Lancaster House, a multipartite declaration was adopted, structured around four principles: accountability, precision, oversight and transparency. It was subsequently signed by more than twenty-six governments and regional organisations, including the African Union and the Gulf Cooperation Council.
One concrete outcome was the development of a Code of Practice for States, adopted at the second conference in Paris in April 2025: a set of political commitments and practical recommendations intended to combat uncontrolled proliferation and irresponsible uses of cyber-intrusion capabilities. Supported by more than twenty-seven states, this document is intended to complement existing frameworks (such as the United Nations framework for responsible state behaviour in cyberspace and the Paris Call for Trust and Security in Cyberspace) and provides guidance on state responsibility, due diligence, risk assessment and export controls (RUSI, 2025).
However, several challenges remain: the process still needs to define operational definitions accepted by all participants, include a broader range of countries, and move from the stage of best practices to that of effective commitments followed by concrete actions. It should also be noted that the international dynamic is currently uncertain, and the success of the Pall Mall Process will depend on states’ ability to commit to common standards within a rapidly evolving geopolitical environment, while ensuring the active participation of the actors whose behaviour must change if meaningful progress is to be achieved.
In a converging approach, the Carnegie Endowment for International Peace advocates regulation based on a more refined understanding of surveillance tools, a geostrategic analysis of export practices and a clear differentiation between types of offensive capabilities (Institut Montaigne, 2023). Here again, the challenge lies less in the absence of proposals than in the difficulty of transforming these analytical frameworks into effective political constraints.
The question of regulating commercial surveillance is therefore not only legal or technical in nature: it is profoundly political. Regulation implies making explicit trade-offs between security, sovereignty and fundamental rights—trade-offs that few states are currently willing to address openly.
As long as surveillance continues to be perceived as an indispensable strategic lever, regulation will remain partial, fragmented and reversible. The issue is no longer whether new texts should be produced, but whether states are prepared to limit—also for themselves—the capabilities they consider excessive when used by others.