In July 2021, the day after the Pegasus Project was published, the president of the EU Commission Ursula von der Leyen said that the acts of misuse brought to light by the investigation were “completely unacceptable.”
During its plenary session in September 2021, the European Parliament took up the Pegasus scandal, requesting answers from the Commission and calling for action. European Commissioner for Justice Didier Reynders declared that the European Union must rapidly pass legislation to protect the rights of journalists. The media revealed a few months later that around the time of his declaration, his phone might have been targeted with Pegasus.
In December 2021, 88 non-governmental organizations and independent experts called on the European Union to impose global sanctions against NSO Group and to ban the purchase, transfer, export and Import of its technologies.
In February 2022, the European Data Protection Supervisor (EDPS) declared that Pegasus spyware was “incompatible with [the] democratic values [of the EU]” and that it should be banned.
In March 2022, after allegations that the governments of Poland and of Hungary used Pegasus to spy on their critics, the European Parliament announced the creation of an inquiry committee into the Pegasus scandal (PEGA Committee). The commission’s work began in April and continued for a year.
In April 2022, Reuters revealed that at least five senior EU officials were targeted with Pegasus in 2021. Among them was European Justice Commissioner Didier Reynders (he did not return Reuters’ messages).
That same month, NSO Group’s co-founder Shalev Hulio told The New Yorker that “almost all governments in Europe are using [NSO’s] tools.”
On May 21, the European Parliament's inquiry commission auditioned Chaim Gelfand, a representative of NSO Group. Under fire from members of parliament, he stated that at least five European countries had used Pegasus and that NSO Group had terminated the contract with at least one of them. Some of his answers are vague, as a Citizen Lab researcher notes on Twitter.
In August 2022, NSO Group told the PEGA Committee it had active contracts with 22 security and enforcement organizations in 12 EU countries - and that it used to work with two additional EU countries. The company did not disclose which countries were active customers and which were former ones.
In May 2023, the PEGA committee adopted its report, in which it asked the European Union for stricter regulation around spyware usage, sale and production. The report did not ask for a moratorium. In June 2023, the European Parliament adopted the PEGA committee’s recommendations with an overwhelming majority. MEPs called for full investigations and safeguards to prevent spyware abuse.