—

having regard to the Article 13(2) of the Treaty on European Union and the principle of sincere cooperation,

—

having regard to the Framework Agreement of 20 November 2010 on relations between the European Parliament and the European Commission (1),

—

having regard to the Interinstitutional Agreement of 13 April 2016 between the European Parliament, the Council of the European Union and the European Commission on Better Law-Making (2),

—

having regard to the report of 22 May 2023 of its Committee of Inquiry to investigate the use of the Pegasus and equivalent surveillance spyware (A9-0189/2023),

—

having regard to its recommendation of 15 June 2023 to the Council and the Commission following the investigation of alleged contraventions and maladministration in the application of Union law in relation to the use of Pegasus and equivalent surveillance spyware (3),

—

having regard to Rule 208(13) of its Rules of Procedure,

—

having regard to Rule 132(2) of its Rules of Procedure,

A.

whereas on 15 June 2023, Parliament adopted a recommendation to the Council and the Commission following the investigation of alleged contraventions and maladministration in the application of Union law in relation to the use of Pegasus and equivalent surveillance spyware, which included proposals for legislative and non-legislative actions at EU level to regulate the use of spyware, the aim of which was to protect Union law and the rights enshrined in the Charter of Fundamental Rights of the European Union;

B.

whereas the Framework Agreement and the Interinstitutional Agreement on Better Law-Making oblige the Commission to reply to requests for proposals for Union actions made by Parliament within three months, stating the follow-up it intends to give to them;

C.

whereas more than five months following the adoption of the recommendation, the Commission has failed to deliver a formal response to Parliament outlining the actions taken and its plans for the future;

D.

whereas since the adoption of Parliament’s recommendation, new cases of abuse of spyware have been reported in the EU with no response by national authorities or by the Commission;

E.

whereas the Predator Files revealed that Members of the European Parliament, including President Roberta Metsola and Pierre Karleskind, as well as Commission officials and other individuals, were targeted with Predator spyware; whereas media reports indicate the attacks originated from third countries;

F.

whereas it has been revealed that the phone of Russian journalist Galina Timchenko, who is living in exile, was infected with Pegasus spyware while she was in Germany;

G.

whereas it has been reported that the telephone of Ahmed Tantawy, an Egyptian presidential candidate, had been repeatedly hacked using Predator spyware, which is sold by Intellexa, a European-owned company;

H.

whereas in Greece, the Hellenic Authority for Communication Security and Privacy (ADAE) and the Data Protection Authority have identified 92 targets, the prosecutors in charge have requested to cross-check the list with persons placed under surveillance by the Greek National Intelligence Service (EYP), two EYP officials are facing criminal charges by the prosecutors, and the ADAE board subsequently had to contend with sudden changes and the files have been transferred to another prosecutor;

I.

whereas the magistrate in charge of the case in Spain provisionally dismissed the inquiry into the alleged spyware attacks against the prime minister and government ministers by Morocco, owing to lack of cooperation by the Israeli authorities;

J.

whereas it was revealed that a French company, Nexa Technologies, has sold Predator spyware to repressive regimes, including Egypt, Vietnam and Madagascar;

K.

whereas none of the reports, partly documented in Parliament’s recommendations, alleging a possible violation of the Dual-Use Regulation (4) by Intellexa and other companies have led to credible follow-up by national authorities or by the Commission; whereas the lack of scrutiny may continue to create a favourable environment for malicious actors in this field;

L.

whereas on 6 September 2023, the Polish Senate’s extraordinary committee of inquiry investigating cases of illegal surveillance and their impact on the electoral process adopted its final report, in which it concluded that in Poland, Pegasus was used against people against whom no criminal proceedings were pending and that the victims of surveillance were spied on for political reasons;

M.

whereas the Irish Oireachtas Committee on Justice has been asked to investigate the role of Intellexa Group in the sale of spyware;

N.

whereas on 18 July 2023 the United States Department of Commerce added Intellexa S.A. in Greece, Intellexa Limited in Ireland, Cytrox Holdings Zrt. in Hungary, and Cytrox AD in North Macedonia to the Entity List, for trafficking in cyber exploits used to gain access to information systems, threatening the privacy and security of individuals and organisations worldwide;

O.

whereas the large number of cases has vividly demonstrated that the existing legal framework – both in certain Member States and at European level – is not sufficient to prevent abuse and sanction the misuse of surveillance spyware;

P.

whereas these revelations demonstrate the urgent need for the Union to act;