Israeli firm NSO is once again facing pressure after new evidence that the phones of senior EU officials were hacked using spyware Photo: Shutterstock

Israeli firm NSO is once again facing pressure after new evidence that the phones of senior EU officials were hacked using spyware Photo: Shutterstock

An EU investigation has found evidence that the phones of senior officials were hacked using the Pegasus spyware by Israeli firm NSO, which has several backoffice entities in Luxembourg.

In a letter shared by member of the European Parliament Sophie in ‘t Veld (Renew) with news agency Reuters, EU justice commissioner Didier Reynders says Apple told him in 2021 that his phone had possibly been hacked.

An inspection of Reynders’ devices and phones by other European Commission employees found “indicators of compromise”, meaning that there no conclusive proof of a breach but that evidence exists showing a hack occurred.

The investigation is still ongoing with no details available on who is behind the spyware infiltration. A spokesperson of NSO, the company behind the Pegasus spyware, said the firm would cooperate with the EU in its search for answers.

The European Data Protection Supervisor in February had of Pegasus in the EU after a leak of information last year revealed more than 50,000 potential targets of the spyware. This included politicians, human rights activists and journalists.

NSO has denied wrongdoing, saying it sells the software only to vetted clients with the aim to fight crime and terrorism.

Pegasus in the EU

The European Parliament this year formed a committee to investigate the use of surveillance software in the EU. It has found that governments in 14 EU member states have purchased NSO technology in the past.

Luxembourg prime minister Xavier Bettel (DP) last October on remarks made during a live interview that Luxembourg had bought the controversial software.


Read also


Speaking during an event with the Luxembourg Times, Bettel said that “when we bought it, it was for reasons of state security.” His office later said that he “referred in a general manner to the purchase of such a tool” rather than about Pegasus specifically.

NSO is from Apple for violating its user terms and services agreement. WhatsApp, too, has and the Biden administration has put NSO on a commerce department blacklist.

Due diligence

linked to NSO are registered in Luxembourg although none of them are authorised to export cyber-surveillance products from the country.

The NSO spyware was previously linked to the murder of Saudi journalist Jamal Khashoggi. The case led to calls for due diligence legislation in Luxembourg, which would force companies to show that they respect human rights along their supply chains.

The European Commission has presented plans for , but critics say many companies lie outside of its scope. A group of in July signed a voluntary agreement to be more vigilant of human rights in their businesses.

Hungarian investigative journalist Szabolcs Panyi, who was targeted with the Pegasus malware, in an told Delano that countries like Luxembourg are complicit in the violations committed.

“When it comes to the role of those countries that are hosting the legal entities, they are also profiting from the profit that was made spying on journalists, political opponents, human rights defenders,” he said.