Decoding the world of cybersecurity

Bulgaria faces surveillance export scrutiny

Human Rights Watch says Bulgarian authorities licensed exports of surveillance technology to governments with records of repression, exposing weaknesses in Europe’s cyber-surveillance controls.

Bulgaria faces surveillance export scrutiny
Summary
  • Human Rights Watch says Bulgaria licensed Circles surveillance exports between 2018 and 2023 to countries with documented risks of rights abuse.
  • The findings place renewed scrutiny on EU dual-use controls, national licensing decisions, and commercial surveillance oversight.
  • Telecoms interception tools create cyber, legal, diplomatic, and human rights risks when sold into weak oversight environments.

Human Rights Watch has accused Bulgaria of licensing surveillance technology exports to governments with records of using similar capabilities against journalists, activists, and political opponents, placing renewed pressure on Europe’s controls over commercial cyber-surveillance tools.

The organisation said it reviewed export licensing records showing that Circles, a surveillance company based in Bulgaria, was granted licences between 2018 and 2023 to export telecommunications interception systems, communications monitoring software, and other surveillance technology. The records came from Bulgaria’s Interdepartmental Commission for Export Control and Non-Proliferation of Weapons of Mass Destruction, the body responsible for deciding whether companies based in the country can export controlled goods.

According to Human Rights Watch, the licences involved countries with documented histories of using surveillance technologies to monitor journalists, activists, and dissenting voices. The public evidence described by the organisation covers licensing decisions from earlier years, rather than a complete current account of every transaction or deployment. Human Rights Watch said it did not have access to export documents for 2025 or 2026, leaving the present licensing position unclear.

The organisation said it wrote to Circles several times between April and June 2026 seeking comment and further information about the licences, but received no response. It remains unclear whether every licensed export was completed, what safeguards Bulgarian authorities assessed before approval, and whether any licences were refused on human rights or security grounds.

Surveillance export controls have become a persistent test for European governments because the technology can be developed, hosted, sold, or licensed from inside the EU while the impact is felt in countries where oversight is weaker and legal protection for targets is limited. Telecoms interception and communications monitoring systems can expose political figures, civil society groups, lawyers, journalists, opposition movements, and government critics. They can also become part of diplomatic disputes, sanctions cases, and wider national security concerns.

The EU has tightened parts of its dual-use export framework, including controls on cyber-surveillance technologies, but enforcement still depends heavily on national authorities. Licensing decisions require evidence about the buyer, the likely end use, the human rights context, and the risk of misuse. Where those assessments are weak, fragmented, or politically cautious, commercial surveillance products can move through formal approval channels before abuse is visible to the public.

The structure of the surveillance market adds further complexity. Development, sales, hosting, licensing, intermediaries, and end users may sit across several jurisdictions. That makes it harder to identify who approved a sale, what a vendor knew about the likely use, and whether a government applied export controls before harm became foreseeable.

The operational risk is more concrete than the usual phrase “surveillance technology” suggests. These products can enable communications interception, target location, network monitoring, and access to sensitive communications metadata. When such capabilities are attached to telecoms infrastructure, the exposure goes beyond individual privacy and reaches the integrity of communications systems and the ability of states to map relationships at scale.

Bulgaria’s licensing record now sits within a broader European accountability debate over commercial spyware, lawful interception, state procurement, and vendor due diligence. The unresolved points in the Human Rights Watch account do not weaken the policy concern. They show where oversight needs to be auditable: what was approved, which risks were assessed, which safeguards were imposed, and who remains accountable if exported technology is misused.

×