The Off Switch You Do Not Hold: Israeli Cyber Vendors and the Export Licence Risk
Israeli cyber vendors operate under export licences that a foreign government can condition, restrict, or revoke at will, creating a single point of failure organisations cannot control. The NSO Group case, including Spain's closed Pegasus probe after Israel refused to cooperate, shows what that accountability gap looks like in practice.

Key takeaways
- Cyber vendors originating from Israel operate under Israeli government export controls. Those licences can be conditioned, restricted, or revoked at any time by a government whose strategic interests may not align with those set out by an organisation.
- This creates a single point of failure in security architecture that cannot be managed or mitigated through an organisation’s own controls.
- NSO Group’s Pegasus has been sold to at least 14 EU governments using export licences issued by the Israeli government. In 2025, Amnesty International confirmed the spyware had been used against European journalists. Additionally, Meta has won a $168 million judgment against NSO and a court injunction banning further targeting has purportedly been violated.
- When Spain investigated Pegasus use against its Prime Minister and Defence Minister, the probe was closed because Israel declined to cooperate and ignored five separate requests for information. This is the accountability structure that organisations can be operatingwithin.
- The control question thus becomes a risk to organisations. If an organisation’s security capability depends on a platform subject to foreign export controls, there is a dependency that cannot be appropriately managed.
Regardless of the ethical considerations, the cybersecurity implications posed by Israeli cyber vendors becomes a matter of risk management.
Any cyber capability built on Israeli technology is subject to government export controls. Those controls can be tightened, conditioned or revoked at any time, for reasons entirely unrelated to an organisation or their threat environment. As such, the continuity of security capability is contingent on foreign policy decisions which organisations have no visibility into and no ability to influence.
That is not a vendor risk that an organisation can manage. It is a dependency they are carrying.
How the Export Licence Works
Under a 2007 Israeli law, companies selling cyber security-related products abroad must receive export licences from the Defence Ministry's Defence Export Controls Agency. Those licences are not neutral as Israel's DECA has reportedly used them strategically to advance geopolitical objectives, granting or blocking access to align with foreign policy priorities.
Any Israeli company selling these capabilities abroad requires a licence from the Israeli Ministry of Defence. This licence can specify conditions on use, restrict categories of operation, or be revoked entirely.
In practice, this gives the Israeli government leverage over every foreign buyer that builds a core security capability around its technology. The question for the teams building security architecture is not whether they trust the current Israeli government. It is whether they are comfortable with operational continuity being contingent on the decisions of any foreign government, now and in the future.
The NSO Group Case Study
NSO Group's Pegasus is the most thoroughly documented example of what this dependency structure produces.
According to the European Parliament's PEGA inquiry committee, Pegasus was sold to at least 14 EU governments and export licences were issued by the Israeli government. However, there was limited transparency about the conditions attached.<sup>[1]</sup> The spyware was used in the surveillance of journalists, lawyers, and political opponents across multiple member states.
In May 2025, a US federal jury awarded Meta $168 million in damages against NSO. At the time, this was the largest award ever against a spyware company.<sup>[2]</sup> The punitive element was subsequently reduced by the judge to $4 million, but a permanent injunction banning NSO from targeting WhatsApp users remained in force.<sup>[3]</sup> On 8 June 2026, Meta filed a contempt motion in the US District Court for the Northern District of California. Here, it alleged that NSO violated the injunction with fresh attacks in February and April 2026.<sup>[4]</sup>
The accountability gap became clearest when Spain's High Court investigated Pegasus use against Prime Minister Pedro Sánchez and Defence Minister Margarita Robles. The probe was closed not because the allegations were deemed to be unsubstatiated, but because Israel declined to cooperate with the judicial process. A foreign government, the one that licensed the technology, simply declined to engage with a European court investigating its misuse.
That is what the accountability structure looks like in practice.
The Control Question
An organisation’s vendor and its operational continuity is subject to a foreign government's licensing decisions. The ability to investigate platform incidents is thus constrained by that government's willingness to cooperate. The platform's conditions of use may include terms that users are not fully aware of. If the licence is revoked, then an organisations response capability has a gap that its own controls cannot fill.
If threat detection or response capability depends on a platform subject to these controls, it is a single point of failure with an off switch that organisations do not hold.
What a Sovereign Alternative Looks Like
The alternative is not reduced capability but rather one built on a foundation that organisations can actually govern.
CYJAX holds no Israeli export licences. Our capability does not depend on conditions set by a foreign government. Our platform is auditable under UK law. When you assess the continuity risk of your intelligence programme, CYJAX does not introduce the dependency that Israeli-licensed technology carries by design.
Want the Full Checklist?
This is one of five questions security leaders should be asking their intelligence vendor right now. The other four cover contractual blind spots, foreign export licence risk, procurement red flags to watch for, and how to treat jurisdiction as an architecture decision rather than an afterthought.
Get all 5 in one place:
Download: 5 Top Tips to Digital Sovereignty & Threat Intelligence →
Sources
- Euronews, September 2022 — European spyware investigators criticise Israel and Poland
- Amnesty International / JURIST, March 2025 — Serbia targets Balkan investigative journalists with Pegasus spyware
- NBC News, May 2025 — Meta wins $168 million verdict against spyware company NSO
- Cybernews, June 2026 — Meta sues Israeli spyware firm NSO over WhatsApp attacks
- CyberScoop, June 2026 — Meta accuses NSO Group of defying spyware injunction, files contempt of court complaint
- The Record, January 2026 — Spanish judge closes NSO Group spyware probe due to lack of cooperation from Israel
- Reuters / AOL, January 2026 — Spain closes Pegasus spyware probe again, saying Israel has not responded
Get Started with CYJAX CTI
Empower Your Team. Strengthen Your Defences.CYJAX gives you the intelligence advantage: clear, validated insights that let your team act fast without being buried in noise.

