Blog
Data Sovereignty for CTI

The Off Switch You Do Not Hold: Israeli Cyber Vendors and the Export Licence Risk

Israeli cyber vendors operate under export licences that a foreign government can condition, restrict, or revoke at will, creating a single point of failure organisations cannot control. The NSO Group case, including Spain's closed Pegasus probe after Israel refused to cooperate, shows what that accountability gap looks like in practice.

July 17, 2026
18
min read
CYJAX
Table of contents
Share

Key takeaways

  • Cyber vendors originating from Israel operate under Israeli government export controls. Those licences can be conditioned, restricted, or revoked at any time by a government whose strategic interests may not align with those set out by an organisation.
  • This creates a single point of failure in security architecture that cannot be managed or mitigated through an organisation’s own controls.
  • NSO Group’s Pegasus has been sold to at least 14 EU governments using export licences issued by the Israeli government. In 2025, Amnesty International confirmed the spyware had been used against European journalists. Additionally, Meta has won a $168 million judgment against NSO and a court injunction banning further targeting has purportedly been violated.
  • When Spain investigated Pegasus use against its Prime Minister and Defence Minister, the probe was closed because Israel declined to cooperate and ignored five separate requests for information. This is the accountability structure that organisations can be operatingwithin.
  • The control question thus becomes a risk to organisations. If an organisation’s security capability depends on a platform subject to foreign export controls, there is a dependency that cannot be appropriately managed.

Regardless of the ethical considerations, the cybersecurity implications posed by Israeli cyber vendors becomes a matter of risk management.

Any cyber capability built on Israeli technology is subject to government export controls. Those controls can be tightened, conditioned or revoked at any time, for reasons entirely unrelated to an organisation or their threat environment. As such, the continuity of security capability is contingent on foreign policy decisions which organisations have no visibility into and no ability to influence.

That is not a vendor risk that an organisation can manage. It is a dependency they are carrying.

How the Export Licence Works

Under a 2007 Israeli law, companies selling cyber security-related products abroad must receive export licences from the Defence Ministry's Defence Export Controls Agency. Those licences are not neutral as Israel's DECA has reportedly used them strategically to advance geopolitical objectives, granting or blocking access to align with foreign policy priorities.  

Any Israeli company selling these capabilities abroad requires a licence from the Israeli Ministry of Defence. This licence can specify conditions on use, restrict categories of operation, or be revoked entirely.

In practice, this gives the Israeli government leverage over every foreign buyer that builds a core security capability around its technology. The question for the teams building security architecture is not whether they trust the current Israeli government. It is whether they are comfortable with operational continuity being contingent on the decisions of any foreign government, now and in the future.

The NSO Group Case Study

NSO Group's Pegasus is the most thoroughly documented example of what this dependency structure produces.

According to the European Parliament's PEGA inquiry committee, Pegasus was sold to at least 14 EU governments and export licences were issued by the Israeli government. However, there was limited transparency about the conditions attached.<sup>[1]</sup> The spyware was used in the surveillance of journalists, lawyers, and political opponents across multiple member states.

In May 2025, a US federal jury awarded Meta $168 million in damages against NSO. At the time, this was the largest award ever against a spyware company.<sup>[2]</sup> The punitive element was subsequently reduced by the judge to $4 million, but a permanent injunction banning NSO from targeting WhatsApp users remained in force.<sup>[3]</sup> On 8 June 2026, Meta filed a contempt motion in the US District Court for the Northern District of California. Here, it alleged that NSO violated the injunction with fresh attacks in February and April 2026.<sup>[4]</sup>

The accountability gap became clearest when Spain's High Court investigated Pegasus use against Prime Minister Pedro Sánchez and Defence Minister Margarita Robles. The probe was closed not because the allegations were deemed to be unsubstatiated, but because Israel declined to cooperate with the judicial process. A foreign government, the one that licensed the technology, simply declined to engage with a European court investigating its misuse.

That is what the accountability structure looks like in practice.

The Control Question

An organisation’s vendor and its operational continuity is subject to a foreign government's licensing decisions. The ability to investigate platform incidents is thus constrained by that government's willingness to cooperate. The platform's conditions of use may include terms that users are not fully aware of. If the licence is revoked, then an organisations response capability has a gap that its own controls cannot fill.

If threat detection or response capability depends on a platform subject to these controls, it is a single point of failure with an off switch that organisations do not hold.

What a Sovereign Alternative Looks Like

The alternative is not reduced capability but rather one built on a foundation that organisations can actually govern.

CYJAX holds no Israeli export licences. Our capability does not depend on conditions set by a foreign government. Our platform is auditable under UK law. When you assess the continuity risk of your intelligence programme, CYJAX does not introduce the dependency that Israeli-licensed technology carries by design.

Want the Full Checklist?

This is one of five questions security leaders should be asking their intelligence vendor right now. The other four cover contractual blind spots, foreign export licence risk, procurement red flags to watch for, and how to treat jurisdiction as an architecture decision rather than an afterthought.

Get all 5 in one place:

Download: 5 Top Tips to Digital Sovereignty & Threat Intelligence →

FAQs

Frequently asked questions

It applies to any Israeli cyber technology subject to Ministry of Defence export controls, which covers the full category of offensive and surveillance capabilities. The structural dependency of a foreign government licensing and being able to condition an organisation's security capability is inherent to the category.

Yes. The risk is structural, not behavioural. A vendor's track record does not change the fact that its operational continuity is subject to Israeli government licensing decisions.

Partially. Escrow can protect code access in some circumstances but does not address export control conditions on use or the accountability gap when incidents require Israeli government cooperation. Whilst contracts bind an organisation to a vendor, they do not affect the Israeli government.

The CLOUD Act creates compelled disclosure risk: a foreign government can access data. The export control problem creates continuity and accountability risk, where a foreign government can condition or terminate your vendor's ability to operate and can decline to cooperate in investigations of the platform's misuse. Both are supply chain risks, but they require different mitigations.

Ask the vendor directly: is the underlying technology subject to Israeli Ministry of Defence export controls, and under what conditions? Then ask what happens to an organisation's capability if those conditions change. If the answers are unsatisfactory or unavailable, that is itself a finding. CYJAX is available to walk your security and legal teams through a vendor jurisdiction assessment. Contact us to find out more.

Sources

  1. Euronews, September 2022 — European spyware investigators criticise Israel and Poland
  1. Amnesty International / JURIST, March 2025 — Serbia targets Balkan investigative journalists with Pegasus spyware
  1. NBC News, May 2025 — Meta wins $168 million verdict against spyware company NSO
  1. Cybernews, June 2026 — Meta sues Israeli spyware firm NSO over WhatsApp attacks
  1. CyberScoop, June 2026 — Meta accuses NSO Group of defying spyware injunction, files contempt of court complaint
  1. The Record, January 2026 — Spanish judge closes NSO Group spyware probe due to lack of cooperation from Israel
  1. Reuters / AOL, January 2026 — Spain closes Pegasus spyware probe again, saying Israel has not responded
Subscribe for weekly updates

Receive our latest cyber intelligence insights delivered directly to your inbox

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Share
Get started

Get Started with CYJAX CTI

Empower Your Team. Strengthen Your Defences.CYJAX gives you the intelligence advantage: clear, validated insights that let your team act fast without being buried in noise.

Link Copied