Statement end: why ISS World Europe now needs scrutiny

EDRi’s call to cut ties with ISS World Europe turns a surveillance trade fair into an operational due-diligence problem for public bodies, universities, an

2026-06-01 GIGATAP Team #opsec
#digital-rights#surveillance#privacy

Statement end: the ISS World Europe risk is institutional, not abstract

EDRi’s new statement asks EU institutions, governments, agencies, universities, law enforcement bodies, and other stakeholders to cut ties with ISS World Europe, a closed surveillance industry conference scheduled for 2–4 June 2026 at the Clarion Hotel in Prague.

The claim is direct: civil society groups say the event gives legitimacy and market access to companies trading tools for mass surveillance, data harvesting, tracking, spyware, and digital repression. EDRi also links several participating or associated companies to war crimes, human rights violations, and the genocide in Gaza.

This is not just a reputational dispute over a conference. For any public body or partner in the orbit of surveillance technology, the statement creates a practical question: are you funding, attending, endorsing, hosting, or otherwise normalising a market you have not properly risk-assessed?

What changed#

EDRi published a civil society call to end institutional support for ISS World Europe. The statement targets several forms of support: participation, endorsement, sponsorship, legitimisation, partnerships, investments, and other ties to the event or its participants.

The named audience is broad. It includes the European Commission, EU agencies, EU Member State governments, public institutions, civil servants, elected officials, universities, law enforcement agencies, and other stakeholders.

That breadth matters. The statement is not limited to companies selling surveillance systems. It also challenges the public and academic infrastructure around them: the people who attend panels, procure tools, share venues, sponsor access, lend institutional credibility, or treat the event as a normal procurement and networking space.

EDRi describes ISS World Europe as annual, closed, and invitation-only. According to the statement, state agencies and private companies use it to trade and promote invasive technologies for mass monitoring, data harvesting, and tracking individuals. The concern is not theoretical privacy risk. The statement says these tools are associated with the targeting and rights violations of journalists, activists, migrants, and political opponents.

EDRi also names companies it says are directly involved in war crimes, crimes against humanity, or the Gaza genocide, including NSO Group, BAE Systems, Elbit Systems, and Cellebrite. The statement does not provide a full evidentiary file in the collected text, so readers should treat the source as an advocacy statement and verify specific company-level claims before using them in legal, procurement, or compliance action.

The operational point still stands: if an institution has a relationship with ISS World Europe, it now has a public due-diligence problem to answer.

Why it matters for security operations and privacy risk#

Surveillance markets do not scale through code alone. They scale through conferences, government access, procurement channels, technical partnerships, research relationships, and the quiet normalisation of vendor presence.

That is the deeper issue in EDRi’s statement. A spyware vendor or data-harvesting firm does not need universal public approval. It needs enough access to buyers, enough credibility to pass procurement filters, and enough institutional ambiguity that public bodies can say they were only “attending,” “observing,” or “learning about capabilities.”

For security operations teams, the risk is not only whether a specific tool is illegal or compromised. It is whether the organisation’s supply chain, vendor review process, and event participation policies can distinguish legitimate security tooling from intrusive surveillance infrastructure with weak human-rights controls.

A law enforcement agency may view an event like this as a place to understand investigative technology. A university may see a partnership or conference link as research exposure. A public institution may treat attendance as routine market awareness. EDRi’s statement challenges that assumption. In its view, the event itself helps normalise a surveillance market tied to abuse.

That creates a governance issue. If an institution claims to care about privacy, open source security, human rights, or responsible technology, it cannot treat closed surveillance trade fairs as neutral spaces by default. At minimum, it needs a clear reason for involvement, a documented risk review, and a defensible boundary around vendors and technologies linked to abuse.

The same logic applies beyond this single event. Security teams already know that technical controls are only part of trust. Vendor incentives, ownership, deployment context, and customer base all matter. A product sold into repressive use cases can carry risk even if the software works as advertised.

What to check before acting#

The useful next step is not a vague statement of concern. It is an inventory.

Institutions that may be exposed to ISS World Europe or similar surveillance trade fairs should check:

  • Whether staff, contractors, departments, or affiliated labs are registered to attend the event.
  • Whether the institution has sponsored, endorsed, hosted, promoted, or provided speakers for the conference.
  • Whether procurement teams are evaluating vendors that appear at the event or are named in civil society reporting.
  • Whether law enforcement, intelligence, or security units have separate vendor relationships not visible in central IT records.
  • Whether university research partnerships, grants, or industry programmes involve surveillance vendors or intermediaries.
  • Whether existing due-diligence rules cover human-rights risk, not only cybersecurity, sanctions, export controls, or financial standing.
  • Whether public communications imply support for the event or its participants.

This is also where open source security and privacy governance intersect. Many organisations have become better at asking whether software is maintained, tested, signed, reproducible, or vulnerable. Fewer ask whether a technology ecosystem is built around coercive deployment or mass tracking.

That gap matters. Security artifacts can show what code is. They do not always show what a vendor enables, who buys it, or where it is deployed. For a related operational frame, see GigaTap’s coverage of security artifacts and open source governance: OpenSSF’s April signal: make security artifacts operational, 100% package test coverage is the point, not the slogan, and Open Source Security Needs More Than Code.

What not to overclaim#

EDRi’s statement is strong, but the collected source material is still a statement, not a court judgment or a full investigative dossier.

Readers should not overclaim that every attendee, vendor, agency, or partner at ISS World Europe is proven to have committed unlawful acts. They should not infer specific legal liability from the statement alone. They should not treat every surveillance, forensic, or lawful-intercept technology as identical in function or risk.

The stronger and safer claim is this: EDRi argues that ISS World Europe functions as a marketplace for invasive surveillance and digital repression tools, and that public or institutional support helps legitimise a market linked to serious rights abuses. That is enough to trigger scrutiny.

There is also a distinction between intelligence gathering and endorsement. A regulator, journalist, or civil society researcher might monitor an event to understand the market. A public agency sponsoring, speaking, procuring, or networking without a human-rights review is different. Policies should preserve legitimate scrutiny while blocking institutional laundering.

The hard line EDRi wants is political and operational: no EU market legitimacy for companies complicit in grave abuses, and no routine public-sector participation in the trade spaces that help those companies grow.

Practical takeaway#

If your organisation has any connection to ISS World Europe, treat the statement end as a trigger for operational checks, not as background noise.

Find the relationship. Classify it. Document the risk. Decide whether it can be justified. If it cannot, cut it cleanly and update the policy that allowed it.

The privacy risk is not only the tool. It is the ecosystem that makes the tool normal.