A clash between Poland’s right-wing president and its centrist ruling coalition over the European Union’s flagship social media law is putting the country further at risk of multimillion euro fines from Brussels. President Karol Nawrocki is holding up a bill that would implement the EU’s Digital Services Act, a tech law that allows regulators to police how social media firms moderate content. Nawrocki, an ally of U.S. President Donald Trump, said in a statement that the law would “give control of content on the internet to officials subordinate to the government, not to independent courts.” The government coalition led by Prime Minister Donald Tusk, Nawrocki’s rival, warned this further exposed them to the risk of EU fines as high as €9.5 million. Deputy Digital Minister Dariusz Standerski said in a TV interview that, “since the president decided to veto this law, I’m assuming he is also willing to have these costs [of a potential fine] charged to the budget of the President’s Office.” Nawrocki’s refusal to sign the bill brings back bad memories of Warsaw’s years-long clash with Brussels over the rule of law, a conflict that began when Nawrocki’s Law and Justice party rose to power in 2015 and started reforming the country’s courts and regulators. The EU imposed €320 million in penalties on Poland from 2021-2023. Warsaw was already in a fight with the Commission over its slow implementation of the tech rulebook since 2024, when the EU executive put Poland on notice for delaying the law’s implementation and for not designating a responsible authority. In May last year Brussels took Warsaw to court over the issue. If the EU imposes new fines over the rollout of digital rules, it would “reignite debates reminiscent of the rule-of-law mechanism and frozen funds disputes,” said Jakub Szymik, founder of Warsaw-based non-profit watchdog group CEE Digital Democracy Watch. Failure to implement the tech law could in the long run even lead to fines and penalties accruing over time, as happened when Warsaw refused to reform its courts during the earlier rule of law crisis. The European Commission said in a statement that it “will not comment on national legislative procedures.” It added that “implementing the [Digital Services Act] into national law is essential to allow users in Poland to benefit from the same DSA rights.” “This is why we have an ongoing infringement procedure against Poland” for its “failure to designate and empower” a responsible authority, the statement said. Under the tech platforms law, countries were supposed to designate a national authority to oversee the rules by February 2024. Poland is the only EU country that hasn’t moved to at least formally agree on which regulator that should be. The European Commission is the chief regulator for a group of very large online platforms, including Elon Musk’s X, Meta’s Facebook and Instagram, Google’s YouTube, Chinese-owned TikTok and Shein and others. But national governments have the power to enforce the law on smaller platforms and certify third parties for dispute resolution, among other things. National laws allow users to exercise their rights to appeal to online platforms and challenge decisions. When blocking the bill last Friday, Nawrocki said a new version could be ready within two months. But that was “very unlikely … given that work on the current version has been ongoing for nearly two years and no concrete alternative has been presented” by the president, said Szymik, the NGO official. The Digital Services Act has become a flashpoint in the political fight between Brussels and Washington over how to police online platforms. The EU imposed its first-ever fine under the law on X in December, prompting the U.S. administration to sanction former EU Commissioner Thierry Breton and four other Europeans. Nawrocki last week likened the law to “the construction of the Ministry of Truth from George Orwell’s novel 1984,” a criticism that echoed claims by Trump and his top MAGA officials that the law censored conservatives and right-wingers. Bartosz Brzeziński contributed reporting.

WARSAW — Poland’s nationalist President Karol Nawrocki on Friday sided with his ally U.S. President Donald Trump to veto legislation on enforcing the EU’s social media law, which is hated by the American administration. Trump and his top MAGA officials condemn the EU’s Digital Services Act — which seeks to force big platforms like Elon Musk’s X, Facebook, Instagram to moderate content — as a form of “Orwellian” censorship against conservative and right-wingers. The presidential veto stops national regulators in Warsaw from implementing the DSA and sets Nawrocki up for a a clash with centrist pro-EU Prime Minister Donald Tusk. Tusk’s parliamentary majority passed the legislation introducing the DSA in Poland. Nawrocki argued that while the bill’s stated aim of protecting citizens — particularly minors — was legitimate, the Polish bill would grant excessive power to government officials over online content, resulting in “administrative censorship.”  “I want this to be stated clearly: a situation in which what is allowed on the internet is decided by an official subordinate to the government resembles the construction of the Ministry of Truth from George Orwell’s novel 1984,” Nawrocki said in a statement — echoing the U.S.’s stance on the law. Nawrocki also warned that allowing authorities to decide what constitutes truth or disinformation would erode freedom of expression “step by step.” He called for a revised draft that would protect children while ensuring that disputes over online speech are settled by independent courts. Deputy Prime Minister and Digital Affairs Minister Krzysztof Gawkowski dismissed Nawrocki’s position, accusing the president of undermining online safety and siding with digital platforms.  “The president has vetoed online safety,” Gawkowski told a press briefing Friday afternoon, arguing the law would have protected children from predators, families from disinformation and users from opaque algorithms.  The minister also rejected Nawrocki’s Orwellian comparisons, saying the bill explicitly relied on ordinary courts rather than officials to rule on online content. Gawkowski said Poland is now among the few EU countries without national legislation enabling effective enforcement of the DSA and pledged that the government would continue to pursue new rules. The clash comes as enforcement of the social media law has become a flashpoint in EU-U.S. relations.  Brussels has already fined Elon Musk’s X €120 million for breaching the law, prompting a furious response from Washington, including travel bans imposed by the Trump administration on former EU Commissioner Thierry Breton, an architect of the tech law, and four disinformation experts. The DSA allows fines of up to 6 percent of a company’s global revenue and, as a measure of last resort, temporary bans on platforms. Earlier this week, the European Commission expanded its investigation into X’s AI service Grok after it started posting a wave of non-consensual sexualized pictures of people in response to X users’ requests. The European Commission’s digital spokesperson Thomas Regnier said the EU executive would not comment on national legislative procedures. “Implementing the DSA into national law is essential to allow users in Poland to benefit from the same DSA rights, such as challenging platforms if their content is deleted or their account suspended,” he said. “This is why we have an ongoing infringement procedure against Poland. We have referred Poland to the Court of Justice of the EU for failure to designate and empower the Digital Services Coordinator,” in May 2025, Regnier added. Gawkowski said that the government would make a quick decision on what to do next with the vetoed bill but declined to offer specifics on what a new bill would look like were it to be submitted to parliament again. Tusk four-party coalition does not have enough votes in parliament to override Nawrocki’s vetoes. That has created a political deadlock over key legislation efforts by the government, which stands for reelection next year. Nawrocki, meanwhile, is aiming to help the Law and Justice (PiS) political party he’s aligned with to retake power after losing to Tusk in 2023. Mathieu Pollet contributed reporting.

The Dutch government has quietly removed Google tracking tools from job listings for its intelligence services over concerns that the data would expose aspirant spies to U.S. surveillance. The intervention would put an end to Google’s processing of the data of job seekers interested in applying to spy service jobs, after members of parliament in The Hague raised security concerns. The move comes at a moment when trust between the Netherlands and the United States is fraying. It reflects wider European unease — heightened by Donald Trump’s return to the White House — about American tech giants having access to some of their most sensitive government data. The heads of the AIVD and MIVD, the Netherlands’ civilian and military intelligence services, said in October that they were reviewing how to share information with American counterparts over political interference and human rights concerns. In the Netherlands, government vacancies are listed on a central online portal, which subsequently redirects applicants to specific institutions’ or agencies’ websites, including those of the security services. The government has now quietly pulled the plug on Google Analytics for intelligence-service postings, according to security expert Bert Hubert, who first raised the alarm about the trackers earlier this year. Hubert told POLITICO the job postings for intelligence services jobs no longer contained the same Google tracking technologies at least since November. The move was first reported by Follow the Money. The military intelligence service MIVD declined to comment. The interior ministry, which oversees the general intelligence service AIVD, did not respond to a request for comment at the time of publication. In a statement, Communications Manager for Google Mathilde Méchin said: “Businesses, not Google Analytics, own and control the data they collect and Google Analytics only processes it at their direction. This data can be deleted at any time.” “Any data sent to Google Analytics for measurement does not identify individuals, and we have strict policies against advertising based on sensitive information,” Méchin said. ‘FUTURE EMPLOYEES AT RISK’ Derk Boswijk, a center-right Dutch lawmaker, raised the alarm about the tracking of job applicants in parliamentary questions to the government in January. He said that while China and Russia have traditionally been viewed as the biggest security risks, it is unacceptable for any foreign government — allied or not — to have a view into Dutch intelligence recruitment. “I still see the U.S. as our most important ally,” Boswijk told POLITICO. “But to be honest, we’re seeing that the policies of the Trump administration and the European countries no longer necessarily align, and I think we should adapt accordingly.” The government told Boswijk in February it had enabled privacy settings on data gathered by Google. The government has yet to comment on Boswijk’s latest questions submitted in November. Hubert, the cybersecurity expert, said the concerns over tracking were justified. Even highly technical data like IP addresses, device fingerprints and browsing patterns can help foreign governments, including adversaries such as China, narrow down who might be seeking a job inside an intelligence agency, he said. “By leaking job applications so broadly, the Dutch intelligence agencies put their future employees at risk, while also harming their own interests,” said Hubert, adding it could discourage sought-after cybersecurity talent that agencies are desperate to attract. Hubert previously served on a watchdog committee overseeing intelligence agencies’ requests to use hacking tools, surveillance and wiretapping.  One open question raised by Dutch parliamentarians is how to gain control over the data that Google gathered on aspiring spies in past years. “I don’t know what happens with the data Google Analytics already has, that’s still a black box to me,” said Sarah El Boujdaini, a lawmaker for the centrist-liberal Democrats 66 party who oversees digital affairs. The episode is likely to add fuel to efforts to wean off U.S. technologies — which are taking place across Europe, as part of the bloc’s “technological sovereignty” drive. European Parliament members last month urged the institution to move away from U.S. tech services, in a letter to the president obtained by POLITICO. In the Netherlands, parliament members have urged public institutions to move away from digital infrastructure run by U.S. firms like Microsoft, over security concerns. “If we can’t even safeguard applications to our secret services, how do you think the rest is going?” Hubert asked. The country also hosts the International Criminal Court, where Chief Prosecutor Karim Khan previously lost access to his Microsoft-hosted email account after he was targeted with American sanctions over issuing an arrest warrant for Israeli Prime Minister Benjamin Netanyahu. The ICC in October confirmed to POLITICO it was moving away from using Microsoft Office applications to German-based openDesk.

The European Union’s law enforcement agency wants to speed up how it gets its hands on artificial intelligence tools to fight serious crime, a top official said. Criminals are having “the time of their life” with “their malicious deployment of AI,” but police authorities at the bloc’s Europol agency are weighed down by legal checks when trying to use the new technology, Deputy Executive Director Jürgen Ebner told POLITICO. Authorities have to run through data protection and fundamental rights assessments under EU law. Those checks can delay the use of AI by up to eight months, Ebner said. Speeding up the process could make the difference in time sensitive situations where there is a “threat to life,” he added. Europe’s police agency has built out its tech capabilities in past years, ranging from big data crunching to decrypting communication between criminals. Authorities are keen to fight fire with fire in a world where AI is rapidly boosting cybercrime. But academics and activists have repeatedly voiced concerns about giving authorities free rein to use AI tech without guardrails. European Commission President Ursula von der Leyen has vowed to more than double Europol’s staff and turn it into a powerhouse to fight criminal groups “navigating constantly between the physical and digital worlds.” The Commission’s latest work program said this will come in the form of a legislative proposal to strengthen Europol in the second quarter of 2026.  Speaking in Malta at a recent gathering of data protection specialists from across Europe’s police forces, Ebner said it is an “absolute essential” for there to be a fast-tracked procedure to allow law enforcement to deploy AI tools in “emergency” situations without having to follow a “very complex compliance procedure.” Assessing data protection and fundamental rights impacts of an AI tool is required under the EU’s General Data Protection Regulation (GDPR) and AI Act. Ebner said these processes can take six to eight months.  The top cop clarified that a faster emergency process would not bypass AI tool red lines around profiling or live facial recognition. Law enforcement authorities already have several exemptions under the EU’s Artificial Intelligence Act (AI Act). Under the rules, the use of real-time facial recognition in public spaces is prohibited for law enforcers, but EU countries can still permit exceptions, especially for the most serious crimes. Lawmakers and digital rights groups have expressed concerns about these carve-outs, which were secured by EU countries during the law’s negotiation. DIGITAL POLICING POWERS Ebner, who oversees governance matters at Europol, said “almost all investigations” now have an online dimension.   The investments in tech and innovation to keep pace with criminals is putting a “massive burden on law enforcement agencies,” he said. European Commission President Ursula von der Leyen has vowed to more than double Europol’s staff and turn it into a powerhouse to fight criminal groups. | Wagner Meier/Getty Images The Europol official has been in discussions with Europe’s police chiefs about the EU agency’s upcoming expansion. He said they “would like to see Europol doing more in the innovation field, in technology, in co-operation with private parties.”  “Artificial intelligence is extremely costly. Legal decryption platforms are costly. The same is to be foreseen already for quantum computing,” Ebner said. Europol can help bolster Europe’s digital defenses, for instance by seconding analysts with technological expertise to national police investigations, he said. Europol’s central mission has been to help national police investigate cross-border serious crimes through information sharing. But EU countries have previously been reluctant to cede too much actual policing power to the EU level authority.  Taking control of law enforcement away from EU countries is “out of the scope” of any discussions about strengthening Europol, Ebner said. “We don’t think it’s necessary that Europol should have the power to arrest people and to do house searches. That makes no sense, that [has] no added value,” he said.   Pieter Haeck contributed reporting.

The “anonymous” location data of EU officials in Brussels is up for sale, according to a joint investigation by European media outlets. Three senior officials working for the EU were identified as part of an investigation into phone location data being sold by data brokers. Other phones were located in NATO sites and Belgian military bases. The European Commission has recognized the “worrying conclusions” of the investigation and, as a result, told investigating outlets that it has “issued new guidance to its staff regarding ad tracking settings on business and home devices, and has informed other Union entities.” The investigation was conducted by L’Echo, Le Monde, German public broadcasters (BR / ARD), Netzpolitik.org and BNR nieuwsradio. Journalists posed undercover as employees at a marketing company, and were able to obtain hundreds of millions of location data points from phones in Belgium through data brokers. Data brokers collect and sell aggregated databases of personal information, often gathered from mobile apps or online web trackers. The data is bundled and resold to advertisers, or even law enforcement and governments. Location data is supposed to be anonymous, but it can be used to paint a picture of someone’s daily movements, and combining a few anonymous data points together can lead to re-identifying a person. Investigating publications were able to use the data to figure out surnames, first names and lifestyle habits of at least five people who work or have worked for the EU, three of whom “hold positions of high responsibility.” Two confirmed that the data collected corresponded to their home, workplace and travel. Under the EU’s General Data Protection Regulation (GDPR), it is legal to collect this kind of data from mobile phone users if they consent, but users must be clearly informed about how their data will be used. The Google Play Store and Apple App Store have requirements for apps to disclose the information they gather, but analysis by investigating outlet Netzpolitik has revealed that some apps still gather information such as location data without disclosing this in their policies. A similar undercover investigation by Ireland’s public broadcaster in September spurred Ireland’s Data Protection Commission to suspend the activities of an Irish data broker. The Irish DPC has said it has also identified two data broker companies in other EU member countries, and is engaging with data protection authorities responsible for regulating them.

When voters went to the polls to elect Ireland’s next president, some of them may have been surprised to see Catherine Connolly’s name on the ballot. Just days before, a deepfake video showing the eventual winner withdrawing from the race had circulated, imitating Connolly and multiple journalists within its fake reality. In the Netherlands, two far-right members of parliament were found to be behind a Facebook page promoting deepfake images of their left-wing rival ahead of Sunday’s tight election, prompting apologies and recrimination. This was the week that artificial intelligence hit two European electoral campaigns in a major way and exposed significant gaps in ongoing efforts to curb undue influence on voters. There are concerns about what that means for European politics and for its voters, as politicians and regulators wake up to the arrival of AI-generated text and video content that has been part of U.S. political life for some time. “The normalisation of such practices is worrying,” said Hannes Cools, assistant professor on the human factor in new technologies at the University of Amsterdam. The Dutch election “is one of the first elections in Europe where we see that [the technology] has become an integral part in electoral campaigns in various ways,” said Claes de Vreese, a professor of artificial intelligence and society at the University of Amsterdam. SHOCK JOCK In a study of some 20,000 election-related posts in the Netherlands, researchers from the University of Amsterdam and the University of Mainz found that over 400 posts were AI-generated. The party of far-right leader Geert Wilders, the Party for Freedom (PVV), came out on top in its use of AI. More than a quarter of the AI posts (120 in total) could be traced back to PVV-linked accounts. Wilders kicked off the PVV’s campaign with an AI-generated video depicting a fictional future Netherlands living under Sharia law. Dutch weekly De Groene Amsterdammer reported that the video was made with OpenAI’s video generator Sora.  When asked about the dominance of extremist or fringe parties in the use of AI, researcher Fabio Votta said, “There’s still a normative aspect of using AI.” “For the far-right, a lot of their modus is norm-breaking and shocking. They don’t fear the reputation hit.” Yet Wilders took the rare step on Monday of apologizing to Frans Timmermans, a former European Commission heavyweight and the leader of the GreenLabor-Left ticket, after it emerged through the Dutch press that two PVV members of parliament were behind a Facebook page spreading incendiary, AI-generated depictions of him.  In one of the images, shown by Dutch daily De Volkskrant, Timmermans could be seen being led away by police in handcuffs. In another, he had his hands on a pile of money. The party of far-right leader Geert Wilders, the Party for Freedom, came out on top in its use of AI. | Laurens Van Putten/EPA In Ireland, the fake video that saw Connolly announce her withdrawal from the presidential election was branded by the candidate as a “disgraceful attempt to mislead voters and undermine our democracy.” Through a fake bulletin of Irish national broadcaster RTÉ, the video saw a deepfake version of Connolly declaring: “It is with great regret that I announce the withdrawal of my candidacy and the ending of my campaign,” with deepfake versions of two well-known TV presenters validating the news and discussing the impact. Both Meta and Google-owned YouTube removed the Connolly video from their platforms without specifying how long it had been online. The Irish left-wing independent candidate won the election convincingly with 63 percent of the vote. Depicting fictional events or attacking or discrediting other candidates are only two ways in which AI-generated content is being deployed to sway minds.  Researchers also warn against a third, arguably more direct, method in which AI could influence election outcomes: users asking AI chatbots who to vote for. With a large majority of voters typically undecided until the final days of the election, the Dutch data protection authority on Oct. 21 warned voters not to ask AI chatbots for voting advice, since these give a “highly distorted and polarized image of the Dutch political landscape.”  “Chatbots are full of mistakes,” said de Vreese, adding that “they attribute various party positions to the wrong parties, and they also seem to have a kind of a suction effect” in a specific political direction. An experiment showed that chatbots favored the GreenLeft-Labour ticket for voters on the left, while voters on the right were mainly directed to the far-right PVV.  “People with a low literacy are particularly vulnerable to AI-generated disinformation,” said Cools. DISCLAIMER Regulators in Brussels have made election integrity, AI risks and online disinformation major priorities, a patchwork of ongoing efforts left them watching as the elections played out. As the technology to generate AI content and the platforms to distribute them is mostly U.S.-based, all eyes are on Brussels for a bloc-wide response. The EU’s powerful Digital Services Act puts some responsibility on platforms to tackle risks to elections, and both Meta and Google have recognized generative AI as a major risk factor — likely contributing to their decision to take down the Connolly video. But the requirements are driven mainly by concerns about misinformation, rather than by efforts to regulate how European political parties use generative AI to spread their messages.  Labeling is also a big part of the response, as required by a separate EU law specific to artificial intelligence. Researchers at the University of Amsterdam flagged that a majority of the posts they tracked for the Dutch election lacked an AI-labeling disclaimer. For those who did, it was the platform that added it, not the political parties. More laws that could deal with the matter are on their way. The European Commission is drafting guidance for so-called high-risk AI systems that can pose a risk to people’s fundamental rights, which will enter into force in August 2026 at the earliest. “These guidelines will include a section on AI systems intended to influence election outcomes or referendums,” said Commission spokesperson Thomas Regnier.  Developers of the most complex AI models, such as OpenAI’s GPT or Google’s Gemini, have already had to comply with a series of obligations since August, including mitigating “systemic risks” to democratic processes.  Next month, Brussels will unveil another proposal, meant to support EU countries in upholding the fairness and integrity of election campaigns against foreign manipulation and interference. That is not expected to contain any binding legal requirements. Eliza Gkritsi contributed reporting.

BRUSSELS — The European Commission said it is “not empowered to take action” amid concerns about the appointment of a former tech lobbyist to Ireland’s privacy regulator. The Irish Council for Civil Liberties — a non-profit transparency campaign group — on Tuesday filed a complaint calling on the Commission to launch an inquiry into how Niamh Sweeney was appointed to co-lead the Irish Data Protection Commission. Citing reporting from POLITICO, the complaint alleges the appointment process “lacked procedural safeguards against conflicts of interest and political interference.” It’s the first formal challenge to the decision after Sweeney took up her role as one of three chief regulators at Ireland’s top data regulator this month. Her prior experience as a lobbyist for Facebook and WhatsApp reignited concerns that the regulator is too close to Big Tech. In response to the complaint, Commission spokesperson Guillaume Mercier said that “it is for the member states to appoint members to their respective data protection authorities.” The Commission “is not involved in this process and is not empowered to take action with respect to those appointments,” Mercier told a daily press briefing Tuesday. He emphasized that countries do need to respect requirements set out in EU law — that the appointment process must be “transparent,” and that those appointed should “have the qualifications, the experience, the skills, in particular in the protection of personal data, required to perform their duties and to exercise their powers.” The complaint asked the Commission to look into the appointment as part of its duties to oversee the application of EU law, claiming these responsibilities had not been met by Ireland. Sweeney was appointed by the Irish government on the advice of the Public Appointments Service, the authority that provides recruitment services for public jobs, which has previously expressed its full confidence in the process.

MILAN — Nothing about the sand-colored façade of the palazzo tucked behind Milan’s Duomo cathedral suggested that inside it a team of computer engineers were building a database to gather private and damaging information about Italy’s political elite — and use it to try to control them.   The platform, called Beyond, pulled together hundreds of thousands of records from state databases — including flagged financial transactions and criminal investigations — to create detailed profiles on politicians, business leaders and other prominent figures.  Police wiretaps recorded someone they identified as Samuele Calamucci, allegedly the technical mastermind of the group, boasting that the dossiers gave them the power to “screw over all of Italy.”  The operation collapsed in fall 2024, when a two-year investigation culminated in the arrests of four people, with a further 60 questioned. The alleged ringleaders have denied ever directly accessing state databases, while lower-level operatives maintain they only conducted open-source searches and believed their actions were legal. Police files indicate that key suspects claimed they were operating with the tacit approval of the Italian state.  After months of questioning and plea bargaining, 15 of the accused are set to enter their pleas at the first court hearing in October.   The disclosures were shocking, not only because of the confidentiality of the data but also the high-profile nature of the targets, which included former Prime Minister Matteo Renzi and Ignazio La Russa, co-founder of the ruling Brothers of Italy party and president of the Senate.  The scandal underscores a novel reality: that in the digital era, privacy is a relic. While dossiers and kompromat have long been tools of political warfare, hackers today, commanded by the highest bidder, can access information to exploit decision-makers’ weaknesses — from private indiscretions to financial vulnerabilities. The result is a political and business class highly exposed to external pressures, heightening fears about the resilience of democratic institutions in an era where data is both power and liability.  POLITICO obtained thousands of pages of police wiretap transcripts and arrest warrants and spoke with alleged perpetrators, their victims and officials investigating the scheme. Together, the documents and interviews reveal an intricate plot to build a database filled with confidential and compromising data — and a business plan to exploit it for both legal and illegal means.  On the surface, the group presented itself as a corporate intelligence firm, courting high-profile clients by claiming expertise in resolving complex risk management issues such as commercial fraud, corruption and infiltration by organized crime.   Banca Mediolanum, said it had paid “€3,000 to Equalize to gather more public information regarding a company that could have been the subject of a potential deal, managed by our investment bank.” | Diego Puletto/Getty Images Prosecutors accuse the gang of compiling damaging dossiers by illegally accessing phones, computers and state databases containing information ranging from tax records to criminal convictions. The data could be used to pressure and threaten victims or fed to journalists to discredit them.  The alleged perpetrators include a former star police investigator, the top manager of Milan’s trade fair complex and several cybersecurity experts prominent in Italy’s tech scene. All have denied wrongdoing.  SUPERCOP TURNED SUPERCROOK  When the gang first drew the attention of investigators in the summer of 2022, it was almost by accident.  Police were tracking a northern Italian gangster when he arranged a meeting with retired police inspector Carmine Gallo at a coffee bar in downtown Milan. Gallo, a veteran in the fight against organized crime, was a familiar face in Italy’s law enforcement circles. The meeting raised suspicions, and authorities put Gallo under surveillance — and inadvertently uncovered the gang’s wider operations.  Gallo, who died in March 2025, was a towering figure in Italian law enforcement. He helped solve high-profile cases such as the 1995 murder of Maurizio Gucci — carried out by the fashion mogul’s ex-wife Patrizia Reggiani and her clairvoyant — and the 1997 kidnapping of Milanese businesswoman Alessandra Sgarella by the ‘ndrangheta organized crime syndicate.  Yet Gallo’s career was not without controversy. Over four decades, he cultivated ties to organized crime networks and faced repeated investigations for overstepping legal boundaries. He ultimately received a two-year suspended sentence for sharing official secrets and assisting criminals.  When he retired from the force in 2018, Gallo illegally carted off investigative material such as transcripts of interviews with moles, mafia family trees and photofits, prosecutors’ documents show. His modus operandi was to tell municipal employees to “get a coffee and come back in half an hour” while he photographed documents, he boasted in wiretaps.  Still, Gallo’s work ethic remained relentless. In 2019, he co-founded Equalize — the IT company that hosted the Beyond database — with his business partner Enrico Pazzali, presenting the firm as a corporate risk intelligence company.  Gallo’s years as a police officer gave him a unique advantage: He could leverage relationships with former colleagues in law enforcement and intelligence to get them to carry out illegal searches on his behalf. Some of the information he obtained was then repackaged as reputational dossiers for clients, commanding fees of up to €15,000.  Gallo also cashed in his influence for favors, such as procuring passports for friends and acquaintances. Investigators recorded conversations in which he bragged of sourcing a passport for a convicted mafioso under investigation for kidnapping, who planned to flee to the United Arab Emirates.  The supercop-turned-supercriminal claimed that Equalize had a full overview of Italian criminal operations, extending even to countries like Australia and Vietnam.  When investigators raided the group’s headquarters, they found thousands of files and dossiers spanning decades of Italian criminal and political history. The hackers even claimed to have — as part of what they called their “infinite archive” — video evidence of the late Prime Minister Silvio Berlusconi’s so-called bunga bunga parties, which investigators called “a blackmail tool of the highest value.”   Enrico Pazzali cultivated close ties to right-wing politicians, including Attilio Fontana, president of the Lombardy region, and maintained a close association with high-level intelligence officials. | Alessandro Bremec/Getty Images Gallo’s sudden death of a heart attack six months into the investigation stirred unease among prosecutors. They noted that while an initial autopsy found no signs of trauma or injection, the absence of such evidence does not necessarily rule out interference. Investigators have ordered toxicology tests.  ‘HANDSOME UNCLE’  Gallo’s collaborator Pazzalli, a well-known businessman who headed Milan’s prestigious Fondazione Fiera Milano, the country’s largest exhibition center, was Equalize’s alleged frontman.  Pazzali, through his lawyer, declined to comment to POLITICO about the allegations.  The Fiera, a magnet for money and power, made Pazzali a heavy hitter in Milanese circles. Having built a successful career across IT, energy and other sectors, and boasting a full head of steely gray hair, he was known to some by the nickname “Zio Bello,” or handsome uncle.   Pazzali cultivated close ties to right-wing politicians, including Attilio Fontana, president of the Lombardy region, and maintained a close association with high-level intelligence officials. He would meet clients in a chauffeur-driven black Tesla X, complete with a blue flashing light on the roof — the kind typically reserved for high-ranking officials.  Since 2019, Pazzali held a 95 percent stake in Equalize. If Gallo’s role was sourcing confidential information, Pazzali’s was winning high-profile clients, the prosecutors allege. Leveraging his reputation and political connections, he helped secure business from banks, industrial conglomerates, multinationals, and international law firms, including pasta giant Barilla, the Italian subsidiary of Heineken, and energy powerhouse Eni.   Documents show that Eni paid Equalize €377,000. Roberto Albini, a spokesperson for the energy giant, told POLITICO that the firm had commissioned Equalize “to support its strategy and defense in the context of several criminal and civil cases.” He added that Eni was not aware of any illegal activity by the company.  Marlous den Bieman, corporate communications manager for Heineken, said the brewer had “ceased all collaboration with Equalize and is actively cooperating with authorities in their investigation of the company’s practices.”  Barilla declined to comment.  Italy’s third-largest bank, Banca Mediolanum, said it had paid “€3,000 to Equalize to gather more public information regarding a company that could have been the subject of a potential deal, managed by our investment bank.” The bank added, “Of course we were not aware that Equalize was in general conducting its business also through the adoption of illicit procedures.”  The group’s reach extended beyond Italy. In February 2023, it was hired by Israeli state intelligence agents in a €1 million operation to trace the financial flows from the accounts of wealthy individuals to the Russian mercenary network Wagner. In exchange, the Israelis promised to hand over intelligence on the illicit trafficking of Iranian gas through Italy — a commodity that, they suggested, might be of interest to Equalize’s client, the energy giant Eni.  Equalize rapidly grew into a formidable private investigation operation. Police reports noted that Pazzali recognized data as “a weapon for enormous economic and reputational gains,” adding, “Equalize’s raison d’être is to provide … Pazzali with information and dossiers to be used for the achievement of his political and economic aims.”  During the 2023 election campaign for the presidency of the Lombardy region, Pazzali ordered dossiers on close affiliates of former mayor of Milan, Letizia Moratti, who was challenging his preferred candidate, the far-right Fontana.  Prime Minister Matteo Renzi warned of a deeper political risk associated with the gang. | Vincenzo Nuzzolese/Getty Images A spokesman for Fontana called the allegation “science-fiction” and said “nothing was offered to the president of the region, he did not ask for anything, and he certainly did not pay anything.”   In 2022, Pazzali was in the running to manage Italy’s 2026 Winter Olympics as chief executive. Wiretaps suggested he ordered a dossier on his competitor, football club AC Milan’s Chairman Paolo Scaroni, but found nothing on him.  Business was booming, but Pazzali and Gallo were thinking ahead. They had become reliant on cops willing to leak information, and those officers could be spooked — or caught in the act. That was a vulnerability.  They started to envisage a more sophisticated operation: a platform that collated all the data the group had in its possession and could generate the prized dossiers with the click of a button, erasing the need for bribes and cutting manpower costs — a repository of high-level secrets that, once operational, would give Pazzali, Gallo, and their team unprecedented power in Italy.  Pazzali declined to comment on the investigation. He is due to plead before a judge at a preliminary hearing in October. ‘THE PROFESSOR’ AND THE BOYS   Enter Samuele Calamucci, the coding brain of the operation.  Calamucci is from a small town just outside Milan, and before he began his career in cybersecurity, he was involved in stonemasonry.   Unlike his partners Gallo and Pazzali, Calamucci wasn’t a known face in the city — and he had worked hard to keep it that way. He ran his own private investigation firm, Mercury Advisor, from the same offices as Equalize, handling the company’s IT operations as an outside contractor.  Calamucci knew his way around Italian government IT systems, too. In wiretapped conversations, he claimed to have helped build the digital infrastructure for Italy’s National Cybersecurity Agency and to have worked for the secret services’ Department of Information for Security.  Known within the gang as “the professor,” Calamucci’s role was to recruit and manage a team of 30 to 40 programmers he called the ragazzi — the boys.  With his best recruits he began to build Beyond in 2022, the platform designed to be the digital equivalent of an all-seeing eye.  To populate it, Calamucci and his team purchased data from the dark web, exploited access through government IT maintenance contracts and siphoned intelligence from state databases whenever they could, prosecutors said.  Beyond gave Pazzali, Gallo, and their gang a treasure trove of compromising information on political and business figures in a searchable platform. Wiretaps indicated the plan was to sell access via subscription to select clients, including international law firm Dentons and some of the Big Four consultancies like Deloitte, KPMG, and EY. | Aleksander Kalka/Getty Images In one police-recorded conversation, Calamucci boasted of a hard drive holding 800,000 dossiers. Through his lawyer, Calamucci declined to comment.  “We all thought the requested reports served the good of the country,” said one of the hackers, granted anonymity to speak freely. “Ninety percent of the reports carried out were about energy projects, which required open-source criminal records or membership in mafia syndicates, given that a large portion concerned the South.” Only 5 percent of the jobs they carried out were for individuals to conduct an analysis of enemies or competitors, he added.  The hackers were also “not allowed to know” who was coming into Equalize’s office from the outside. Meetings were held behind closed doors in Gallo’s office or in conference rooms, the hacker told POLITICO, explaining that the analysts were unaware of the company’s dynamics and the people it associated with.  Beyond gave Pazzali, Gallo, and their gang a treasure trove of compromising information on political and business figures in a searchable platform. Wiretaps indicated the plan was to sell access via subscription to select clients, including international law firm Dentons and some of the Big Four consultancies like Deloitte, KPMG, and EY.  Dentons declined to comment. Deloitte and EY did not respond to a request for comment. Audee Van Winkel, senior communication officer for KPMG in Belgium, where one of the alleged gang members worked, said the consultancy did not have any knowledge or records of KPMG in Belgium working with the platform.   ‘INTELLIGENCE MERCENARIES’  In Italy’s sprawling private investigation scene, Equalize was a relative newcomer. But Gallo, Pazzali and their associates had something going for them: They were well-connected.  One alleged member of the organization, Gabriele Pegoraro, had worked as an external cybersecurity expert for intelligence services and had previously made headlines as the IT genius who helped capture a fugitive terrorist.  Pegoraro said he “carried out only lawful operations using publicly available sources” and “was in the dark about how the information was used.”  According to wiretaps, Calamucci and Gallo had worked with several intelligence agents to provide surveillance to protect criminal informants.   On one occasion, Calamucci explained to a subordinate that the relationship with the secret services “was essential” to continue running Equalize undisturbed. “We are mercenaries for [Italian] intelligence,” he was heard saying by police listening in on a meeting with foreign agents at his office.   The services also helped with data searches for the group and created a mask of cover for the gang, prosecutors believe. A hacker proudly claimed that Equalize had even received computers handed down from Italy’s foreign intelligence agency, while law enforcement watched from bugs planted in the ceiling.  THE PROSECUTION  In October 2024, the music stopped.  Prosecutors placed four of the alleged gang members, including Gallo and Calamucci, under house arrest and another 60 people under investigation. They brought forward charges including conspiracy to hack, corruption, illegal accessing of data and the violation of official secrets.  Franco Gabrielli, a former director of Italy’s civil intelligence services, warned that even the toughest of sentences are unlikely to put an end to the practice. | Alessandro Bremec/Getty Images “Just as the Stasi destroyed the lives of so many people using a mixture of fabricated and collected information, so did these guys,” said Leonida Reitano, an Italian open-source investigator who studied the case. “They collected sensitive information, including medical reports, and used it to compromise their targets.”  News of what the gang had done dropped like a bombshell on Italy’s political class. Foreign Minister Antonio Tajani told reporters at the time that the affair was “unacceptable,” while Interior Minister Matteo Piantedosi warned the parliament that the hackers were “altering the rules of democracy.”  The Equalize scandal “is not only the most serious in the history of the Italian Republic but represents a real and actual attack on democracy,” said Angelo Bonelli, MP and member of the opposition Green Europe.  Prime Minister Renzi warned of a deeper political risk associated with the gang. “It is clear that Equalize are very close to the leaders of the right-wing parties, and intended to build a powerful organization, although it is not yet certain how deep an impact they had,” he told POLITICO. Renzi is seeking damages as a civil plaintiff in the eventual criminal trial.  Equalize was liquidated in March, and some of the alleged hackers have since taken on legitimate roles within the cybersecurity sector.  There are many unresolved questions around the case. Investigators and observers are still trying to determine the full extent of Equalize’s ties to Italian intelligence agencies, and whether any clients were aware of or complicit in the methods used to compile sensitive dossiers. Interviews with intelligence officials conducted during the investigation were never transcribed, and testimony given to a parliamentary committee remains classified. Police documents are heavily redacted, leaving the identities of key figures and the full scope of the operation unclear.  While Equalize is unprecedented in its scale, efforts to collect information on political opponents have “become an Italian tradition,” said the political historian Giovanni Orsina. Spying and political chicanery during and after the Cold War has damaged democracy and undermined trust in public institutions, made worse by a lethargic justice system that can take years if not decades to deliver justice.   “It adds to the perception that Italy is a country in which you can never find the truth,” Orsina said.  Franco Gabrielli, a former director of Italy’s civil intelligence services, warned that even the toughest of sentences are unlikely to put an end to the practice. “It just increases the costs, because if I risk more, I charge more,” he said.   “We must reduce the damage, put in place procedures, mechanisms,” he added. “But, unfortunately, all over the world, even where people earn more there are always black sheep, people who are corrupted. It’s human nature.” 

BRUSSELS — The European Commission on Friday accused Meta and TikTok of breaching the bloc’s landmark social media regulation. The EU executive said Meta’s Facebook and Instagram, and TikTok all failed in their obligations to give researchers access to data from their platforms. The two Meta platforms also failed on three obligations to empower users in flagging illegal content and challenging moderation decisions, it said. The platforms now have the right to reply to the Commission’s allegations under the Digital Services Act (DSA). Should they fail to convince the EU executive, they risk fines of up to 6 percent of annual global revenue. “We disagree with any suggestion that we have breached the DSA, and we continue to negotiate” with the Commission on these issues, Meta spokesperson Ben Walters said. Meta has “introduced changes to our content reporting options, appeals process and data access tools since the DSA came into force and are confident that these solutions match what is required under the law in the EU,” he said. TikTok spokesperson Paolo Ganino said the firm was “reviewing the European Commission’s findings, but requirements to ease data safeguards place the DSA and [General Data Protection Regulation] in direct tension. If it is not possible to fully comply with both, we urge regulators to provide clarity on how these obligations should be reconciled.” Ganino added it had “made substantial investments in data sharing and almost 1,000 research teams have been given access to data through our Research Tools to date.” The moves are part of ongoing efforts to enforce the bloc’s digital rules. Meta is the second American platform to be accused of breaking the rules: Elon Musk’s X was accused of doing so more than a year ago, in July 2024. China’s Temu and AliExpress have also been accused of breaches. The EU executive opened its investigation into Meta in April last year and expanded it in May. TikTok’s probe started in February 2024, and was extended twice in April and in December (with the April section closed after TikTok agreed to pull the product in question from Europe). None of the findings have so far led to fines. Friday’s findings said Facebook and Instagram didn’t make a system to allow users to flag illegal content sufficiently user-friendly, and also that the companies designed the interface deceptively. The platforms also made a difficult interface to use in order to challenge content moderation decisions, the Commission said. Several other parts of the probes remain open, including on how the platforms protect minors and their role in election manipulation. The Trump administration has launched repeated attacks on the EU’s DSA law, calling it “Orwellian” and accusing the bloc of censorship.

BRUSSELS — First it was telecom snooping. Now Europe is growing worried that Huawei could turn the lights off. The Chinese tech giant is at the heart of a brewing storm over the security of Europe’s energy grids. Lawmakers are writing to the European Commission to urge it to “restrict high-risk vendors” from solar energy systems, in a letter seen by POLITICO. Such restrictions would target Huawei first and foremost, as the dominant Chinese supplier of critical parts of these systems. The fears center around solar panel inverters, a piece of technology that turns solar panels’ electricity into current that flows into the grid. China is a dominant supplier of these inverters, and Huawei is its biggest player. Because the inverters are hooked up to the internet, security experts warn the inverters could be tampered with or shut down through remote access, potentially causing dangerous surges or drops in electricity in Europe’s networks. The warnings come as European governments have woken up to the risks of being reliant on other regions for critical services — from Russian gas to Chinese critical raw materials and American digital services. The bloc is in a stand-off with Beijing over trade in raw materials, and has faced months of pressure from Washington on how Brussels regulates U.S. tech giants. Cybersecurity authorities are close to finalizing work on a new “toolbox” to de-risk tech supply chains, with solar panels among its key target sectors, alongside connected cars and smart cameras. Two members of the European Parliament, Dutch liberal Bart Groothuis and Slovak center-right lawmaker Miriam Lexmann, drafted a letter warning the European Commission of the risks. “We urge you to propose immediate and binding measures to restrict high-risk vendors from our critical infrastructure,” the two wrote. The members had gathered the support of a dozen colleagues by Wednesday and are canvassing for more to join the initiative before sending the letter mid next week.   According to research by trade body SolarPower Europe, Chinese firms control approximately 65 percent of the total installed power in the solar sector. The largest company in the European market is Huawei, a tech giant that is considered a high-risk vendor of telecom equipment. The second-largest firm is Sungrow, which is also Chinese, and controls about half the amount of solar power as Huawei. Huawei’s market power recently allowed it to make its way back into SolarPower Europe, the solar sector’s most prominent lobby association in Brussels, despite an ongoing Belgian bribery investigation focused on the firm’s lobbying activities in Brussels that saw it banned from meeting with European Commission and Parliament officials. Security hawks are now upping the ante. Cybersecurity experts and European manufacturers say the Chinese conglomerate and its peers could hack into Europe’s power grid.  “They can disable safety parameters. They can set it on fire,” Erika Langerová, a cybersecurity researcher at the Czech Technical University in Prague, said in a media briefing hosted by the U.S. Mission to the EU in September.  Even switching solar installation off and on again could disrupt energy supply, Langerová said. “When you do it on one installation, it’s not a problem, but then you do it on thousands of installations it becomes a problem because the … compound effect of these sudden changes in the operation of the device can destabilize the power grid.”  Surges in electricity supply can trigger wider blackouts, as seen in Spain and Portugal in April. | Matias Chiofalo/Europa Press via Getty Images Surges in electricity supply can trigger wider blackouts, as seen in Spain and Portugal in April. Some governments have already taken further measures. Last November, Lithuania imposed a ban on remote access by Chinese firms to renewable energy installations above 100 kilowatts, effectively stopping the use of Chinese inverters. In September, the Czech Republic issued a warning on the threat posed by Chinese remote access via components including solar inverters. And in Germany, security officials already in 2023 told lawmakers that an “energy management component” from Huawei had them on alert, leading to a government probe of the firm’s equipment. CHINESE CONTROL, EU RESPONSE  The arguments leveled against Chinese manufacturers of solar inverters echo those heard from security experts in previous years, in debates on whether or not to block companies like video-sharing app TikTok, airport scanner maker Nuctech and — yes — Huawei’s 5G network equipment. Distrust of Chinese technology has skyrocketed. Under President Xi Jinping, the Beijing government has rolled out regulations forcing Chinese companies to cooperate with security services’ requests to share data and flag vulnerabilities in their software. It has led to Western concerns that it opens the door to surveillance and snooping. One of the most direct threats involves remote management from China of products embedded in European critical infrastructure. Manufacturers have remote access to install updates and maintenance. Europe has also grown heavily reliant on Chinese tech suppliers, particularly when it comes to renewable energy, which is powering an increasing proportion of European energy. Domestic manufacturers of solar panels have enough supply to fill the gap that any EU action to restrict Chinese inverters would create, Langerová said. But Europe does not yet have enough battery or wind manufacturers — two clean energy sector China also dominates. China’s dominance also undercuts Europe’s own tech sector and comes with risks of economic coercion. Until only a few years ago, European firms were competitive, before being undercut by heavily subsidized Chinese products, said Tobias Gehrke, a senior policy fellow at the European Council on Foreign Relations. China on the other hand does not allow foreign firms in its market because of cybersecurity concerns, he said. The European Union previously developed a 5G security toolbox to reduce its dependence on Huawei over these fears. It is also working on a similar initiative, known as the ICT supply chain toolbox, to help national governments scan their wider digital infrastructure for weak points, with a view to blocking or reduce the use of “high-risk suppliers.” According to Groothuis and Lexmann, “binding legislation to restrict risky vendors in our critical infrastructure is urgently required” across the European Union. Until legislation is passed, the EU should put temporary measures in place, they said in their letter.  Huawei did not respond to requests for comment before publication. This article has been updated.