Keeping the Indo-Pacific on board with the global anti-spyware movement
Launched in early 2024 by Britain and France, the Pall Mall Process is one of two global initiatives aiming to set norms to prevent the harmful proliferation of commercial spyware. But unless the process becomes more inclusive, flexible and responsive to emerging economies, it risks lacking global legitimacy. This is an opportunity to empower Global South countries to shape—and co-own—the spyware governance agenda.
Spyware misuse is widespread. Europe has seen scandals in Italy, Greece, Poland and Serbia, with spyware deployed against political opponents, activists and journalists. Indo-Pacific cases are growing too: Indonesian agencies have reportedly imported and deployed spyware via Singapore; Thailand has used Pegasus against pro-democracy activists; and Singapore has warned of spyware-linked phishing. Despite global abuse, regulation remains uneven, hindered by limited capacity, conflicting priorities and scepticism toward international initiatives. Many governments view surveillance as vital for national security.
In April, government, civil society and private sector representatives met in Paris to launch the Code of Practice for States—part of the Pall Mall Process—promoting voluntary controls over commercial cyber intrusion capabilities, including spyware.
While 28 states signed the 2024 declaration, only 25 endorsed the code. There are glaring absences in global efforts to regulate this growing threat. The signatories were mostly European. Some of the biggest hosts of spyware firms (for instance Spain, Cyprus and Israel) and most of Asia, Latin America and Africa were not included. While Australia and Singapore endorsed the initial 2024 declaration, neither signed the code of conduct.
This diminishing support reflects the difficulty of achieving broad-based adoption. To maintain traction in such contexts, the international movement to counter the proliferation and misuse of spyware must reframe its appeal and provide states with more adaptable pathways that reflect their diverse capacities, political priorities and tech-security interests.
This means moving away from an all-or-nothing compliance model and instead adopting a tiered approach to participation. Such a model would allow countries to gradually engage with the initiative, building confidence as regulatory capacity grows over time while working toward higher standards. It would also shift the emphasis from a rights-based to an interest-based framework—one that speaks to sovereignty, regime security and strategic autonomy.
For many governments, spyware regulation may be more appealing if it is presented as a means to protect national sovereignty from foreign espionage—including by major powers—and to control the domestic spyware market, thereby avoiding rogue use by political rivals, security agencies or foreign contractors. Reframing the initiative this way acknowledges that spyware is not inherently illegitimate. The goal is to create guardrails, not prohibitions, to ensure spyware use is lawful, controlled and transparent.
The first tier of this model could start with a public declaration of intent to align with the code’s core principles. This would include basic commitments to transparency in procurement of cyber intrusion tools and the introduction of oversight mechanisms, even if minimal. Lowering the entry threshold allows states to signal support without being overwhelmed by technical or legal burdens.
The second tier would involve tailored support and technical assistance. This would mean that the group of signatories recognises the diversity of national security contexts among themselves and would offer customised capacity-building programs. Assistance could take the form of legal advisory services, knowledge-sharing and exchange platforms, and training to develop oversight institutions. A roadmap with milestone targets—shaped collaboratively with the country in question—could provide structure while accommodating political and institutional sensitivities and constraints.
The third tier would entail more advanced reforms. These might include establishing independent regulatory bodies, creating import and export controls for commercial cyber intrusion capabilities, and requiring vendors to undergo licensing and perform due diligence. Legal safeguards against misuse could then be expected, alongside clear mechanisms for accountability. The move to this stage should be gradual, calibrated to the readiness and willingness of each jurisdiction.
Importantly, inclusive consultation and co-design are essential throughout this process. Governments, the private sector, civil society and academia all have roles to play. Companies should be compelled to disclose their supply chains and conduct due diligence. In return, states could offer regulatory clarity and reputational incentives for responsible behaviour. Civil society actors, who often lead investigations into spyware abuse, can contribute to transparency and accountability through monitoring and public reporting.
This tiered approach is not just a diplomatic strategy; it is a necessity. Spyware is now widely available to both state and non-state actors. Its misuse undermines global norms for responsible behaviour in cyberspace, erodes trust in digital systems and threatens civil liberties. But the solution cannot be imposed through rigid frameworks that ignore geopolitical realities. In today’s fracturing order, global coalitions across the Global North and South must be brought along through partnership, trust, respect for national concerns and mutual interest, rather than pressure to follow unrealistically high standards.