AI-fuelled violations, creeping state surveillance and a lack of protection from online platform abuses are key issues highlighted by BIRN’s annual report on digital rights violations in Southeast Europe.
BIRN’s Digital Rights Violations in Southeast Europe report for 2025, published on Monday, highlights how Southeast Europe is undergoing rapid digital transformation while simultaneously confronting democratic backsliding, technological misuse and weak safeguards.
“The findings paint a concerning picture, underscoring the urgent need for continuous, independent monitoring of digital rights violations in a region that remains highly vulnerable,” the report says.
It is based on 1,440 incidents registered by BIRN’s monitoring team from September 2024 to August 2025 in ten countries – Albania, Bosnia and Herzegovina, Croatia, Hungary, Kosovo, Montenegro, North Macedonia, Romania, Serbia and Turkey.
One of the most concerning developments highlighted by the report is the rapid rise of AI-driven harm, which is fuelling sexual and gender-based violence, as well as enabling new forms of fraud and manipulation.
Deepfakes, voice cloning and other generative AI tools are now routinely used to impersonate public figures or institutions, enabling phishing schemes, investment scams and emergency-related fraud. At the same time, AI is increasingly weaponised to facilitate sexual and gender-based violence, disproportionately targeting women and children through the non-consensual creation and circulation of intimate images.
These technological threats are unfolding in a region where major platforms continue to operate largely unregulated and with opaque systems.
“Across the region, some governments have taken aggressive steps to control digital spaces, often citing national security, public order, child safety, or moral concerns, while online platforms remain largely unregulated, opaque in their operations and vulnerable to pressure,” the report says.
“Platforms are caught between protecting users and appeasing governments, some of which are adopting more authoritarian approaches. This clash has exposed users to both state overreach and insufficient protection from tech companies,” it adds.
Globally, experts warn that such dynamics reflect a broader drift toward techno-authoritarianism, where state and corporate power increasingly merge to shape, and sometimes constrain, public discourse.
Parallel to this, civic digital spaces are shrinking across Southeast Europe, mirroring offline realities. What once appeared as isolated incidents now forms a coherent pattern of hybrid repression. Journalists, activists, fact-checkers and civil society organisations face escalating harassment, coordinated smear campaigns, doxxing, digital attacks on content and online presence, legal intimidation and surveillance.
Pro-government media and far-right groups have weaponised narratives such as “foreign agent”, “traitor” and “mercenary,” particularly against LGBTQ+ organisations, and NGOs affected by cuts to USAID funding. Civil society and independent media increasingly find themselves silenced through a steady erosion of legitimacy and safety, compounded by growing financial precarity and personal risk.
The report also documents the expansion of state surveillance, often enabled through opaque procurement processes. Through the latter, the region has imported controversial technologies from foreign companies and governments with poor human rights records, often under international sanctions. Governments across the region are acquiring facial recognition systems, digital forensics tools and other intrusive technologies with minimal transparency.
Several of these tools – already used to target journalists and civic actors, including BIRN staff – have drawn scrutiny from digital rights advocates and the European Parliament, prompting calls for stronger accountability mechanisms and the exclusion of spyware vendors from public funding.
Some of the tech companies involved have also raised global concerns for their role in surveillance in the occupied Palestinian territories, where they have been accused of testing systems on the Palestinian population before exporting them abroad.
These findings, together with cases of illegal wiretapping, politically motivated monitoring and abuse by senior officials of surveillance powers across the region, highlight systemic institutional vulnerabilities and weak oversight.
Finally, the 2024-2025 election cycle underscored how vulnerable democratic processes have become to digital interference. AI-generated disinformation, data protection breaches, cyberattacks and unregulated platform behaviour all contributed to an environment in which electoral fairness and transparency were increasingly undermined, culminating in the unprecedented cancellation of election results in Romania.
As governments, tech companies and societies grapple with these challenges, the region’s ability to uphold democratic integrity in the digital age remains a critical test for its political future.
Eyes on the bigger picture
The report’s ten country chapters contextualise these regional trends within specific national political and legal environments. They analyse key cases, highlight gaps in governance and institutional capacity, and provide targeted recommendations.
A broader look across the region shows that rapid digitalisation is unfolding in contexts marked by weak rule of law and wide disparities in digital literacy. While some countries have digitalised more than 90% of their public services, this transformation has often taken place without adequate safeguards, oversight or support for citizens.
In Albania, an artificial intelligence system has been appointed as the world’s first AI government ‘minister’, despite the absence of a legal framework, while in North Macedonia digital healthcare platforms now provide public services.
But large segments of the population in these countries still lack reliable digital access, with rural and remote communities disproportionately affected. Across the Western Balkans and Turkey, digital literacy levels remain well below the EU average, heightening the risk of exclusion, unequal access to services and new forms of discrimination.
Real-life consequences
The report documents numerous examples where online harms translated directly into ‘real-life’ risks. In Belgrade, an online challenge ended in the tragic death of an 18-year-old; in North Macedonia, a femicide was livestreamed on social media; in Romania, social media channels were used to galvanise extremist violence against minorities.
Digital gender-based violence has surged, fuelled by AI-driven deepfake technologies and weak institutional responses. Cases such as the AlbKings group in Kosovo, with 120,000 online members, illustrate the profound impact of non-consensual intimate image sharing, while a European Court of Human Rights case against Romania highlights systemic institutional failures in protection against cyberviolence.
Cyberattacks and digital system failures also pose growing ‘real-life’ risks. In Croatia, a hospital cyberattack disrupted cancer treatment for weeks. Romania experienced the unprecedented cancellation of elections due to digital interference, and its voting infrastructure was targeted by 85,000 cyberattacks originating from 33 countries. In Turkey, organised crime groups infiltrated e-government systems, selling forged documents and citizens’ personal data online.
“The bi-directional harm between online and offline spaces, where digital violations fuel real-world consequences and vice versa, underscores that digital rights violations are not isolated technical issues but core democratic and human rights concerns,” the report warns.
Reform momentum
According to the legal overview provided by the report, governments across Southeast Europe are accelerating digital legislation reforms, largely driven by EU accession processes. But progress remains uneven, with persistent capacity gaps and growing risks of misuse.
Candidate countries in the Western Balkans have advanced their alignment with the EU’s GDPR data protection and privacy legislation and NIS2 cybersecurity directive. Serbia and Albania have ambitiously committed to harmonising their laws with the Digital Services Act and the Artificial Intelligence Act.
However, enforcement of privacy frameworks remains weak, cybersecurity threats are rising, cyber agencies are often under-resourced or delayed in operationalisation, and several criminal law amendments risk curtailing online expression.
Efforts to regulate platforms and artificial intelligence remain limited, frequently outpacing institutional readiness and raising urgent questions about accountability, transparency and the protection of human rights in a rapidly evolving digital landscape.
“Rule-of-law challenges are increasingly manifest in the digital domain. Despite formal commitments to align with European Union digital legislation, the implementation of reforms and institutional capacities in candidate countries raise significant concerns,” the report says.
Among EU member states, Romania, Croatia and Hungary have made several legislative strides but, in some cases, also face criticism for delayed implementation, weak independence of oversight bodies, or outright violations of EU standards – particularly in Hungary, in areas such as biometric surveillance and media freedom.
Meanwhile, ongoing EU-level discussions on deregulation have sparked concerns about the future of digital legislation and the protection of digital rights, creating uncertainty for both member states and candidate countries. Proposals to ease compliance burdens risk weakening hard-won safeguards in areas such as platform accountability, algorithmic transparency, and user privacy.
Digital rights are a democratic imperative
While governments across the region have formally pledged to align with EU standards on privacy, cybersecurity and platform governance, implementation remains uneven, reforms are often rushed, and political interference is not uncommon.
In many cases, legislation adopted to meet EU benchmarks overlooks local realities, including low digital literacy, limited oversight capacity and persistent institutional fragility. In others, digital regulations are instrumentalised to silence dissent, expand executive control or legitimise intrusive surveillance practices.
The growing entanglement between online and offline harms – affecting far from abstract issues such as life, health, finances, facts, elections and the functioning of institutions – reinforces the urgency of treating digital rights as a core human rights concern.
The report findings call for sustained, independent monitoring and far stronger accountability from governments and technology platforms. They emphasise that safeguarding digital rights is essential for protecting democratic integrity, strengthening civic space and ensuring that technological change serves public interest rather than exposing citizens to new forms of harm.
Download the full report here.
What does the data show?
BIRN’s Digital Rights Violations in Southeast Europe report documents 1,440 violations across Albania, Bosnia and Herzegovina, Croatia, Hungary, Kosovo, Montenegro, North Macedonia, Romania, Serbia and Turkey registered by BIRN’s monitoring team from September 2024 to August 2025.
It shows that violations concerning freedom and pluralism of information (24.7 per cent of the 1,440 violations), the protection of digital assets and economic rights (24.2 per cent), and threatening or harmful online behaviour (23.8 per cent) dominate the regional landscape. Together, these three categories amount to 73 per cent of all documented violations, signalling entrenched and systemic challenges.
Other notable violations concern freedom of expression and media (12.6 per cent) and online civic participation (8.3 per cent), reflecting a broader trend of journalists and civic actors coming under heightened pressure. According to the report, these figures are particularly concerning because they affect specific groups, unlike the other broader-reaching areas.
Violations involving personal data protection (6.3 per cent) and digital access (less than 1 per cent) appear less frequently in the data compared to other categories, but the report emphasises that these are often underreported due to their hidden or technically complex nature.
The findings also demonstrate that private individuals (62.8 per cent) remain the main targets of violations, followed by politicians and political parties (10 per cent), public officials and institutions (6.8 per cent), and private sector actors (4.4 per cent).
Journalists and media (10 per cent) and civic actors (5.9 per cent) were specific targets of violations. Private individuals were likewise responsible for the majority of registered violations (42.6 per cent), followed by unknown attackers (33.8 per cent), public institutions or politicians (19.1 per cent) and private-sector actors (4.4 per cent).