The Dutch government is launching a new national security law that will grant *automatic* permission to do targeted surveillance of *victims* of hackers, or to hack the victims: https://aboutintel.eu/nl-government-wants-to-abandon-key-safeguards-for-hacking-of-non-targets/

Dutch agencies can, under exceptional circumstances, already do targeted surveillance of "non-targets" who themselves are not of national security interest. However, because of the European human rights concept of subsidiarity, this is only allowed if other things didn't work

Under the existing law, agencies have to ask permission to target (state sponsored) hackers. If they want to do surveillance on non-targets (for example, victims), a more stringent test applies: might these people be doctors, lawyers or otherwise sensitive groups?

Under the new law, paradoxically, surveillance on non-targets no longer needs special permission. No permission is required at all! Not even internal permission. Adding hacking victims to a warrant becomes a purely administrative procedure.

For more details, and indeed some nuance, please head to this about:intel page, where it is also possible to discuss the matter: https://aboutintel.eu/nl-government-wants-to-abandon-key-safeguards-for-hacking-of-non-targets/