The 2026 RSF Index reframes the work of protecting journalists.
Norway held the top spot on the World Press Freedom Index for the 10th straight year, but the rest of the 2026 rankings released by Reporters Without Borders (RSF) this week tell a colder story. For the first time since the index began in 2002, over half of the 180 countries surveyed sit in the ‘difficult’ or ‘very serious’ categories, and the global average score has fallen to its lowest level in 25 years, according to the Paris-based press-freedom advocacy group, which compiles the index annually as both a research product and a campaigning tool.
That headline matters. So does what it implies for the people who never appear in the bylines but who decide whether journalism can continue at all—the cybersecurity engineers, records managers, and eDiscovery counsel who handle the data that journalists collect, store, transmit, and, eventually, defend in court.
The Reporters Without Borders annual ranking, published April 30, 2026, ahead of World Press Freedom Day on May 3, scores countries across five categories: political context, legal framework, economic context, sociocultural context, and safety. As of the 2026 release, the legal indicator declined the most year over year, deteriorating in 110 of 180 countries, according to RSF. “There are fewer and fewer countries today where press freedom is guaranteed,” Thibaut Bruttin, director general of Reporters Without Borders, said in remarks accompanying the release.
A Nordic and Baltic story—with cracks
The Nordic and Baltic states again occupied an outsized share of the top 12. Norway led with a score of 92.72, followed by the Netherlands at 88.92 and Estonia at 88.54. Denmark placed fourth at 88.47, Sweden fifth at 87.61, and Finland sixth at 86.22. Iceland climbed five places to 12th. Lithuania ranked 15th and Latvia 17th, the two Baltic neighbours continuing a pattern of slipping a place or two each year.
Estonia’s drop from second to third was the more closely watched move in the region. RSF attributed the slide to political pressure on the Estonian press, including pressure on its public broadcaster, even as the country retained a ‘good’ press freedom rating — one of only seven countries to do so. Latvia’s decline, the second consecutive year it has lost ground, came alongside continuing concern about the regional security environment for exiled Russian and Belarusian journalists who relocated to Riga and Vilnius after 2022.
The picture, taken together, is the clearest data point in the index: a small group of mostly northern European democracies remain the safest places on Earth to publish, but the gap between them and the next tier is widening. The United States, by comparison, fell seven places to 64th, its lowest-ever ranking, with RSF citing what it called systematic attacks on press freedom by the current administration.
The legal indicator is the alarm bell
RSF said the legal indicator’s decline reflects an expansion of national security laws, criminal defamation statutes, and strategic lawsuits against public participation—the abusive complaints commonly known as SLAPPs. “Although attacks on the right to information are more diverse and sophisticated, their perpetrators are now operating in plain sight,” Anne Bocandé, RSF’s editorial director, said in the report. She identified “the misuse of national security laws, SLAPPs, and the systematic obstruction of those who investigate, expose, and name names” as drivers of the global decline. Bocandé also pointed to “underregulated online platforms” as a cause of erosion—a framing that places technology companies inside the same set of risks RSF lays at the feet of authoritarian states.
For European Union member states, the test of those drivers will play out against two recent legal instruments: the European Media Freedom Act (EMFA), which entered into force on May 7, 2024, with full application starting August 8, 2025; and the EU Anti-SLAPP Directive (Directive 2024/1069), which member states had to transpose into national law by May 7, 2026 — five days after this article’s publication. EMFA Article 4 prohibits authorities from compelling journalists to disclose sources through detention, sanctions, office searches, or the deployment of invasive surveillance tools on their devices. That last category is where the cybersecurity, information governance, and eDiscovery professions enter the story. RSF itself has cautioned that without political will to enforce the act, EMFA risks becoming what the organization called a dead letter.
What this means for cybersecurity professionals
Spyware investigations across the Baltic states have already produced one of the cleanest case studies in journalist threat modelling. A 2024 joint inquiry by Access Now and Citizen Lab found at least seven Pegasus infections among exiled journalists and civil-society figures based in Latvia, Lithuania, and Poland between 2020 and 2023, including Galina Timchenko of Meduza and Maria Epifanova of Novaya Gazeta Europe. The attribution is contested—Access Now noted that available evidence suggested possible involvement of Latvian or Estonian state actors, but said no conclusion was reached.
“Pegasus creates a chilling effect on human rights by making journalists and activists scared to talk to their sources and attend human rights conferences out of fear they are being surveilled,” Natalia Krapiva, senior tech-legal counsel at Access Now, said in connection with the investigation.
The defensive lesson stands regardless of attribution. Newsrooms working with exile reporters need device-level threat modelling that assumes commercial-grade spyware on the contact graph. Practical steps include hardware-key authentication, default Lockdown Mode on iOS for high-risk staff, end-to-end encrypted messaging with disappearing messages set to a short timer, sandboxed mail clients, and an internal escalation channel to forensics partners such as Citizen Lab when a suspected infection appears. Editors should also assume that a single foreign-correspondent device can compromise an entire newsroom directory and segment access accordingly. AI-driven harassment campaigns and deepfake disinformation aimed at named reporters add a second pressure layer; security teams should plan for synthetic-media incident response the way they plan for ransomware.
What this means for information governance professionals
Information governance is often the thinnest layer in a newsroom’s defence stack. Source-protection obligations under EMFA Article 4, the EU Anti-SLAPP Directive, and the patchwork of state shield laws in the United States all rely on the same precondition: the news organization must actually know what data it holds, where, for how long, and under what classification. Records that are not retained cannot be subpoenaed; records that are retained but uncatalogued become the worst of both worlds—discoverable and unprotectable.
The platform-dependency question is now part of the same governance brief. Major newsrooms keep editorial communications, source contacts, and draft work product on third-party platforms whose retention defaults, jurisdictional exposure, and lawful-access policies the newsroom does not control. Bocandé’s reference to ‘underregulated online platforms’ is a media-freedom point; in practice, it lands as an information-governance question. Programs should map every platform that touches source-confidential data, document its retention behaviour and law-enforcement-disclosure practices, and treat platform-resident data as a discoverable surface that the newsroom is responsible for.
Effective programs treat unpublished newsgathering material as a separate retention class. Source identifiers, communications metadata, raw recordings, and pre-publication drafts each carry their own minimum-necessary horizons. A defensible program documents those horizons in a written policy, applies them through automated retention rules, and reviews them when a litigation hold lands. The point is not retention for its own sake — it is the ability to demonstrate, in a deposition or a hearing, that nothing was destroyed in anticipation of a subpoena and that nothing was kept past the operational need.
What this means for eDiscovery professionals
eDiscovery counsel and consultants are increasingly the bridge between newsroom practice and legal exposure. SLAPP cases — and the more conventional defamation suits filed against investigative reporting — produce production demands that test source-protection frameworks under real pressure. eDiscovery teams supporting media defendants should expect to negotiate protective orders that carve out unpublished newsgathering material, assert privilege logs that distinguish source-confidential communications from ordinary editorial work product, and apply targeted search and review protocols that surface only what is responsive without exposing source identities to opposing counsel.
The growing use of cross-border claims, including SLAPPs filed by foreign claimants against EU-based defendants, also means eDiscovery professionals should be ready to apply EMFA Article 4 protections within review workflows—flagging custodian devices that may have been subject to surveillance attempts, and treating any forensic image of a journalist’s phone as presumptively privileged until shield-law review is complete. Generative-AI tools sitting inside the newsgathering workflow add a fresh privilege wrinkle: prompts, transcripts, and AI-assisted drafts may all need privilege treatment, and review teams should know which AI tooling a media client uses before production begins.
The next 12 months
The 2026 RSF Index shows what trajectory the space is on and where the safe harbour sits. The next year will test whether the EMFA’s enforcement matches its promise, whether the Anti-SLAPP Directive’s transposition is meaningful in member states beyond the early movers—Belgium, Ireland, the Netherlands, and Germany among them—and whether the United States’ slide can be arrested by federal shield legislation such as the PRESS Act.
The work of protecting journalism, in the meantime, will continue to fall in part to the technical and legal professionals who never see a byline.
Should newsrooms publish their own data-protection and source-handling standards the way they publish ethics policies—and would your organisation stand behind one if asked to defend it tomorrow?

