Schengen Information System II Undermined by Major Security Vulnerabilities

Eleven years after its deployment, the Schengen Information System II (SIS II), the backbone of European border control, has been found to have significant security vulnerabilities. A 2024 audit conducted by the European Data Protection Supervisor uncovered thousands of critical flaws within this system, which monitors the movements of millions of Europeans. These findings were reported by Bloomberg and Lighthouse Reports.

The audit highlights serious concerns regarding the system, initially implemented in 2013, which allows EU member states to issue and access real-time alerts about individuals suspected of security threats—including alleged terrorists and those under arrest warrants—when attempting to cross into European countries.

A particular point of concern in the report is the excessive number of user accounts with administrative access to the SIS II database. This is an avoidable weakness that could be exploited by insiders: every additional privileged account widens the set of people who can read or alter sensitive personal and operational data, increasing the risk of unauthorized access, whether through a malicious insider or a compromised account.

Sensitive Data of Millions at Risk

The SIS II database currently contains approximately 93 million records, including detailed information on about 1.7 million individuals. Among these, 195,000 have been flagged as potential threats to national security. The alerts stored within SIS II can include photographs of suspects as well as biometric data such as fingerprint scans collected during criminal investigations. Since March 2023, the system has also incorporated “return decisions,” which are judicial rulings ordering an individual’s expulsion from the Schengen area.

Romain Lanneau, a legal researcher at Statewatch, warns that a breach of these data—if exploited—could be catastrophic, potentially affecting millions of individuals. The risk is particularly insidious because most persons are unaware that their information is stored in SIS II until law enforcement agencies take action based on the alerts.

The audit further identifies vulnerabilities to denial-of-service (DoS) attacks and intrusion attempts that could grant unauthorized access to the system. These security gaps are especially alarming as SIS II is currently isolated but is scheduled to be integrated into the new Entry/Exit System (EES). The EES will be connected to the internet, enabling automated registration of the hundreds of millions of visitors entering the EU annually, which could compound security risks if not properly secured.

Slow Responses to Security Flaws

Troublingly, the audit reports that when EU-LISA—the agency responsible for overseeing large-scale IT projects like SIS II—reported these vulnerabilities to Sopra Steria, the IT services company managing development and maintenance, remedial actions took an unacceptably long time. Even the fastest fixes took eight months, while other issues remained unresolved for over five and a half years, according to the documents obtained by Lighthouse Reports and Bloomberg.

Despite contractual obligations that mandated Sopra Steria to fix critical and high-severity vulnerabilities within two months of publication of a security patch, the company often failed to meet these deadlines. The contract also stipulated that corrective maintenance would be billed at rates between €519,000 and €619,000 per month. Internal emails from 2022 reveal that Sopra Steria even argued for an additional €19,000 cost for fixing certain vulnerabilities, despite EU-LISA’s position that these fixes should be covered under existing contractual terms.

Organizational Shortcomings at EU-LISA

The audit also criticizes EU-LISA for organizational deficiencies. Notably, the agency did not inform its management board of the identified security vulnerabilities, raising questions about transparency and oversight. The system's security posture is weakened by both technical and organizational shortcomings. The auditors recommend developing a comprehensive action plan with a clear strategy to address these vulnerabilities.

Moreover, the report states that 69 individuals accessed SIS II without the required security clearances, raising concerns about an increased risk of data leaks or misuse. It remains unclear whether these individuals were employees of Sopra Steria or of other contractors involved.

Sources familiar with the matter indicate that many of the issues stem from EU-LISA’s heavy reliance on external consulting firms rather than building robust internal technical capabilities. This approach is partly driven by pressure to deliver projects rapidly, often without sufficient in-house expertise.

This pattern of delays and organizational issues extends beyond SIS II. The Entry/Exit System (EES), another EU project managed by EU-LISA and initially scheduled for 2022, has faced multiple delays, largely due to technical problems associated with the contractor Atos. Recently, the European Commission announced that certain parts of the EES would begin operational testing in October.

Francesca Tassinari, a researcher at the University of the Basque Country and an expert in EU IT systems, commented to Bloomberg that the creation of a decentralized agency like EU-LISA in 2012 was intended to facilitate the development of “smart border” technologies. However, she added that the agency has proven insufficient to manage the scale and complexity of these projects effectively.

Neither Sopra Steria nor EU-LISA has publicly commented in detail on these security issues, merely asserting that European protocols and frameworks are being followed and that ongoing security measures are in place to protect the systems.

This situation highlights the urgent need for improved management, oversight, and internal expertise to ensure the security and integrity of critical border control systems, which are increasingly vital as the EU moves toward more automated and integrated entry and exit processes.

Dawn Liphardt

I'm Dawn Liphardt, the founder and lead writer of this publication. With a background in philosophy and a deep interest in the social impact of technology, I started this platform to explore how innovation shapes — and sometimes disrupts — the world we live in. My work focuses on critical, human-centered storytelling at the frontier of artificial intelligence and emerging tech.