The Schengen Information System II (SIS II) had thousands of cybersecurity flaws that the European Data Protection Supervisor judged to be of “high” severity in a 2024 report, the Bloomberg news agency reported on Wednesday 2 July.
The report also revealed that an “excessive number” of accounts had administrator-level access to the database, creating “an avoidable weakness that could be exploited by internal attackers” or a risk of system saturation or unauthorised access by hackers.
Sopra Steria, the system’s subcontractor, took between eight months and more than five years to correct the problems, and the European agency overseeing the project, EU-Lisa, has been criticised for failing to inform its management board of security vulnerabilities and for relying too heavily on consultancy firms, the report adds.
SIS II, which was first implemented in 2013, enables Member States to issue and consult real-time security alerts when marked individuals, including terrorist suspects and people with arrest warrants, attempt to cross an EU border. SIS II will eventually be integrated into the EU’s Entry/Exit System to automate the registration of third-country nationals crossing the EU’s external borders. This system has also been delayed and is expected to gradually come into force in October. (Original version in French by Solenn Paulic)