Published Date : 7/8/2025
An audit by the European Data Protection Supervisor (EDPS) uncovered thousands of high-severity cybersecurity vulnerabilities in the second-generation Schengen Information System (SIS II), a critical tool for EU border control. The findings have sparked alarm, especially as the system is integral to the EU’s biometric Entry/Exit System (EES), set to launch in October. The SIS II, developed by Sopra Steria, is designed to store and share data on illegal immigrants and suspects, but the audit highlights significant risks to its security.

Sopra Steria, a major player in the biometrics and border management sector, is responsible for maintaining the SIS II. However, the audit and internal communications seen by Bloomberg and Lighthouse Reports reveal a troubling timeline for addressing the vulnerabilities. According to the report, the company took between eight months and five and a half years to resolve issues identified by eu-LISA, the EU agency overseeing the system. One Sopra Steria employee reportedly suggested that an additional 19,000 euros (around $22,200) was needed to patch some flaws, despite eu-LISA stating that monthly maintenance fees should have covered these costs.

The audit also exposed a critical flaw: an excessive number of administrator-level accounts had access to the database, increasing the risk of insider threats. Notably, 69 individuals not directly employed by the EU and lacking proper security clearance were found to have access to SIS II. While no data breaches have been confirmed, the vulnerabilities underscore the system’s fragility. Sopra Steria defended its actions, stating that it operated within legal and contractual frameworks, but the findings have raised questions about its accountability.

The SIS II stores 93 million records, including biometric data like fingerprints and photos of suspects. Approximately 1.7 million records contain personally identifiable information, with nearly 200,000 individuals flagged as potential national security threats. The system’s role in the EES, which aims to streamline border checks using biometrics, has drawn particular scrutiny. The EES, part of the EU’s broader digitalization efforts, has faced delays, with some blaming Atos and its partners for setbacks in the project’s development.

The EDPS audit also criticized eu-LISA for failing to inform its management board about security gaps. Sources told Bloomberg that the agency’s reliance on external consulting firms may have contributed to the system’s vulnerabilities. Leonardo Quattrucci, a senior fellow at the Center for Future Generations, emphasized the need for the EU to treat procurement as a strategic priority rather than a compliance-driven process. This perspective aligns with growing concerns about the lack of oversight in critical infrastructure projects.

Sopra Steria and Idemia were awarded the contract for the shared biometric matching system (sBMS) supporting the EES in 2020. However, the project has languished under delays, with Atos and its consortium partners IBM and Leonardo facing blame for technical and logistical issues. The EES’s delayed rollout has compounded frustrations, as the system’s success hinges on robust cybersecurity measures and timely implementation.
Q: What are the main vulnerabilities in the EU's border biometric system?
A: The system, SIS II, has thousands of high-severity cybersecurity flaws, including excessive administrator access and insufficient safeguards against insider threats.
Q: How long did Sopra Steria take to address the identified issues?
A: The company took between eight months and five and a half years to fix vulnerabilities, according to audit findings and internal communications.
Q: What data is stored in the Schengen Information System?
A: The system holds 93 million records, including biometric data like fingerprints, photos of suspects, and information on 1.7 million personally identifiable individuals.
Q: Who is responsible for the security gaps in SIS II?
A: Both Sopra Steria and eu-LISA face criticism. The EDPS audit highlighted eu-LISA’s failure to inform its board about vulnerabilities, while Sopra Steria’s delayed fixes have drawn scrutiny.
Q: What are the implications of these flaws for the EU's Entry/Exit System?
A: The vulnerabilities could compromise the security of biometric data, delay the EES’s launch, and raise concerns about the EU’s ability to manage critical infrastructure effectively.