Published Date: 7/8/2025
An audit by the European Data Protection Supervisor (EDPS) last year uncovered thousands of high-severity cybersecurity flaws in the Schengen Information System (SIS II), a critical tool for EU border control. These vulnerabilities have sparked alarm, especially as the second-generation system is a cornerstone of the EU’s biometric Entry/Exit System (EES), scheduled to launch in October. The SIS II database, managed by Sopra Steria, stores sensitive data on illegal immigrants, suspects, and criminal records, making it a prime target for cyber threats.

Sopra Steria, the developer of SIS II, has faced scrutiny for its handling of these security gaps. According to leaked emails and an audit report obtained by Bloomberg and Lighthouse Reports, the company took between eight months and five and a half years to address some issues after being notified by eu-LISA, the EU agency overseeing border systems. One Sopra Steria employee reportedly suggested that an additional 19,000 euros (about $22,200) was needed to fix certain vulnerabilities, despite eu-LISA stating that maintenance fees should have covered the costs. The company defended its actions, claiming it adhered to legal and contractual obligations.

The audit also revealed alarming flaws in access controls. Administrator-level permissions were granted to an excessive number of accounts, increasing the risk of insider threats. Notably, 69 individuals not directly employed by the EU, and lacking proper security clearance, were found to have access to SIS II. While no data breaches have been confirmed, the vulnerabilities underscore the system’s fragility. The database contains 93 million records, including 1.7 million personally identifiable details, such as photos, fingerprints, and biometric data from crime scenes. Nearly 200,000 entries flag individuals as potential national security threats, amplifying the stakes of any security lapse.

The EDPS report criticized eu-LISA for failing to disclose security gaps to its management board, citing the agency’s reliance on external consulting firms as a contributing factor. Experts like Leonardo Quattrucci of the Center for Future Generations argue that the EU must treat cybersecurity procurement as a strategic priority rather than a bureaucratic task. Sopra Steria and Idemia, which jointly won the contract for the shared biometric matching system (sBMS) backing the EES in 2020, have faced repeated delays. Projects like the EES, initially led by Atos and partners IBM and Leonardo, have been plagued by setbacks, with blame often directed at contractors.

The vulnerabilities come as the EU prepares to roll out the EES, a biometric system designed to track travelers entering and exiting the Schengen Area. Critics warn that the system’s reliance on outdated infrastructure and slow patching processes could compromise its effectiveness. With the EES set to handle sensitive data on millions of individuals, the audit highlights the urgent need for transparency and accountability in EU border security. Sopra Steria’s role in maintaining SIS II remains under intense scrutiny, as the agency grapples with balancing technological innovation with robust cybersecurity measures.

The situation has sparked broader debates about the EU’s approach to digital infrastructure. While the EES aims to streamline border management, its success hinges on addressing systemic weaknesses. The audit serves as a wake-up call for policymakers to prioritize security over speed, ensuring that the EU’s biometric systems are both efficient and resilient against cyber threats.

Q: What is the Schengen Information System (SIS II)?
A: SIS II is a critical database used by EU border authorities to share information on illegal immigrants, suspects, and criminals. It plays a central role in the EU’s biometric Entry/Exit System (EES), which tracks travelers entering and exiting the Schengen Area.
Q: Why is Sopra Steria under fire?
A: Sopra Steria, the developer of SIS II, faces criticism for delayed responses to cybersecurity vulnerabilities. An audit revealed thousands of high-severity flaws, including excessive administrator access and insufficient patching, raising concerns about the system’s security.
Q: What are the cybersecurity vulnerabilities in SIS II?
A: The system has flaws such as excessive administrator-level access, granting permissions to non-EU employees without proper clearance, and delayed fixes for critical issues. These gaps could expose sensitive data, including biometric records and personal identifiers.
Q: How does the Entry/Exit System (EES) work?
A: The EES is a biometric system designed to track travelers entering and exiting the Schengen Area. It relies on SIS II and the shared biometric matching system (sBMS) to collect and share data, including fingerprints and facial recognition, to enhance border security.
Q: What are the implications of the audit findings?
A: The audit highlights systemic risks in EU border security, including delayed responses to threats and overreliance on external contractors. It underscores the need for stricter oversight, faster patching, and a strategic approach to cybersecurity in critical infrastructure.