The Schengen Information System II (SIS II) is meant to be a digital sentinel for Europe’s borders. It flags suspects, alerts officials, and logs biometric data in real time. But behind the promise lies a system riddled with security flaws.
Bloomberg reviewed confidential documents showing thousands of unpatched vulnerabilities. Some date back years. In a 2024 audit, the European Data Protection Supervisor rated many as “high risk.” Most troubling of all are excessive admin access and inadequate oversight.
No breach has been confirmed. But the doors appear wide open.
Digital Eyes on Europe’s Borders
SIS II is the EU’s largest security database. In operation since 2013, it’s designed to help member states share alerts on stolen vehicles, forged documents, and individuals wanted or barred from the EU. It holds an estimated 93 million records. About 1.7 million relate to people. Nearly 200,000 are tagged as potential threats to national security.
The system operates on a closed network. But it won’t for long. It’s being integrated into the EU Entry/Exit System (EES), which will log arrivals and departures from the Schengen area. EES is internet-connected. That link could create a new attack path.
“The integration increases the exposure of highly sensitive data,” the report warns.
Alerts in SIS II can include mugshots and fingerprints. Since March 2023, they’ve also included deportation orders, so-called “return decisions.” People caught in the database usually don’t know it until they’re stopped at a border. A leak could help them slip away before they are.
Long Waits for Critical Patches
EU-Lisa, the agency managing Europe’s big IT systems, flagged the flaws. Sopra Steria, the French contractor responsible for developing and maintaining SIS II, was notified. But in many cases, fixes took months. Some, years.
That’s despite a clause in the contract: critical or high-risk bugs must be patched within two months after a fix is available. The lag, according to internal emails, partly stems from disputes over costs. In one case, Sopra Steria requested an additional €19,000 for a fix. EU-Lisa pushed back, arguing that its monthly payments (ranging from €519,000 to €619,000) already cover corrective maintenance.
A company spokesperson told Bloomberg that SIS II falls under strict legal and contractual rules. “Sopra Steria’s role,” they said, “is aligned with these frameworks.”
Access Without Clearance
The security lapses don’t end with code. The EDPS audit also found that 69 individuals, not directly employed by the EU, had access to SIS II. None had proper clearance. The report blamed both Sopra Steria and EU-Lisa.
The agency, critics say, has stretched itself thin. It leans heavily on outside consultants instead of building internal technical depth. The result is a system run by rotating teams with limited institutional memory. According to Bloomberg, some insiders say EU-Lisa lacks the staffing to meet its expanding mandate.
The report calls on the agency to draft a clear plan for fixing its organizational and technical gaps. So far, no such plan has been made public.
Trouble With the Entry/Exit System
The Entry/Exit System itself has run into delays. Originally set to launch in 2022, it has stumbled over repeated technical issues. Atos, another French IT firm, is responsible for EES’s development. Member states now aim to go live in October.
When it does launch, EES will automate the registration of hundreds of millions of travelers. Combined with SIS II, it will form the backbone of Europe’s future border management infrastructure.
But with the current state of SIS II, the foundation looks shaky. And in cybersecurity, shaky is dangerous.
Nicolette Carklin, technical specialist at SecureFlag, says: “The recent audit, revealing thousands of ‘high’ severity vulnerabilities in the Schengen Information System II, goes to show that business-critical software can suffer from basic engineering oversights. These findings point to shortcomings that include insecure coding practices and inadequate access controls.”
First, she says thousands of flaws labeled ‘high’ severity suggest gaps in secure development processes. “Tools like static analysis and automated testing are important, but they’re only effective when development teams understand what to look for. Without proper training in secure coding principles, such as input validation, access control, and error handling, issues can still get through even with tooling in place.”
Next, the ‘excessive number’ of administrator-level accounts introduces an unacceptable insider threat risk, she Carklin continues. “Teams should enforce least privilege principles, role‑based access controls, and use just‑in‑time privileges for maintenance tasks. Together with continuous monitoring of account activity, these measures drastically reduce the attack surface.”
She concludes that this audit shows why security must be embedded into every stage of the software development lifecycle. “There should be threat modeling during the design phase, secure coding practices during implementation, code reviews and automated testing in development, and careful configuration and access control in deployment.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.