This post is also available in:
עברית (Hebrew)
A key European security database used to monitor border crossings and identify persons of interest has been found to contain serious technical and cybersecurity weaknesses, according to a confidential audit report obtained by Bloomberg and Lighthouse Reports.
The Schengen Information System II (SIS II), which enables information sharing among European law enforcement and border agencies, stores extensive biometric and identity data — including fingerprints, facial images, and alerts on individuals who may be linked to criminal activity or unauthorized entry.
However, an assessment by the European Data Protection Supervisor (EDPS) details widespread vulnerabilities within the platform. The report points to thousands of unresolved security issues, many labeled as high-risk or critical. These include weaknesses that could allow denial-of-service attacks or unauthorized access to sensitive data.
Another point of concern is the system’s user access structure. The audit found that a disproportionately large number of users had elevated administrative privileges, increasing the risk of insider threats and accidental misconfigurations.
While SIS II currently operates on an airgapped network — which reduces exposure to external attacks — this safeguard may be temporary. Plans are underway to link the system to the EU’s forthcoming Entry/Exit System (EES), a digital platform that will track biometric data from all non-EU travelers entering the Schengen zone. Unlike SIS II, the EES will be connected to the internet, potentially expanding the attack surface for cyber threats.
Despite being notified of the flaws, the system’s technical contractor reportedly took several months to several years to apply the necessary fixes, far exceeding its original timelines for resolving critical issues.
EU-Lisa, the European agency responsible for managing large-scale IT infrastructure in the EU, did not directly address the audit findings but stated that all systems under its oversight are subject to ongoing risk assessments, vulnerability scans, and security testing.
The findings highlight the growing challenges of securing large-scale, data-rich platforms in an era of increasingly interconnected border systems. As the EU prepares to expand its reliance on biometric and digital surveillance tools, experts warn that robust cybersecurity measures must be prioritized from the outset—particularly as once-isolated systems move online and become more vulnerable to sophisticated threats.
