Since the Schengen Information System has been run by an EU agency, it has failed completely on at least 34 occasions. The latest incidents are only now being made public.
The Schengen Information System (SIS II), launched in 1995, is the largest European information system. As a police database, it forms the digital backbone of the Schengen Agreement, with which the European Union strengthens the surveillance of its external borders against unwanted migration and cross-border crime. It is queried by the participating authorities of the Schengen states during every police check, but also when applying for documents.
Since 2013, the Agency for the Operational Management of Large-Scale IT Systems (eu-LISA), which was founded a year earlier, has been managing the SIS II central system. It has now become known that the database, which is physically located in Strasbourg, has been completely offline several times since then. This is what the EU Commission writes in the not yet officially available answer to a written question by MEP Cornelia Ernst. According to the answer, this led to a “degradation and partial unavailability of some of the functionalities of the system”.
Hardware allegedly responsible for disruptions
The answer came from Matthias Oel, who is responsible for “Schengen and internal security” at the Commission. The last incident is said to have occurred in partially overlapping time periods of up to 32 hours between 30 June and 5 July.
However, the Commission does not specify the failures. The first incident this summer is said to have occurred after the introduction of a new version of SIS II. The Commission leaves the cause of the second incident open. Elsewhere, the answer states that a hardware component was responsible.
Information on the period of “unavailability” is also left open in the answer. According to Oel, however, there were only “a few moments” when the central system failed completely. The disruptions were completely remedied and the affected services were restored “within the minimum required time”. The duration of this “minimum time” is not specified.
The secure network also fails several times
Since 2013, there have been a total of 19 cases of “unavailability” of up to two hours and 13 minutes, the Commission writes. On average, the outages lasted about seven minutes. Nevertheless, the overall system is reliable; according to Oel, the availability of the central system has been over 99.95 % in the last seven years.
The Commission attributes a further 14 failures with an average “unavailability” of more than one hour to the secure network through which all storage and queries in the SIS II take place. Since 2013, European authorities have been interconnected via the private TESTA communication infrastructure.
Most Schengen states create national copies of the SIS II system in order not to have to access the central system for every query. Thus, the authorities there are also responsible for compliance with all data protection and cyber security aspects. How many security incidents occur in these countries is not known.
No more successful hacker attacks after 2021
In his response, Oel points out that the central system was “not impacted by any external influence”. The agency had always maintained control of the SIS II during the known disruptions and had carried out maintenance work to eliminate the causes of the incidents.
This makes the failures different from the only known hacking attack on the database in 2012, when 1.2 million records were downloaded from the Danish national SIS system. This system was run at that time by an external contractor. It was not until March 2013 that the authorities of other Schengen states were informed about the incident.
A month later, eu-LISA took over responsibility for the SIS, which subsequently received an update to its second generation. Since then, the agency has registered no further “cyber security incidents having impact on data integrity or confidentiality”.
Tens of thousands of new authorities gain access
Currently, almost 90 million objects and one million persons are listed in the SIS II for alerts or refusal of entry. Up to now, it was mainly border, police, customs or immigration authorities as well as secret services that had access. Recently, the EU has significantly enlarged this circle.
In Germany alone, about 2,000 additional federal, state and local authorities will be connected to the system in the “SIS 3.0” project, including, for example, registration offices for watercraft or shipping offices at federal and state level, the Federal Aviation Authority with its offices as well as the German embassies. At the end of the multi-year process, private registration offices for recreational sports will also be connected to the SIS network.
Image: Queries of the SIS II in participating member states in 2021 (eu-LISA).