EU investigating Atos over buying EES software through Russian office

European prosecutors are investigating French IT company Atos for using its Russian office to purchase software for the upcoming EU’s Entry-Exit System (EES), a traveler registration scheme that will gather biometric and other data from non-EU visitors entering the bloc.

The discovery of the involvement of Russia-based staff is raising alarms over the security of the EES system which is expected to collect massive amounts of sensitive data. Atos’s Moscow office operated under a license issued by Russia’s Federal Security Service (FSB) which also grants the security agency access to the company’s work in the country.

The investigation into Atos Russia was launched by the European Public Prosecutor’s Office (EPPO), an agency combating financial crimes against the EU. No charges have been brought so far, according to sources cited by The Financial Times.

Atos Belgium won a contract to help build the core of the biometric border system together with its consortium partners IBM Belgium and Leonardo in 2019. The system is designed to record third-country nationals entering the Schengen area by requiring them to submit biographic information, fingerprints and facial images.

The software purchases were conducted in 2021 before Russia invaded Ukraine and Atos divested from its Russian office.

According to leaked documents, the Moscow office procured software allowing airlines to verify traveler information such as visa status, including cryptographic certificates from U.S. company AppViewX and middleware from Swiss company Magnolia. Although the deal was managed through the Russian office, the two software suppliers signed contracts with Atos France and Atos Belgium.

One of the questions left lingering is whether Moscow-based employees had the proper security clearance to make purchases for the EES.

The European agency in charge of building the border system EU-Lisa says that the Moscow-based Atos employee who purchased AppViewX software, Yulia Plavunova, did not have access to EES “IT systems, sensitive information or premises.”

EU-Lisa also says it has not identified any security breaches nor does it have contractual relations with Atos Russia. Software from AppViewX was never used while Magnolia’s product was used until 2022, it added. Meanwhile, the European Commission has promised that EU-Lisa would perform a security audit before EES goes live.

The EPPO investigation is not the first time that Atos Russia has been probed. Last year, the EU’s anti-corruption agency OLAF made its own inquiries, concluding that EU-Lisa’s internal security measures were not sufficient. The agency, however, did not find enough evidence to open an anti-fraud investigation, per FT.

Currently, there is no set date for the launch of the EES as the system is expected to be gradually introduced throughout 2025. The border scheme has already experienced several delays. Media reports have placed a major part of the blame for the delays on Atos and its consortium partners which have reportedly been missing deadlines since 2020.

Article Topics

Atos  |  biometrics  |  border security  |  Entry/Exit System (EES)  |  EU  |  Russia