In May 2021, a Serbian cryptocurrency company hired a developer calling himself "Bryan Cho". The name was a stolen identity; the person behind it was Jong Pong Ju, a North Korean state operative. He passed the company's hiring checks because those checks confirmed that the name was clean, not that the person presenting it was who he claimed to be. Once inside with trusted developer access, he and his co-conspirators stole $915,000 in cryptocurrency directly from the company's holdings and laundered it through mixers and shell accounts. The fraud was not uncovered by the company but by a US federal grand jury indictment four years later, in June 2025. A background check that verified the authenticity of the identity document and confirmed biometrically that the applicant matched it would in all likelihood have stopped the application before any access was granted. The Serbian case is one data point in a pattern that CrowdStrike now tracks across the UK, Poland, Romania and other European countries, with infiltrations of this kind growing 220% in the past twelve months alone.
The cost of the check that was not done: a fraction of a percent of $915,000.
The scale of third-party IT dependency
European organisations have never been more reliant on external IT talent. Eurostat's surveys of ICT usage in enterprises consistently show that the majority of medium and large enterprises outsource at least a portion of their IT function, whether through managed service providers, nearshore development teams, IT staffing agencies, or independent contractors. In the Czech Republic and Poland, two of the fastest-growing technology markets in the CEE region, and in neighbouring Germany, IT outsourcing accounts for a significant share of total IT spending.
This dependency creates a structural risk that most organisations systematically underestimate. A contractor does not appear in the company's HR information system (HRIS). They are often onboarded through procurement rather than HR. Their access credentials are frequently provisioned at short notice. Their right to work and their identity are verified, if at all, by the agency or intermediary that placed them - not by the organisation whose network they are entering.
IBM's Cost of a Data Breach Report 2023 found that breaches involving third parties cost an average of 11.8% more than those originating internally, and took longer to identify and contain. The Ponemon Institute has separately reported that 51% of organisations have experienced a data breach caused by a third party. In Europe, where GDPR fines for insufficiently secured personal data can reach 4% of global annual turnover (or EUR 20 million, whichever is higher), the financial exposure is amplified considerably.
Who are these contractors, exactly?
The IT contractor population is diverse, and so is the risk profile. At the lower end of the risk spectrum sits the web developer brought in for a three-month project, who is given access to a staging environment and a Slack workspace. At the higher end sits the infrastructure engineer who has been granted administrator-level access to production servers, cloud environments, or financial systems - and who may be working simultaneously for several other clients.
Between these poles lies a large population of IT professionals whose access is significant and whose vetting is minimal. Database administrators, DevOps engineers, network technicians, support desk staff, and software developers working under staff augmentation contracts frequently hold access to systems that would, if compromised, constitute a serious regulatory and reputational event.
The 2023 breach at a major German logistics company, attributed to a contractor account that had not been deprovisioned following the end of an engagement, illustrates the operational reality. Access had been granted. The work had concluded. The account remained active. The attacker who eventually discovered and exploited it did not need to be sophisticated - they simply needed to find an open door.
What NIS2 and the Czech cybersecurity act require
The NIS2 Directive, whose transposition deadline for EU member states was 17 October 2024, places explicit supply chain security obligations on essential and important entities. Article 21(2)(d) requires them to address the security of their supply chains, including the security-related aspects of their relationships with direct suppliers and service providers, and Article 21(2)(i) separately requires human resources security and access control policies. The obligation is therefore not limited to software and hardware - it extends to the people who make up those supply chains and the access they are given.
In the Czech Republic specifically, the Zákon o kybernetické bezpečnosti - the national cybersecurity act implementing NIS2 - imposes personnel security requirements on regulated entities, including an obligation to assess the trustworthiness of individuals with access to critical systems. This is a meaningful legal development: it turns background screening from a discretionary HR practice into a regulated security obligation.
For organisations that rely on external IT contractors, compliance with these requirements demands a structured approach to pre-engagement vetting that mirrors, at minimum, the standard applied to permanent employees in equivalent roles.
What does effective contractor screening look like?
Effective screening for IT contractors should be proportional to access level. An individual with read-only access to a test environment is not the same risk as someone with write access to a production database or administrator access to a cloud environment. The screening regime should reflect this.
At a minimum, contractors being granted access to sensitive systems should be subject to identity verification, criminal record checks covering their country of residence and, where relevant, prior countries of residence, and verification of the employment history they have presented. Reference checks from prior engagements should be obtained. Where contractors are nationals of, or have lived in, countries that present particular geopolitical risk, enhanced due diligence is warranted.
In practice, most European organisations do none of this for contractors. They rely on the placing agency to have conducted some level of check, without verifying what standard was applied, whether checks were recent, or whether the individual being placed is actually the individual who was screened. This is a significant gap.
The challenge of multi-tier supply chains
A further complication is the prevalence of subcontracting within IT service delivery. A managed service provider contracted by your organisation may itself subcontract specialist work to a boutique firm, which may in turn use freelancers sourced from platform marketplaces. By the time an individual arrives at your systems, they may be three or four degrees removed from any entity that has a direct contractual relationship with you.
European organisations operating in regulated sectors - financial services, energy, healthcare, telecommunications - should be establishing contractual requirements that flow down through supply chains. These should specify minimum screening standards, require evidence of compliance, and reserve the right to audit or request screening documentation for any individual granted access to systems or data.
The practical steps organisations can take now
The starting point is an audit of who currently has access to your systems and on what basis. Many organisations discover, when they conduct this exercise, that they have active access credentials belonging to contractors who left months or years previously, or that access rights were never scoped appropriately to the work being performed.
From there, the implementation of a structured pre-engagement screening process for all contractors being granted system access is a proportionate and defensible response to both the threat environment and the regulatory requirements. This does not need to be burdensome. Modern background screening platforms can deliver results for European contractors within 24 to 72 hours in most cases, covering the checks that matter.
Finally, organisations should establish a clear deprovisioning process, triggered automatically at the end of any contractor engagement, that removes or suspends access credentials. The number of major incidents that can be traced to dormant accounts is striking, and the remedy is straightforward.
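The access audit and the deprovisioning trigger described in the three paragraphs above are mechanical once the two inputs exist: an export of accounts from the identity provider and a register of contractor engagements with their sponsors, end dates and approved entitlements. The following script is an added example written for this article, not a tool from the original text or from any vendor it mentions. It joins the two datasets and flags enabled accounts with no engagement on file, accounts that have outlived their contract, dormant accounts, and accounts holding entitlements nobody approved. All usernames, roles and dates are constructed for illustration, and the 90-day dormancy threshold is an assumed policy value.

```python
"""Contractor access review.

Added example for this article, not a tool from the original text: it joins an
IAM account export against the contractor engagement register and flags access
that should be suspended or re-scoped. All account and engagement data below is
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    last_login: Optional[date]     # None means the account has never been used
    entitlements: frozenset        # roles/groups actually granted in IAM


@dataclass(frozen=True)
class Engagement:
    username: str
    sponsor: str                   # internal owner accountable for this contractor
    start: date
    end: date                      # contractual end date; access must not outlive it
    approved: frozenset            # entitlements approved for the engagement


# Assumed policy: accounts unused for this long are dormant even inside a live contract.
DORMANT_AFTER = timedelta(days=90)


def review_contractor_access(accounts, engagements, today, dormant_after=DORMANT_AFTER):
    """Return (username, issue, detail) findings for every enabled contractor account.

    Issues: NO_ENGAGEMENT_RECORD, ENGAGEMENT_ENDED, DORMANT, EXCESS_ENTITLEMENTS.
    """
    by_user = {e.username: e for e in engagements}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue                                # already suspended; nothing to review
        eng = by_user.get(acct.username)
        if eng is None:
            findings.append((acct.username, "NO_ENGAGEMENT_RECORD",
                             "enabled account with no contract on file"))
            continue                                # no approved scope to compare against
        if today > eng.end:
            findings.append((acct.username, "ENGAGEMENT_ENDED",
                             f"contract ended {eng.end.isoformat()}, account still enabled"))
        if acct.last_login is None or today - acct.last_login > dormant_after:
            findings.append((acct.username, "DORMANT",
                             f"last login {acct.last_login}, sponsor {eng.sponsor}"))
        excess = acct.entitlements - eng.approved   # granted in IAM but never approved
        if excess:
            findings.append((acct.username, "EXCESS_ENTITLEMENTS",
                             "granted but never approved: " + ", ".join(sorted(excess))))
    return findings


def deprovision_list(findings):
    """Usernames to suspend immediately: the contract has ended or was never recorded.

    DORMANT and EXCESS_ENTITLEMENTS findings go back to the sponsor for a decision
    rather than being acted on automatically.
    """
    urgent = {"ENGAGEMENT_ENDED", "NO_ENGAGEMENT_RECORD"}
    return sorted({user for user, issue, _ in findings if issue in urgent})


# --- constructed sample data (hypothetical usernames, roles and dates) ---
TODAY = date(2025, 6, 30)

ACCOUNTS = [
    Account("ctr-mnovak", True, date(2025, 6, 28), frozenset({"staging-deploy", "slack"})),
    Account("ctr-jkowalski", True, date(2024, 11, 2), frozenset({"prod-db-admin", "vpn"})),
    Account("ctr-agency-temp7", True, date(2025, 6, 29), frozenset({"cloud-admin"})),
    Account("ctr-lhorvath", True, date(2025, 1, 15), frozenset({"vpn", "support-tier1"})),
    Account("ctr-rdiaz", False, date(2024, 3, 1), frozenset({"vpn"})),
]

ENGAGEMENTS = [
    Engagement("ctr-mnovak", "head-of-web", date(2025, 4, 1), date(2025, 9, 30),
               frozenset({"staging-deploy", "slack"})),
    Engagement("ctr-jkowalski", "dba-lead", date(2024, 6, 1), date(2024, 12, 31),
               frozenset({"prod-db-readonly", "vpn"})),
    Engagement("ctr-lhorvath", "servicedesk-mgr", date(2025, 1, 1), date(2025, 12, 31),
               frozenset({"vpn", "support-tier1"})),
    Engagement("ctr-rdiaz", "netops-lead", date(2023, 9, 1), date(2024, 2, 29),
               frozenset({"vpn"})),
]

FINDINGS = review_contractor_access(ACCOUNTS, ENGAGEMENTS, TODAY)
TO_SUSPEND = deprovision_list(FINDINGS)

if __name__ == "__main__":
    for user, issue, detail in FINDINGS:
        print(f"{user:18} {issue:22} {detail}")
    print("suspend now:", ", ".join(TO_SUSPEND))
```

Run as a scheduled job against a real identity-provider export, the same logic becomes the automatic trigger the paragraph above calls for: ENGAGEMENT_ENDED and NO_ENGAGEMENT_RECORD feed straight into suspension, while DORMANT and EXCESS_ENTITLEMENTS are routed to the named sponsor, because an unused or over-scoped account inside a live contract is a decision for the business owner, not for a script. The key design point is that the engagement register, not the IAM system, is the source of truth for whether access should exist at all; an account with no record behind it is treated as unauthorised by default.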
The contractor in your network may be entirely trustworthy. But without a structured process for establishing that trust, you are extending access on the basis of assumption alone. In 2025, that is no longer a defensible position - legally, operationally, or commercially.