ctipilot.ch


Public-sector administration and digital identity (FR, EU, FI, CH)

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

Public-sector administration concentration is unusually heavy in 2026-W19.

France ANTS (Agence Nationale des Titres Sécurisés, the French government's central identity registry for biometric passports, national identity cards and driving licences) confirmed a data-records exposure that Help Net Security reports as "between 12 and 18 million" data records. A 15-year-old suspect was detained on 2026-04-25; charges include unauthorised access, data theft, disruption of a state system, and possession of hacking tools (Help Net Security, 2026-05-04 · daily 2026-05-06 · daily 2026-05-07 UPDATE).

Ivanti EPMM: the named EU victims previously associated with the platform come from Help Net Security's reporting on the January 2026 wave: European Commission (DG DIGIT), Dutch DPA, and Netherlands Council for the Judiciary (Help Net Security explicitly attributes those three to the January 2026 CVE-2026-1281/1340 wave, not the May 2026 chain). The daily 2026-05-09 also referenced Finnish Valtori, per an NCSC-FI advisory that is not in the Help Net Security article. Each named entity ran EPMM in an MDM capacity, meaning compromised admin APIs had device-management access to enrolled endpoints of employees with elevated privileges. Whether the May 2026 wave caught additional named victims is not yet publicly disclosed as of week-end (Help Net Security, 2026-02-09 · daily 2026-05-09 UPDATE).

Europol shadow IT: a joint Correctiv / Solomon / Computer Weekly investigation disclosed that Europol operated the CFN (since 2012) and "Pressure Cooker" data-processing platforms, holding ≥ 2 PB, outside standard EU data-protection oversight for over a decade. A 2019 internal assessment identified multiple categorised security deficiencies, including absent audit logs; per Correctiv, 15 of 150 recommendations remained unimplemented at EDPS monitoring closure in February 2026 (Correctiv, 2026-05-05 · Computer Weekly · daily 2026-05-07).

Polish water OT intrusions at five small municipal facilities (covered in § 7) round out the public-sector concentration. The cross-cutting theme is that EU public-sector identity, governance, and small-municipal infrastructure are simultaneously under direct attack, governance review, and structural-coverage-gap pressure, and that the institutional response cycle inside EU public-sector entities is now playing out in real time across all three.