Russian-Linked Password Manager Passwork Puts European Critical Infrastructure at Risk

The enterprise password tool marketed as European has Russian origins — and cybersecurity experts warn that handing over your digital keys to such a vendor is a serious mistake.

Russian-Linked Password Manager Passwork Puts European Critical Infrastructure at Risk

When Your Password Manager Has a Hidden Passport

A password manager that appears European on the surface has been found to have Russian origins — and multiple European companies operating critical infrastructure have been using it. The tool, called Passwork, presents itself with European branding and positioning, but cybersecurity researchers and journalists have traced the software back to Russia. The Russian password manager risk this creates for enterprises across Europe is significant, touching on everything from data sovereignty and supply chain integrity to regulatory compliance under GDPR and NIS2.

Password managers occupy one of the most sensitive positions in any organisation's digital infrastructure. They hold the credentials to virtually every system, database, server, and cloud platform an organisation operates. Trusting that function to software with opaque or misleading origins is, according to security professionals, an invitation to catastrophe — particularly in the current geopolitical climate, where state-sponsored cyber operations have become a persistent and well-documented threat.

Cybersecurity professional reviewing password and access control systems
Enterprise password managers sit at the heart of digital access control — making vendor origin a matter of strategic security.

What Is Passwork and Why Does Its Origin Matter?

Passwork markets itself as an enterprise-grade password manager designed for teams, with features including role-based access control, audit logs, and on-premise deployment options. On the surface, these are exactly the kinds of features that would appeal to security-conscious IT departments in European enterprises. The software is polished, professionally presented, and not obviously linked to any specific national context at first glance.

However, investigative reporting by Dutch outlet Nu.nl has revealed that Passwork's actual origins lie in Russia. The company behind the software is Russian, and the product has been used by a number of European businesses — including those in sectors classified as critical infrastructure. The concern is not merely academic. Organisations operating critical infrastructure — think energy grids, water systems, financial networks, or healthcare systems — are precisely the targets most valuable to state-sponsored threat actors.

The origin of software matters for several deeply practical reasons. Source code may contain intentional backdoors or data exfiltration capabilities. Legal obligations in Russia — including laws requiring technology companies to cooperate with Russian intelligence services such as the FSB — mean that even a well-intentioned Russian vendor could be compelled to provide access or information under national law. This is not a hypothetical concern; similar legal frameworks have been extensively documented and analysed by organisations including the European Union Agency for Cybersecurity (ENISA).

"It is unwise to give such a party the digital keys to your house. A password manager by definition has access to everything — and if the vendor's loyalties or legal obligations are unclear, your entire infrastructure is potentially exposed."

— Senior cybersecurity consultant, European critical infrastructure sector

The Hidden Danger of Software Supply Chain Risk in European Enterprises

The Passwork case is not an isolated incident — it is a symptom of a broader and growing problem in enterprise software procurement: the software supply chain. When organisations purchase or deploy third-party software, they inherit all of that software's dependencies, its developers' legal obligations, and the geopolitical context in which that software was created. This is the core of what security professionals call "supply chain risk."

High-profile supply chain attacks — from the SolarWinds compromise, which affected thousands of organisations including US government agencies, to the more recent exposure of vulnerabilities in widely-used open-source libraries — have demonstrated how devastating it can be when trusted software is turned against its users. A password manager is arguably an even more critical attack vector than a network monitoring tool, because the damage from credential exposure is immediate and total.

According to research from Gartner, the majority of enterprises do not conduct thorough geopolitical or legal due diligence on the software vendors they deploy in sensitive roles. Procurement decisions are frequently driven by feature sets and price rather than vendor jurisdiction, corporate structure transparency, or compliance with European data sovereignty standards.

62%of enterprises experienced a software supply chain attack in recent years (Gartner)
NIS2EU directive now mandates supply chain security for critical infrastructure operators
CriticalPassword managers rated highest-risk third-party tool category by security auditors

The European Union has been moving to address these gaps. The NIS2 Directive, which extends cybersecurity obligations across a broader range of sectors and supply chain partners, explicitly requires organisations to assess the security practices of their vendors. For organisations that were or are using Passwork in critical roles, this creates not just a security risk but a potential compliance exposure under European law.

Why Russian-Origin Software Carries Elevated Risk Right Now

The geopolitical backdrop to this story cannot be ignored. Since Russia's full-scale invasion of Ukraine, European governments, cybersecurity agencies, and intelligence services have consistently warned about elevated risks from Russian-linked software and digital services. Germany's BSI (Federal Office for Information Security) issued a notable advisory recommending that organisations consider replacing Kaspersky antivirus software — a product developed by a Russian company — citing concerns about potential access by Russian authorities.

That same logic applies, arguably with even greater force, to a password manager. Kaspersky handles threat detection; a password manager handles every credential in your organisation. The asymmetry of risk is stark. As Wired has extensively reported, Russian state-sponsored cyber operations have become increasingly aggressive and wide-ranging since the outbreak of the conflict, with spillover effects documented across European and global targets.

Russian law — particularly Federal Law No. 374-FZ (the Yarovaya Law) and related legislation — requires Russian technology companies to store communications data and, in some interpretations, to provide access to Russian intelligence services upon request. This creates a structural vulnerability that exists regardless of whether any individual Russian software vendor has malicious intent. The legal framework itself makes trust difficult to establish on an objective basis.

Digital security concept showing network vulnerabilities and access control risks
Geopolitical risk has become inseparable from enterprise software risk — particularly for tools handling credential and access management.

Practical Steps: Vetting Password Managers for Digital Sovereignty

For IT decision makers, security professionals, and policy teams currently evaluating or reviewing their password management stack, the Passwork case offers a clear set of lessons. Vendor origin and corporate structure transparency must now be treated as first-order selection criteria — not afterthoughts — when deploying tools that occupy privileged positions in your infrastructure.

Evaluation CriteriaWhy It MattersEuropean-Friendly Standard
Vendor jurisdictionDetermines legal obligations and government access risksEU/EEA or trusted allied jurisdiction
Source code auditabilityOpen source allows independent security reviewPrefer open-source with public audit history
Data residencyDetermines where credentials and metadata are storedEU-based servers with GDPR compliance
Third-party security auditValidates that security claims are independently verifiedAnnual audits by recognised European or global firms
Ownership transparencyHidden ownership structures obscure liability and riskClear beneficial ownership with no opaque holding companies

European alternatives to Russian-origin or opaque tools do exist. Open-source solutions such as Bitwarden — which publishes its source code and undergoes independent security audits — offer a credible option for organisations prioritising transparency. Proton Pass, developed by the team behind the Swiss-based ProtonMail, is another option gaining traction among European privacy professionals. For enterprises requiring on-premise deployment with maximum control, tools like Vaultwarden (a Bitwarden-compatible self-hosted backend) and Passbolt — an open-source, European-founded password manager — provide options that align with both digital sovereignty principles and GDPR requirements.

According to guidance published by Germany's BSI, organisations should treat privileged access management tools — which includes password managers — as critical infrastructure components requiring the same level of vendor scrutiny applied to network equipment or cloud providers. The days of treating a password manager as a mere convenience tool are over.

Digital Sovereignty Is No Longer Optional for European Enterprises

The Passwork situation is a microcosm of a much larger debate happening at the intersection of European technology policy and enterprise security strategy. The concept of digital sovereignty — the idea that European organisations should have meaningful control over their data, their digital tools, and the legal frameworks governing them — has moved from policy discussion to operational necessity.

The European Commission's efforts under initiatives such as Gaia-X, the European Cybersecurity Act, and the NIS2 Directive all point in the same direction: Europe is building a regulatory and industrial architecture that prioritises trustworthy, auditable, and jurisdiction-appropriate technology. For IT decision makers and procurement professionals, this trajectory should inform every major software selection decision.

The risk exposed by the Passwork case is not unique to that product. There are likely other tools currently deployed across European enterprises — in roles equally or more sensitive than password management — that would fail basic vendor origin and legal framework scrutiny. A thorough audit of third-party software, with particular attention to tools handling authentication, access control, communications, and data storage, is now a baseline expectation for any organisation serious about its security posture.

For smaller organisations and entrepreneurs who may not have dedicated security teams to conduct such audits, the practical advice is straightforward: choose tools from vendors with clearly European or trusted allied origins, prefer open-source where audited, and never assume that European-looking branding equates to European legal accountability. In an era of sophisticated supply chain risks, due diligence on digital tools is as important as due diligence on financial partners.

Sources