Audit Phase: V-DIG — Digital Forensics / Cyber-Intelligence & Technology Supply Chain
Target Entity: Lidl Stiftung & Co. KG (subsidiary of Schwarz Group)
Audit Date: 2026-05-01
Classification: Draft — For Review
The most significant confirmed Israeli-origin technology relationship within the Schwarz Group / Lidl ecosystem is the acquisition of XM Cyber, an Israeli cybersecurity firm, completed in November 2021. Schwarz Group — Lidl’s ultimate parent — acquired XM Cyber for a reported sum in the range of $700 million12. XM Cyber was founded in 2016 and headquartered in Herzliya, Israel, specialising in attack path management (APM) and continuous threat exposure management (CTEM): it uses simulated breach-and-attack scenarios to map how an adversary could move laterally through an enterprise network from an initial point of compromise to critical assets3.
Following the acquisition, XM Cyber was integrated as an internal cybersecurity capability within the Schwarz Group technology portfolio rather than retained as an independent commercial entity at arm’s length13. This positioning means the platform is structurally available to Lidl’s parent group’s security operations function. The precise scope of deployment within Lidl-specific operational technology networks — store-level infrastructure, logistics, or point-of-sale — is not publicly documented and constitutes a confirmed evidence gap.
Schwarz Group operates Schwarz IT as its centralised IT services and procurement subsidiary, responsible for technology selection and deployment across both Lidl and the Kaufland retail chains7. This centralised structure means vendor relationships negotiated at group level — including the XM Cyber integration — flow through to the Lidl operating entity without requiring separate subsidiary-level contracting to appear in public records. The opacity this creates for external audit is material: it is not possible to determine from public sources alone which specific Israeli-origin technologies are deployed at the Lidl subsidiary level versus retained at Schwarz Group corporate IT level.
Lidl undertook a SAP S/4HANA migration, a programme reported in retail and enterprise technology trade press from approximately 2021–20228. The project experienced well-documented difficulties before progressing — a point of significance for assessing the overall maturity of Lidl’s enterprise technology estate. SAP Ariba is additionally reported as used for procurement management8. SAP is a German company; neither S/4HANA nor Ariba carries an Israeli-origin classification.
Microsoft Azure has been reported as a cloud infrastructure partner for elements of Schwarz Group’s operations8, though this relationship is contextualised by Schwarz Group’s parallel development of its own sovereign cloud platform, Stackit (addressed in full under Section 3). The extent to which Azure services run workloads attributable specifically to Lidl operations, as opposed to Schwarz Group corporate functions, is not publicly disaggregated.
No public evidence was identified of specific licensing, subscription, or integration agreements between Lidl or Schwarz Group and the following Israeli-origin vendors: Check Point Software, SentinelOne, CyberArk, Wiz, Verint Systems, NICE Systems, Claroty, Axonius, or Palo Alto Networks (Israeli-founded). Negative checks were performed against vendor case study libraries, trade press archives, and Schwarz Group press releases. Absence of public evidence does not constitute confirmed non-use, particularly given Schwarz IT’s opaque centralised procurement model.
Multiple trade press reports from 2022–2023 document a pilot relationship between Lidl and Trigo, an Israeli computer vision and autonomous checkout technology company founded in Tel Aviv in 201845. Trigo’s platform uses ceiling-mounted camera arrays and machine vision to enable frictionless, cashierless checkout — identifying items picked up by shoppers and automating billing without traditional point-of-sale interaction4.
Pilots were reported in at least one Lidl store location in the Netherlands45. Trigo has separately reported partnerships with other major European grocers4, giving the company a documented footprint in the European retail technology market. The current status of the Lidl–Trigo relationship — whether the pilot was expanded, extended to further stores, converted to a commercial rollout, or discontinued — is not confirmed in available public sources through the research cutoff. This constitutes a material evidence gap given the biometric and surveillance-adjacent nature of the technology.
Trigo’s store-level technology involves persistent visual tracking of individuals throughout a retail environment. Whether Lidl’s deployment of this system involved:
is not publicly confirmed in available sources. The European Data Protection Board has issued guidelines on facial recognition and automated processing in publicly accessible spaces that would be directly relevant to assessing this deployment10. No GDPR enforcement action specifically targeting Lidl’s Trigo pilot has been identified in public sources through the research cutoff.
No public evidence was identified of Lidl deploying or piloting technologies from the following Israeli-origin retail surveillance or analytics vendors: Trax Retail, AnyVision (now Oosto), BriefCam (a Canon subsidiary of Israeli origin), or Realeyes. No third-party managed service relationship was identified that would indicate bundled Israeli-origin surveillance technology reaching Lidl indirectly via a platform integrator.
No public evidence was identified of Lidl deploying Israeli-origin workforce monitoring, sentiment analysis, or productivity surveillance technologies. General SaaS workforce management platforms (such as Quinyx) have been referenced in trade press coverage of Lidl’s HR technology estate, but no Israeli-origin workforce analytics vendor relationship has been identified.
Schwarz Group operates Stackit, its proprietary cloud platform, explicitly positioned as a European sovereign cloud offering with GDPR compliance and German/EU data residency as primary design parameters6. Stackit is marketed to both internal Schwarz Group entities (including Lidl) and external enterprise customers, with the sovereignty narrative — data processed and stored within German and European Union legal jurisdiction — forming the core commercial proposition6.
No evidence was identified that Stackit infrastructure is operated from, or has data exchange dependencies with, any facility located in Israel. The platform’s sovereign positioning is structurally oriented away from non-EU cloud dependencies6.
No public evidence was identified of Lidl or Schwarz Group participating in Project Nimbus — the Israeli government and IDF cloud infrastructure contract awarded to Google Cloud and Amazon Web Services. Schwarz Group / Lidl are not reported as participants in Project Nimbus or any analogous Israeli state-backed digital infrastructure programme. This finding is consistent with Schwarz Group’s stated sovereign cloud strategy, which is documented as focused on EU-jurisdiction infrastructure6.
No public evidence was identified that Lidl or Schwarz Group operates, leases, or co-locates data centre infrastructure within Israel. Schwarz Group’s data centre strategy, as reported in its public communications, is oriented towards Central European sovereign infrastructure8. The presence of XM Cyber’s R&D base in Herzliya (addressed below under Section 6) does not in itself constitute data centre or cloud infrastructure within Israel.
XM Cyber was co-founded by Tamir Pardo (former Director of the Mossad, 2011–2016), Noam Erez, and Boaz Gorodissky, both reported as former veterans of Israeli intelligence units32. This biographical context is a matter of public record and is relevant to understanding the provenance of the technology now embedded within Schwarz Group’s security infrastructure.
It is important to state explicitly what this finding does and does not constitute:
No public evidence was identified of Lidl or Schwarz Group holding contracts — for technology provision, data services, or any other purpose — with the Israeli Ministry of Defence, the Israel Defense Forces, the Mossad, Shin Bet, or Unit 8200. No export control actions, sanctions investigations, or dual-use technology notifications involving Lidl or Schwarz Group in connection with Israeli state entities have been identified in available public sources.
No public evidence was identified of Lidl’s or Schwarz Group’s commercial technology being reported, confirmed, or documented by researchers as deployed for military, intelligence, or law enforcement surveillance purposes within Israel or in Israeli-occupied territories.
No public evidence was identified. XM Cyber’s attack simulation platform operates as an adversarial simulation tool for enterprise network defence — it maps attack paths within a client’s own environment for the purpose of remediation prioritisation. Available public reporting does not characterise it as an offensive cyber or weaponised capability13.
No public evidence was identified of Lidl or Schwarz Group providing artificial intelligence or machine learning systems, datasets, or model infrastructure to Israeli state, military, security, or law enforcement bodies.
No public evidence was identified of Lidl’s or Schwarz Group’s AI models being developed using, or provided access to, civilian population data, intercepted communications, or surveillance-derived datasets originating from Israel or occupied territories.
Trigo’s frictionless checkout platform, piloted at Lidl’s Netherlands store, represents the closest identified instance of autonomous machine-learning systems deployed by Lidl with Israeli-origin technology provenance45. The system involves real-time inference models running against continuous video feeds. Whether the underlying model training involved data derived from the Lidl pilot environment — and whether any such training data was processed by Trigo’s Israeli-based engineering team — is not publicly documented.
Lidl and Schwarz Group are known to deploy AI/ML systems for demand forecasting, inventory management, and logistics optimisation. The specific AI/ML platform vendors underpinning these capabilities are not publicly confirmed at vendor level in available sources. No Israeli-origin AI vendor relationship for these use cases has been confirmed or denied.
No public evidence identified. This finding is expected for a grocery retail group.
Following the Schwarz Group acquisition in November 2021, XM Cyber has maintained its primary R&D and engineering operations in Herzliya, Israel32. Trade press coverage post-acquisition indicates the Israeli engineering base was preserved as a core asset of the acquisition rather than relocated or wound down13. This means Schwarz Group — Lidl’s parent — has an ongoing R&D dependency on an Israeli engineering base for its internal cybersecurity capability.
This relationship is qualitatively different from a standard third-party vendor dependency: the Israeli R&D team are Schwarz Group employees developing technology that runs within Schwarz Group’s own security infrastructure. The depth of integration, and whether Lidl-specific operational data is processed by XM Cyber’s platform in ways that touch the Herzliya engineering environment, is not publicly documented.
No other Lidl- or Schwarz Group-operated R&D facilities, innovation labs, technology accelerators, or incubator relationships within Israel are identified in public sources. Lidl does not operate retail stores in Israel; Schwarz Group does not appear to maintain customer-facing commercial operations in Israel.
The XM Cyber acquisition (November 2021, ~$700 million reported12) is the sole confirmed acquisition of an Israeli-origin technology company by Schwarz Group or Lidl identified in public sources through the research cutoff. No additional acquisitions of Israeli technology companies, or strategic venture investments in Israeli technology funds or startups, are identified in available public sources.
No patent database search was possible during this research session (live search unavailable). No evidence of patent co-development, IP licensing agreements, or joint research arrangements between Lidl / Schwarz Group and Israeli-domiciled academic or research institutions — including the Technion, Hebrew University, Weizmann Institute, or Ben-Gurion University — is identified in publicly available sources. This gap is noted as unverifiable without USPTO/EPO database access.
Schwarz Group operates Schwarz Digital as a dedicated digital transformation subsidiary8, sitting alongside Schwarz IT in the group’s technology organisational structure. No Israeli-origin vendor relationships attributable specifically to Schwarz Digital (as distinct from the group-level XM Cyber acquisition or the Stackit platform) are identified in public sources.
Who Profits — the Israeli NGO that researches corporate involvement in the Israeli occupation economy — does not appear to contain a dedicated profile of Lidl or Schwarz Group in the context of technology relationships with the Israeli state or settlement economy, as of the research cutoff9. The XM Cyber acquisition has not been the subject of a dedicated Who Profits investigation in available public sources. This negative finding is based on training data knowledge of the Who Profits database and may be incomplete; live database access was not available during this research session.
No United Nations reports, Special Rapporteur communications, academic studies, or major international NGO investigations specifically addressing Lidl’s technology relationships with the Israeli state or Israeli-origin vendors are identified in public sources.
No public evidence was identified of organised BDS or technology-sector divestment campaigns specifically targeting Lidl in relation to the XM Cyber acquisition or the Trigo pilot relationship9. Lidl has historically been the subject of some product-level BDS pressure — relating to the stocking of Israeli-origin food products — but this is categorically distinct from technology-sector divestment campaigns and falls outside the V-DIG audit domain.
The absence of a civil society campaign targeting the XM Cyber acquisition is notable given the reported acquisition price (~$700 million) and the intelligence-community provenance of XM Cyber’s founders3. Whether this reflects a genuine gap in civil society monitoring of retail-sector technology relationships, or is an artefact of research coverage limitations, cannot be determined from available sources.
No public evidence was identified of:
The Trigo computer vision pilot has not, in available public sources, been the subject of a GDPR enforcement action in connection with Lidl’s deployment. This is contextualised against the broader European regulatory environment: the EDPB has published guidelines on the use of facial recognition and automated processing in publicly accessible spaces that would apply to retail deployments of this type10. The absence of enforcement action does not confirm compliance; it may equally reflect the early-stage, pilot nature of the deployment or a lag in supervisory authority action.
https://techcrunch.com/2021/11/08/schwarz-group-acquires-xm-cyber/ ↩↩↩↩↩↩
https://www.haaretz.com/israel-news/tech-news/2021-11-08/ty-article/schwarz-group-buys-israeli-cyber-firm-xm-cyber/0000017f-e3e2-d568-a57f-fbfe2dc70000 ↩↩↩↩
https://www.grocerygazette.co.uk/2022/06/07/lidl-trigo/ ↩↩↩↩↩
https://www.it.schwarz/en/ ↩
https://www.schwarz-gruppe.com/en/press/publications/annual-report/ ↩↩↩↩↩
https://edpb.europa.eu/our-work-tools/documents/public-consultations/2022/guidelines-05-2022-use-facial-recognition_en ↩↩
