SECTION 07

Next Steps:

A Continuous Duty Needs Continuous Visibility

The findings throughout this report point in one direction. Ransomware against European organisations is rising, and it increasingly reaches them through their suppliers. Direct attacks have not eased; the supplier path has been added to them. The visibility, the speed of response and the depth of analysis needed to manage this layer of risk sit outside an organisation's own perimeter where internal controls cannot reach.

The European regime has drawn the same conclusion: under NIS2, CER and the Cyber Resilience Act, the security of the suppliers an organisation depends on is now its own responsibility to manage and to demonstrate.

Black Kite's platform is built to manage risk at the third-party layer, where internal controls cannot reach.

Anticipate Which Vendors Are Most Likely to Be Hit

Most third-party programs treat every vendor as an equal risk until an incident happens. That order should be reversed: rank your supplier base by how likely each vendor is to be attacked, before the attack occurs.

Once you know which vendors sit highest on that list, you can prioritize your efforts by directing your monitoring and your harder questions to the suppliers that need them first, rather than spreading the same attention evenly across hundreds of vendors.

Our Ransomware Susceptibility Index® (RSI™) answers the prioritisation question with a score from 0.0 to 1.0 that estimates an organisation's likelihood of a ransomware attack. It combines technical exposure with intrinsic factors such as industry, location and size, and is informed by data on thousands of confirmed victims.

See the Full Vendor Ecosystem, Including the Nth Tier

An organisation cannot manage what it cannot see. Visibility matters more than ever as the vendor ecosystem gains additional tiers of vendors. A supplier you have already assessed depends on suppliers of its own, and dozens of organisations can sit behind the same vendor without any of them knowing it. Mapping the entire ecosystem, from your direct suppliers through to the vendors they in turn depend on, has gained strategic importance for proactive security and for seeing single points of failure before they cause large-scale crises. Miljödata supplied roughly 80% of Sweden's municipalities, which is what turned one breach into a national disruption.

Black Kite's Supply Chain Module maps Nth-party dependencies, surfaces concentration risk and identifies the shared vendors that, if compromised, would cascade across a peer group. Mapping the full ecosystem, including the vendors your vendors depend on, is the precondition for everything else a third-party risk programme does.

Black Kite's Supply Chain Module automatically maps your extended supply chain to show concentration and cascading risk.

Replace Annual Reviews With Continuous Monitoring

As documented in this report, cyber threats move faster than annual cycles can track, and threat actors shift their tactics continuously, so a supplier's security posture rarely holds steady between annual assessments. That makes continuous monitoring of the supplier base a fundamental requirement.

A point-in-time assessment is accurate only on the day it is taken, and the gap until the next one is exactly where new exposure tends to appear unseen. Continuous monitoring closes that gap by catching a supplier's decline as it happens, which leaves time to engage the vendor and respond while the problem is still contained rather than after it has been exploited.

Continuous, automated monitoring across the 20 risk categories that compose Black Kite's Cyber Rating surfaces these changes when they happen, rather than at the next assessment window. It is also what the NIS2 Article 21 supply-chain duty assumes: an obligation that is continuous cannot be met with a point-in-time check.

Black Kite's Cyber Rating scores vendors across 20 risk categories using OSINT data validated against MITRE, NIST, and Open FAIR™ standards.

Quickly Identify Your Vendors Affected by Disclosed Vulnerabilities

When a critical vulnerability is disclosed or an active campaign is identified, a window opens between the moment the threat becomes public and the moment a team acts on it, and attackers work inside that window. Closing it on your side means identifying quickly which of your vendors are exposed, so the response reaches them first.

Black Kite's FocusTags® surface the precise vendors affected by a given vulnerability or campaign as soon as it is flagged, so teams act inside the window rather than after it.

FocusTags® instantly identify which vendors in your portfolio are affected by an active vulnerability or breach, so you can act on evidence, not questionnaires.

Engage Vendors and Track Remediation in One Place

Continuous monitoring identifies a weakness the moment it surfaces, but the speed of the fix depends on the vendor. Scattered email and spreadsheets widen the window between exposure and remediation. Every day in that window is a day the weakness stays open, and much of the delay has nothing to do with the technical fix. It comes from the friction of reaching the right person at the vendor, agreeing on what must change and confirming it was done. A single shared channel for that exchange shortens the time from exposure to remediation, which is the part of the response a buyer can actually control.

Black Kite's The Bridge™ replaces that manual layer with a single vendor-engagement workflow. Vendors receive asset-level vulnerability intelligence, see real-time ratings impact and respond directly, while communications, documentation and remediation status flow into one auditable view.

As the EU moves toward harmonizing supplier security information requests under its 2026 cybersecurity package, a single workflow rather than duplicated questionnaires becomes the practical way to engage a vendor base.

Align Vendor Posture With the European Regime

European organisations operate under NIS2, CER, the CRA and, in the financial sector, DORA: regimes that increasingly require demonstrated visibility into third-party security and resilience.

Black Kite's AI-Powered Cyber Risk Assessments turn that requirement into an automated process. The system reads vendor documentation, including SOC 2 reports and questionnaires, extracts verbatim evidence, identifies gaps where evidence is missing and maps findings to the frameworks against which the organisation is held.

Translate Cyber Risk Into Terms the Board Acts On

NIS2 places accountability for managing supplier risk on the management body itself, and boards and regulators act on financial exposure rather than on technical scores. CER adds a second dimension to that accountability. For critical entities the obligation extends beyond security to the continuity of the service when a supplier fails, which is a question of downtime and the cost that downtime carries.

Black Kite quantifies cyber risk in euros and cents, showing the financial impact of the cyber risk. This is built on Open FAIR™ modelling, which translates each vendor's cyber posture into probable financial impact, giving leadership the terms in which the NIS2 obligation is now framed.

Its business interruption view extends the same model to continuity, expressing a supplier outage as expected days of downtime and an annualized loss figure, which is the language the CER resilience duty calls for and the one a board already uses.

Black Kite's Open FAIR™-based CRQ automatically translates a vendor's cyber risk into probable financial loss, giving boards and executives the dollar figure behind the threat.

Get Ahead of Vendor Risk with Black Kite

The European organisations that stay resilient in 2026 will be the ones that treat third-party risk as a continuous, predictive and measurable discipline, and that build the capability to act on it before the breach notification arrives.

Black Kite is built to provide that baseline.

Next: The methodology of this report.