SECTION 05
Third-Party Risk: How Vendors Become the Breach
European Vendors as Breach Origin Points
European organisations spent the 2025 to 2026 period defending against cyber threats on two fronts at once. The first is the direct attack on their own systems, which the earlier sections of this report have measured. The second runs through the suppliers they depend on to operate, such as the payroll platform, the CRM environment, the logistics tracker, and the registry. Vendor risk has not displaced direct attack risk. It sits alongside it, and over this period, it moved from a peripheral concern to a primary one.
Across the 31 countries in scope, 64 European organisations were drawn into a ransomware or data extortion incident through a third party they relied on.
Of these, 34 trace to a single event, the compromise of one Swedish software supplier, Miljödata, which is examined separately below. The remaining 30 were reached through a range of other suppliers, from global SaaS platforms to small national service providers.
A Single Dependency, With No Visibility Into It
The clearest illustration of how a single supplier relationship multiplies into many victims is the cluster of incidents tied to the Salesforce ecosystem. Seven European organisations in the dataset were affected through it: Chanel, Pandora, Air France-KLM and Stellantis through Salesforce environments, and Esker, Sophos and ContentSquare through the connected Drift integration.
The suppliers behind these European victims spanned the full range of the economy:
- Glasgow City Council was reached through its supplier CGI. (Source: Glasgow.gov.uk)
- A Swiss nonprofit health organisation was reached through its registry provider Radix. (Source: The Record)
- Belgium's state security service was reached through Barracuda. (Source: Digwatch)
- Royal Mail was reached through Spectos. (Source: Infosecurity Magazine)
- TalkTalk was allegedly reached through CSG Ascendon. (Source: TechCrunch)
- The UK Ministry of Defence was reached through Inflite The Jet Centre. (Source: The Guardian)
- The cryptocurrency platform SwissBorg through Kiln. (Source: The Record)
- Marks & Spencer's breach has allegedly been linked to credentials belonging to two Tata Consultancy Services employees. (Source: Cybernews)
[Figure: European Organisations Reached Through a Compromised Supplier]
SPOTLIGHT
Miljödata, One Vendor, One Weekend, One Million Records
The 34 organisations set aside at the start of this chapter all trace to one event. On the weekend of 23 August 2025, ransomware actors breached Miljödata, a Swedish IT software supplier that provides HR systems to around 80% of Sweden's municipalities. The stolen data of more than one million individuals was published online.
Around 250 of Miljödata's customers reported to Sweden's data protection authority that they were affected, among them roughly 200 municipalities and regions. The breakdown of the 34 organisations in this report's dataset shows how deeply Miljödata was embedded in Swedish public infrastructure: 17 public-sector bodies (15 of them municipalities), 8 universities, and 9 further organisations, including SAS, Volvo Group, Axfood, the Swedish Medical Association and the waste operator SSAM.
The NIS2 dimension
NIS2 brings municipal IT suppliers within the scope of the supply-chain security obligations placed on essential-service operators. The Miljödata incident is a concrete test of what those obligations are meant to prevent: a single shared IT provider creating simultaneous exposure across most of a country's local governments.
[Figure: The state of impact, broken down by municipalities & regions, named companies, universities and individuals affected]
Sovereignty Decisions Require Security Scrutiny
The EU relies on non-EU countries for more than 80% of key digital products, services, infrastructure and intellectual property, and the tech sovereignty package presented in June 2026 targets cutting that to 40% by 2030.
[Figure: 80% of key digital products and services sourced outside the EU ➞ 40% target for EU digital sovereignty by 2030]
The European vendor-origin incidents in this section add a dimension that sovereignty frameworks do not automatically address: the security posture of the chosen European alternative.
Spectos is German, Radix is Swiss, Eurofiber France is French, Kiln is French, and all were breach origin points in 2025. A vendor's jurisdiction determines which law governs your data. It does not determine how well that vendor manages its patches, monitors its credentials or responds to an intrusion.
NIS2 and DORA converge on exactly this point. Both require continuous oversight of third parties rather than point-in-time assessment. Digital sovereignty addresses jurisdictional risk. Continuous vendor monitoring addresses security risk. The incidents in this section show that in 2025 and early 2026, European organisations needed both, and in most cases had only one.
Next: See what regulations require and what it costs to ignore
The vendor breach data shows how exposure travels. European law determines who's accountable when it does.