2026 European Third-Party Cyber Risk Report

European Ransomware Incidents Rose 55.1% Year Over Year. Suppliers Were the Primary Entry Point.

by the Black Kite Research Group™. Period covered: January 2025 to April 2026.

2,066 ransomware incidents hit European organisations across 31 countries between January 2025 and April 2026, but the pace did not hold steady across that period. The 684 incidents recorded in the first four months of 2026 ran 55.1% above the same four months of 2025, and on a monthly basis, the rate jumped from 108 incidents per month in the first half of 2025 to 171 by early 2026. That acceleration is the first thing this data tells you: the threat is not stabilising.

The second thing it tells you is where the entry point is. Sixty-four European organisations in this dataset were drawn into a ransomware or data extortion incident through a supplier rather than through their own systems. The Miljödata case alone reached around 200 Swedish municipalities, 8 universities, and more than a dozen named private-sector organisations, exposing the personal data of over 1 million individuals through the breach of a single HR software supplier. None of those organisations had been breached themselves.

The third dimension is sector. Manufacturing absorbed 27.9% of all incidents, the highest share of any sector, and its exposure spread across 78 subindustries with no safe corner. Professional and technical services absorbed 17.8%, but the concentration inside that sector is sharper: Computer Systems Design and Related Services became the single most-targeted subindustry in all of Europe, accounting for 5.4% of every recorded incident. An IT-services firm is itself a supplier, sitting inside the operations of the organisations it serves. When the leading ransomware target is a supplier, every client it serves is exposed through it.

The fourth dimension is legal. Under NIS2, DORA, and the Critical Entities Resilience Directive, European organisations are now accountable for the security of the third parties they depend on. The obligation is not to prevent a supplier from being breached. It is to assess, monitor, and demonstrate oversight of the suppliers behind essential services, continuously. This is Black Kite's first report dedicated to Europe, and it is your blueprint for meeting that obligation with the evidence base, platform capability, and continuous visibility the law assumes you have.

Key Findings From the 2026 European Cyber Risk Report

55.1% Year-Over-Year Surge in Ransomware Confirms Europe Is in Acceleration

The 684 incidents recorded between January and April 2026 exceeded the 441 from the same four months of 2025 by 55.1%. Adjusted for time, the monthly incident rate rose from 108 in the first half of 2025 to 122 in the second half, then spiked to 171 in early 2026, a 39.8% acceleration from the H2 2025 baseline. Read as raw totals the 2026 figure looks like a step down from H2 2025's 734. Read as a monthly rate, it's the sharpest escalation in the study period.

Five Countries Absorbed 68.5% of All Incidents, With Concentration Deepening in 2026

Germany, the United Kingdom, France, Italy, and Spain account for 68.5% of the 2,066 incidents recorded across 31 countries. That concentration did not ease as volume rose. The Big Five's share of incidents climbed from 68.7% in January to April 2025 to 71.2% in the same four months of 2026. Germany leads the continent at 370 incidents (17.9%), shaped in part by SafePay, a threat actor that directed 56.7% of its 80 European incidents at a single national market.

Manufacturing Held at 27.9% of Incidents and Its Share Grew Every Period

576 incidents landed in manufacturing between January 2025 and April 2026, spread across 78 subindustries with no single one above 7.1%. The sector's share of all European incidents rose from 25.5% in H1 2025 to 27.2% in H2 2025 to 30.8% in early 2026. There is no safe niche inside this sector. Its exposure is broad and consistently growing.

IT Services Became Europe's Single Most-Targeted Subindustry, Concentrating Rapidly

Computer Systems Design and Related Services reached 5.4% of every recorded incident in Europe, the highest rate of any subindustry, and its share within professional and technical services climbed from 27.5% in H1 2025 to 38.4% by early 2026. The exposure is narrowing onto one subindustry rather than spreading across the sector. Because an IT-services firm is a supplier to the organisations it serves, a single compromise can multiply across a client base before any individual client's own systems are touched.

64 European Organisations Were Breached Through a Supplier, 34 Through a Single Vendor

64 organisations in the dataset were drawn into a ransomware or data extortion incident through a third party rather than through their own systems. 34 of those trace to one event: the breach of Miljödata, a Swedish IT software supplier serving roughly 80% of Sweden's municipalities. The Salesforce ecosystem accounted for seven additional victims, including Chanel, Pandora, Air France-KLM, Stellantis, Esker, Sophos, and ContentSquare. Marks & Spencer's breach has been linked to credentials belonging to employees of Tata Consultancy Services.

2026 European Cyber Risk Report: Key Stats

55.1%

Year-over-year increase in ransomware incidents, January to April 2026 vs. 2025

171

Monthly incident rate in early 2026, up from 108 per month in H1 2025

68.5%

Share of all European incidents absorbed by Germany, UK, France, Italy, and Spain

27.9%

Manufacturing's share of 2,066 recorded incidents across 31 countries

64

European organisations reached through a supplier rather than their own systems

1M+

Individuals whose data was exposed through the Miljödata third-party breach

The Geography of Ransomware in Europe: Five Countries, Four Clusters, One Pattern

Germany Leads the Continent at 370 Incidents, Shaped by a Threat Actor Targeting It Almost Exclusively

Germany recorded more ransomware incidents than any other European country, at 370 in total, representing 17.9% of all 2,066 incidents. The UK followed at 347 (16.8%), France at 255 (12.3%), Italy at 240 (11.6%), and Spain at 203 (9.8%). Germany is also the one major market where a specialist group, SafePay, runs a dominant strategy. SafePay directed 56.7% of its 80 European incidents at Germany, a concentration pattern that appears nowhere else in the dataset.

The Regional Clusters That Carry the Most Weight Are Structural, Not Seasonal

When European countries are grouped into regional clusters, two carry close to six in ten incidents across the study period. 

Incident counts by cluster (average per country):

  • France, Italy, Spain (avg. 232.7 per country)
  • UK and Ireland (avg. 184.5 per country)
  • DACH (Germany, Austria, Switzerland) (avg. 170.3 per country)
  • Benelux (avg. 37.7 per country)
  • Nordics (avg. 23.5 per country)

The regions leading the total also led in every individual period. That pattern held across the full 16 months.

Turkey, Romania, and Poland Posted Large Percentage Jumps, but the Big Five Still Drove Three-Quarters of the Absolute Increase

Turkey rose 433% year over year (6 to 32 incidents), Romania 333% (3 to 13), and Poland 217% (6 to 19). The percentage figures are striking, but the Big Five delivered the volume. France added 56 incidents, Italy 44, the UK 35, Spain 27, and Germany 22, together accounting for 184 of the 243 additional incidents recorded between January to April 2025 and January to April 2026. Smaller market growth is real. It has not yet redistributed the threat away from where it is most concentrated.

Suppliers as the Entry Point: How Third-Party Ransomware Risk Is Reshaping Exposure

One Swedish Vendor, One Weekend, 200 Municipalities, and More Than 1 Million Exposed Records

The Miljödata incident demonstrates exactly how a single vendor dependency becomes a national-scale incident. On the weekend of 23 August 2025, ransomware actors breached Miljödata, a Swedish IT software supplier providing HR systems to approximately 80% of Sweden's municipalities. Stolen data for more than 1 million individuals was published online. The documented downstream effects reached around 200 municipalities and regions, 8 universities, and 9 named companies including SAS, Volvo Group, and Axfood. None of those organisations' own systems had been compromised. The point of failure was a single shared supplier embedded deeply in Swedish public-sector infrastructure.

The Salesforce Cluster Shows How a Single Ecosystem Multiplies Into Seven Victims

Seven European organisations were affected through the Salesforce ecosystem alone. The full list of named organisations reached via individual suppliers extended further:

  • Chanel, Pandora, Air France-KLM, Stellantis — reached through Salesforce environments
  • Esker, Sophos, ContentSquare — reached through the connected Drift integration
  • Glasgow City Council — reached through CGI
  • Royal Mail — reached through Spectos
  • Belgium’s state security service — reached through Barracuda
  • UK Ministry of Defence — reached through Inflite The Jet Centre
  • SwissBorg — reached through the French vendor Kiln
  • Marks & Spencer — reached through employees of Tata Consultancy Services

In each case, the organisation was reached through a supplier, not through its own systems.

EU Digital Sovereignty Targets Address Jurisdiction, Not Security Posture

The EU relies on non-EU countries for more than 80% of key digital products, services, and infrastructure. A 2030 target set in the tech sovereignty package presented in June 2026 aims to cut that figure to 40%. The vendor-origin incidents documented in this report add a dimension that sovereignty frameworks do not automatically address: whether the chosen European alternative is actually secure. Spectos is German. Radix is Swiss. Kiln is French. All three were breach origin points in 2025. A vendor's jurisdiction determines which law governs your data. It does not determine how well that vendor monitors its credentials, patches its systems, or responds to an intrusion. The incidents that ran through European vendors show that sourcing closer to home does not close the fourth-party vendor risk management gap.

NIS2, DORA, and CER: What the European Regulatory Regime Now Requires of Your Vendor Program

NIS2 Article 21 Creates a Continuous Oversight Duty That Does Not Stop at a Supplier's Border

NIS2 makes supply-chain security one of the Article 21 risk-management measures that every essential and important entity must implement. The obligation requires an in-scope entity to assess the specific vulnerabilities and cybersecurity practices of each direct supplier and to keep doing so. Whatever a supplier's own national position (several member states are still finalising secondary legislation), the buyer's Article 21 duty stands. The Miljödata incident is a concrete test of what those obligations are designed to prevent: a single shared IT provider creating simultaneous exposure across most of a country's local governments.

For organisations that need to demonstrate they have met that duty, Black Kite provides four capabilities that work together:

  • FocusTags® surface which suppliers in a portfolio are affected when a specific vulnerability or active campaign emerges.
  • The Bridge™ manages the engagement with the supplier and documents the remediation, creating an auditable record for regulators.

DORA's ICT Third-Party Monitoring Obligation Has Turned Into a Continuous Questionnaire Problem

The Digital Operational Resilience Act (DORA) requires financial entities to monitor ICT providers throughout the life of the contract, not only at onboarding. Article 28(6) mandates ongoing monitoring; Article 30(3)(e) requires contracts to secure the right to monitor continually. In practice, this obligation has produced a continuous flow of vendor security assessment questionnaires that burden both the institutions issuing them and the suppliers fielding them. Much of what DORA expects an institution to verify can be observed directly from a vendor's external attack surface rather than requested through a questionnaire. Black Kite's external assessment capability covers the verification obligation without adding to the questionnaire volume that strains the supplier relationship.

RSI™ Identifies Which Vendor Dependencies Are Most Likely to Fail Under CER's Continuity Standard

The Critical Entities Resilience Directive approaches third-party risk from the continuity side. Where NIS2 frames a vendor breach as a security question, CER frames it as a continuity question: Can the essential service keep running when a supplier fails? Articles 12 and 13 place responsibility for that continuity on the critical entity. The Collins Aerospace MUSE incident in September 2025 illustrates the point at scale. Ransomware on a shared check-in and boarding platform forced Heathrow, Brussels, Berlin, Dublin, and Cork airports into manual processing for days. None of the airports were themselves breached, yet all of them lost the service they exist to provide.

The Ransomware Susceptibility Index® (RSI™) converts that risk into a forward signal: a score from 0.0 to 1.0 that estimates a vendor's likelihood of suffering a ransomware attack. A vendor scoring above 0.8 is 96 times more likely to suffer a ransomware attack than one below 0.2. RSI lets a critical entity identify which dependencies are most likely to fail before one of them does, so continuity arrangements can be built around the suppliers that actually warrant them rather than spread evenly across the full vendor base.

The Compliance Gap Is Not About Knowing the Rules. It’s About Having the Capacity to Meet Them

Three frictions stand between a European organisation’s regulatory obligations and its ability to meet them with the resources it actually has:

  • Uneven NIS2 transposition. An organisation operating across multiple jurisdictions faces genuine uncertainty about which obligations apply where.
  • DORA’s continuous monitoring cadence. The obligation has produced questionnaire burdens that annual programs were not built to absorb.
  • Capacity. The expectation of continuous vendor risk monitoring across a full supplier base is being asked of teams staffed and budgeted for annual reviews.

Black Kite’s external monitoring covers the capacity problem without adding headcount. Because every supplier is assessed on the same consistent external basis, the organisation stays ready regardless of how each jurisdiction’s transposition ultimately lands.

NIS2
  • Regulation: NIS2 Directive (EU) 2022/2555
  • Who enforces it: National competent authorities and CSIRTs
  • Third-party obligation: Article 21: assess and continuously oversee direct suppliers' cybersecurity; board accountable under Article 20
  • Non-compliance cost: Essential entities: up to €10M or 2% of global turnover; important entities: up to €7M or 1.4%

DORA
  • Regulation: DORA, Regulation (EU) 2022/2554
  • Who enforces it: National financial regulators coordinated by EBA, ESMA, EIOPA
  • Third-party obligation: Article 28: monitor ICT providers throughout the contract; Article 30(3)(e) requires contractual right to monitor continually
  • Non-compliance cost: Varies by national authority; Germany's BaFin can impose up to €5M or twice the benefit gained

CER
  • Regulation: CER Directive (EU) 2022/2557
  • Who enforces it: National competent authorities designated by each member state
  • Third-party obligation: Articles 12–13: assess supplier dependencies and maintain resilience so a supplier's failure doesn't interrupt essential services
  • Non-compliance cost: Penalties set by each member state; required to be effective, proportionate, and dissuasive

How to Operationalise Continuous Third-Party Risk Visibility in 2026

Replace Static Vendor Lists With RSI-Ranked Prioritisation Across the Full Supplier Base

Most third-party risk management programs treat every vendor as an equal risk until an incident happens. The RSI™ inverts that logic. A score from 0.0 to 1.0 estimates each supplier's likelihood of a ransomware attack before one occurs, combining technical exposure (exploitable vulnerabilities, exposed remote access, leaked credentials) with intrinsic factors including industry, location, and size. At RSI 0.4–0.6, likelihood is 11.6 times higher than at baseline. At 0.6–0.8, it reaches 17.6 times higher. Prioritising monitoring and vendor risk response by RSI score directs attention where it is most needed rather than spreading it evenly across a supplier base that is never equally at risk.

Map the Full Vendor Ecosystem, Including Every Nth-Party Dependency

Miljödata supplied roughly 80% of Sweden's municipalities. That concentration was invisible to most of its customers until the breach made it visible. Black Kite's Supply Chain Module maps Nth-party dependencies, surfaces concentration risk, and identifies the shared vendors that, if compromised, would cascade across a peer group. A vendor you have assessed depends on vendors of its own. Dozens of organisations can sit behind the same fourth-party provider without any of them knowing it. Mapping those dependencies is the precondition for supply chain cyber risk management that is actually complete.
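The dependency-mapping step described above, as an added illustration that is not part of the report or of Black Kite's Supply Chain Module: a constructed vendor graph (every vendor and provider name is invented) is walked breadth-first to find each direct vendor's full upstream chain, and every shared provider is then ranked by how many direct vendors would lose service if that provider were compromised. The visited set makes the walk terminate even when supplier relationships form a cycle, which real Nth-party data does contain.

```python
"""Map Nth-party dependencies and rank shared providers by blast radius.

Constructed example: the vendor graph below is invented for illustration
and is not Black Kite data. Edges run from a vendor to the suppliers it
itself depends on (fourth parties from the portfolio owner's point of view).
"""
from collections import deque

# Constructed dependency graph: vendor -> suppliers that vendor relies on.
# "hr-saas-a" stands in for a shared HR platform of the Miljödata kind.
VENDOR_GRAPH = {
    "municipality-it-partner": ["hr-saas-a", "cloud-host-x"],
    "payroll-bureau":          ["hr-saas-a", "bank-connector"],
    "facilities-outsourcer":   ["hr-saas-a"],
    "crm-integrator":          ["crm-platform", "chat-widget"],
    "chat-widget":             ["crm-platform"],
    "cloud-host-x":            ["dns-provider"],
    "bank-connector":          ["cloud-host-x"],
    "hr-saas-a":               ["cloud-host-x"],   # the shared provider has its own upstream
    "dns-provider":            ["cloud-host-x"],   # cycle: terminated by the visited set
}

# The organisation's own direct (first-tier) vendors.
DIRECT_VENDORS = [
    "municipality-it-partner",
    "payroll-bureau",
    "facilities-outsourcer",
    "crm-integrator",
]


def upstream_of(vendor, graph):
    """Return {provider: tier} for every supplier reachable from `vendor`.

    Breadth-first with a visited set so cyclic supplier relationships terminate.
    Tier is the shortest supplier distance from `vendor`: 1 = its direct supplier,
    2 = a supplier of that supplier, and so on.
    """
    tiers = {}
    queue = deque([(vendor, 0)])
    seen = {vendor}
    while queue:
        node, depth = queue.popleft()
        for supplier in graph.get(node, []):
            if supplier not in seen:
                seen.add(supplier)
                tiers[supplier] = depth + 1
                queue.append((supplier, depth + 1))
    return tiers


def concentration(direct_vendors, graph):
    """For each provider anywhere in the chain, list the direct vendors whose
    service depends on it (directly or transitively), largest blast radius first."""
    dependents = {}
    for vendor in direct_vendors:
        for provider in upstream_of(vendor, graph):
            dependents.setdefault(provider, set()).add(vendor)
    return sorted(
        ((provider, sorted(deps)) for provider, deps in dependents.items()),
        key=lambda item: (-len(item[1]), item[0]),
    )


def blast_radius(provider, direct_vendors, graph):
    """Direct vendors whose supply chain passes through `provider`."""
    return sorted(v for v in direct_vendors if provider in upstream_of(v, graph))


if __name__ == "__main__":
    for provider, deps in concentration(DIRECT_VENDORS, VENDOR_GRAPH):
        print(f"{provider:24} reached via {len(deps)} direct vendor(s): {', '.join(deps)}")
```

In this constructed graph the hosting provider, the DNS provider and the shared HR platform each sit under three of the four direct vendors, which is exactly the concentration a per-vendor questionnaire never reveals: none of the three appears in the organisation's own vendor list.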

Enforce Continuous Monitoring Because a Point-in-Time Assessment Is Accurate Only on the Day It Is Taken

A cyber risk management platform that runs continuously closes the gap where new exposure appears unseen between annual reviews. Black Kite's Cyber Rating scores vendors across 20 risk categories using OSINT data validated against MITRE, NIST, and Open FAIR™ standards. Changes surface when they happen rather than at the next assessment window. NIS2's Article 21 supply-chain duty is framed as a standing obligation, not a periodic one. A risk management methodology built on point-in-time audits cannot structurally satisfy a duty that the law frames as continuous.

Build a Vendor Engagement Workflow That Closes the Gap Between Exposure and Remediation

Continuous monitoring identifies a weakness the moment it surfaces. The speed of the fix depends on what happens next. Reaching the right person at the vendor, agreeing on what must change, and confirming it was done is where the delay accumulates. None of that delay is technical. The Bridge™ replaces scattered email and spreadsheet tracking with a single vendor-engagement workflow. Vendors receive asset-level vulnerability threat intelligence, see real-time ratings impact, and respond directly. Communications, documentation, and remediation status flow into one auditable view. 

As the EU moves toward harmonising supplier security information requests under its 2026 cybersecurity package, a single workflow becomes the practical way to meet vendor engagement obligations at scale.

How Black Kite Built the 2026 European Cyber Risk Report

2,066 Incidents Across 31 Countries, Tracked Across Three Consecutive Periods

The ransomware dataset covers confirmed, publicly disclosed incidents attributable to ransomware activity across 31 countries (the 27 EU member states plus the United Kingdom, Switzerland, Norway, and Turkey) between January 2025 and April 2026. After removing incidents outside this scope, the working base is 2,066 incidents. These are analysed across three periods: H1 2025 (648 incidents), H2 2025 (734), and January to April 2026 (684). Because the final window is four months rather than six, pace comparisons use a monthly rate to keep the periods comparable.

Validated Across OSINT, Dark Web Intelligence, and Black Kite Telemetry

Vendor and third-party data was derived from Black Kite's telemetry and publicly available information, supplemented by intelligence gathered from surface, deep, and dark web sources. Attribution to a named threat group was recorded where it could be established from source evidence. The financial impact of cyber attacks observed in named third-party incidents is modelled using Open FAIR™ methodology, translating each vendor's posture into probable financial exposure for the organisations depending on them.

Victim Counting Standardised to Prevent Inflation of the Third-Party Figures

A standardised victim counting method prevents the cascade structure of supplier incidents from inflating headline figures. Attacks against chains, networks, or holding structures are counted as a single incident unless distinct disclosures exist. A single supplier compromise that reaches many downstream organisations is counted as one incident in the threat-actor and period analysis, while the affected downstream organisations are documented separately in the third-party analysis. The Miljödata case is the clearest example: 34 organisations are documented by name, a subset of a much larger affected population. The findings represent a conservative lower bound of systemic third-party risk exposure across Europe.
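The counting rules in this section and the monthly-rate normalisation described under the period breakdown, applied to a small constructed set of disclosure records as an added example (this is not the report's dataset or Black Kite tooling; every victim and supplier name is invented): a supplier compromise and all the downstream organisations it reached collapse onto one incident in the period totals, the downstream organisations are tallied separately, disclosures outside the study window are dropped, and the three periods are compared as incidents per month.

```python
"""Standardised incident counting for supplier-cascade ransomware records.

Added example on constructed records; it is not the report's dataset or
Black Kite tooling. It implements the counting rules the methodology
describes: a supplier compromise that reaches many downstream organisations
counts once in the period analysis, the downstream organisations are
tallied separately, out-of-window disclosures are dropped, and periods of
unequal length are compared as a monthly rate.
"""
from collections import Counter
from datetime import date

# Study periods as (start, end, length in months); the last window is four months.
PERIODS = {
    "H1 2025": (date(2025, 1, 1), date(2025, 6, 30), 6),
    "H2 2025": (date(2025, 7, 1), date(2025, 12, 31), 6),
    "Jan-Apr 2026": (date(2026, 1, 1), date(2026, 4, 30), 4),
}

# Constructed disclosures. `cascade` names the supplier whose compromise reached
# the victim; None means the victim's own systems were hit. Names are invented.
RECORDS = [
    {"victim": "legacy-corp",   "date": date(2024, 12, 20), "cascade": None},  # out of scope
    {"victim": "alpha-gmbh",    "date": date(2025, 2, 3),   "cascade": None},
    {"victim": "beta-srl",      "date": date(2025, 5, 19),  "cascade": None},
    {"victim": "hr-supplier-s", "date": date(2025, 8, 23),  "cascade": None},
    {"victim": "kommun-1",      "date": date(2025, 8, 25),  "cascade": "hr-supplier-s"},
    {"victim": "kommun-2",      "date": date(2025, 8, 25),  "cascade": "hr-supplier-s"},
    {"victim": "university-1",  "date": date(2025, 9, 1),   "cascade": "hr-supplier-s"},
    {"victim": "gamma-plc",     "date": date(2025, 11, 4),  "cascade": None},
    {"victim": "delta-sa",      "date": date(2026, 1, 15),  "cascade": None},
    {"victim": "epsilon-ltd",   "date": date(2026, 3, 2),   "cascade": None},
    {"victim": "retailer-x",    "date": date(2026, 3, 9),   "cascade": "crm-vendor-c"},
    {"victim": "airline-y",     "date": date(2026, 3, 9),   "cascade": "crm-vendor-c"},
    {"victim": "zeta-oy",       "date": date(2026, 4, 28),  "cascade": None},
]


def period_of(day):
    """Name of the study period containing `day`, or None if out of scope."""
    for name, (start, end, _months) in PERIODS.items():
        if start <= day <= end:
            return name
    return None


def incident_keys(records):
    """One key per counted incident. A direct victim counts on its own name; every
    record in a cascade collapses onto the supplier's name, so the supplier's own
    disclosure and its downstream victims together count as one incident."""
    keys = set()
    for r in records:
        period = period_of(r["date"])
        if period is None:
            continue  # outside the study window: removed, not counted
        keys.add((r["cascade"] or r["victim"], period))
    return keys


def incidents_per_period(records):
    """Counted incidents per study period, after cascade collapsing."""
    counts = Counter(period for _key, period in incident_keys(records))
    return {name: counts.get(name, 0) for name in PERIODS}


def monthly_rate(records):
    """Incidents per month, so a four-month window compares with six-month halves."""
    per = incidents_per_period(records)
    return {name: per[name] / PERIODS[name][2] for name in PERIODS}


def rate_change_pct(records, baseline, current):
    """Percentage change in monthly rate from `baseline` period to `current`."""
    rate = monthly_rate(records)
    return (rate[current] - rate[baseline]) / rate[baseline] * 100


def third_party_victims(records):
    """Downstream organisations reached through a supplier, grouped by supplier.
    These are reported separately and never added to the period totals."""
    groups = {}
    for r in records:
        if r["cascade"] and period_of(r["date"]):
            groups.setdefault(r["cascade"], []).append(r["victim"])
    return {supplier: sorted(victims) for supplier, victims in groups.items()}


if __name__ == "__main__":
    print("raw disclosures:", len(RECORDS))
    print("counted incidents:", incidents_per_period(RECORDS))
    print("monthly rate:", monthly_rate(RECORDS))
    print("third-party victims:", third_party_victims(RECORDS))
```

Thirteen raw disclosures become eight counted incidents here, and the five downstream organisations survive only in the third-party tally; that separation is what keeps a single national-scale cascade from distorting the period and threat-actor figures while still recording who was affected.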

Industry Classifications Follow NAICS to Prevent Sector-Level Misclassification

Industry and subindustry classifications follow the North American Industry Classification System (NAICS). Sector-level figures are built from two-digit NAICS codes; subindustry analysis uses the more detailed NAICS codes below that. Manufacturing is measured by its NAICS classification rather than by a broader label, which is why the figure of 576 incidents reflects only organisations whose primary activity falls within that sector's NAICS definition. Geopolitical risk factors affecting incident distribution (including sanctions exposure, conflict proximity, and jurisdictional enforcement gaps) are contextualised in the regulatory analysis rather than applied as a classification variable.
