Black Kite’s first report dedicated specifically to Europe puts a number on something security teams across the continent have felt anecdotally for a while: ransomware is not just rising; it is rising because of who your suppliers are, not just what you patch. Across 2,066 tracked incidents in 31 countries between January 2025 and April 2026, publicly disclosed attacks climbed 55.1 percent year over year, with monthly incident counts jumping from an average of 108 to 171.
Five countries, seventy percent of the problem
Germany recorded 370 incidents, 17.9 percent of the European total, more than any other country in the dataset. The UK followed at 347 (16.8 percent), France at 255 (12.3 percent), Italy at 240 (11.6 percent), and Spain at 203 (9.8 percent). Together these five markets, the largest and most digitised economies on the continent, absorbed nearly 70 percent of all recorded ransomware activity. Scale is not protection. If anything, the size and interconnectedness of these economies is precisely what makes them attractive, because a single successful compromise of a widely used supplier can cascade into dozens of downstream victims at once.
The supplier is now part of your attack surface
The report’s most operationally relevant finding is that 64 European organisations were pulled into a ransomware or data extortion incident through a supplier’s systems, not their own. Manufacturing came out as the hardest-hit sector, consistent with an industry built on long, deeply interconnected vendor chains where a single compromised logistics partner, parts supplier, or software vendor can hand attackers a path into companies that were never directly targeted. Traditional perimeter security, however well maintained, does nothing to stop an attack that never touches your own infrastructure until the ransom note appears.
Why this lands right as NIS2 audits are starting
This data arrives at a pointed moment. NIS2 enforcement is now underway across the EU, and supply chain risk management is one of its explicit obligations, not an optional best practice. Regulators pushing organisations to formally assess and monitor supplier cybersecurity posture are not chasing a theoretical risk. The Black Kite numbers are the theoretical risk made concrete: nearly seventy incidents in this dataset alone where the compromise came from outside the victim’s own perimeter, in a regulatory environment that increasingly holds the victim accountable for that gap regardless of where the attack actually originated.
What we recommend
- Build or update a formal inventory of critical suppliers and the systems, data, and network access each one touches, since you cannot manage a risk you have not mapped
- Extend security assessment and monitoring to key suppliers rather than treating vendor risk as a one-time onboarding questionnaire
- Prioritise manufacturing and logistics vendor relationships specifically, given the sector’s outsized share of supply-chain-originated incidents
- Align supplier risk management practices with NIS2 requirements now, ahead of enforcement scrutiny rather than in response to it
- Build incident response plans that explicitly cover the scenario where the compromise originates outside your own environment, since containment and notification obligations differ from a direct breach
If your organisation needs help mapping supplier risk, building a vendor security assessment programme, or aligning your incident response plan with NIS2 obligations, contact Excello Digital. We help European organisations turn supply chain risk from a compliance checkbox into something they can actually manage.
