preloader

· security digital-security ransomware europe supply-chain nis2 dora compliance third-party-risk

Ransomware in Europe Is Up 55 Percent This Year, and Attackers Are Increasingly Walking In Through Suppliers

Source: Help Net Security / Black Kite

Cyber risk intelligence firm Black Kite has published its first report focused solely on Europe, and the headline number is stark: ransomware incidents across the continent rose 55.1 percent year-over-year in the first four months of 2026, reaching an average of 171 incidents every month.

Where the attacks are landing

Five countries account for roughly 70 percent of all recorded incidents. Germany leads with 370 incidents (17.9 percent), followed by the UK at 347 (16.8 percent), France at 255 (12.3 percent), Italy at 240 (11.6 percent), and Spain at 203 (9.8 percent). Manufacturing was the single most targeted sector, accounting for 27.9 percent of incidents, with IT services close behind, a logical target given how many downstream customers a single compromised provider can expose.

Qilin remains the most prolific group by a wide margin, claiming activity across 26 of the 31 countries Black Kite analysed and 372 recorded incidents, more than double the next most active group, Akira, at 159. SafePay rounds out the top three with 80 incidents.

Suppliers are the new front door

The report’s central finding is not the growth rate itself but where the growth is coming from. Supply chains are becoming a primary attack path into European organisations, not a secondary one. Black Kite points to the August 2025 compromise of Swedish software supplier Miljödata as a template for what this looks like in practice: a single vendor breach that Black Kite traces to more than 30 separate downstream ransomware incidents at the vendor’s customers, none of whom were directly targeted by the initial intrusion.

This matters for a specific reason beyond the raw statistics. NIS2 and DORA both place explicit obligations on organisations to assess and monitor the cyber risk of their third-party suppliers, not just their own perimeter. A vendor breach that cascades into your environment is no longer just an unfortunate external event under either framework, it is a risk you were required to have visibility into. Organisations that cannot currently answer basic questions about which suppliers hold sensitive data, what access those suppliers have, and how quickly they would know about a supplier-side breach are exposed on two fronts at once: the operational risk of the cascade itself, and the regulatory risk of not having managed it.

What this means for European organisations right now

The combination of a 55 percent rise in incidents, a small cluster of countries and sectors absorbing most of the impact, and suppliers increasingly serving as the entry point should reset how organisations prioritise their security spend. A perimeter that has never been breached directly is not evidence of safety if a critical supplier’s perimeter has never been assessed at all.

If your organisation needs a clear picture of its third-party and supply chain risk exposure, help meeting NIS2 or DORA obligations around supplier oversight, or a ransomware readiness assessment that accounts for indirect entry points, contact Excello Digital. We help European organisations map their supplier risk before it becomes an incident report.

These news items are automatically aggregated from industry sources and are not individually reviewed. Any inaccuracies are unintentional — let us know and we'll correct or remove it.

We’ll help you resolve your infrastructure challenges

Our team of experts is ready to help you with your infrastructure challenges. We’ll give you honest and personal treatment. Get in touch to learn more.

Get in touch!