What the Black Kite report found
On 25 June 2026 the security-ratings firm Black Kite released its first report dedicated to Europe, the 2026 European Cyber Risk Report. It examined 2,066 ransomware incidents across 31 countries between January 2025 and April 2026, and found that incidents rose 55.1% year over year in the first four months of 2026, averaging 171 per month.
Nearly 70% of activity concentrated in just five countries. Germany led with 370 incidents (17.9%), followed by the United Kingdom with 347 (16.8%), France with 255 (12.3%), Italy with 240 (11.6%) and Spain with 203 (9.8%). For any UK owner reading the numbers, the message is plain: the country sits at the sharp end of Europe's ransomware curve, as independent coverage confirmed.
The supplier is the door
Across the 31 countries, 64 organisations were compromised not through their own systems but through a third party. And 53% of those third-party compromises traced to a single event: the August 2025 Miljodata breach, a Swedish HR and software supplier whose failure hit roughly 250 customers, including about 200 municipalities, and exposed data on over one million individuals.
The sector pattern says the same thing. Manufacturing was most targeted at 27.9% of disclosed incidents, but professional, scientific and technical services came second at 17.8%, led by IT service providers, because compromising one provider reaches many downstream customers at once. As Dr. Ferhat Dikbiyik of Black Kite put it, supply chains are becoming a primary attack path alongside accelerating ransomware and tightening regulation.
The owner move under NIS2 and DORA
Here is the part no source headline says out loud. When one supplier breach drives over half of a continent's third-party victims, the risk a board should fear most is not its own defenses but its vendors'. Under NIS2 a qualifying incident can trigger mandatory reporting within 24 hours, and DORA requires financial entities to manage third-party ICT risk directly. The liability for a supplier's failure now lands on you.
Vendor concentration is the unpriced balance-sheet risk of 2026. Most owners can name their biggest customer, but not their most dangerous supplier. The move is to map every vendor that touches your data or operations, rank them by how many of your functions collapse if they fall, and price that exposure before either the regulator or the attacker prices it for you.
Read next: Jailbreak Risk Now Has a Severity Score · Cybercrime Borrows Your Home Internet



