Nearly 70% of all recorded ransomware incidents were concentrated in Germany, the United Kingdom, France, Italy, and Spain, highlighting the concentration of cyber risk in Europe's largest markets

BOSTON, June 25, 2026 /PRNewswire/ -- Black Kite, the leader in third-party cyber risk management, today released its 2026 European Cyber Risk Report: Ransomware Is Escalating and Your Third Parties Are the Entry Point. Black Kite's first report dedicated to Europe identifies where ransomware risk is concentrated across the continent and what the region's evolving accountability standards mean for organisations managing threats that begin beyond their own perimeter.

"Three forces are converging on European organisations at once: ransomware is accelerating, supply chains are becoming a primary attack path, and regulations are placing greater emphasis on third-party risk," said Dr. Ferhat Dikbiyik, Chief Research and Intelligence Officer, Black Kite. "Our research shows that some of Europe's most significant ransomware incidents are defined less by the initial victim than by the scale of their downstream impact across an interconnected ecosystem. As regulations like NIS2 and DORA continue to reshape expectations, organisations are under growing pressure to demonstrate a deeper understanding of the cyber risk that exists across their supplier ecosystem. Understanding where risk is concentrated, and how it can spread, is becoming essential for building resilience".

Black Kite's research arrives at a time when third-party cyber risk is becoming a greater focus for European organisations and regulators alike. Under frameworks such as NIS2 and DORA, organisations face increasing obligations to assess and oversee cyber risk across their supplier ecosystem, just as ransomware activity across Europe continues to accelerate.

In just 16 months, Black Kite tracked publicly disclosed ransomware incidents across Europe and the pace is accelerating. Ransomware attacks rose 55.1% year-over-year in the first four months of 2026 and reached an average of 171 incidents per month.

Nearly 70% of Europe's ransomware activity was concentrated in just five countries - Germany, the United Kingdom, France, Italy, and Spain - with Germany emerging as the most-targeted country. Looking across Europe as a whole, Qilin was the most active ransomware group identified in the research. What makes Qilin notable isn't just its volume, but its geographic footprint. The group was linked to incidents in 26 of the 31 countries analysed, making it a true ransomware generalist. SafePay, the third most active ransomware group, followed a very different strategy. More than half of its European activity targeted German organisations, highlighting how some ransomware groups are casting a wide net across Europe while others are concentrating on a single market.

Third-Party Risk: How Vendors Become the Breach
European organisations spent 2025 and 2026 defending on two fronts simultaneously: direct attacks on their own systems, and attacks arriving through the suppliers they depend on to operate, such as payroll platforms, CRM environments, and logistics providers. Vendor vulnerability has not replaced direct attack risk. Rather, it now sits alongside it, and over this period, it moved from a peripheral concern to a primary one.

Across the 31 countries in scope, 64 European organisations were drawn into a ransomware or data extortion incident through a third party. Of those, 53% of those impacted organisations trace to a single event - the August 2025 compromise of Swedish software supplier Miljödata, which provides HR systems to approximately 80% of Sweden's municipalities.

The attack exposed the data of more than one million individuals and affected roughly 250 customers, including around 200 municipalities and regions. The incident demonstrates how a single supplier compromise can create cascading consequences far beyond the original victim, reaching critical public services and organisations that were never directly targeted.

Key findings from the report:

• Accelerating volume: Black Kite tracked publicly disclosed ransomware incidents affecting European organisations between January 2025 and April 2026. The research found ransomware activity is accelerating, with incidents rising 55.1% year-over-year in the first four months of 2026.
• Geographic concentration: Europe's five largest economies lead in ransomware attacks, with Germany being the most targeted reporting 370 incidents (17.9%), followed by the United Kingdom at 347 (16.8%), France at 255 (12.3%), Italy at 240 (11.6%), and Spain at 203 (9.8%).
• Threat actor activity: Qilin, Akira, and SafePay were among the most active ransomware groups identified in the research. Qilin stood out for its geographic reach, operating across 26 of the 31 countries analysed. SafePay, meanwhile, followed a far more concentrated strategy, with more than half of its European activity targeting German organisations.
• Sectoral concentration: Manufacturing was the most-affected sector at 27.9%. Professional, scientific, and technical services followed at 17.8%. Within that second group, IT service providers were the single most-targeted subindustry, a strategic pattern. When the primary target is a supplier, every client it serves becomes exposed through it.
• Suppliers as the point of failure: A growing share of victims were exposed through a third party rather than attacked directly. The Miljödata incident illustrates the scale this can reach. One single supplier breach exposed roughly 200 Swedish municipalities, 25 companies, and several universities, compromising the personal data of over one million individuals although none had been breached directly.

These findings have implications that extend beyond security operations. Under frameworks such as NIS2, CER, and the Cyber Resilience Act, organisations face growing expectations to understand, assess, and demonstrate oversight of cyber risk across their supplier ecosystem. Black Kite helps organisations gain visibility into that risk with a platform built for the third-party layer, where internal controls cannot reach.

Black Kite is now serving and supporting organisations across EMEA through a growing regional presence and expanding partner ecosystem. With a strategic hub in the United Kingdom and partnerships including Elasticito, Sayari, and RAS Infotech, Black Kite enables organizations to gain real-time visibility into cyber risk across their extended supply chain. It does this by revealing deep risk signals that span ransomware susceptibility, regulatory gaps, financial exposure, and more. From cyber assessments to continuous monitoring and risk response, organizations can now manage risk across their entire ecosystem based on the industry's most trusted cyber risk intelligence.

To read the report, visit https://blackkite.com/report/2026-europe-cyber-risk-report.

To register for the upcoming webinar, Europe's Cyber Risk Equation: Ransomware, Third-Party Risk, and Regulatory Pressure, taking place on July 22 at 9:00 AM ET, visit here. The session will highlight key findings from the report and provide additional insights into the evolving cyber risk landscape across Europe.

Methodology
The report was assembled by the Black Kite Research Group™ from several independent lines of evidence between January 2025 and April 2026: ransomware tracking, vendor ecosystem analysis, the European regulatory landscape, and cyber risk telemetry. Together, they trace how ransomware reaches European organisations, both at their own perimeter and through the suppliers they depend on. The study covers 31 countries: the 27 European Union member states together with the United Kingdom, Switzerland, Norway and Turkey.

About Black Kite
Black Kite is the AI-native third-party cyber risk management platform trusted by over 3,000 customers to manage every supplier and every risk across their extended ecosystem. Powered by the industry's highest-quality risk intelligence, spanning over 40 million companies, Black Kite is differentiated by the accuracy, transparency, and actionability of its data. The platform automates vendor monitoring and risk assessments, surfacing reliable insights into ransomware susceptibility, regulatory gaps, financial exposure, and more. With Black Kite, security and risk teams gain always-on visibility and trusted intelligence to act early, reduce exposure, and stay ahead of third-party threats. Black Kite has received numerous industry awards and recognition from customers. Learn more at www.blackkite.com, or on the Black Kite blog.

Media Contact:
Michelle Kearney
Hi-Touch PR
443-857-9468
kearney@hi-touchpr.com

View original content to download multimedia:https://www.prnewswire.com/news-releases/black-kites-first-report-dedicated-to-europe-ransomware-incidents-rose-55-year-over-year-in-early-2026-as-supply-chains-become-a-key-attack-path-302808057.html

SOURCE Black Kite