Summary
- Black Kite says publicly disclosed ransomware incidents in Europe rose 55.1% year on year in the first four months of 2026.
- Germany, the UK, France, Italy, and Spain accounted for nearly 70% of recorded incidents.
- Supplier compromise is becoming a central resilience issue under NIS2, DORA, CER, and the Cyber Resilience Act.
Black Kite has published a Europe-focused ransomware and third-party cyber risk report that places supplier exposure at the centre of the region’s resilience problem.
The company’s 2026 European Cyber Risk Report examined publicly disclosed ransomware incidents affecting European organisations between January 2025 and April 2026. Its headline finding is that ransomware activity rose 55.1% year on year in the first four months of 2026, reaching an average of 171 incidents per month.
The research says nearly 70% of Europe’s recorded ransomware activity was concentrated in five markets: Germany, the United Kingdom, France, Italy, and Spain. Germany was the most targeted country in the dataset, followed by the UK, France, Italy, and Spain. Qilin was identified as the most geographically widespread ransomware group, linked to incidents in 26 of the 31 countries analysed.
The report also places manufacturing at the top of the affected sectors, with professional, scientific, and technical services following. Within that second group, IT service providers stand out because attacks against suppliers can expose multiple downstream customers. Black Kite said 64 European organisations were drawn into ransomware or data extortion incidents through a third party, with a large share connected to the compromise of Swedish software supplier Miljödata.
Public disclosure-based ransomware tracking will not capture every incident, and no single dataset gives a complete picture of regional activity. Even within those limits, the direction of risk is consistent with the experience of European regulators and operators: supplier compromise is no longer peripheral.
The regulatory context has changed the consequences. NIS2 expects essential and important entities to manage cyber risk across their supply relationships. DORA imposes detailed ICT third-party risk obligations on financial entities. The Critical Entities Resilience framework and the Cyber Resilience Act add further pressure around operational continuity, product assurance, and accountability.
A ransomware incident at a payroll provider, IT services company, logistics platform, HR system, managed service provider, or software vendor can become a board-level resilience issue for organisations that were never directly attacked. The operational effect can include service interruption, personal data exposure, regulatory notification, contractual disputes, customer communications, and emergency supplier reviews.
Supplier cyber risk has often been handled through questionnaires, annual attestations, and contract clauses. Those mechanisms remain necessary, but they do not provide continuous evidence that a supplier is resilient, patched, segmented, monitored, and able to recover. The report’s findings point to the gap between third-party risk governance and the speed at which extortion groups exploit weak suppliers.
European organisations also face concentration risk. The same small set of service providers may support hundreds of public bodies, regulated companies, municipalities, healthcare organisations, manufacturers, and financial firms. A compromise at that layer can create an incident pattern that looks less like a single breach and more like regional operational disruption.
Regulation is now being tested against an attack model built around dependency. Supplier governance will need stronger asset visibility, contractual access to evidence, incident notification discipline, exit planning, recovery testing, and clearer decisions about which providers are too critical to be managed at arm’s length.





