Black Kite 2026: Europe’s Ransomware Surge Now Runs Through Your Suppliers


On Friday, 19 September 2025, ransomware hit a piece of software most travelers never notice. Collins Aerospace runs MUSE. It is the shared check-in system used across many European airports. Heathrow, Brussels, Berlin, and Dublin lost their automated systems. Staff checked passengers in by hand. At least 217 flights were canceled. None of those airports was breached. Each lost the service it exists to provide. That is the shape of Europe’s new cyber risk.

Black Kite has now mapped that risk across the continent. Its first Europe-only report tracked 2,066 ransomware incidents over 16 months. Attacks rose 55.1% in early 2026. The bigger warning sits in the supply chain. European law makes the buyer accountable for it. The report is titled 2026 European Cyber Risk Report: Ransomware Is Escalating and Your Third Parties Are the Entry Point.

[Figure: Map of Europe showing ransomware spreading across the continent; Germany, the United Kingdom, France, Italy, and Spain account for 70% of European ransomware incidents.]

Europe’s Ransomware Count Climbs Fast

The report covers January 2025 through April 2026. It spans 31 countries. The pace matters more than the total. Monthly incidents rose from 108 in early 2025 to 171 in early 2026. The first four months of 2026 ran 55.1% above the same months of 2025. Read as raw totals, early 2026 can look lower than late 2025. That comparison misleads. It counts four months against six. Adjusted for time, early 2026 shows the sharpest jump in the dataset. Ferhat Dikbiyik is Black Kite’s Chief Research and Intelligence Officer. He said, “Three forces are converging on European organisations at once.” Those forces are faster ransomware, supplier exposure, and tougher laws.

Five Countries Carry Most Of The Damage

Ransomware does not spread evenly across Europe. Five countries absorbed 68.5% of all recorded incidents. Germany led with 370 incidents. The United Kingdom followed with 347. France, Italy, and Spain came next. These are Europe’s five largest economies. Their place at the top is no surprise. The concentration is also tightening. The Big Five’s share climbed to 71.2% in early 2026. Two groups shaped the threat map. Qilin acted as the generalist. It struck 26 of the 31 countries studied. It logged 372 incidents, more than double its nearest rival. SafePay played the specialist. More than half of its European activity hit German targets.


Manufacturing And IT Services Absorb The Most Attacks

Two sectors took nearly half of Europe’s ransomware. Manufacturing led at 27.9%. Professional, scientific, and technical services followed at 17.8%. The pattern inside each sector differs sharply. Manufacturing exposure spreads wide across dozens of subindustries. Technical services exposure narrows onto one. Computer systems design was the single most-targeted subindustry in Europe. The report calls that “a strategic pattern.” It matters for supply chain cyber risk. An IT services firm is itself a supplier. Its compromise reaches every client it serves.

Suppliers Become The Breach

The report’s sharpest section examines supplier breaches. Black Kite counted 64 European organizations pulled into an incident through a third party. That figure is small against 2,066 direct incidents. The raw count stays low; the danger is concentration. One Swedish supplier accounted for 34 of those 64 cases. Ransomware actors breached Miljödata over a weekend in August 2025. Miljödata provides HR systems to roughly 80% of Sweden’s municipalities. The breach exposed data on more than one million individuals. Around 250 customers reported an impact. The report calls it “one vendor, one weekend, one million records.” None of those customers was breached directly.

Other cascades followed the same shape. Seven European names were hit through the Salesforce ecosystem. They included Chanel, Pandora, and Air France-KLM. The report also linked the Marks & Spencer breach to exposed credentials tied to a contractor. The Collins Aerospace airport outage fits the same pattern. One shared platform failed. Many organizations lost service at once.

The Law Now Holds You Responsible

This is where Europe differs from the United States. European law treats a supplier’s security as your problem. The NIS2 Directive sits at the center. Article 21 requires firms to assess and monitor direct suppliers. The duty applies regardless of where the supplier sits. DORA adds the same pressure on financial services. It demands continuous monitoring of ICT providers. The CER Directive frames supplier failure as a continuity risk. The penalties carry weight. NIS2 fines reach 10 million euros or 2% of global turnover. The higher figure applies. Transposition still runs unevenly across member states. The buyer’s duty stands wherever the directive is in force.


What This Means For Cyber Insurance Underwriting

The report rarely mentions cyber insurance. The implications still land on underwriting desks. Start with accumulation risk. One supplier breach can hit many insured clients at once. Miljödata touched 250 customers. Collins Aerospace touched several national airports. Estimates of the Collins damage run into the millions of euros. One security firm put the figure above 50 million euros. That number remains unconfirmed. A single event can still trigger correlated claims across a book. That is the exposure reinsurers fear most. It also shapes how policies respond to supply chain risk.

Next comes a second loss vector. NIS2, DORA, and CER attach penalties to supplier failures. A breach can now produce both a loss and a fine. Underwriters pricing European books face both at once. Timing adds a further problem. Attackers often strike before public disclosure. Policy triggers tied to disclosure dates can lag the actual loss. Visibility remains thin. Most firms still lack a full view of their supply chains. The European map raises the stakes on closing that gap.

FAQ – European Cyber Risk

What did Black Kite’s 2026 Europe report find?

It found that ransomware against European organizations is accelerating. Incidents rose 55.1% in early 2026. A growing share reached victims through compromised suppliers. European law now makes buyers accountable for supplier security.

How much did European ransomware rise?

Black Kite recorded 2,066 incidents across 16 months. The first four months of 2026 ran 55.1% above the same period in 2025. Monthly incidents climbed from 108 to 171.

How does NIS2 change cyber insurance exposure?

NIS2 makes firms accountable for the security of direct suppliers. Fines reach 10 million euros or 2% of global turnover. A supplier failure can produce both a breach loss and a regulatory penalty.
