Nearly 70% of all recorded ransomware incidents were concentrated in Germany, the United Kingdom, France, Italy, and Spain, highlighting the concentration of cyber risk in Europe’s largest markets
BOSTON, June 25, 2026 /PRNewswire/ — Black Kite, the leader in third-party cyber risk management, today released its 2026 European Cyber Risk Report: Ransomware Is Escalating and Your Third Parties Are the Entry Point. Black Kite’s first report dedicated to Europe identifies where ransomware risk is concentrated across the continent and what the region’s evolving accountability standards mean for organisations managing threats that begin beyond their own perimeter.
“Three forces are converging on European organisations at once: ransomware is accelerating, supply chains are becoming a primary attack path, and regulations are placing greater emphasis on third-party risk,” said Dr. Ferhat Dikbiyik, Chief Research and Intelligence Officer, Black Kite. “Our research shows that some of Europe’s most significant ransomware incidents are defined less by the initial victim than by the scale of their downstream impact across an interconnected ecosystem. As regulations like NIS2 and DORA continue to reshape expectations, organisations are under growing pressure to demonstrate a deeper understanding of the cyber risk that exists across their supplier ecosystem. Understanding where risk is concentrated, and how it can spread, is becoming essential for building resilience”.
Black Kite’s research arrives at a time when third-party cyber risk is becoming a greater focus for European organisations and regulators alike. Under frameworks such as NIS2 and DORA, organisations face increasing obligations to assess and oversee cyber risk across their supplier ecosystem, just as ransomware activity across Europe continues to accelerate.
In just 16 months, Black Kite tracked publicly disclosed ransomware incidents across Europe and the pace is accelerating. Ransomware attacks rose 55.1% year-over-year in the first four months of 2026 and reached an average of 171 incidents per month.
Nearly 70% of Europe’s ransomware activity was concentrated in just five countries – Germany, the United Kingdom, France, Italy, and Spain – with Germany emerging as the most-targeted country. Looking across Europe as a whole, Qilin was the most active ransomware group identified in the research. What makes Qilin notable isn’t just its volume, but its geographic footprint. The group was linked to incidents in 26 of the 31 countries analysed, making it a true ransomware generalist. SafePay, the third most active ransomware group, followed a very different strategy. More than half of its European activity targeted German organisations, highlighting how some ransomware groups are casting a wide net across Europe while others are concentrating on a single market.
