A Continent Under Pressure
Black Kite released its first report dedicated entirely to Europe on June 25, and the headline number is stark. Ransomware incidents across the continent rose 55.1 percent year over year in the first four months of 2026, reaching an average of 171 incidents per month. For a region that has invested heavily in regulation and resilience, that trajectory is a sobering reminder that policy maturity has not translated into a slowdown of actual attacks. If anything, Europe is now squarely in the crosshairs, and the gap between regulatory ambition and operational reality has rarely been more visible than in these figures.
The report spans 31 countries, covering the 27 EU member states plus the United Kingdom, Switzerland, Norway and Turkey, which makes the trend hard to dismiss as a local anomaly. Black Kite's chief research and intelligence officer Dr. Ferhat Dikbiyik framed the moment as a convergence of three forces, noting that ransomware is accelerating, supply chains are becoming a primary attack path, and regulations are placing greater emphasis on third-party risk. Those three pressures are arriving at once, and the organizations caught between them are precisely the enterprises this report set out to study, often without the visibility to see all three coming.
Where the Damage Concentrates
The pain is not evenly distributed. Five countries absorbed roughly 70 percent of all incidents: Germany led with 370 incidents at 17.9 percent, followed by the United Kingdom at 347 and 16.8 percent, France at 255 and 12.3 percent, Italy at 240 and 11.6 percent, and Spain at 203 and 9.8 percent. These are Europe's largest economies, and their concentration at the top of the list reflects the simple economics of extortion. Attackers go where the revenue, the data and the willingness to pay are densest, and the major economies offer all three in abundance.
For multinational CISOs, this geography matters operationally. A security program calibrated to a quieter market will be underprepared if it carries meaningful exposure in Germany, the UK or France, where the volume of attempts is materially higher. The data argues for risk-weighting defensive investment by jurisdiction rather than spreading it evenly, and for treating the major European economies as high-threat environments on par with the most-targeted regions globally. Volume at this scale is not background noise. It is a planning input that should inform where you concentrate detection engineering, response capacity and tabletop preparation across a multinational footprint.
Qilin Runs the Table
One name dominates the European landscape. Black Kite identifies Qilin as the most active ransomware group on the continent, linked to incidents in 26 of the 31 countries analyzed, alongside notable activity from Akira and SafePay. A single brand reaching into 26 national markets is a measure of how industrialized the ransomware-as-a-service model has become. Qilin does not need a presence everywhere. Its affiliate network projects its reach across borders with little additional effort from the core operators, who effectively franchise the attack and collect a cut of every payment.
That near-ubiquity carries a defensive upside. When one group is responsible for incidents in the overwhelming majority of countries, its tactics, techniques and procedures become a high-value detection target. Investing in robust coverage against Qilin's known playbook yields protection across most of Europe at once, which is an unusually efficient return on detection engineering. We would encourage security teams operating in the region to prioritize threat intelligence and detection engineering specifically around Qilin, treating it as the default adversary rather than one option among many on a long and undifferentiated list of possible attackers.
The Supply Chain Multiplier
The report's most instructive finding is about leverage. Sixty-four European organizations were impacted through third parties, and a striking 53 percent of those traced back to a single event, the Miljodata breach. That statistic is the supply-chain risk thesis distilled into one number: compromise one well-placed vendor and the blast radius engulfs dozens of downstream organizations that did nothing wrong themselves. As Dikbiyik observed, some of Europe's most significant incidents are defined less by the initial victim than by the scale of their downstream impact across an interconnected ecosystem.
This is why third-party risk has moved from compliance checkbox to genuine operational priority, and why regulators across Europe are codifying it. The sector data reinforces the point: manufacturing was the most targeted vertical at 27.9 percent, ahead of professional, scientific and technical services at 17.8 percent, both ecosystems built on dense webs of suppliers and service providers. For CISOs, the implication is unambiguous. Mapping critical vendor dependencies and demanding evidence of their security posture is no longer optional, because the next major incident may arrive through a partner you have never directly assessed, on a day you had no reason to be watching them.
Regulation Meets Reality
The timing of this report is not incidental. Europe has spent the past two years operationalizing frameworks such as NIS2 and DORA, both of which place explicit, auditable obligations on organizations to manage the security of their suppliers and report incidents promptly. Black Kite's data lands as those rules move from drafting to enforcement, and the numbers suggest the threat is outrunning the compliance timeline. A 55 percent year-over-year jump is not the profile of a region that has its supply-chain risk under control, regardless of how many policy documents reference it.
For boards and CISOs, the convergence Dikbiyik describes is the real headline: accelerating ransomware, supply chains as the primary attack path, and regulators demanding third-party accountability are arriving simultaneously. That combination turns vendor risk from a periodic questionnaire exercise into a continuous monitoring problem with legal teeth. Organizations that treated third-party assessments as an annual formality will find that posture untenable when a single vendor breach can implicate dozens of customers and trigger reporting obligations across multiple jurisdictions. The defensible response is continuous visibility into critical suppliers, not a spreadsheet refreshed once a year. Black Kite frames this plainly: understanding where risk is concentrated, and how it can spread, is becoming essential to building resilience, and the Miljodata wave shows how quickly a single upstream failure cascades into a continent-wide event.
