98% of Europe’s Largest Companies Report Third-Party Breaches Ahead of DORA Deadline
As the EU’s Digital Operational Resilience Act (DORA) deadline looms on 17 January 2025, a recent SecurityScorecard report has revealed a stark reality: 98% of Europe’s top 100 companies have faced third-party breaches over the past year.
This unsettling statistic underscores the widespread vulnerabilities within Europe’s largest organisations, with serious implications for operational continuity and regulatory compliance.
Supply chain vulnerabilities have emerged as a critical challenge, with nearly all companies in the report citing breaches in their third- and fourth-party ecosystems. The report highlights the cascading risks of interconnected supply chains, where even a minor vendor misstep can expose an organisation to significant cyber threats.
“Supply chain vulnerabilities remain a critical threat, as adversaries exploit these weak links to infiltrate global networks,” said Ryan Sherstobitoff, SVP of Threat Research and Intelligence at SecurityScorecard. “With regulations like DORA set to reshape cybersecurity standards, European companies must prioritise third-party risk management and leverage rating systems to safeguard their ecosystems.”
The findings are compounded by the fact that 18% of companies experienced direct breaches, revealing substantial gaps in internal defences. These incidents highlight the urgent need for businesses to strengthen their cybersecurity frameworks, particularly as regulators tighten scrutiny under DORA.
A Tale of Two Sectors
The report reveals stark differences in sectoral resilience. The transport sector stands out as Europe’s most secure, with all companies achieving a B rating or higher. Transport companies have long invested in robust cybersecurity due to the sector’s reliance on interconnected logistics networks and its exposure to ransomware attacks. This proactive approach has resulted in a comparatively resilient security posture.
In contrast, the energy sector fares poorly, with 75% of firms rated C or below. This low performance is attributed to the sector’s inherently complex attack surface, involving extensive third-party dependencies for critical operations. Adding to the energy sector’s challenges, 25% of its companies reported direct breaches over the past year, highlighting the urgent need for more stringent protective measures.
The energy sector’s vulnerabilities also reflect its attractiveness as a target for nation-state actors and sophisticated threat groups. With critical infrastructure at stake, the consequences of a breach extend beyond financial losses to potential national security implications. The disparity between sectors underscores the varying levels of preparedness and investment in cybersecurity, emphasising the need for sector-specific strategies.
Geographic Divide
Regional disparities in cybersecurity resilience are equally stark. Scandinavian companies lead the pack, with only 20% rated C or below. This performance reflects a long-standing emphasis on digital innovation and robust cybersecurity policies in Nordic countries, where collaboration between governments, industries, and academia has fostered a proactive security culture. Scandinavian companies have also invested heavily in employee training and advanced threat detection technologies, reducing their vulnerability to breaches.
Meanwhile, France lags, with 40% of its companies in the lowest rating tiers. French firms reported the highest rates of third- and fourth-party breaches, at 98% and 100% respectively. These figures indicate significant challenges in managing supply chain security, potentially stemming from a reliance on complex vendor ecosystems. Additionally, regulatory enforcement in France has historically focused more on data privacy than operational resilience, which may have contributed to gaps in addressing third-party risks.
The UK, Germany, and Italy sit between these extremes, with varying levels of readiness. For instance, the UK’s strong financial services sector has driven higher investments in cybersecurity, but gaps persist in smaller industries and among mid-sized firms. Germany’s industrial base faces challenges from its reliance on legacy systems, while Italy’s fragmented business landscape often hampers unified cybersecurity efforts.
These regional variations underscore the importance of a harmonised approach to cybersecurity. DORA’s regulatory framework aims to address these inconsistencies, compelling organisations across Europe to adopt more stringent standards and practices. However, the findings suggest that significant work remains to ensure collective resilience across all regions.
Grading the Risk
SecurityScorecard’s A-to-F rating system offers critical insights into organisational cyber resilience. According to the report, companies with an A rating are 13.8 times less likely to experience a breach compared to those with an F rating.
Despite these clear benefits, only 26% of Europe’s largest companies achieved an A rating, while 36% were rated C or below. Such statistics highlight the uneven progress in mitigating cyber risks, particularly among organisations with complex attack surfaces.
Jeff Le, VP of Global Government Affairs & Public Policy at SecurityScorecard, echoed this sentiment: “Our data clearly shows that organisations with top-tier cybersecurity ratings are far less likely to experience breaches. By leveraging these ratings, companies can not only protect themselves but also hold vendors accountable, creating stronger, more resilient supply chains.”
Recommendations for Resilience
The report outlines actionable steps for improving cybersecurity resilience, particularly for high-risk companies rated C or below. Key recommendations include:
- Strengthening application and network security: Robust defences in these areas are fundamental to mitigating cyber threats.
- Ensuring DNS health: Misconfigurations in Domain Name System settings can expose organisations to exploitation.
- Enhancing endpoint security: Addressing vulnerabilities in devices like laptops and mobile phones is critical.
- Improving patching cadence: Timely updates to systems and software are essential to closing security gaps.
With DORA’s implementation deadline fast approaching, these measures are not merely advisable but essential for compliance.
Was this article helpful?
YesNo