
Digital supply chain 2025-2026: 5 lessons for the CISO from European and global data

By Adrián González · CEO · Published: 11 June 2026 · Updated: 11 June 2026

Two reports published in recent months paint the same picture: digital supply chain risk has stopped being an abstract regulatory concern and has become the structural pattern that most reshapes security teams' daily operations. The numbers come from verifiable sources, not from marketing.

The ENISA Threat Landscape 2025 (published on 1 October 2025, with incidents from 1 July 2024 to 30 June 2025) analyses 4,875 incidents across the European Union. The Verizon Data Breach Investigations Report 2026 (covering November 2024 to October 2025) adds a global view with a different sample mix. Read together, they offer five concrete lessons a CISO can turn into a 2026 action plan.

1. Software vulnerabilities overtake credentials as the leading initial vector

For years the dominant narrative was that breaches began with a leaked password or a phishing email. In 2025 the balance shifts. Verizon DBIR 2026 puts at 31 per cent the breaches that begin with software vulnerability exploitation, above stolen credentials. ENISA, with its own methodology and European focus, places vulnerability exploitation at 21.3 per cent of initial intrusion vectors, only behind phishing.

For the CISO the message is operational: vulnerability management — prioritised by real exposure, not by isolated CVSS — becomes the control that most reduces breach probability. The tools are already on the market (KEV as a mandatory minimum list, EPSS as a probability signal), but most organisations still prioritise by theoretical severity. That gap between practice and evidence is the hardest to close.
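As an added illustration of the prioritisation this section describes (not code from either report or from Hard2bit), the following Python ranks findings with KEV as a mandatory floor, EPSS as the probability signal and exposure as context, and compares the result with a CVSS-only ordering. The level thresholds, SLA days and CVE identifiers are constructed placeholders, not values taken from ENISA or Verizon.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    cve: str
    cvss: float            # base score, the "theoretical severity"
    epss: float            # EPSS probability of exploitation (0..1)
    in_kev: bool           # listed in CISA Known Exploited Vulnerabilities
    internet_exposed: bool # reachable from the outside (real exposure)
    asset_criticality: int # 1 (low) .. 3 (high), from the asset inventory

# Hypothetical policy: remediation deadline in days per level.
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}

def priority(f: Finding) -> str:
    """KEV is a mandatory minimum; EPSS and exposure raise the level further."""
    if f.in_kev:
        return "P1" if f.internet_exposed else "P2"
    if f.epss >= 0.5 and (f.internet_exposed or f.asset_criticality == 3):
        return "P1"
    if f.epss >= 0.1 or (f.cvss >= 9.0 and f.internet_exposed):
        return "P2"
    if f.cvss >= 7.0:
        return "P3"
    return "P4"

def due_in_days(f: Finding) -> int:
    """Deadline by level, so the policy is comparable across teams."""
    return SLA_DAYS[priority(f)]

def rank(findings):
    """Evidence-based order: level first, then EPSS, then CVSS as tie-breaker."""
    order = {"P1": 0, "P2": 1, "P3": 2, "P4": 3}
    return sorted(findings, key=lambda f: (order[priority(f)], -f.epss, -f.cvss))

def rank_by_cvss(findings):
    """The 'theoretical severity' ordering most organisations still use."""
    return sorted(findings, key=lambda f: -f.cvss)

# Constructed sample; CVE ids are placeholders, not real vulnerabilities.
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, 0.02, False, False, 1),  # critical CVSS, internal, no exploitation signal
    Finding("CVE-0000-0002", 7.5, 0.91, True, True, 2),    # in KEV and exposed
    Finding("CVE-0000-0003", 8.1, 0.04, False, True, 3),   # exposed, low EPSS
    Finding("CVE-0000-0004", 6.5, 0.63, False, True, 3),   # medium CVSS, high EPSS, exposed
]

if __name__ == "__main__":
    print("CVSS only :", [f.cve for f in rank_by_cvss(SAMPLE)])
    print("KEV+EPSS  :", [(f.cve, priority(f), due_in_days(f)) for f in rank(SAMPLE)])
```

The CVSS 9.8 finding tops the CVSS-only list but drops to last under the evidence-based order, which is the gap the section describes.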

2. Digital dependencies are now the main impact multiplier

Juhan Lepassaar, ENISA Executive Director, put it plainly when presenting the report: "Systems and services that we rely on in our daily lives are intertwined, so a disruption on one end can have a ripple effect across the supply chain. This is connected to a surge in abuse of cyber dependencies by threat actors that can amplify the impact of cyberattacks."

The change in tone matters. This is no longer the classic "watch your suppliers" line, but the institutional acknowledgement that digital interdependence is a structural damage accelerator. When a critical SaaS provider goes down or is compromised, the incident stops being bilateral and starts having cascading effects on customers, partners and, in regulated sectors, citizens.

Operationally this translates into third-party risk management (TPRM) programmes that can no longer live in a vendor spreadsheet. They need a consolidated inventory, per-service criticality, technical due diligence with evidence, contractual clauses aligned with DORA and NIS2, continuous monitoring between formal reviews and a documented exit plan for critical vendors. Article 28 of DORA and article 21.2.d of NIS2 ask for precisely this.

3. Phishing remains number one and generative AI is industrialising it

If you expected generative AI to have changed the attacker's playbook, the data does not yet support it. ENISA identifies phishing — email, vishing, malspam and malvertising — as the leading initial intrusion vector with about 60 per cent of observed cases. What was already a chronic problem is now automated: by early 2025, AI-supported social engineering campaigns represent more than 80 per cent of observed global activity, according to the report itself.

What changes is the attacker's barrier to entry. Phishing-as-a-Service (PhaaS) lets you deploy convincing campaigns with minimal cost and expertise. The attack no longer requires a sophisticated actor and becomes commodity, while defence still depends on people having to tell a real email from one fabricated by a model. The asymmetry is unfavourable.

Verizon DBIR 2026 adds a nuance: mobile sees a 40 per cent higher click-through rate than traditional email. Organisations have spent years training users to spot phishing in the inbox; the attacker has moved the front line to SMS, instant messaging and push notifications. Awareness based exclusively on email simulations falls short.

4. Hacktivists and state-aligned actors converge on tools and techniques

One of the most interesting observations in ENISA 2025 is the convergence between threat groups. Hacktivists use tools and techniques that were once the preserve of nation-state actors, and vice versa. ENISA coins the term "faketivism" for intrusions by state-aligned actors that adopt hacktivist appearance to muddy attribution.

The quantitative data reinforces the trend: 77 per cent of incidents reported in the EU during the analysed period are distributed denial-of-service (DDoS) attacks, mostly deployed by hacktivists. Although most have low operational impact (only 2 per cent of hacktivism incidents lead to actual service disruption), they saturate the landscape, consume response capacity and mask higher-impact attacks executed in parallel.

For a CISO this means two practical consequences. First: early attribution is increasingly difficult and risky, so incident response procedures must stay clear of "who is behind this?" until evidence is solid. Second: DDoS resilience needs reinforcement and signal must be separated from noise, because serious actors use hacktivist noise as cover.

5. NIS2 is no longer theory: 53.7% of EU incidents hit essential entities

The number in the report that should worry leadership the most is this: 53.7 per cent of the total incidents recorded in the EU during the period analysed by ENISA affect entities classified as essential under the NIS2 Directive. Public administration leads with 38.2 per cent, followed by transport (7.5%), digital infrastructure and services (4.8%), finance (4.5%) and manufacturing (2.9%).

The overlap between the most attacked sectors and the sectors covered by NIS2 is not coincidental: the regulation was designed precisely to strengthen the resilience of those verticals. The operational problem is that national transposition in many Member States is advancing more slowly than the risk, and organisations still approach NIS2 as a documentary exercise while attackers are already operating.

The lesson is direct: essential entities that still treat the directive as a year-end compliance project are going to arrive late. NIS2 should already be a continuous operational programme with monthly review evidence and metrics leadership understands.

CISO action 2026: turning the five lessons into a plan

If the data converges, the plan can too. Five minimum action blocks for the next twelve months:

  • Prioritise vulnerability management with KEV and EPSS as mandatory inputs, not as optional dashboards. Written policy, deadlines by level and comparable metrics.
  • Professionalise the third-party risk management (TPRM) programme with consolidated inventory, technical due diligence with evidence and documented exit plans for critical vendors. Start with the top 20 highest-impact suppliers and grow.
  • Strengthen awareness beyond email: SMS, instant messaging, voice and push notifications. Realistic simulations adapted to the organisation's profile.
  • Separate DDoS resilience from serious incident response. Saturation is the usual scenario; playbooks must distinguish noise from real attack.
  • Treat NIS2 as a continuous operational programme, not as an annual milestone. Monthly evidence, leadership-level metrics and a clear mapping from every control to a named owner.

In practice, the two fastest starting points are: discover and understand your own external attack surface (Hard2bit Scanner delivers a passive snapshot in 60 seconds for any domain) and stand up a proper attack surface management (ASM/EASM) programme coordinated with vulnerability management. The rest of the plan is built on that inventory.

Conclusion: risk shifts to dependencies, response must follow

The pattern for the next twelve months will not be a single headline-grabbing attack but the accumulation of smaller incidents whose origin will, increasingly, lie in someone else's digital dependency. Organisations entering 2026 with a real TPRM programme, evidence-based vulnerability management and serious attack-surface work will have a measurable advantage. The rest will learn the hard way. To discuss the specific programme that best fits your organisation, contact Hard2bit.

Cited sources

  • ENISA Threat Landscape 2025 (1 October 2025): enisa.europa.eu/publications/enisa-threat-landscape-2025
  • Verizon Data Breach Investigations Report 2026 (period November 2024 to October 2025): verizon.com/business/resources/reports/dbir

Frequently asked questions

What percentage of security breaches originate in the digital supply chain in 2025?

The two main sources do not provide a single figure for "supply chain breach" because the risk does not fit a single category: it spreads across vectors. ENISA Threat Landscape 2025 does quantify the initial intrusion vectors across 4,875 EU incidents: 60% phishing and 21.3% vulnerability exploitation, both common paths to compromise a supplier that then opens the door to its customer. Verizon DBIR 2026 places at 31% the breaches that begin with software vulnerability exploitation, a path through which many SaaS and third-party technology compromises materialise.

What does DORA require on ICT third-party risk management?

Article 28 of the DORA Regulation sets specific obligations for financial entities: maintain a detailed register of ICT vendors, classify the criticality of each arrangement, assess concentration risk, apply minimum contractual clauses, guarantee audit rights and have documented exit plans for critical vendors. The entity remains responsible even when outsourcing and must be able to demonstrate it to the competent supervisor. DORA applies from 17 January 2025.

And NIS2? What does it ask about the supply chain?

Article 21.2.d of the NIS2 Directive requires essential and important entities to manage supply chain risk proportionally to their profile: homogeneous questionnaires, technical due diligence, contractual clauses and evidence of periodic review. ENISA Threat Landscape 2025 documents that 53.7% of incidents recorded in the EU during the period analysed affect entities classified as essential under NIS2, confirming that the directive's sectoral coverage matches the real victim profile.

If we have no TPRM programme yet, where does a CISO start in 90 days?

Five minimum actions, in order: 1) consolidate the real vendor inventory with per-service criticality and data processed; 2) classify the top 20 most critical and apply technical due diligence with evidence, not just declared certifications; 3) review key contractual clauses (audit rights, incident notification, subcontracting, data location, exit plan); 4) install continuous monitoring between formal reviews — material changes, public breaches, certification expirations — and 5) present an executive dashboard with coverage, deadlines and vendors with open improvement plans. This is exactly what DORA requires and what NIS2 will audit.

How do you measure the operational effectiveness of a TPRM programme?

Five useful committee-level metrics: inventory coverage (percentage of vendors with current due diligence), mean review time, number of material findings detected in the last twelve months, critical vendors with open improvement plans and critical vendors with documented exit plans. The most revealing metric is usually the first one: a programme covering less than 80% of critical vendors with current review is not meeting the frameworks required by DORA, NIS2 or ISO 27001:2022 controls 5.19-5.22.