Only 26% of Europe’s top companies earn a high rating for cybersecurity
With the EU’s Digital Operational Resilience Act (DORA) deadline approaching on 17th January, 2025, Europe’s top 100 companies face an urgent cybersecurity challenge, according to SecurityScorecard.
A-rated companies safer from breaches
The report highlights the role of SecurityScorecard’s A-to-F rating system in delivering actionable insights into cyber resilience. Companies with an A rating were found to be 13.8 times less likely to experience a breach than those with an F rating.
Europe’s largest organizations are facing mounting cybersecurity challenges, with third- and fourth-party ecosystems emerging as significant points of vulnerability. Alarmingly, 98% of European companies experienced third-party breaches in the past year, leaving businesses exposed to operational disruptions and reputational risks.
18% of companies reported direct breaches in the past year, illustrating significant gaps in internal defenses. Only 26% of Europe’s top 100 companies achieved an A rating for cybersecurity resilience.
None of the European companies with an A grade were breached in the last year, demonstrating the importance of having an A grade.
Supply chain vulnerabilities create an all-too-easy point of entry for adversaries to make their way into organizations and networks. Organizations of all sizes are only as secure as their weakest link, which means even the ones that invest large sums into security still face risks from third- and fourth-party vulnerabilities.
Companies in the energy sector had the lowest overall security ratings, with an alarming 75% receiving a C rating or below. This is unsurprising, considering that both of these industries have unusually complex attack surfaces, with vast networks of third-party vendors, partners, and service providers. 25% of the energy companies also experienced direct breaches in the last year.
The transport sector stands out as the most secure in Europe, with no companies scoring a C rating or lower. The technology sector follows closely, with only 25% of companies falling into the C rating category or below.
Scandinavian companies lead in cybersecurity, with only 20% receiving a C rating or lower, compared to the UK (24%), Germany (34%), France (40%), and Italy (41%). France has the highest rate of third- and fourth-party vendor breaches, at 98% and 100% respectively. These rates surpass those of the UK, Germany, Italy, and Scandinavia, highlighting a significant vulnerability in managing supply chain security.
Larger companies outperform smaller firms in security ratings
The top 50 companies by market capitalization (USD 82 billion plus) have higher security ratings than the 50 companies with lower market capitalization. An average of 36% of the companies with lower market capitalization have a C rating or below, while an average of 24% of the higher-value companies have a C rating or below.
This demonstrates that any company, regardless of size, industry, value, or revenue, can be a target for cyber criminals if it doesn’t have strong cyber defenses.
“Supply chain vulnerabilities remain a critical threat, as adversaries exploit these weak links to infiltrate global networks. With regulations like DORA set to reshape cybersecurity standards, European companies must prioritize third-party risk management and leverage rating systems to safeguard their ecosystems,” said Ryan Sherstobitoff, SVP of Threat Research and Intelligence at SecurityScorecard.
“Our data clearly shows that organizations with top-tier cybersecurity ratings are far less likely to experience breaches. By leveraging these ratings, companies can not only protect themselves but also hold vendors accountable, creating stronger, more resilient supply chains,” said Jeff Le, VP, Global Government Affairs & Public Policy at SecurityScorecard.
Improving cybersecurity hygiene is a top priority for many European companies as nearly all have faced third- and fourth-party breaches, exposing them to significant risks.