As the EU’s Digital Operational Resilience Act (DORA) deadline looms on January 17, 2025, European companies are under immense pressure to enhance their cybersecurity frameworks. A recent report by SecurityScorecard has made it clear that major vulnerabilities exist, with 98% of Europe’s top 100 companies experiencing third-party breaches in the past year. This unsettling statistic underscores the widespread vulnerabilities within Europe’s largest organizations, with serious implications for operational continuity and regulatory compliance. Therefore, companies must take substantial steps to fortify their cybersecurity measures ahead of the strict regulations imposed by DORA.
The supply chain has emerged as a critical area of concern, with breaches in third- and fourth-party ecosystems cited by nearly all companies surveyed. These findings highlight the interconnected risks of supply chains, where even minor vendor missteps can expose organizations to significant cyber threats. Supply chain vulnerabilities remain a critical threat, as adversaries exploit these weak links to infiltrate global networks. With regulations like DORA set to reshape cybersecurity standards, European companies must prioritize third-party risk management and leverage rating systems to safeguard their ecosystems.
The findings are compounded by the fact that 18% of companies experienced direct breaches, revealing substantial gaps in internal defenses. These incidents highlight the urgent need for businesses to strengthen their cybersecurity frameworks, particularly as regulators tighten scrutiny under DORA. Addressing this can no longer be postponed; actionable measures are necessary to enhance resilience against cyber threats.
1. Fortify Application and Network Security
A tale of two sectors reveals contrasting resilience in the transport and energy industries. The transport sector has emerged as Europe’s most secure, with all companies achieving a B rating or higher. Transport companies have invested in robust cybersecurity due to the sector’s reliance on interconnected logistics networks and its exposure to ransomware attacks. This proactive approach has resulted in a comparatively resilient security posture, setting an example for other sectors to follow. Organizations across all sectors should draw from the transport sector’s commitment to strong defenses in application and network security to mitigate cyber threats effectively.
In stark contrast, the energy sector fares poorly, with 75% of firms rated C or below. This low performance is attributed to the sector’s inherently complex attack surface, involving extensive third-party dependencies for critical operations. Adding to the energy sector’s challenges, 25% of its companies reported direct breaches over the past year, highlighting the urgent need for more stringent protective measures. The energy sector’s vulnerabilities also reflect its attractiveness as a target for nation-state actors and sophisticated threat groups. With critical infrastructure at stake, the consequences of a breach extend beyond financial losses to potential national security implications.
2. Ensure DNS Integrity
Geographic disparities in cybersecurity resilience are equally stark. Scandinavian companies lead the pack, with only 20% rated C or below. This performance reflects a long-standing emphasis on digital innovation and robust cybersecurity policies in Nordic countries, where collaboration between governments, industries, and academia has fostered a proactive security culture. Scandinavian companies have also invested heavily in employee training and advanced threat detection technologies, reducing their vulnerability to breaches. The example set by Scandinavian companies underlines the critical importance of ensuring DNS integrity to prevent exploitation.
Meanwhile, France lags, with 40% of its companies in the lowest rating tiers. French firms reported the highest rates of third- and fourth-party breaches, at 98% and 100% respectively. These figures indicate significant challenges in managing supply chain security, potentially stemming from a reliance on complex vendor ecosystems. Additionally, regulatory enforcement in France has historically focused more on data privacy than operational resilience, which may have contributed to gaps in addressing third-party risks. Ensuring DNS integrity is an immediate step towards closing these vulnerabilities and enhancing overall security.
3. Boost Endpoint Security
The UK, Germany, and Italy sit between these extremes, with varying levels of readiness. The UK’s strong financial services sector has driven higher investments in cybersecurity, but gaps persist in smaller industries and among mid-sized firms. Germany’s industrial base faces challenges from its reliance on legacy systems, while Italy’s fragmented business landscape often hampers unified cybersecurity efforts. These regional variations underscore the importance of a harmonized approach to cybersecurity. Boosting endpoint security by addressing weaknesses in devices like laptops and mobile phones is a critical step toward achieving this.
SecurityScorecard’s A-to-F rating system offers crucial insights into organizational cyber resilience. According to the report, companies with an A rating are 13.8 times less likely to experience a breach compared to those with an F rating. Despite these clear benefits, only 26% of Europe’s largest companies achieved an A rating, while 36% were rated C or below. Such statistics highlight the uneven progress in mitigating cyber risks. By boosting endpoint security, companies can protect themselves and hold vendors accountable, creating stronger, more resilient supply chains.
4. Improve Patching Frequency