25 March 2026

The blind spot in European cyber reporting: we’re focusing on the wrong KPIs 📊

In the Netherlands, we measure and know a great deal.

  • In 2024, nearly 40,000 data breaches were reported.
  • In 2025, 65 ransomware attacks were officially reported to the police.

The actual number is likely higher.

What we do not measure is how many companies go under as a result.

📝 Bankruptcies are recorded as:

  • Liquidity problems
  • Loss of revenue
  • Debt position

Yet any of these could just as easily be the result of a data breach or ransomware incident.

Internationally, we do see the impact reflected in individual cases:

  • Jaguar Land Rover (UK) saw production come to a prolonged standstill, with a major impact on suppliers and significant financial pressure
  • Fasana (DE) had to halt production following a ransomware attack, resulting in major daily losses and ultimately bankruptcy
  • Stoli Group (US) ran into financial difficulties following cyber incidents and operational disruption, which contributed to its bankruptcy
  • KNP Logistics (UK) went bankrupt following a ransomware attack that completely paralysed its IT systems

These are not incidents.

These are business continuity risks.

As long as we fail to make that connection, we systematically underestimate the impact of cyber incidents and treat them as an IT problem.

In reality, it is a business continuity risk, and it therefore belongs on the boardroom table, not just with IT.

The most important KPI is not:

“How many incidents have we had?”

But:

“How many of these incidents could have brought our business down?”