Supply Chain Attacks: Why 63 Percent of Strikes on Europe's Banks Come Through Suppliers

Summary

A growing share of cyberattacks on Europe's financial sector no longer targets banks directly. Instead, criminals go after the software and hardware suppliers that banks depend on. According to a recent report by security firm Armis, 63 percent of successful attacks on financial institutions now originate from these third-party vendors. For bank customers across Europe, that means the safety of their money rests on a chain of invisible service providers they never see. The EU is responding with strict rules such as DORA and NIS2, which now hold company executives personally accountable. This article explains how these supply chain attacks work, what they mean for you, and how businesses and consumers can protect themselves.

Introduction

Imagine a burglar who does not pick your front door, but quietly gets a copy of the key from your locksmith. That is exactly how cybercriminals approach banks today. Rather than storming the heavily guarded systems of major financial institutions head-on, they look for the weakest point nearby: smaller software firms, IT service providers and device manufacturers. The latest Armis report puts a startling figure on it - 63 percent of all successful attacks on the financial sector now travel through these suppliers. Supply chain attacks have become the biggest invisible threat to Europe's banks.

The Invisible Backdoor: How Attackers Take the Detour Through Suppliers

Modern banks do not operate alone. Behind every app, every transfer and every cash machine sit dozens of outside companies: cloud providers, payment processors, security software vendors and the makers of routers, firewalls and servers. Attackers exploit exactly these connections. By compromising a single supplier, they can reach many banks at once through a trusted, legitimate link.
What makes it worse is that the very technology meant to protect networks is becoming the risk. According to Armis, firewalls and VPN devices showed up as the initial entry point in 40 percent of investigated incidents during 2024 and 2025. Speed adds to the danger. For around a quarter of disclosed vulnerabilities, attacks began on the same day the flaw was officially reported, leaving defenders almost no time to react.
Recent European cases show how real the threat is. Research by SecurityScorecard found that 96 percent of Europe's 100 largest financial institutions suffered at least one security incident through a service provider within a single year - up from 78 percent the year before. UK retailer Marks & Spencer reportedly lost around 136 million pounds in profit after an attack that came through an external contractor. Even the European Commission was hit: through a tampered version of the widely used security tool Trivy, attackers broke into the cloud behind several EU websites. The message is clear: no organisation is too large or too well defended to be vulnerable through a supplier.

What This Means for You - and How to Stay Safe

For ordinary bank customers across Europe, this has very real consequences. When a service provider is hacked, personal data, account numbers or even login details can fall into the wrong hands - through no fault of your own. In the worst case, online banking or card payments go down for a while. Trust in your own bank suffers, even when it was never directly attacked.
The European Union has recognised the problem and is tightening the rules. Since January 2025, the DORA regulation has required banks and insurers to map every one of their IT suppliers and actively monitor weak spots. Serious incidents must be reported within just four hours. Alongside it, the NIS2 directive is moving into enforcement across many countries in 2026. The biggest change is this: executives and managers can now be held personally liable if they neglect necessary protective measures. Cybersecurity has firmly become a boardroom issue.
But individuals can act too. Turn on two-factor authentication everywhere, ideally with an app or a passkey rather than SMS. Use a unique, strong password for every service and rely on a password manager. Check your account status only through your bank's official app or website, never through links in emails or text messages. Do not react hastily to alarming messages about blocked accounts, because that is exactly what scammers count on. Keep an eye on your transactions and report anything unusual straight away. Businesses, in turn, should monitor their suppliers continuously rather than just once, prepare clear emergency plans, and fix vulnerabilities before attackers can exploit them.

Conclusion and Outlook

Supply chain attacks are the quiet but growing threat to Europe's financial world. As long as banks rely on a dense web of service providers, each one remains a possible way in. With DORA and NIS2, Europe has built one of the strictest protective frameworks in the world, yet rules alone do not stop attackers. What matters now is whether companies take their entire chain as seriously as their own front door - and whether consumers stay alert. Knowing the risks is already an important step toward greater safety.

Sources

Armis - How Financial Services Can Close the Exposure Window: 2026 Cyber Defense Strategies (armis.com)
SecurityBrief UK - Third-party cyber breaches surge 25% in Europe's top banks (SecurityScorecard data, securitybrief.co.uk)
CX Today - Supply Chain Cyber Attacks Rise, EU Breach Exposes Weakness (WEF Global Cybersecurity Outlook 2026, cxtoday.com)
CSO Online - CERT-EU blames Trivy supply chain attack for Europa.eu data breach (csoonline.com)
Digit.fyi - Major banks hit by vendor cyber-attack (Marks & Spencer figure, digit.fyi)
SecurityToday / Digital Chiefs - DORA und NIS2: persönliche Haftung und Drittanbieter-Pflichten 2026 (DORA and NIS2: personal liability and third-party obligations 2026; securitytoday.de, digital-chiefs.de)
Börse Express - Finanzsektor unter Druck: Cyberangriffe und neue Haftungsrisiken (Financial sector under pressure: cyberattacks and new liability risks; boerse-express.com)