Key Takeaway: In 2026 ransomware is a regulatory event, not only a commercial one. Double extortion is the default, the ransomware-as-a-service economy has matured, and NIS2 Article 23 imposes a strict 24-hour and 72-hour notification clock. The organizations that handle ransomware best are the ones that treat it as an incident and as a notification obligation in parallel, not sequentially.
Ransomware has not gone away. It has matured. The threat model that defined 2020 and 2021, a one-time encryption event that a strong backup programme could resolve, belongs to the past. In 2026, a ransomware incident is a multi-stage extortion campaign that applies commercial, reputational, and regulatory pressure at the same time, delivered by attackers who buy their tooling on subscription and operate on an industrial cadence.
This article summarizes what actually changed in ransomware through 2025-2026, the European-specific picture, how the ransomware-as-a-service economy looks today, and, crucially for in-scope entities, how NIS2 reporting obligations now overlap with every significant incident. It closes with a practical seven-item preparedness checklist for essential and important entities.
What actually changed in ransomware through 2025-2026
The headline change that matters most is that double extortion has stopped being optional. Industry threat reports for 2026 describe it as the default model. Attackers now assume that a modern target will have backups, so encryption alone no longer closes the commercial leverage. They exfiltrate data first and threaten publication to keep the pressure on even when restoration is technically successful.
Double extortion is the default
Data is stolen before systems are encrypted. Payment is demanded for both decryption and non-publication. Well-funded backup and restore programmes are necessary but no longer sufficient to close the incident, because the exfiltrated data remains in the attacker's possession.
Triple extortion is now routine for high-value targets
In addition to data theft and encryption, attackers add a third pressure vector: DDoS against customer-facing services, direct notification of the victim's customers or regulators, or harassment of specific employees. This turns ransomware into a multi-stakeholder crisis.
Initial access is dominated by identity, not malware
Most ransomware campaigns in 2026 begin with stolen credentials, social engineering, or exposed remote services rather than with malware delivered to an endpoint. That is why MFA, privileged access management, and exposure-reduction work return more per euro than further investment in pure anti-malware tooling.
Operational tempo has accelerated
Time from initial access to impact, often loosely called dwell time, has compressed. Some campaigns reach encryption within hours of initial access. That shortens the window for detection and response and raises the value of both automation and pre-rehearsed playbooks.
Supply chain ransomware is rising
Rather than attacking a target directly, attackers compromise a common managed service provider, software vendor, or open-source dependency and propagate through its customer base. The 2023 MOVEit Transfer campaign and the repeated compromises of popular npm packages showed the pattern; 2026 has continued it with supply chain incidents recurring every quarter.
The European picture differs from global headlines
Global ransomware statistics often overstate European risk because they are weighted toward the United States. The European picture is meaningfully different. Infection rates are lower, around 0.28 percent according to 2025-2026 industry data, compared to higher rates in Latin America and parts of Asia. But the impact per incident on European entities is often higher because of the regulatory overlay.
Why Europe looks lower on infection rates
- Mature cyber hygiene in large enterprises
- High baseline GDPR-driven data protection
- Stronger law enforcement cooperation (EC3, Europol)
- Less permissive payment environment (banks, insurers)
Why Europe looks worse on impact per incident
- NIS2 Article 23 notification triggers regulatory scrutiny
- GDPR overlap if personal data is exfiltrated
- Dense critical infrastructure in small geographies
- Sector-specific rules (DORA, NIS2, AI Act) may all apply in parallel
The ransomware-as-a-service economy in 2026
Ransomware is a market. Since around 2019, the supply side has steadily professionalised into what the industry calls ransomware-as-a-service (RaaS). Core operators develop the malware and infrastructure. Affiliates carry out the intrusions and negotiate payment. Specialists provide initial access, money laundering, or negotiation services. In 2026 this economy is mature, resilient, and adaptive.
The RaaS value chain
- Initial access brokers sell pre-obtained access to corporate networks, often for a few hundred to a few thousand dollars per target.
- Core operators develop the ransomware, run the leak sites, maintain negotiation infrastructure, and take a percentage of each successful campaign.
- Affiliates execute intrusions, perform lateral movement, exfiltrate data, and deploy the encryption payload.
- Negotiation and payment specialists handle victim communication and cryptocurrency flows.
- Laundering networks convert cryptocurrency proceeds into usable fiat, often through layered mixer and exchange services.
Law enforcement takedowns of major groups (BlackCat/ALPHV's infrastructure seized in December 2023, followed by the group's exit scam in March 2024; LockBit in the February 2024 Operation Cronos action; and several successor groups through 2025) have caused temporary drops in activity. In each case, the ecosystem reconstituted within weeks under new brand names, with affiliates moving between platforms. Takedowns help but do not remove the underlying economic incentive.
NIS2 obligations when you are hit
For essential and important entities, a ransomware incident is almost always a significant incident under NIS2 Article 23. That triggers the staged notification obligation in Article 23(4) to your national CSIRT or competent authority: an early warning within 24 hours, an incident notification within 72 hours, an intermediate status report if the authority requests one, and a final report within one month. All of it runs in parallel with your technical response and business recovery.
Within 24 hours: Early warning
An early warning to indicate whether the incident is suspected of having been caused by unlawful or malicious acts, and whether it could have a cross-border impact. This is not a full report. It is a signal that an incident is underway, enabling the authority to coordinate and offer support. The 24 hours run from the moment the entity becomes aware of the significant incident, not from the end of triage, so a slow severity classification eats directly into the deadline.
Within 72 hours: Incident notification
A fuller notification updating the early warning with an initial assessment of the incident, including severity, impact, and indicators of compromise where available. This is the formal record and tends to be the version that shapes subsequent supervisory engagement.
Within one month: Final report
A final report containing a detailed description of the incident including its severity and impact, the type of threat or root cause that likely triggered it, applied and ongoing mitigation measures, and, where applicable, its cross-border impact. If the incident is still ongoing at the one-month mark, Article 23(4) requires a progress report at that point and the final report within one month of the incident being handled. The final report often feeds into sector-wide lessons-learned work by ENISA and national authorities.
The parallel execution trap: Most ransomware incident response playbooks focus on technical containment, forensics, and recovery. Article 23 notification is a separate workstream with its own timeline, audience, and content requirements. Organizations that run them sequentially miss the 24-hour clock. Organizations that run them in parallel, with a named Article 23 owner in the incident room from the first hour, do not.
A 7-step ransomware preparedness checklist for 2026
If you do nothing else this quarter, the following seven items will meaningfully reduce both the probability and the impact of a ransomware incident under NIS2. They are ordered by highest return on effort first.
Phishing-resistant MFA on privileged and external-facing accounts
Since initial access now runs primarily through identity, MFA is the highest-leverage control. FIDO2 security keys, passkeys, or smart cards for administrators and for remote access, because these are the only methods that resist real-time phishing proxies. TOTP or number-matching push as the floor for everyone else; SMS only where nothing else is feasible, since it is neither phishing-resistant nor SIM-swap-resistant. Track coverage per account class and close known exceptions, starting with service accounts and break-glass accounts that were exempted "temporarily".
Immutable or offline backups and a tested restore path
Attackers target backups first. Backups that can be reached from production cannot be relied on. Implement immutability (object-lock, WORM) or true air-gapping, and run restore tests at least quarterly for critical systems.
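Immutability is only as good as the settings behind it. The check below is an added example, not code from the article, and it evaluates the dictionaries that boto3's `get_bucket_versioning()` and `get_object_lock_configuration()` return for an S3 backup bucket. It runs offline against constructed responses; pointing it at a live account means substituting the real API calls. The policy it encodes (versioning on, Object Lock enabled, a default retention rule in COMPLIANCE mode, retention of at least 35 days) is an assumption for this example, not something the article prescribes.

```python
"""Immutability policy check for S3-style backup buckets (added example, not the article's code).

Evaluates the response shapes boto3 returns from get_bucket_versioning() and
get_object_lock_configuration(), against constructed responses so it runs offline.
"""

MIN_RETENTION_DAYS = 35  # assumption: must outlast the attacker's time on the network plus a restore test


def check_immutability(versioning, lock_config, min_days=MIN_RETENTION_DAYS):
    """Return a list of findings; an empty list means the bucket meets the policy."""
    findings = []
    if versioning.get("Status") != "Enabled":
        findings.append("versioning is not enabled (Object Lock depends on it)")
    cfg = lock_config.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled; a stolen write credential can delete or overwrite backups")
        return findings
    rule = cfg.get("Rule", {}).get("DefaultRetention")
    if not rule:
        findings.append("no default retention rule: objects are only locked if every PUT sets retention explicitly")
        return findings
    # GOVERNANCE mode can be lifted by any principal holding s3:BypassGovernanceRetention,
    # which is exactly the kind of privileged credential an affiliate steals first.
    if rule.get("Mode") != "COMPLIANCE":
        findings.append(f"retention mode is {rule.get('Mode')}; COMPLIANCE is required so no credential can shorten it")
    days = rule.get("Days", 0) + 365 * rule.get("Years", 0)
    if days < min_days:
        findings.append(f"default retention of {days} days is below the {min_days}-day minimum")
    return findings


# Constructed responses in the boto3 shape (real responses also carry ResponseMetadata, ignored here).
WEAK_VERSIONING = {"Status": "Enabled"}
WEAK_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                                         "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}}

HARDENED_VERSIONING = {"Status": "Enabled"}
HARDENED_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                                             "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 45}}}}

UNLOCKED_VERSIONING = {}  # the Status key is absent when versioning was never enabled
UNLOCKED_LOCK = {}        # a bucket without Object Lock raises a client error; modelled here as an empty dict


if __name__ == "__main__":
    for name, ver, lock in [("weak", WEAK_VERSIONING, WEAK_LOCK),
                            ("hardened", HARDENED_VERSIONING, HARDENED_LOCK),
                            ("unlocked", UNLOCKED_VERSIONING, UNLOCKED_LOCK)]:
        print(name, check_immutability(ver, lock) or ["ok"])
```

The weak bucket looks immutable on a dashboard and fails on two counts: GOVERNANCE mode is bypassable with the right permission, and a seven-day lock can be outwaited by an attacker who has been inside the network for weeks. Note also what immutability does not do: it keeps a restore path alive, but it does nothing about the copy of the data the attacker has already exfiltrated.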
Attack-surface reduction
Inventory all externally exposed services. Remove what is not needed. Patch what is needed on a defined SLA, with the shortest SLA for VPN concentrators, remote access gateways, and file transfer appliances, which are the services ransomware affiliates scan for first. A large share of 2026 ransomware campaigns still begins at an externally visible service that should not have been there.
Network segmentation
Flat networks multiply the blast radius. Segment by trust zone, enforce egress control, and separate administration networks from user networks. This is one of the controls that most directly limits dwell time impact once an attacker is inside.
Endpoint detection and response with behavioural analytics
Signature-based antivirus is not enough against 2026 ransomware tooling. EDR with behavioural analytics, alerting on suspicious patterns such as mass file modification, unusual process chains, and credential access, is the operational floor.
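To make the three signals concrete, the following is an added example written for this article, not the article's own code or any vendor's EDR logic. It runs simple behavioural rules over constructed endpoint telemetry (an Office application spawning a script host, a non-system process opening a handle to lsass.exe, and one process renaming dozens of files inside a sliding window). The telemetry format, the thresholds, and the lsass allowlist are assumptions for the example and would be tuned against real data.

```python
"""Behavioural detections over endpoint telemetry (added example, not the article's code).

Telemetry format is constructed for this example: one event per line, tab-separated:
epoch_seconds, host, pid, ppid, image, event, target.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 10          # sliding window for the mass-modification rule (assumption)
MASS_MOD_THRESHOLD = 50      # files touched by one process inside the window (assumption)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Assumption: processes legitimately allowed to open lsass.exe; tune per estate.
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}


def build_sample_telemetry():
    """Constructed telemetry, not a real capture."""
    lines = [
        "1700000000\tws01\t4100\t900\tWINWORD.EXE\tprocess_start\tWINWORD.EXE",
        "1700000002\tws01\t4120\t4100\tpowershell.exe\tprocess_start\tpowershell.exe",
        "1700000005\tws01\t4120\t4100\tpowershell.exe\tprocess_access\tlsass.exe",
        "1700000010\tws01\t4300\t4120\tupd.exe\tprocess_start\tupd.exe",
        # A user saving one spreadsheet must not trip the mass-modification rule.
        "1700000012\tws01\t2200\t900\tEXCEL.EXE\tfile_write\tC:\\Users\\a\\Documents\\budget.xlsx",
    ]
    # 60 renames to a ransom extension by one process inside six seconds.
    for i in range(60):
        lines.append(
            f"{1700000020 + i // 10}\tws01\t4300\t4120\tupd.exe\tfile_rename"
            f"\tC:\\Users\\a\\Documents\\doc{i}.docx.locked"
        )
    return "\n".join(lines)


def parse_events(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, pid, ppid, image, event, target = line.split("\t")
        events.append({"ts": int(ts), "host": host, "pid": int(pid), "ppid": int(ppid),
                       "image": image.lower(), "event": event, "target": target.lower()})
    return events


def detect(events):
    """Return (rule, pid, detail) tuples in the order the signals fire."""
    alerts = []
    image_by_pid = {}
    windows = defaultdict(deque)   # pid -> timestamps of recent file writes/renames
    already_flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        image_by_pid.setdefault(ev["pid"], ev["image"])
        if ev["event"] == "process_start":
            # Unusual process chain: a document viewer should not launch a script host.
            parent = image_by_pid.get(ev["ppid"], "unknown")
            if parent in OFFICE_APPS and ev["image"] in SCRIPT_HOSTS:
                alerts.append(("unusual_process_chain", ev["pid"], f"{parent} -> {ev['image']}"))
        elif ev["event"] == "process_access" and ev["target"] == "lsass.exe":
            # Credential access: anything outside the allowlist touching lsass is suspect.
            if ev["image"] not in LSASS_ALLOWLIST:
                alerts.append(("credential_access", ev["pid"], f"{ev['image']} opened a handle to lsass.exe"))
        elif ev["event"] in ("file_write", "file_rename"):
            # Mass file modification: count events per pid inside a sliding window.
            recent = windows[ev["pid"]]
            recent.append(ev["ts"])
            while ev["ts"] - recent[0] > WINDOW_SECONDS:
                recent.popleft()
            if len(recent) >= MASS_MOD_THRESHOLD and ev["pid"] not in already_flagged:
                already_flagged.add(ev["pid"])
                alerts.append(("mass_file_modification", ev["pid"],
                               f"{ev['image']} touched {len(recent)} files in {WINDOW_SECONDS}s"))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in detect(parse_events(build_sample_telemetry())):
        print(f"{rule:24s} pid={pid} {detail}")
```

On the constructed sample the chain fires first (WINWORD.EXE starting powershell.exe), then the lsass access, and only afterwards the mass rename. That ordering is the point of the passage: the first two signals appear before any file is encrypted, which is where a compressed time-to-impact still leaves room to act. A real deployment would correlate all three by host and user, and would suppress the lsass rule for the EDR agent and backup software that legitimately open that handle.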
Rehearsed incident plan with Article 23 notification workstream
Exercise a ransomware scenario at least annually. The exercise must include Article 23 early warning and notification as a parallel workstream, not a downstream activity. Name the 24-hour notification owner and the final report author.
Clear, pre-approved policy on ransom payment and negotiation
In the first hour of a ransomware incident, no one should be discovering your organization's stance on payment. Decide in advance: under what circumstances, if any, will you pay; who approves; what legal, regulatory, and sanctions considerations apply; what is your public communications stance. Document and train the executive team.
Frequently asked questions
What is double extortion ransomware?
Double extortion is a ransomware model in which the attacker first exfiltrates sensitive data and then encrypts systems. The victim is pressured to pay both to decrypt and to prevent public release of the stolen data. In 2026 this is the de facto standard model, and backups alone no longer fully resolve the incident.
How common is ransomware in Europe in 2026?
Europe has one of the lowest ransomware infection rates globally, around 0.28 percent according to 2025 to 2026 industry data. The regulatory impact per incident is higher than in less-regulated regions because Article 23 notifications, GDPR overlap on personal data exfiltration, and sector rules such as DORA raise the total cost per incident.
Do I have to report a ransomware attack under NIS2?
Yes, if you are an essential or important entity and the incident qualifies as significant. Under Article 23(3) an incident is significant if it has caused or is capable of causing severe operational disruption of your services or financial loss for your entity, or if it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage; a ransomware incident that encrypts production systems or exfiltrates customer data typically meets at least one limb. Submit an early warning within 24 hours of becoming aware, an incident notification within 72 hours, and a final report within one month.
Should we pay the ransom?
This is a legal, regulatory, and commercial decision that should be made by the board in advance, not under pressure during an incident. EU sanctions regimes may prohibit payment to specific groups. Payment does not guarantee data return or non-publication. National authorities and Europol generally advise against payment. A documented position, agreed with counsel and insurers, is the minimum.
Does cyber insurance still cover ransomware?
Coverage has tightened significantly between 2023 and 2026. Insurers now typically require evidence of MFA, EDR, tested backups, and user training as a condition of cover. Ransom payment coverage is often sub-limited or excluded. Business interruption and breach response costs remain more commonly covered. Involve your insurer early in incident planning.
What is Ransomware-as-a-Service (RaaS)?
RaaS is a criminal business model where operators build the ransomware and lease it to affiliates who carry out the attacks, splitting the proceeds. It has lowered the technical barrier to entry, which is why ransomware volumes stay high even when large groups are disrupted by law enforcement. Most 2026 attacks on EU entities trace back to a RaaS affiliate.
What NIS2 Article 21 controls reduce ransomware exposure the most?
Measure (j) on multi-factor or continuous authentication, measure (c) on business continuity with tested offline or immutable backups, measure (d) on supply chain security to stop MSP-vector intrusions, and measure (g) on basic cyber hygiene plus training. These four together address the initial access, lateral movement, and recovery stages of the typical 2026 ransomware intrusion. Measure (e), security in acquisition, development and maintenance including vulnerability handling, is what backs the external patching SLA in the checklist above.
Build ransomware resilience that also satisfies NIS2
We help essential and important entities design ransomware resilience programmes that map one-to-one to NIS2 Article 21 and Article 23 evidence. One programme, dual outcome: reduced incident risk and audit readiness.
Book a ransomware readiness review