Skip to main content
Marsh logo

Report

Europe Cyber Claims Report 2025

Analysis of Europe’s 2025 cyber claims landscape — trends, sector impacts, evolving extortion tactics, and NIS2-driven reporting and preparedness recommendations.

Executive summary

Europe’s cyber claims landscape in 2025 broadly reflected the themes that have been observed by Marsh globally: expanding privacy exposure, evolving extortion tactics, third‑party and supply chain amplification, and increasingly sophisticated social engineering often aided by AI. However, Europe showed region‑specific cyber claims characteristics: a higher prevalence of privacy components within claims, active regulatory reporting expectations (such as NIS2 and GDPR), and a shifting industry impact mix, with manufacturing and food and beverage rising as notable sources of notifications.

Key takeaways

  • Claim notifications in Europe fell year‑on‑year in 2025, driven by fewer mass events and maturing cybersecurity practices. Despite these lower counts, incident severity and the potential for individual material losses remained high.
  • Privacy was a dominant feature in European cyber claims with a larger share of incidents including a privacy component compared to the global set. This elevated regulatory risk and increased the need for privacy‑aware incident response once again highlighting the multilayered approach needed in cyber incident management.
  • Extortion (including ransomware‑related and data‑theft/leak threats) and social engineering continue to drive costly response and recovery activity.
  • Third‑party and supply chain incidents are a growing source of cyber incidents and claims.
  • Sector dynamics were fluid with manufacturing and food and beverage companies increasing their share of notifications in 2025. Communications, media, and technology (CMT) companies and financial institutions remain among the industries with the highest notification volume.

The cyber claims experience in Europe in 2025 highlights the importance of preparedness, cross‑functional coordination, and appropriate insurance program design. Organisations adopting such strategies can be better positioned to manage future cyber events and emerging risks with greater resilience and reduce the impacts of losses.  

Regional and country claims notifications decline

Europe recorded a notable decline in claim notifications in 2025 compared to 2024. This mirrors the global pattern of lower notification counts following the large‑scale events of prior years. A reduction in mass events, mostly driven by the CrowdStrike software update outage in 2024, and improvements in baseline cyber defenses contributed to the decrease.

01 | Decreasing number of claims notifications in Europe in 2025

Germany was an exception to the regional downward trend, with notifications up by 22% year‑on‑year. We attribute Germany’s claims count rise to a combination of a higher threat actor focus on German organisations, as well as a further increase in claim reporting practice changes with a larger volume of precautionary notifications under insurance policies.

02 | Germany outpaced all other countries' notifications

Industry claims are dynamic

  1. Manufacturing  sector claims rose again in 2025 and now represent a larger share of European notifications (approximately 20%). Increased IT/OT complexity, legacy control gaps, and operational disruption potential make manufacturing an attractive target for malicious actors and increase both the frequency and severity of loss.
  2. Food and beverage sector claims showed a sharp increase in notifications in 2025 from a low base in 2024, as the industry faces similar cybersecurity challenges as the manufacturing industry. 
  3. Communications, media, and technology (CMT) companies continue to account for a significant share of notifications (~17%). CMT companies are attractive targets and can often act as multipliers — a single incident at a provider can cascade to multiple customers.
  4. Financial institutions (FIs) reported fewer notifications, reflecting both high and still increasing cybersecurity maturity. Also, FIs typically have higher policy retentions, which can affect notification behavior. FIs also continue to show a higher concentration of third‑party-related breaches — 20% of notifications involved a third party. 

03 | Top 10 industries by claims count in Europe

Privacy breaches dominate business event types as severity increases

  1. Privacy breach elements featured in a higher share (73%) of European notifications versus the global average. These events extend beyond classic data breaches into areas such as website tracking, consent management, and governance failures.
  2. Extortion and ransomware‑associated incidents (15% of notifications) remain a material loss driver. The modern extortion model frequently combines encryption threats, data theft and leak demands, and operational disruptions, which together compound response and liability costs, as well as business interruption losses.
  3. Social engineering and business email compromise (BEC) remain frequent and increasingly effective, in part due to AI‑assisted targeting and impersonation. BEC‑linked fraudulent transfer events — while numerically smaller (9% of notifications) — often generate very high single‑loss amounts.
  4. Both the frequency and the severity of these incidents highlight the need to drive awareness among employees and at every level of the organisation of the advanced tactics being used by cybercriminals.

04 | Privacy breach notifications significantly grew in Europe 

Third‑party dependencies and multi‑entity complexity increase vulnerabilities

  • Third‑party providers and supply chain partners continue to amplify both the frequency and severity of European claims.
  • Incidents at digital service providers, such as HR platforms, managed service providers, cloud or SaaS vendors, or payment processors can create multi‑entity operational outages and drive complex incident response and recovery.
  • In 2025, a meaningful portion (14%) of European notifications were linked to third parties, and we expect this proportion to grow.
  • For organisations, this underscores the need for vendor concentration mapping, contractual clarity on incident responsibilities, and coordinated multi‑party incident playbooks. 

Privacy, regulatory actions, and cross‑border complexity

  • Privacy was a component in a larger share of European incidents than in the global dataset. In Europe, 73% of notifications included a privacy element. Europe’s regulatory environment (GDPR and evolving EU rules) increases the need for privacy‑forward preparation, incident response, and careful cross‑border coordination.
  • Regulatory actions were an element in a minority of notifications (approximately 4.5%). However, the risk of regulatory scrutiny and litigation remains a meaningful driver of cost and reputational impact.
  • Multinational organisations must manage overlapping and sometimes divergent notification and enforcement regimes across jurisdictions.

NIS2 and incident reporting expectations 

NIS2 introduces stricter incident reporting and resilience obligations for entities classified as essential or important. Key elements include:

  • Mandatory multi‑stage reporting to national CSIRTs/competent authorities — early warning within 24 hours; detailed notification within 72 hours; and a final report within one month.
  • Stronger expectations for documented incident response plans and demonstrable preparedness measures.
  • Expanded supervisory and enforcement reach across member states, increasing the operational complexity for cross‑border groups.

Organisations should ensure their incident response playbooks explicitly incorporate NIS2-related notification timing and content expectations, designate reporting roles, and practise cross‑border coordination.

Cyber claims observations and recommended actions

  1. Reassess limits and aggregation exposure — a small number of material incidents in Europe in 2025 exhausted insurance programs or approached purchased limits. Consider limit adequacy and options such as reinstatements where operationally relevant, as insurers and facilities (such as Marsh Cyber ECHO) are responding with reinstatement solutions.
  2. Prioritize data governance and privacy readiness — improve data inventories, retention discipline, consent governance, and privacy‑aware incident playbooks.
  3. Ensure robust out-of-band communication and collaboration capabilities are in place — establish resilient channels, such as Marsh Central, that provide 24/7 global access to critical information and documents and enable teams to communicate and collaborate securely when core systems are unavailable or potentially compromised.
  4. Test cross‑functional incident response through tabletop exercises and ensure insurer notification triggers are clear — mature response teams materially reduce downstream cost and liability.
  5. Strengthen third‑party risk management — map vendor dependencies, test third‑party incident scenarios, and align contractual incident obligations.
  6. Harden financial controls and payment verification processes to reduce BEC/fraudulent transfer exposures (out‑of‑band verification, approval workflows).
  7. Prioritize IT/OT segmentation, resilience testing, and supplier continuity plans if in an industry, such as manufacturing or food and beverage, facing legacy systems and OT exposure challenges.

Europe’s 2025 cyber claims profile reflects the same core global drivers — privacy, extortion, third‑party dependence, and sophisticated social engineering — with a region‑specific emphasis on privacy and regulatory reporting. While notification counts declined, severity remained a concern. 

High‑impact incidents in 2025 highlight the importance of preparedness, cross‑functional coordination, and appropriate insurance program design aligned to emerging loss pathways. By taking such steps, organisations can be better positioned to manage cyber events with greater resilience and reduce the impacts of losses.  

Conclusion

Europe’s 2025 cyber claims profile reflects the same core global drivers — privacy, extortion, third‑party dependence, and sophisticated social engineering — with region‑specific emphasis on privacy and regulatory reporting. While notification counts declined, severity remained a concern and a small number of high‑impact incidents highlight the importance of preparedness, cross‑functional coordination, and insurance program design aligned to aggregation and emerging loss pathways.

For more information on Marsh’s cyber insurance solutions, and how we can support you in your journey to cyber resilience, please get in touch or contact your local Marsh representative

Get in touch

Contacts

Gamze Konyar

Europe Head of Cyber

  • Germany

Macarena Bandrés

Placement Leader, Cyber & Technology Practice, Marsh Specialty Europe

  • Spain

Salome Santos

Europe Cyber Product Leader & Cyber Claims Co-Leader

  • Portugal

Florian Sättler

Europe Cyber Incident Management Leader & Cyber Claims Co-Leader

  • Germany

Sjaak Schouteren

Sjaak Schouteren

Cyber Growth Leader, Marsh Europe

  • Netherlands

Placeholder Image

Elodie Aubertel

Cyber Strategic Client Advisor, Marsh Europe

  • France

Related insights

Colorful car lights trail in motion on freeway

Event

SMMT International Automotive Summit 2026

30/06/2026
Business professionals discussing strategy during office meeting

Article

Legality of Ransomware and Ransom Payments in Cyber Insurance Policies

24/06/2026
Business meeting in office

Article

Streamlining incident reporting & supply‑chain resilience

18/06/2026
Person using smartphone in city setting with lights

Article

Privacy and ransomware risks intertwine as threat actors change tactics

17/06/2026
View more