The blind spot in European cybersecurity reporting: we’re focusing on the wrong KPIs 📊

In the Netherlands, we measure and track a lot.

• In 2024, nearly 40,000 data breaches were reported.
• In 2025, 65 ransomware attacks were officially reported to the police.

The actual number is likely higher.

What we don’t measure is how many companies go under as a result.

📝 Bankruptcies are recorded as:

• Liquidity problems
• Loss of revenue
• Debt position

While this could just as easily be the result of a data breach or ransomware incident.

Internationally, we do see the impact reflected in individual cases:

• Jaguar Land Rover (UK) saw production come to a prolonged standstill, with a major impact on suppliers and significant financial pressure
• Fasana (DE) had to halt production following a ransomware attack, resulting in major daily losses and ultimately bankruptcy
• Stoli Group (US) ran into financial trouble after cyber incidents and operational disruption, which contributed to its bankruptcy
• KNP Logistics (UK) went bankrupt after a ransomware attack that completely shut down its IT systems

These are not incidents.

These are business continuity risks.

As long as we fail to make that connection, we systematically underestimate the impact of cyber incidents and treat them as an IT problem.

Whereas in reality, it is a business continuity risk –

and therefore belongs at the boardroom table, not just with IT.

The most important KPI is not:

“How many incidents have we had?”

But:

“How many of these incidents could have caused our company to collapse?”