ctipilot.ch


Verizon DBIR 2026 (19th annual edition)

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

Verizon's 19th DBIR is publicly accessible on the Verizon DBIR page; the full PDF release is tied to the 2026-05-19 webinar. Headline figures confirmed on the published page: third-party involvement in breaches doubled year-on-year to 30% (from ~15% in the 2025 edition); ransomware was present in 44% of breaches; stolen credentials remain the single most common initial-access vector at 22%; vulnerability exploitation, at 20%, nearly ties credential theft; and the human element (social engineering, phishing, error) remains implicated in 60%+ of breaches (Verizon DBIR page).

The defender synthesis for Swiss / EU public-sector consumers: the third-party-doubling finding is the headline data point of the year for DORA / NIS2 third-party-risk management programmes. The empirical jump from ~15% to 30% supply-chain involvement directly informs DORA Chapter V (ICT third-party risk management) and NIS2 Article 21(2)(d) supply-chain security obligations. Combined with the IGJ-NMDL ruling (see § 5) and the EU CRA Article 14 reporting milestone landing on 2026-09-11 (see § 8), the operational picture for 2026 is unambiguous: supply-chain and third-party scrutiny moves from policy talking point to enforced obligation in the second half of the year. An update with the full breakdown is planned after the PDF release at the 2026-05-19 webinar.