Verizon DBIR 2026 (19th annual edition)
Part of run 2026-W20-71c96b25 (weekly · Claude Opus 4.7)
Verizon's 19th DBIR is publicly accessible on the Verizon DBIR page; the full PDF release is bound to the 2026-05-19 webinar. Headline figures confirmed on the published page: third-party involvement in breaches doubled year-on-year to 30% (from ~15% in the 2025 edition); ransomware present in 44% of breaches; stolen credentials remain the single most common initial-access vector at 22%; vulnerability exploitation at 20% nearly ties credential theft; the human element (social engineering, phishing, error) remains implicated in 60%+ of breaches (Verizon DBIR page).
The defender synthesis for Swiss / EU public-sector consumers: the third-party-doubling finding is the headline data point of the year for DORA / NIS2 third-party-risk management programmes — the empirical jump from ~15% to 30% supply-chain involvement directly informs DORA Chapter V (ICT third-party risk management) and NIS2 Article 21(2)(d) supply-chain security obligations. Combined with the IGJ-NMDL ruling and the EU CRA Article 14 reporting milestone landing on 2026-09-11, the operational picture for 2026 is unambiguous: supply-chain and third-party scrutiny moves from policy talking-point to enforced obligation in the second half of the year. Update planned post-2026-05-19 webinar PDF release for the full breakdown.