98% of France’s Largest Companies Affected by Third-Party Breaches, New SecurityScorecard Report Finds

PARIS — 14th May 2025 — SecurityScorecard today published its 2025 France Cybersecurity Report, which found that 98 of the country’s 100 largest companies experienced at least one third-party breach in the past 12 months. The report assesses the external cyber risk posture of France’s top firms by market capitalization and highlights persistent exposure across critical supply chain dependencies.

The report, now in its second year, draws on SecurityScorecard’s proprietary data and examines key risk factors such as network security, endpoint hygiene, patching cadence, application vulnerabilities, and DNS health. While some firms have improved internal defenses, the data shows that most breaches are now entering through vendors, not enterprise infrastructure.

Key Findings:

  • 98% of France’s top 100 companies were affected by at least one third-party breach in the past year.
  • 100% had at least one breached fourth-party supplier.
  • Direct breaches dropped slightly—from 7% last year to 4% this year—with insider threats and malware as the primary causes.
  • The top 25 companies experienced over twice the number of third-party breaches as the bottom 25.
  • 94% of companies with an “A” security rating had no known breaches.
  • 29% of companies were rated “C” or lower, down from 40% in last year’s report.

“Direct breaches are down, but third-party exposure now affects nearly every major French company,” said Corian Kennedy, Senior Manager of Threat Insights & Attribution at SecurityScorecard. “Internal controls are no longer enough. Without visibility into vendors and their dependencies, the breach path remains wide open.”

Sector Highlights:

  • Construction & Infrastructure: All evaluated companies were rated “C” or below and experienced third-party breaches, indicating a high level of risk.
  • Industrial: This sector showed notable improvement, with only 13% of companies rated “C” or lower, down from 42% last year.
  • Financial: This sector reported the lowest level of third-party breach exposure, with 93.75% of companies affected—still high, but below the national average.

Recent Incidents Underscore the Stakes:

In August 2024, RansomHouse targeted the University of Paris-Saclay, extracting sensitive academic records and disrupting operations. During the 2024 Summer Olympics, the Grand Palais Museum Network experienced a ransomware attack that forced a shutdown of internal systems. These cases demonstrate how digital risks can extend beyond the private sector, affecting public institutions and critical events.

International Comparison:

France’s supply chain breach exposure (98% third-party, 100% fourth-party) surpasses that of neighboring countries. By comparison, companies rated “C” or below represent 24% in the UK, 34% in Germany, and 41% in Italy. Scandinavian firms lead with only 20% rated at this level. The results point to the need for improved supply chain governance and vendor accountability in France.

Recommendations:

To strengthen digital supply chain resilience, SecurityScorecard recommends that organizations:

  • Improve visibility into third- and fourth-party relationships.
  • Prioritize application and network security as foundational defenses.
  • Replace periodic vendor assessments with continuous monitoring.
  • Require secure-by-design practices in vendor contracts and procurement.
  • Apply strong access controls, multi-factor authentication, and timely patching.

France’s cyber risk posture reflects a global reality in which digital supply chains have become the primary attack surface. Adversaries are exploiting indirect paths at scale, and traditional controls are no longer sufficient. Security now demands real-time, evidence-based oversight across the entire vendor ecosystem. That includes fourth-party relationships. Anything less leaves critical systems exposed.

Read the full report and access data by sector here.

About SecurityScorecard
SecurityScorecard modernizes Third Party Risk Management (TPRM) using AI and threat intelligence to continuously manage, detect, and respond to global supply chain risk. The TITAN AI Platform unifies threat intelligence and third-party data to deliver real-time visibility and insights that accelerate both risk reduction and compliance. The AI platform is built to deliver the full spectrum of modern TPRM outcomes while strengthening resilience. It reduces compliance burden and administrative friction, drives measurable risk reduction, and prioritizes the most critical exposures. With robust reporting and streamlined workflows, it modernizes TPRM from a reactive compliance exercise into a proactive, risk-driven program.

Learn more at securityscorecard.com or follow us on LinkedIn.

Media Contact

10Fold for SecurityScorecard

securityscorecard@10fold.com