Skip to main content
Updated weekly · 819122 sites

EU Website Security Benchmark

We scan 819122 European websites every week — banking, pharma, e-commerce, government, tech. No individual sites are named. The question isn't who failed. It's which industries are exposed.

40.4/100

Average score

100%

Email spoofable

84%

No DNSSEC

44%

Missing security headers

How does your industry compare?

Security posture by industry — sorted by average score. Click an industry to see its detailed breakdown.

Industry Sites Score Unprotected Spoofable Pre-Consent Grade distribution
Real Estate 11979
38.5
36% 100% 22%
D
F
Hospitality 110142
39.4
44% 100% 17%
D
F
NGO & Nonprofit 11825
39.7
40% 100% 19%
D
F
Automotive 35938
39.8
42% 100% 16%
D
F
pets 3479
40.2
44% 100% 15%
D
F
Sports 46273
40.2
45% 100% 16%
D
F
construction 13347
40.3
49% 100% 13%
D
F
Education 96799
40.3
39% 100% 20%
D
F
home-garden 27075
40.3
42% 100% 15%
D
F
Logistics 2218
40.4
36% 100% 16%
D
F
Travel 23257
40.4
45% 100% 17%
D
F
culture 29855
40.6
47% 100% 17%
D
F
Food & Delivery 230315
40.6
48% 100% 13%
D
F
beauty 30136
40.7
49% 100% 12%
D
F
Fashion 28266
40.7
36% 100% 18%
D
F
Media 4112
40.7
35% 100% 24%
D
F
Pharma 13715
40.8
37% 100% 14%
D
F
Healthcare 51501
40.9
45% 100% 14%
D
F
professional-services 15474
41.0
45% 100% 16%
D
F
Energy 1777
41.5
30% 100% 17%
D
F
Adult 330
41.6
42% 100% 11%
D
F
Technology 17820
41.6
42% 100% 17%
D
F
Insurance 2988
41.7
31% 100% 13%
D
F
E-Commerce 4371
41.9
21% 100% 16%
D
F
Transport 490
42.7
26% 100% 18%
D
F
Telecom 371
43.2
20% 100% 21%
D
F
Government 1616
44.0
23% 99% 24%
D
F
Banking 2980
44.1
15% 100% 14%
D
F
Gambling 325
44.1
30% 99% 11%
D
F
Regulatory 347
45.5
24% 100% 34%
D
F

Click a column header to sort. Column explanations: Unprotected = missing 3+ critical HTTP headers. Spoofable = no or weak DMARC.

A B C D F

Security across Europe

Average security score by country — hover for details, click to explore.

Where does your website fit in this picture?

Run a free security scan — no account needed. See your score, grade, and how you compare to your industry.

Scan your website now

What we found

The most common security gaps across 819122 European websites — and the regulations they violate.

44%

Missing Security Headers

Visitors are exposed to clickjacking, XSS, and content injection because critical HTTP headers are missing.

NIS2 Art. 21

100%

Weak Email Authentication

Emails from these domains can be spoofed — invoices, password resets, anything. No DMARC enforcement.

NIS2 Art. 21 / DORA Art. 9

84%

No DNSSEC

DNS responses are unsigned. Attackers can redirect visitors to fake sites without detection.

NIS2 Art. 21
Show all findings
99%
No MTA-STS
Inbound emails can be downgraded to plaintext by an attacker — the server doesn't enforce TLS.
NIS2 Art. 21
98%
No SMTP Encryption
Email is transmitted in cleartext. Anyone on the network can read it.
GDPR Art. 32
99%
No security.txt
No public vulnerability disclosure contact — security researchers have nowhere to report issues.
CRA Art. 11
97%
No CAA Records
Any certificate authority can issue certificates for this domain — no restrictions.
NIS2 Art. 21
80%
No HTTPS Redirect
Visitors connect over unencrypted HTTP. Credentials and data are visible on the network.
GDPR Art. 32
94%
No DANE/TLSA
No certificate pinning for email transport — vulnerable to man-in-the-middle on SMTP.
NIS2 Art. 21

Methodology & Scoring

How we scan, what we measure, how scores are computed.

Every site is scanned weekly across these security dimensions. Scores are computed on a 100-point scale.

Security Headers 25 pts

HSTS, CSP, X-Frame-Options, X-Content-Type, Referrer-Policy, Permissions-Policy

SSL/TLS Certificate 20 pts

Key strength, signature algorithm, chain depth, TLS version, forward secrecy

HTTPS Enforcement 10 pts

HTTP-to-HTTPS redirect for all visitors

Email Authentication 15 pts

SPF, DKIM (key strength), DMARC (policy enforcement)

DNS Security 15 pts

DNSSEC signing, CAA records, DoH consistency, DANE/TLSA

security.txt 5 pts

Vulnerability disclosure contact per RFC 9116

MTA-STS 3 pts

Inbound email TLS enforcement (enforce vs. testing mode)

TLS-RPT 2 pts

SMTP TLS failure reporting endpoint

Server Privacy 5 pts

No server version disclosure, no X-Powered-By, restricted CORS

Data based on automated weekly scans of publicly accessible websites.

No individual site names are disclosed. All statistics are anonymised by industry.

Regulatory references indicate which requirements relate to each finding. They do not assert non-compliance of any specific organisation.

Your competitors are in this data. Are you better or worse?

Run a free security scan and see your score, your grade, and how you compare — in 30 seconds, no account needed.

This data is also available as JSON via the Benchmark API.