Skip to main content
Updated weekly · 809960 sites

EU Website Security Benchmark

We scan 809960 European websites every week — banking, pharma, e-commerce, government, tech. No individual sites are named. The question isn't who failed. It's which industries are exposed.

41.8/100

Average score

83%

Email spoofable

84%

No DNSSEC

77%

Missing security headers

How does your industry compare?

Security posture by industry — sorted by average score. Click an industry to see its detailed breakdown.

Industry Sites Score Unprotected Spoofable Pre-Consent Grade distribution
Hospitality 108615
40.0
81% 86% 17%
D
F
Food & Delivery 227439
40.3
81% 87% 12%
D
F
beauty 29838
40.5
81% 86% 12%
D
F
culture 29535
41.5
79% 84% 17%
D
F
pets 3433
41.5
76% 85% 14%
D
F
Travel 22988
41.5
78% 83% 17%
D
F
Sports 45694
41.8
79% 84% 16%
D
F
Automotive 35413
42.0
76% 82% 16%
D
F
construction 13251
42.0
81% 81% 13%
D
F
home-garden 26795
42.0
75% 83% 14%
D
F
Real Estate 11846
42.6
78% 83% 23%
D
F
Healthcare 50966
42.8
77% 81% 14%
D
F
Education 95923
42.9
70% 81% 21%
D
F
professional-services 15275
43.0
78% 76% 16%
D
F
Fashion 27954
43.5
66% 83% 19%
D
F
NGO & Nonprofit 11691
43.5
77% 81% 19%
D
F
Pharma 13637
45.3
68% 77% 15%
D
F
Technology 17646
45.8
73% 67% 17%
D
F
Logistics 2197
46.3
75% 72% 16%
D
F
Media 4100
48.5
78% 67% 24%
C
D
F
Insurance 2985
49.5
66% 70% 14%
C
D
F
Adult 332
49.9
77% 74% 14%
C
D
Energy 1764
50.6
66% 63% 18%
C
D
F
E-Commerce 4494
55.0
61% 46% 17%
C
D
Transport 495
55.8
57% 49% 18%
C
D
Gambling 325
55.9
67% 50% 13%
C
D
Telecom 379
56.7
53% 48% 20%
C
D
Regulatory 348
58.0
52% 46% 36%
C
D
Government 1610
58.3
52% 50% 23%
C
D
Banking 2991
58.5
35% 58% 14%
C
D

Click a column header to sort. Column explanations: Unprotected = missing 3+ critical HTTP headers. Spoofable = no or weak DMARC.

A B C D F

Security across Europe

Average security score by country — hover for details, click to explore.

Austria: 38.9/100 (33376 sites) Belgium: 39.4/100 (23225 sites) Bulgaria: 40.7/100 (3878 sites) Switzerland: 43.2/100 (28341 sites) Cyprus: 42.1/100 (1239 sites) Czech Republic: 39.7/100 (17265 sites) Germany: 44.2/100 (224134 sites) Denmark: 41.9/100 (15281 sites) Estonia: 42.3/100 (3264 sites) Spain: 38.9/100 (35328 sites) Finland: 41.1/100 (12420 sites) France: 40.7/100 (86336 sites) United Kingdom: 43.5/100 (87009 sites) Greece: 39.6/100 (7641 sites) Croatia: 40.8/100 (5683 sites) Hungary: 38.7/100 (7334 sites) Ireland: 40.4/100 (10091 sites) Italy: 39.2/100 (52275 sites) Lithuania: 38.7/100 (3672 sites) Luxembourg: 42.9/100 (1643 sites) Latvia: 41.5/100 (2134 sites) Netherlands: 43.5/100 (56795 sites) Norway: 43.0/100 (9360 sites) Poland: 37.6/100 (42126 sites) Portugal: 41.2/100 (7118 sites) Romania: 40.5/100 (6191 sites) Sweden: 40.8/100 (10788 sites) Slovenia: 39.8/100 (3085 sites) Slovakia: 42.2/100 (10601 sites)
Worse
Better

How does your country compare?

Security posture by country — click a country to see its detailed breakdown.

🇦🇹

Austria

33376 sites

38.9 🇧🇪

Belgium

23225 sites

39.4 🇧🇬

Bulgaria

3878 sites

40.7 🇭🇷

Croatia

5683 sites

40.8 🇨🇾

Cyprus

1239 sites

42.1 🇨🇿

Czech Republic

17265 sites

39.7 🇩🇰

Denmark

15281 sites

41.9 🇪🇪

Estonia

3264 sites

42.3 🇪🇺

European Union

195 sites

56.9 🇫🇮

Finland

12420 sites

41.1 🇫🇷

France

86336 sites

40.7 🇩🇪

Germany

224134 sites

44.2 🇬🇷

Greece

7641 sites

39.6 🇭🇺

Hungary

7334 sites

38.7 🇮🇸

Iceland

1199 sites

45.3 🇮🇪

Ireland

10091 sites

40.4 🇮🇹

Italy

52275 sites

39.2 🇱🇻

Latvia

2134 sites

41.5 🇱🇮

Liechtenstein

179 sites

47.6 🇱🇹

Lithuania

3672 sites

38.7 🇱🇺

Luxembourg

1643 sites

42.9 🇲🇹

Malta

753 sites

45.7 🇳🇱

Netherlands

56795 sites

43.5 🇳🇴

Norway

9360 sites

43.0 🇵🇱

Poland

42126 sites

37.6 🇵🇹

Portugal

7118 sites

41.2 🇷🇴

Romania

6191 sites

40.5 🇸🇰

Slovakia

10601 sites

42.2 🇸🇮

Slovenia

3085 sites

39.8 🇪🇸

Spain

35328 sites

38.9 🇸🇪

Sweden

10788 sites

40.8 🇨🇭

Switzerland

28341 sites

43.2 🇬🇧

United Kingdom

87009 sites

43.5

Where does your website fit in this picture?

Run a free security scan — no account needed. See your score, grade, and how you compare to your industry.

Scan your website now

What we found

The most common security gaps across 809960 European websites — and the regulations they violate.

77%

Missing Security Headers

Visitors are exposed to clickjacking, XSS, and content injection because critical HTTP headers are missing.

NIS2 Art. 21

83%

Weak Email Authentication

Emails from these domains can be spoofed — invoices, password resets, anything. No DMARC enforcement.

NIS2 Art. 21 / DORA Art. 9

84%

No DNSSEC

DNS responses are unsigned. Attackers can redirect visitors to fake sites without detection.

NIS2 Art. 21
Show all findings
99%
No MTA-STS
Inbound emails can be downgraded to plaintext by an attacker — the server doesn't enforce TLS.
NIS2 Art. 21
46%
No SMTP Encryption
Email is transmitted in cleartext. Anyone on the network can read it.
GDPR Art. 32
97%
No security.txt
No public vulnerability disclosure contact — security researchers have nowhere to report issues.
CRA Art. 11
97%
No CAA Records
Any certificate authority can issue certificates for this domain — no restrictions.
NIS2 Art. 21
19%
No HTTPS Redirect
Visitors connect over unencrypted HTTP. Credentials and data are visible on the network.
GDPR Art. 32
94%
No DANE/TLSA
No certificate pinning for email transport — vulnerable to man-in-the-middle on SMTP.
NIS2 Art. 21

Deep-Dive Reports

Explore specific dimensions of Europe's web landscape in detail.

Security Report

TLS, headers, email auth, DNS security

Privacy Report

Cookies, consent, pre-consent transfers, hosting

Accessibility Report

WCAG 2.2 violations, Core Web Vitals

Technology Report

CMS platforms, CMP market share, hosting providers

Methodology & Scoring

How we scan, what we measure, how scores are computed.

Every site is scanned weekly across these security dimensions. Scores are computed on a 100-point scale.

Security Headers 25 pts

HSTS, CSP, X-Frame-Options, X-Content-Type, Referrer-Policy, Permissions-Policy

SSL/TLS Certificate 20 pts

Key strength, signature algorithm, chain depth, TLS version, forward secrecy

HTTPS Enforcement 10 pts

HTTP-to-HTTPS redirect for all visitors

Email Authentication 15 pts

SPF, DKIM (key strength), DMARC (policy enforcement)

DNS Security 15 pts

DNSSEC signing, CAA records, DoH consistency, DANE/TLSA

security.txt 5 pts

Vulnerability disclosure contact per RFC 9116

MTA-STS 3 pts

Inbound email TLS enforcement (enforce vs. testing mode)

TLS-RPT 2 pts

SMTP TLS failure reporting endpoint

Server Privacy 5 pts

No server version disclosure, no X-Powered-By, restricted CORS

Data based on automated weekly scans of publicly accessible websites.

No individual site names are disclosed. All statistics are anonymised by industry.

Regulatory references indicate which requirements relate to each finding. They do not assert non-compliance of any specific organisation.

Your competitors are in this data. Are you better or worse?

Run a free security scan and see your score, your grade, and how you compare — in 30 seconds, no account needed.

Scan your website now Learn about SiteGuardian

This data is also available as JSON via the Benchmark API.