Updated weekly · 814434 sites

EU Website Security Benchmark

We scan 814434 European websites every week — banking, pharma, e-commerce, government, tech. No individual sites are named. The question isn't who failed. It's which industries are exposed.

43.5/100

Average score

86%

Email spoofable

84%

No DNSSEC

58%

Missing security headers

How does your industry compare?

Security posture by industry — sorted by average score. Click an industry to see its detailed breakdown.

Industry               Sites    Score  Unprotected  Spoofable  Pre-Consent  Grade distribution
Hospitality            109378   42.4   61%          89%        17%          D F
Real Estate            11928    42.8   55%          85%        23%          D F
Beauty                 29981    42.9   60%          89%        12%          D F
Food & Delivery        228753   42.9   62%          89%        13%          D F
Construction           13310    43.0   57%          84%        13%          D F
Automotive             35720    43.2   56%          85%        16%          D F
NGO & Nonprofit        11758    43.3   55%          84%        19%          D F
Pets                   3452     43.3   60%          87%        16%          D F
Sports                 45996    43.3   59%          86%        16%          D F
Culture                29704    43.5   60%          86%        17%          D F
Education              96448    43.5   53%          84%        20%          D F
Travel                 23124    43.6   60%          86%        18%          D F
Healthcare             51220    43.8   55%          84%        15%          D F
Home & Garden          26937    43.9   57%          85%        15%          D F
Professional Services  15383    44.2   56%          80%        16%          D F
Fashion                28105    44.4   49%          86%        19%          D F
Logistics              2212     44.6   50%          78%        16%          D F
Pharma                 13678    45.2   51%          82%        15%          D F
Adult                  327      46.2   40%          80%        11%          D F
Technology             17721    46.3   54%          73%        17%          D F
Insurance              2978     46.5   43%          77%        14%          D F
Media                  4099     47.8   53%          72%        25%          D F
Energy                 1767     48.3   45%          70%        17%          C D F
Gambling               322      48.4   31%          61%        11%          C D F
Regulatory             345      50.4   23%          61%        34%          C D F
Transport              488      50.9   36%          60%        18%          C D F
Telecom                370      52.6   27%          56%        21%          C D
Government             1607     52.8   36%          60%        23%          C D F
E-Commerce             4352     52.9   43%          57%        16%          C D
Banking                2970     53.3   23%          65%        14%          C D F

Column explanations: Unprotected = missing 3 or more critical HTTP security headers. Spoofable = no DMARC record, or a DMARC record without an enforcing policy. Grade distribution = the letter grades (A to F) that occur within the industry.

Grade scale: A B C D F

Security across Europe

Average security score by country.

Where does your website fit in this picture?

Run a free security scan — no account needed. See your score, grade, and how you compare to your industry.

Scan your website now

What we found

The most common security gaps across 814434 European websites — and the regulations they violate.

58%

Missing Security Headers

Visitors are exposed to clickjacking, XSS, and content injection because critical HTTP headers are missing.

NIS2 Art. 21

86%

Weak Email Authentication

Emails from these domains can be spoofed — invoices, password resets, anything. No DMARC enforcement.

NIS2 Art. 21 / DORA Art. 9

84%

No DNSSEC

DNS responses are unsigned. Attackers can redirect visitors to fake sites without detection.

NIS2 Art. 21
100%

No MTA-STS

Inbound email can be downgraded to plaintext by an attacker because the domain publishes no MTA-STS policy requiring TLS.

NIS2 Art. 21

65%

No SMTP Encryption

Email is transmitted in cleartext. Anyone on the network path can read it.

GDPR Art. 32

98%

No security.txt

No public vulnerability disclosure contact: security researchers have nowhere to report issues.

CRA Art. 11

97%

No CAA Records

Any certificate authority can issue certificates for this domain; issuance is not restricted.

NIS2 Art. 21

56%

No HTTPS Redirect

Visitors who type the plain address connect over unencrypted HTTP. Credentials and data are visible on the network.

GDPR Art. 32

94%

No DANE/TLSA

No DANE/TLSA record binds the mail server's certificate to DNS, so SMTP transport remains vulnerable to man-in-the-middle attacks.

NIS2 Art. 21

Methodology & Scoring

How we scan, what we measure, how scores are computed.

Every site is scanned weekly across these security dimensions. Scores are computed on a 100-point scale.

Security Headers 25 pts

HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy

SSL/TLS Certificate 20 pts

Key strength, signature algorithm, chain depth, TLS version, forward secrecy

HTTPS Enforcement 10 pts

HTTP-to-HTTPS redirect for all visitors

Email Authentication 15 pts

SPF, DKIM (key strength), DMARC (policy enforcement)

DNS Security 15 pts

DNSSEC signing, CAA records, DoH consistency, DANE/TLSA

security.txt 5 pts

Vulnerability disclosure contact per RFC 9116

MTA-STS 3 pts

Inbound email TLS enforcement (enforce vs. testing mode)

TLS-RPT 2 pts

SMTP TLS failure reporting endpoint

Server Privacy 5 pts

No server version disclosure, no X-Powered-By, restricted CORS
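The two headline columns of the industry table (Unprotected = missing 3+ critical headers, Spoofable = no or weak DMARC) can be reproduced from a site's HTTP response headers and its _dmarc TXT record using the six headers listed under Security Headers above. The classifier below is an added example, not the benchmark's own scanner; it assumes "weak DMARC" means p=none or a policy applied to less than 100% of mail (pct<100), a reading the page does not spell out, and the sample inputs are constructed.

```python
# The six headers named under "Security Headers" in the methodology.
CRITICAL_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "permissions-policy",
)

def missing_headers(headers):
    """Critical headers absent from an HTTP response (header names are case-insensitive)."""
    present = {name.lower() for name in headers}
    return [h for h in CRITICAL_HEADERS if h not in present]

def is_unprotected(headers):
    """Benchmark definition: 'Unprotected' = missing 3 or more critical headers."""
    return len(missing_headers(headers)) >= 3

def parse_dmarc(txt):
    """Split a _dmarc TXT record into tag=value pairs; None if it is not a DMARC record."""
    if txt is None:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def is_spoofable(dmarc_txt):
    """Benchmark definition: 'Spoofable' = no or weak DMARC.
    Assumption (not stated on the page): weak = p=none, or pct below 100."""
    tags = parse_dmarc(dmarc_txt)
    if tags is None:                      # no record, or not a DMARC record at all
        return True
    if tags.get("p", "none").lower() not in ("quarantine", "reject"):
        return True                       # monitoring only: nothing is enforced
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:                    # malformed pct: treat as not enforced
        pct = 0
    return pct < 100

# Constructed sample inputs (not real scan data).
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=63072000",
                  "X-Frame-Options": "DENY", "Content-Type": "text/html"}
SAMPLE_DMARC = "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com"
```

A site with only HSTS and X-Frame-Options is missing four of the six headers and is counted as Unprotected; a quarantine policy applied to half of the mail is still counted as Spoofable under the assumption above.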

Data based on automated weekly scans of publicly accessible websites.

No individual site names are disclosed. All statistics are anonymised by industry.

Regulatory references indicate which requirements relate to each finding. They do not assert non-compliance of any specific organisation.

Your competitors are in this data. Are you better or worse?

Run a free security scan and see your score, your grade, and how you compare — in 30 seconds, no account needed.

This data is also available as JSON via the Benchmark API.