Updated weekly · 1023 sites

EU Website Security Benchmark

We scan 1023 European websites every week — banking, pharma, e-commerce, government, tech. No individual sites are named. The question isn't who failed. It's which industries are exposed.

Average score: 55.8/100
Email spoofable: 54%
No DNSSEC: 79%
Missing security headers: 58%

How does your industry compare?

Security posture by industry, sorted by average score. Each industry has a detailed breakdown.

Industry     Sites  Score  Unprotected  Spoofable  Insecure  Grade distribution (grades present)
Pharma          40   48.1          55%        88%       15%  C, D, F
Automotive      20   49.6          60%        70%       25%  B, C, D, F
Banking        133   50.9          58%        56%       35%  C, D, F
E-Commerce     180   53.4          61%        62%       28%  C, D, F
Government     101   54.0          53%        66%       28%  C, D, F
Media          140   54.4          71%        71%       11%  C, D
Technology     274   59.7          54%        40%       18%  B, C, D, F
Insurance       43   60.1          44%        47%       26%  B, C, D, F
Regulatory      92   62.5          52%        29%       15%  B, C, D

Sorted by average security score (lowest first). Column explanations:
Unprotected = missing 3 or more critical HTTP headers.
Spoofable = no or weak DMARC (no policy enforcement).
Insecure = no HTTP-to-HTTPS redirect.
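To make the three flag columns concrete, here is an added Python example (not the benchmark's own scanner) that derives Unprotected, Spoofable and Insecure from constructed scan results. It assumes the six headers listed under "Security Headers" in the methodology are the critical set, that weak DMARC means a missing policy, p=none, or pct below 100, and that the redirect check passes only when the plain-HTTP response is a 3xx to an https:// URL.

```python
# Added example, not the benchmark's own code: derive the table's three flags
# from constructed scan results. Assumed definitions: the six headers listed under
# "Security Headers" are the critical set; weak DMARC = p missing, p=none, or
# pct below 100; no HTTPS redirect = plain-HTTP reply is not a 3xx to https://.
CRITICAL_HEADERS = {
    "strict-transport-security", "content-security-policy", "x-frame-options",
    "x-content-type-options", "referrer-policy", "permissions-policy",
}

def parse_dmarc(txt):
    """Split a DMARC TXT record into tags; None if absent or not v=DMARC1."""
    if not txt:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def is_spoofable(dmarc_txt):
    """Spoofable: no DMARC record, or a policy that does not enforce."""
    tags = parse_dmarc(dmarc_txt)
    if tags is None:
        return True
    enforcing = tags.get("p", "none").lower() in ("quarantine", "reject")
    return not enforcing or int(tags.get("pct", "100")) < 100

def is_unprotected(https_headers):
    """Unprotected: three or more critical headers missing from the HTTPS reply."""
    present = {name.lower() for name in https_headers}
    return len(CRITICAL_HEADERS - present) >= 3

def is_insecure(http_status, http_headers):
    """Insecure: the plain-HTTP request is not redirected to an https:// URL."""
    location = {k.lower(): v for k, v in http_headers.items()}.get("location", "")
    return not (300 <= http_status < 400 and location.lower().startswith("https://"))

def classify(scan):
    return {"unprotected": is_unprotected(scan["https_headers"]),
            "spoofable": is_spoofable(scan["dmarc_txt"]),
            "insecure": is_insecure(scan["http_status"], scan["http_headers"])}

# Constructed scan results for two fictitious sites (not real benchmark data).
WEAK_SITE = {"https_headers": {"Strict-Transport-Security": "max-age=31536000"},
             "dmarc_txt": "v=DMARC1; p=none; rua=mailto:dmarc@weak.invalid",
             "http_status": 200, "http_headers": {}}
STRONG_SITE = {"https_headers": {h.title(): "set" for h in CRITICAL_HEADERS},
               "dmarc_txt": "v=DMARC1; p=reject; pct=100",
               "http_status": 301, "http_headers": {"Location": "https://strong.invalid/"}}
```

Calling `classify(WEAK_SITE)` sets all three flags, while `classify(STRONG_SITE)` clears them; a real scanner would fill the input dicts from the DNS and HTTP responses instead of the constructed values above.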


Where does your website fit in this picture?

Run a free security scan — no account needed. See your score, grade, and how you compare to your industry.

Scan your website now

What we found

The most common security gaps across 1023 European websites — and the regulations they violate.

Missing Security Headers (58% of sites)
Visitors are exposed to clickjacking, XSS, and content injection because critical HTTP headers are missing.
Regulatory reference: NIS2 Art. 21

Weak Email Authentication (54% of sites)
Emails from these domains can be spoofed — invoices, password resets, anything. There is no DMARC enforcement.
Regulatory reference: NIS2 Art. 21 / DORA Art. 9

No DNSSEC (79% of sites)
DNS responses are unsigned, so attackers can redirect visitors to fake sites without detection.
Regulatory reference: NIS2 Art. 21

No MTA-STS (92% of sites)
Inbound email can be downgraded to plaintext by an attacker because the server does not enforce TLS.
Regulatory reference: NIS2 Art. 21

No SMTP Encryption (11% of sites)
Email is transmitted in cleartext; anyone on the network path can read it.
Regulatory reference: GDPR Art. 32

No security.txt (75% of sites)
No public vulnerability disclosure contact, so security researchers have nowhere to report issues.
Regulatory reference: CRA Art. 11

No CAA Records (81% of sites)
Any certificate authority can issue certificates for the domain; nothing restricts issuance.
Regulatory reference: NIS2 Art. 21

No HTTPS Redirect (22% of sites)
Visitors connect over unencrypted HTTP, so credentials and data are visible on the network.
Regulatory reference: GDPR Art. 32

No DANE/TLSA (93% of sites)
No DANE/TLSA record pins the mail server's certificate in DNS, leaving SMTP transport vulnerable to man-in-the-middle attacks.
Regulatory reference: NIS2 Art. 21

Methodology & Scoring

How we scan, what we measure, how scores are computed.

Every site is scanned weekly across these security dimensions. Scores are computed on a 100-point scale; the weights below sum to 100.

Security Headers (25 pts): HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
SSL/TLS Certificate (20 pts): key strength, signature algorithm, chain depth, TLS version, forward secrecy
HTTPS Enforcement (10 pts): HTTP-to-HTTPS redirect for all visitors
Email Authentication (15 pts): SPF, DKIM (key strength), DMARC (policy enforcement)
DNS Security (15 pts): DNSSEC signing, CAA records, DoH consistency, DANE/TLSA
security.txt (5 pts): vulnerability disclosure contact per RFC 9116
MTA-STS (3 pts): inbound email TLS enforcement (enforce vs. testing mode)
TLS-RPT (2 pts): SMTP TLS failure reporting endpoint
Server Privacy (5 pts): no server version disclosure, no X-Powered-By, restricted CORS

Data based on automated weekly scans of publicly accessible websites.

No individual site names are disclosed. All statistics are anonymised by industry.

Regulatory references indicate which requirements relate to each finding. They do not assert non-compliance of any specific organisation.

Your competitors are in this data. Are you better or worse?

Run a free security scan and see your score, your grade, and how you compare — in 30 seconds, no account needed.

This data is also available as JSON via the Benchmark API.