EU Website Security Benchmark — April 2026

Security posture snapshot for April 2026 across 812023 monitored European websites.

Previous month Next month

38.5/100

Average score

91%

Email spoofable

84%

No DNSSEC

63%

Missing security headers

How does your industry compare?

Security posture by industry — sorted by average score. Click an industry to see its detailed breakdown.

Industry	Sites	Score ▲	Unprotected	Spoofable	Insecure	Grade distribution
Hospitality	109011	37.2	65%	92%	55%	D F
beauty	29902	37.7	67%	93%	55%	D F
Food & Delivery	227992	37.7	67%	93%	54%	D F
home-garden	26867	38.1	60%	91%	55%	D F
pets	3446	38.1	63%	91%	54%	D F
Travel	23053	38.1	63%	90%	56%	D F
culture	29613	38.2	65%	91%	54%	D F
Sports	45850	38.4	64%	91%	53%	D F
Education	96269	38.5	57%	90%	55%	D F
Real Estate	11899	38.5	63%	92%	47%	D F
Automotive	35564	38.7	62%	90%	54%	D F
professional-services	15345	39.6	64%	88%	53%	D F
construction	13282	39.7	69%	90%	49%	D F
Fashion	28027	39.7	53%	91%	51%	D F
Healthcare	51098	40.1	65%	90%	49%	D F
NGO & Nonprofit	11737	40.2	65%	90%	46%	D F
Technology	17667	40.7	59%	84%	52%	D F
Media	4081	42.2	66%	90%	32%	D F
Logistics	2208	42.3	60%	82%	46%	D F
E-Commerce	4342	42.5	46%	95%	46%	D F
Adult	326	42.9	67%	88%	21%	D F
Pharma	13636	43.0	60%	85%	40%	D F
Gambling	319	43.3	59%	86%	31%	D F
Energy	1758	44.5	50%	81%	44%	D F
Insurance	2970	44.6	54%	85%	41%	D F
Telecom	370	45.3	40%	86%	38%	D F
Transport	487	46.5	52%	84%	27%	D F
Regulatory	345	49.3	47%	71%	20%	C D F
Banking	2961	51.2	25%	80%	40%	C D F
Government	1597	51.3	49%	81%	22%	C D F

Click a column header to sort. Column explanations: Unprotected = missing 3+ critical HTTP headers. Spoofable = no or weak DMARC. Insecure = no HTTPS redirect.

A B C D F

What we found

The most common security gaps across 812023 European websites — and the regulations they violate.

63%

Missing Security Headers

Visitors are exposed to clickjacking, XSS, and content injection because critical HTTP headers are missing.

NIS2 Art. 21

91%

Weak Email Authentication

Emails from these domains can be spoofed — invoices, password resets, anything. No DMARC enforcement.

NIS2 Art. 21 / DORA Art. 9

84%

No DNSSEC

DNS responses are unsigned. Attackers can redirect visitors to fake sites without detection.

NIS2 Art. 21

Where does your website fit in this picture?

Run a free security scan — no account needed. See your score, grade, and how you compare to your industry.

Scan your website now

This data is also available as JSON via the Benchmark API.

EU Website Security Benchmark — April 2026

How does your industry compare?

What we found

Missing Security Headers

Weak Email Authentication

No DNSSEC

Where does your website fit in this picture?

Are you sure?