812023 sites · April 2026

EU Website Security Benchmark — April 2026

Security posture snapshot for April 2026 across 812023 monitored European websites.

Average score: 38.5/100
Email spoofable: 91%
No DNSSEC: 84%
Missing security headers: 63%

How does your industry compare?

Security posture by industry — sorted by average score.

| Industry | Sites | Score | Unprotected | Spoofable | Insecure | Grade distribution |
|---|---|---|---|---|---|---|
| Hospitality | 109011 | 37.2 | 65% | 92% | 55% | D F |
| beauty | 29902 | 37.7 | 67% | 93% | 55% | D F |
| Food & Delivery | 227992 | 37.7 | 67% | 93% | 54% | D F |
| home-garden | 26867 | 38.1 | 60% | 91% | 55% | D F |
| pets | 3446 | 38.1 | 63% | 91% | 54% | D F |
| Travel | 23053 | 38.1 | 63% | 90% | 56% | D F |
| culture | 29613 | 38.2 | 65% | 91% | 54% | D F |
| Sports | 45850 | 38.4 | 64% | 91% | 53% | D F |
| Education | 96269 | 38.5 | 57% | 90% | 55% | D F |
| Real Estate | 11899 | 38.5 | 63% | 92% | 47% | D F |
| Automotive | 35564 | 38.7 | 62% | 90% | 54% | D F |
| professional-services | 15345 | 39.6 | 64% | 88% | 53% | D F |
| construction | 13282 | 39.7 | 69% | 90% | 49% | D F |
| Fashion | 28027 | 39.7 | 53% | 91% | 51% | D F |
| Healthcare | 51098 | 40.1 | 65% | 90% | 49% | D F |
| NGO & Nonprofit | 11737 | 40.2 | 65% | 90% | 46% | D F |
| Technology | 17667 | 40.7 | 59% | 84% | 52% | D F |
| Media | 4081 | 42.2 | 66% | 90% | 32% | D F |
| Logistics | 2208 | 42.3 | 60% | 82% | 46% | D F |
| E-Commerce | 4342 | 42.5 | 46% | 95% | 46% | D F |
| Adult | 326 | 42.9 | 67% | 88% | 21% | D F |
| Pharma | 13636 | 43.0 | 60% | 85% | 40% | D F |
| Gambling | 319 | 43.3 | 59% | 86% | 31% | D F |
| Energy | 1758 | 44.5 | 50% | 81% | 44% | D F |
| Insurance | 2970 | 44.6 | 54% | 85% | 41% | D F |
| Telecom | 370 | 45.3 | 40% | 86% | 38% | D F |
| Transport | 487 | 46.5 | 52% | 84% | 27% | D F |
| Regulatory | 345 | 49.3 | 47% | 71% | 20% | C D F |
| Banking | 2961 | 51.2 | 25% | 80% | 40% | C D F |
| Government | 1597 | 51.3 | 49% | 81% | 22% | C D F |

Column explanations: Unprotected = missing 3+ critical HTTP headers. Spoofable = no or weak DMARC. Insecure = no HTTPS redirect.


What we found

The most common security gaps across 812023 European websites — and the regulations they violate.

Missing Security Headers: 63%

Visitors are exposed to clickjacking, XSS, and content injection because critical HTTP headers are missing.

NIS2 Art. 21

Weak Email Authentication: 91%

Emails from these domains can be spoofed — invoices, password resets, anything. No DMARC enforcement.

NIS2 Art. 21 / DORA Art. 9

No DNSSEC: 84%

DNS responses are unsigned. Attackers can redirect visitors to fake sites without detection.

NIS2 Art. 21

Where does your website fit in this picture?

Run a free security scan — no account needed. See your score, grade, and how you compare to your industry.


This data is also available as JSON via the Benchmark API.