EU Website Security Benchmark — May 2026

Security posture snapshot for May 2026 across 816171 monitored European websites.

Previous month Next month

42.9/100

Average score

99%

Email spoofable

84%

No DNSSEC

58%

Missing security headers

How does your industry compare?

Security posture by industry — sorted by average score. Click an industry to see its detailed breakdown.

Industry	Sites	Score ▲	Unprotected	Spoofable	Insecure	Grade distribution
Real Estate	11949	41.5	55%	99%	55%	D F
Hospitality	109659	41.6	59%	99%	58%	D F
Automotive	35824	42.4	56%	99%	56%	D F
NGO & Nonprofit	11774	42.6	57%	98%	55%	D F
construction	13325	42.7	62%	98%	54%	D F
pets	3462	42.7	59%	99%	54%	D F
Sports	46087	42.7	60%	99%	53%	D F
Travel	23178	42.7	59%	99%	55%	D F
Food & Delivery	229346	42.8	62%	99%	55%	D F
culture	29759	42.9	61%	99%	54%	D F
home-garden	26993	42.9	57%	99%	53%	D F
beauty	30041	43.1	63%	99%	53%	D F
Education	96592	43.3	53%	99%	53%	D F
Fashion	28157	43.6	50%	99%	53%	D F
Logistics	2215	43.6	51%	98%	53%	D F
Healthcare	51308	43.7	59%	98%	51%	D F
professional-services	15420	43.7	60%	98%	52%	D F
Pharma	13692	44.1	49%	98%	57%	D F
Technology	17755	44.6	55%	97%	53%	D F
Media	4101	44.8	59%	98%	46%	D F
Energy	1770	45.5	44%	97%	57%	D F
Insurance	2979	45.6	45%	98%	54%	D F
Adult	327	46.4	64%	98%	38%	D F
E-Commerce	4352	46.9	40%	96%	56%	D F
Transport	488	48.3	45%	95%	47%	C D F
Government	1608	49.1	36%	96%	58%	C D F
Telecom	370	49.2	39%	97%	48%	C D F
Gambling	322	49.4	56%	97%	41%	C D
Banking	2972	50.0	24%	96%	59%	C D F
Regulatory	345	51.4	42%	96%	40%	C D F

Click a column header to sort. Column explanations: Unprotected = missing 3+ critical HTTP headers. Spoofable = no or weak DMARC. Insecure = no HTTPS redirect.

A B C D F

What we found

The most common security gaps across 816171 European websites — and the regulations they violate.

58%

Missing Security Headers

Visitors are exposed to clickjacking, XSS, and content injection because critical HTTP headers are missing.

NIS2 Art. 21

99%

Weak Email Authentication

Emails from these domains can be spoofed — invoices, password resets, anything. No DMARC enforcement.

NIS2 Art. 21 / DORA Art. 9

84%

No DNSSEC

DNS responses are unsigned. Attackers can redirect visitors to fake sites without detection.

NIS2 Art. 21

Where does your website fit in this picture?

Run a free security scan — no account needed. See your score, grade, and how you compare to your industry.

Scan your website now

This data is also available as JSON via the Benchmark API.

EU Website Security Benchmark — May 2026

How does your industry compare?

What we found

Missing Security Headers

Weak Email Authentication

No DNSSEC

Where does your website fit in this picture?

Are you sure?