EU Website Security Benchmark — June 2026

Security posture snapshot for June 2026 across 816129 monitored European websites.

Previous month

42.9/100

Average score

99%

Email spoofable

84%

No DNSSEC

57%

Missing security headers

How does your industry compare?

Security posture by industry — sorted by average score. Click an industry to see its detailed breakdown.

Industry	Sites	Score ▲	Unprotected	Spoofable	Insecure	Grade distribution
Real Estate	11947	41.5	54%	99%	54%	D F
Hospitality	109653	41.6	58%	99%	57%	D F
Automotive	35822	42.4	56%	99%	55%	D F
NGO & Nonprofit	11774	42.6	56%	98%	53%	D F
Travel	23176	42.6	57%	99%	55%	D F
Food & Delivery	229329	42.7	60%	99%	55%	D F
pets	3462	42.7	58%	99%	53%	D F
Sports	46082	42.7	59%	99%	53%	D F
construction	13325	42.8	62%	98%	52%	D F
culture	29759	42.9	59%	99%	53%	D F
home-garden	26996	42.9	56%	99%	53%	D F
beauty	30039	43.0	61%	99%	53%	D F
Education	96591	43.2	53%	99%	52%	D F
Logistics	2215	43.4	51%	98%	54%	D F
Fashion	28156	43.5	49%	99%	53%	D F
Adult	327	43.7	36%	98%	68%	D F
Healthcare	51306	43.7	58%	99%	50%	D F
Media	4101	43.7	50%	98%	56%	D F
professional-services	15420	43.8	60%	98%	50%	D F
Pharma	13690	43.9	47%	98%	57%	D F
Technology	17753	44.2	52%	98%	55%	D F
Energy	1769	45.0	42%	97%	60%	D F
Insurance	2979	45.5	46%	98%	55%	D F
Gambling	322	45.9	34%	97%	71%	D F
Transport	488	45.9	34%	95%	66%	D F
E-Commerce	4352	46.0	33%	96%	64%	D F
Regulatory	345	46.6	24%	96%	72%	C D F
Telecom	370	46.8	28%	97%	65%	C D F
Government	1608	48.8	35%	96%	60%	C D F
Banking	2972	49.6	23%	96%	62%	C D F

Click a column header to sort. Column explanations: Unprotected = missing 3+ critical HTTP headers. Spoofable = no or weak DMARC. Insecure = no HTTPS redirect.

A B C D F

What we found

The most common security gaps across 816129 European websites — and the regulations they violate.

57%

Missing Security Headers

Visitors are exposed to clickjacking, XSS, and content injection because critical HTTP headers are missing.

NIS2 Art. 21

99%

Weak Email Authentication

Emails from these domains can be spoofed — invoices, password resets, anything. No DMARC enforcement.

NIS2 Art. 21 / DORA Art. 9

84%

No DNSSEC

DNS responses are unsigned. Attackers can redirect visitors to fake sites without detection.

NIS2 Art. 21

Where does your website fit in this picture?

Run a free security scan — no account needed. See your score, grade, and how you compare to your industry.

Scan your website now

This data is also available as JSON via the Benchmark API.

EU Website Security Benchmark — June 2026

How does your industry compare?

What we found

Missing Security Headers

Weak Email Authentication

No DNSSEC

Where does your website fit in this picture?

Are you sure?