We scan 17591 European websites every week — banking, pharma, e-commerce, government, tech. No individual sites are named. The question isn't who failed. It's which industries are exposed.
53.9/100
Average score
50%
Email spoofable
83%
No DNSSEC
66%
Missing security headers
19%
High-risk pre-consent transfers
60.1/100
Accessibility score
5.0
Pre-consent cookies avg
Security posture by industry — sorted by average score. Click an industry to see its detailed breakdown.
| Industry | Sites | Score | Unprotected | Spoofable | Pre-Consent | Grade distribution |
|---|---|---|---|---|---|---|
| Sports | 395 |
|
83% | 75% | 29% |
D
F
|
| Hospitality | 518 |
|
79% | 70% | 23% |
C
D
F
|
| Logistics | 305 |
|
74% | 50% | 13% |
C
D
F
|
| Adult | 295 |
|
81% | 76% | 12% |
D
F
|
| NGO & Nonprofit | 345 |
|
73% | 68% | 23% |
C
D
F
|
| Media | 2432 |
|
79% | 59% | 22% |
C
D
|
| Travel | 227 |
|
64% | 57% | 11% |
B
C
D
F
|
| Fashion | 269 |
|
57% | 48% | 22% |
C
D
F
|
| Gambling | 272 |
|
68% | 52% | 13% |
C
D
|
| Food & Delivery | 222 |
|
66% | 54% | 12% |
C
D
F
|
| Real Estate | 354 |
|
69% | 52% | 21% |
C
D
|
| Healthcare | 541 |
|
67% | 50% | 18% |
C
D
|
| E-Commerce | 4320 |
|
65% | 47% | 16% |
C
D
|
| Transport | 416 |
|
60% | 49% | 19% |
C
D
|
| Technology | 2064 |
|
64% | 49% | 22% |
C
D
|
| Automotive | 367 |
|
59% | 51% | 15% |
C
D
|
| Pharma | 292 |
|
59% | 39% | 22% |
C
D
|
| Regulatory | 332 |
|
55% | 55% | 36% |
C
D
|
| Education | 926 |
|
69% | 62% | 23% |
C
D
|
| Telecom | 364 |
|
58% | 47% | 19% |
C
D
|
| Energy | 389 |
|
55% | 42% | 20% |
C
D
|
| Government | 989 |
|
57% | 50% | 24% |
C
D
|
| Banking | 623 |
|
44% | 27% | 11% |
C
D
|
| Insurance | 334 |
|
46% | 29% | 13% |
C
D
|
Sorted by average security score (lowest first). Column explanations: Unprotected = missing 3+ critical HTTP headers. Spoofable = no or weak DMARC.
Security posture by country — click a country to see its detailed breakdown.
Austria
436 sites
Belgium
469 sites
Bulgaria
306 sites
CA
1 sites
Croatia
253 sites
Cyprus
180 sites
Czech Republic
461 sites
Denmark
422 sites
Estonia
275 sites
European Union
171 sites
Finland
394 sites
France
1392 sites
Germany
2361 sites
Greece
618 sites
HK
1 sites
Hungary
440 sites
Iceland
167 sites
Ireland
314 sites
Italy
1031 sites
Latvia
247 sites
Liechtenstein
74 sites
Lithuania
238 sites
Luxembourg
191 sites
Malta
179 sites
NZ
1 sites
Netherlands
812 sites
Norway
422 sites
Poland
929 sites
Portugal
409 sites
RS
1 sites
Romania
384 sites
SG
1 sites
Slovakia
311 sites
Slovenia
279 sites
Spain
747 sites
Sweden
626 sites
Switzerland
623 sites
TR
4 sites
US
13 sites
United Kingdom
1408 sites
Run a free security scan — no account needed. See your score, grade, and how you compare to your industry.
Scan your website nowThe most common security gaps across 17591 European websites — and the regulations they violate.
66%
Visitors are exposed to clickjacking, XSS, and content injection because critical HTTP headers are missing.
50%
Emails from these domains can be spoofed — invoices, password resets, anything. No DMARC enforcement.
83%
DNS responses are unsigned. Attackers can redirect visitors to fake sites without detection.
Beyond security — how Europe's websites perform on accessibility, Core Web Vitals, and cookie consent.
17019 sites scanned · EAA / BFSG
60.1
Avg score
5.3
Avg violations
13244
Critical total
16917 sites scanned · ePrivacy / TTDSG
5.0
Pre-consent avg
7212
No banner
3369
No reject btn
16581 sites scanned
92.9
Perf score
1.8s
LCP
0.083
CLS
1.5s
FCP
80.0ms
TBT
0ms
TTFB
How we scan, what we measure, how scores are computed.
Every site is scanned weekly across these security dimensions. Scores are computed on a 100-point scale.
HSTS, CSP, X-Frame-Options, X-Content-Type, Referrer-Policy, Permissions-Policy
Key strength, signature algorithm, chain depth, TLS version, forward secrecy
HTTP-to-HTTPS redirect for all visitors
SPF, DKIM (key strength), DMARC (policy enforcement)
DNSSEC signing, CAA records, DoH consistency, DANE/TLSA
Vulnerability disclosure contact per RFC 9116
Inbound email TLS enforcement (enforce vs. testing mode)
SMTP TLS failure reporting endpoint
No server version disclosure, no X-Powered-By, restricted CORS
Data based on automated weekly scans of publicly accessible websites.
No individual site names are disclosed. All statistics are anonymised by industry.
Regulatory references indicate which requirements relate to each finding. They do not assert non-compliance of any specific organisation.
Run a free security scan and see your score, your grade, and how you compare — in 30 seconds, no account needed.
This data is also available as JSON via the Benchmark API.