EU Industry Benchmark

NGO & Nonprofit

Anonymized security posture data for the ngo & nonprofit sector across the EU. Based on 348 monitored sites.

47.5

Avg. Score /100

D

Avg. Grade

348

Sites Tracked

-6.0

vs. EU Average

Critical findings in this industry

22 of 348 without HTTPS redirect

6.0%

7 of 348 with unencrypted email (no STARTTLS)

2.0%

55 of 348 without DMARC protection (spoofable)

16.0%

247 of 348 missing 3+ critical security headers

71.0%

74 of 348 without DNSSEC (vulnerable to DNS spoofing)

21.0%

89 of 348 without CAA records (unrestricted certificate issuance)

26.0%

88 of 348 without MTA-STS (email downgrade attacks possible)

25.0%

Grade Distribution

A

4 (1.0%)

B

23 (7.0%)

C

72 (21.0%)

D

129 (37.0%)

F

120 (34.0%)

Score by Country

🇦🇹 Austria

49.1 15 🇧🇪 Belgium

46.5 24 🇧🇬 Bulgaria

34.2 4 🇭🇷 Croatia

41.2 4 🇨🇿 Czech Republic

59.1 9 🇩🇰 Denmark

49.3 15 🇪🇪 Estonia

38.2 6 🇫🇮 Finland

53.6 13 🇫🇷 France

44.8 26 🇩🇪 Germany

55.7 23 🇬🇷 Greece

38.1 9 🇭🇺 Hungary

41.2 6 🇮🇪 Ireland

49.5 21 🇮🇹 Italy

43.5 26 🇱🇻 Latvia

44.0 3 🇱🇹 Lithuania

36.4 5 🇳🇱 Netherlands

58.1 19 🇳🇴 Norway

48.1 15 🇵🇱 Poland

36.2 10 🇵🇹 Portugal

40.7 12 🇷🇴 Romania

44.8 8 🇸🇰 Slovakia

42.8 4 🇸🇮 Slovenia

38.0 5 🇪🇸 Spain

47.3 23 🇸🇪 Sweden

47.8 18 🇨🇭 Switzerland

52.8 20 🇬🇧 United Kingdom

Hosting & Data Residency

45%

EU-headquartered provider

55%

Non-EU provider (CLOUD Act / Schrems II)

Cloudflare (US) 57 34.8%

Amazon Web Services (US) 29 17.7%

Hetzner (DE) 17 10.4%

OVHcloud (FR) 14 8.5%

Combell (BE) 10 6.1%

Server location via IP geolocation (MaxMind GeoLite2). Company HQ from ASN registry. A site may be physically hosted in the EU but use a US-headquartered provider subject to the CLOUD Act — per Schrems II (CJEU C-311/18), this requires SCCs with supplementary measures. · GDPR Art. 44–49

How does your site compare?

Run a free security scan and see your grade instantly.

All data is anonymized. No individual sites are identified. Statistics updated weekly.