Skip to main content
Updated weekly · 53856 sites

EU Website Security Benchmark

We scan 53856 European websites every week — banking, pharma, e-commerce, government, tech. No individual sites are named. The question isn't who failed. It's which industries are exposed.

48.1/100

Average score

69%

Email spoofable

83%

No DNSSEC

71%

Missing security headers

How does your industry compare?

Security posture by industry — sorted by average score. Click an industry to see its detailed breakdown.

Industry Sites Score Unprotected Spoofable Pre-Consent Grade distribution
construction 15
40.9
93% 60% 0%
D
F
beauty 68
43.0
71% 83% 4%
D
F
Hospitality 4392
43.2
78% 82% 20%
D
F
Food & Delivery 6697
43.4
78% 81% 13%
D
F
Sports 3100
44.3
80% 83% 19%
D
F
Automotive 2940
44.6
73% 79% 17%
D
F
culture 559
44.9
70% 73% 20%
D
F
Travel 1411
45.4
75% 75% 16%
D
F
Healthcare 3090
45.9
77% 77% 15%
D
F
Fashion 2740
46.5
65% 77% 22%
D
F
Real Estate 1980
46.5
78% 75% 25%
D
F
Logistics 1139
46.6
76% 67% 16%
D
F
Pharma 2947
46.6
66% 75% 15%
D
F
NGO & Nonprofit 2141
46.7
79% 77% 20%
D
F
pets 7
47.0
71% 67% 0%
C
D
F
Adult 332
47.3
77% 74% 14%
D
F
Education 4019
47.3
71% 77% 19%
C
D
F
professional-services 9
47.6
89% 57% 0%
D
home-garden 94
48.8
68% 79% 10%
D
F
Energy 1039
51.4
65% 60% 19%
C
D
F
Media 2484
51.9
79% 59% 24%
C
D
Insurance 1374
52.0
62% 61% 16%
C
D
F
Gambling 309
52.1
67% 51% 13%
C
D
E-Commerce 4322
54.8
65% 47% 17%
C
D
Transport 484
54.9
59% 50% 18%
C
D
Technology 2106
55.8
64% 49% 22%
C
D
Government 1604
56.1
53% 52% 23%
C
D
Regulatory 331
56.7
54% 53% 36%
C
D
Telecom 364
57.0
57% 48% 19%
C
D
Banking 1759
59.9
36% 45% 14%
C
D

Click a column header to sort. Column explanations: Unprotected = missing 3+ critical HTTP headers. Spoofable = no or weak DMARC.

A B C D F

Security across Europe

Average security score by country — hover for details, click to explore.

Austria: 48.1/100 (1670 sites) Belgium: 48.7/100 (1626 sites) Bulgaria: 45.3/100 (1033 sites) Switzerland: 52.1/100 (1801 sites) Cyprus: 43.7/100 (621 sites) Czech Republic: 48.5/100 (1414 sites) Germany: 47.5/100 (11478 sites) Denmark: 50.3/100 (1519 sites) Estonia: 48.4/100 (876 sites) Spain: 46.6/100 (2184 sites) Finland: 50.2/100 (1424 sites) France: 48.7/100 (2762 sites) United Kingdom: 52.7/100 (2798 sites) Greece: 44.0/100 (1465 sites) Croatia: 44.4/100 (1001 sites) Hungary: 43.7/100 (1330 sites) Ireland: 47.5/100 (1392 sites) Italy: 47.1/100 (2342 sites) Lithuania: 44.6/100 (871 sites) Luxembourg: 47.4/100 (630 sites) Latvia: 45.8/100 (764 sites) Netherlands: 54.1/100 (2131 sites) Norway: 52.6/100 (1194 sites) Poland: 47.0/100 (2151 sites) Portugal: 46.8/100 (1357 sites) Romania: 44.0/100 (1230 sites) Sweden: 51.0/100 (1545 sites) Slovenia: 43.0/100 (909 sites) Slovakia: 48.2/100 (1185 sites)
Worse
Better

How does your country compare?

Security posture by country — click a country to see its detailed breakdown.

🇦🇹

Austria

1670 sites

48.1 🇧🇪

Belgium

1626 sites

48.7 🇧🇬

Bulgaria

1033 sites

45.3 🇭🇷

Croatia

1001 sites

44.4 🇨🇾

Cyprus

621 sites

43.7 🇨🇿

Czech Republic

1414 sites

48.5 🇩🇰

Denmark

1519 sites

50.3 🇪🇪

Estonia

876 sites

48.4 🇪🇺

European Union

171 sites

55.7 🇫🇮

Finland

1424 sites

50.2 🇫🇷

France

2762 sites

48.7 🇩🇪

Germany

11478 sites

47.5 🇬🇷

Greece

1465 sites

44.0 🇭🇺

Hungary

1330 sites

43.7 🇮🇸

Iceland

462 sites

49.1 🇮🇪

Ireland

1392 sites

47.5 🇮🇹

Italy

2342 sites

47.1 🇱🇻

Latvia

764 sites

45.8 🇱🇮

Liechtenstein

119 sites

48.1 🇱🇹

Lithuania

871 sites

44.6 🇱🇺

Luxembourg

630 sites

47.4 🇲🇹

Malta

400 sites

48.3 🇳🇱

Netherlands

2131 sites

54.1 🇳🇴

Norway

1194 sites

52.6 🇵🇱

Poland

2151 sites

47.0 🇵🇹

Portugal

1357 sites

46.8 🇷🇴

Romania

1230 sites

44.0 🇸🇰

Slovakia

1185 sites

48.2 🇸🇮

Slovenia

909 sites

43.0 🇪🇸

Spain

2184 sites

46.6 🇸🇪

Sweden

1545 sites

51.0 🇨🇭

Switzerland

1801 sites

52.1 🇬🇧

United Kingdom

2798 sites

52.7

Where does your website fit in this picture?

Run a free security scan — no account needed. See your score, grade, and how you compare to your industry.

Scan your website now

What we found

The most common security gaps across 53856 European websites — and the regulations they violate.

71%

Missing Security Headers

Visitors are exposed to clickjacking, XSS, and content injection because critical HTTP headers are missing.

NIS2 Art. 21

69%

Weak Email Authentication

Emails from these domains can be spoofed — invoices, password resets, anything. No DMARC enforcement.

NIS2 Art. 21 / DORA Art. 9

83%

No DNSSEC

DNS responses are unsigned. Attackers can redirect visitors to fake sites without detection.

NIS2 Art. 21
Show all findings
98%
No MTA-STS
Inbound emails can be downgraded to plaintext by an attacker — the server doesn't enforce TLS.
NIS2 Art. 21
15%
No SMTP Encryption
Email is transmitted in cleartext. Anyone on the network can read it.
GDPR Art. 32
93%
No security.txt
No public vulnerability disclosure contact — security researchers have nowhere to report issues.
CRA Art. 11
93%
No CAA Records
Any certificate authority can issue certificates for this domain — no restrictions.
NIS2 Art. 21
11%
No HTTPS Redirect
Visitors connect over unencrypted HTTP. Credentials and data are visible on the network.
GDPR Art. 32
94%
No DANE/TLSA
No certificate pinning for email transport — vulnerable to man-in-the-middle on SMTP.
NIS2 Art. 21

Deep-Dive Reports

Explore specific dimensions of Europe's web landscape in detail.

Security Report

TLS, headers, email auth, DNS security

Privacy Report

Cookies, consent, pre-consent transfers, hosting

Accessibility Report

WCAG 2.2 violations, Core Web Vitals

Technology Report

CMS platforms, CMP market share, hosting providers

Methodology & Scoring

How we scan, what we measure, how scores are computed.

Every site is scanned weekly across these security dimensions. Scores are computed on a 100-point scale.

Security Headers 25 pts

HSTS, CSP, X-Frame-Options, X-Content-Type, Referrer-Policy, Permissions-Policy

SSL/TLS Certificate 20 pts

Key strength, signature algorithm, chain depth, TLS version, forward secrecy

HTTPS Enforcement 10 pts

HTTP-to-HTTPS redirect for all visitors

Email Authentication 15 pts

SPF, DKIM (key strength), DMARC (policy enforcement)

DNS Security 15 pts

DNSSEC signing, CAA records, DoH consistency, DANE/TLSA

security.txt 5 pts

Vulnerability disclosure contact per RFC 9116

MTA-STS 3 pts

Inbound email TLS enforcement (enforce vs. testing mode)

TLS-RPT 2 pts

SMTP TLS failure reporting endpoint

Server Privacy 5 pts

No server version disclosure, no X-Powered-By, restricted CORS

Data based on automated weekly scans of publicly accessible websites.

No individual site names are disclosed. All statistics are anonymised by industry.

Regulatory references indicate which requirements relate to each finding. They do not assert non-compliance of any specific organisation.

Your competitors are in this data. Are you better or worse?

Run a free security scan and see your score, your grade, and how you compare — in 30 seconds, no account needed.

Scan your website now Learn about SiteGuardian

This data is also available as JSON via the Benchmark API.