We scan 2248 European websites every week — banking, pharma, e-commerce, government, tech. No individual sites are named. The question isn't who failed. It's which industries are exposed.
- Average score: 59.8/100
- Email spoofable: 47%
- No DNSSEC: 80%
- Missing security headers: 63%
- Accessibility score: 68.8/100
- Pre-consent cookies avg: 5.5
Security posture by industry, sorted by average score.

| Industry | Sites | Score | Unprotected | Spoofable | Insecure | Grade distribution |
|---|---|---|---|---|---|---|
| Pharma | 46 | | 57% | 57% | 7% | C, D |
| Technology | 887 | | 69% | 51% | 9% | C, D |
| Media | 358 | | 74% | 54% | 2% | C, D |
| Healthcare | 12 | | 58% | 67% | 0% | B, C, D |
| E-Commerce | 214 | | 58% | 38% | 12% | C, D |
| Banking | 135 | | 46% | 39% | 13% | C, D |
| Education | 116 | | 72% | 54% | 1% | C, D |
| Transport | 38 | | 55% | 32% | 11% | B, C, D |
| Telecom | 50 | | 66% | 38% | 0% | C, D |
| Government | 128 | | 48% | 47% | 5% | B, C, D |
| Automotive | 42 | | 50% | 50% | 5% | B, C, D |
| Insurance | 46 | | 39% | 41% | 13% | B, C, D |
| Energy | 65 | | 42% | 35% | 5% | B, C, D |
| Regulatory | 95 | | 49% | 28% | 6% | B, C, D |
| Real Estate | 16 | | 50% | 38% | 6% | B, C, D |

Sorted by average security score (lowest first). Column explanations: Unprotected = missing 3+ critical HTTP headers. Spoofable = no or weak DMARC. Insecure = no HTTPS redirect.
Security posture by country.

- Austria: 95 sites
- Belgium: 95 sites
- Bulgaria: 46 sites
- Switzerland: 95 sites
- Cyprus: 16 sites
- Czech Republic: 94 sites
- Germany: 241 sites
- Denmark: 92 sites
- Estonia: 48 sites
- Spain: 204 sites
- European Union: 18 sites
- Finland: 93 sites
- France: 228 sites
- United Kingdom: 64 sites
- Greece: 89 sites
- Croatia: 48 sites
- Hungary: 92 sites
- Ireland: 95 sites
- Iceland: 28 sites
- Italy: 193 sites
- Liechtenstein: 28 sites
- Lithuania: 18 sites
- Luxembourg: 9 sites
- Latvia: 7 sites
- Malta: 5 sites
- Netherlands: 67 sites
- Norway: 23 sites
- Poland: 37 sites
- Portugal: 17 sites
- Romania: 13 sites
- Sweden: 40 sites
- Slovenia: 4 sites
- Slovakia: 6 sites

Run a free security scan — no account needed. See your score, grade, and how you compare to your industry.
The most common security gaps across 2248 European websites — and the regulations they violate.
- 63%: Visitors are exposed to clickjacking, XSS, and content injection because critical HTTP headers are missing.
- 47%: Emails from these domains can be spoofed — invoices, password resets, anything. No DMARC enforcement.
- 80%: DNS responses are unsigned. Attackers can redirect visitors to fake sites without detection.
Beyond security — how Europe's websites perform on accessibility, Core Web Vitals, and cookie consent.
606 sites scanned · EAA / BFSG

- Avg score: 68.8
- Avg violations: 4.4
- Critical total: 429

606 sites scanned · ePrivacy / TTDSG

- Pre-consent avg: 5.5
- No banner: 214
- No reject btn: 199

590 sites scanned

- Perf score: 83.8
- LCP: 1.6s
- CLS: 0.078
- FCP: 1.1s
- TBT: 802.0ms
- TTFB: 0ms

How we scan, what we measure, how scores are computed.
Every site is scanned weekly across these security dimensions. Scores are computed on a 100-point scale.
- HSTS, CSP, X-Frame-Options, X-Content-Type, Referrer-Policy, Permissions-Policy
- Key strength, signature algorithm, chain depth, TLS version, forward secrecy
- HTTP-to-HTTPS redirect for all visitors
- SPF, DKIM (key strength), DMARC (policy enforcement)
- DNSSEC signing, CAA records, DoH consistency, DANE/TLSA
- Vulnerability disclosure contact per RFC 9116
- Inbound email TLS enforcement (enforce vs. testing mode)
- SMTP TLS failure reporting endpoint
- No server version disclosure, no X-Powered-By, restricted CORS

Data based on automated weekly scans of publicly accessible websites.
No individual site names are disclosed. All statistics are anonymised by industry.
Regulatory references indicate which requirements relate to each finding. They do not assert non-compliance of any specific organisation.
This data is also available as JSON via the Benchmark API.