Data from the SiteGuardian EU Web Security Benchmark — April 2026, 704,044 websites assessed across 30 countries.
94.8% Fail
We scanned 704,044 European websites automatically — across six dimensions: HTTP security headers, TLS configuration, DNS security, email authentication, accessibility, and cookie compliance.
The results:
| Grade | Share |
|---|---|
| A | 0.0% (16 websites) |
| B | 0.2% |
| C | 5.0% |
| D | 52.5% |
| F | 42.3% |
These are not niche sites. The benchmark includes enterprises, government agencies, hospitals, banks, and e-commerce platforms from across the EU — organisations operating under NIS2, DORA, or GDPR that process personal data every day.
The Regulatory Landscape: What the EU Demands
Over the past three years, the EU has built a regulatory framework that turns web security from a nice-to-have into a legal obligation. Three regulations stand out:
NIS2 (Directive 2022/2555) — the deadline for national transposition was October 2024. Article 21(2) requires essential and important entities to implement concrete measures: cryptography, incident response, supply chain security, and — in paragraph (e) — vulnerability handling and disclosure. Sectors covered include energy, transport, healthcare, digital infrastructure, manufacturing, food, postal services, and digital providers. Penalties: up to EUR 10 million or 2% of global annual revenue.
DORA (Regulation 2022/2554) — in force since January 2025 for the financial sector. Articles 6-8 mandate ICT risk management including vulnerability identification and remediation. Affected entities include banks, insurers, investment firms, crypto-asset service providers, and their critical ICT third-party suppliers.
Cyber Resilience Act (Regulation 2024/2847) — mandatory reporting of actively exploited vulnerabilities from September 2026 (Art. 11), coordinated vulnerability disclosure from December 2027 (Art. 14). Applies to manufacturers, importers, and distributors of digital products. Penalties: up to EUR 15 million or 2.5% of revenue.
The requirements are in place. What does reality look like?
HTTP Security Headers: The First Line of Defence Is Missing
Security headers are server-side instructions that protect the browser — against cross-site scripting, clickjacking, MIME confusion, and downgrade attacks. They cost nothing, typically require a single line of configuration, and yet remain barely adopted:
| Header | Adoption | What It Protects |
|---|---|---|
| Strict-Transport-Security (HSTS) | 27.6% | Prevents downgrade to HTTP |
| X-Content-Type-Options | 27.7% | Blocks MIME sniffing |
| X-Frame-Options | 19.2% | Prevents clickjacking |
| Referrer-Policy | 13.1% | Controls referrer leaks |
| Content-Security-Policy (CSP) | 10.8% | Mitigates XSS and injection |
| Permissions-Policy | 6.4% | Restricts browser APIs |
Three out of four websites allow unencrypted connections, even though a TLS certificate is present — HSTS is missing. 24.3% do not even redirect to HTTPS automatically.
Content Security Policy — the single most effective defence against XSS attacks — is absent on 89% of websites.
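The benchmark's distinction between a header that is present and one that actually works can be reproduced offline. The following is an added example (not SiteGuardian's scanner code) that takes a response-header dictionary and classifies each of the six headers in the table as effective, present-but-weak, or missing; the sample headers and the weakness rules (HSTS with max-age=0, CSP that allows 'unsafe-inline' without a nonce or hash) are assumptions chosen to illustrate the point.

```python
import re

# Headers the benchmark scores, as listed in the table above.
BENCHMARK_HEADERS = [
    "strict-transport-security", "x-content-type-options", "x-frame-options",
    "referrer-policy", "content-security-policy", "permissions-policy",
]

def header_is_effective(name, value):
    """Return True when the header value actually enforces something, not merely exists."""
    v = value.strip().lower()
    if name == "strict-transport-security":
        m = re.search(r"max-age=(\d+)", v)
        return bool(m) and int(m.group(1)) > 0          # max-age=0 switches HSTS off
    if name == "x-content-type-options":
        return v == "nosniff"                           # the only value browsers honour
    if name == "x-frame-options":
        return v in ("deny", "sameorigin")              # ALLOW-FROM is obsolete
    if name == "content-security-policy":
        # directive name -> list of sources, e.g. {"script-src": ["'self'", "'unsafe-inline'"]}
        directives = {d.split()[0]: d.split()[1:] for d in v.split(";") if d.split()}
        sources = directives.get("script-src", directives.get("default-src"))
        if sources is None:
            return False                                # nothing restricts script execution
        if "'unsafe-inline'" in sources and not any(s.startswith(("'nonce-", "'sha")) for s in sources):
            return False                                # inline script allowed again: XSS not mitigated
        return True
    return bool(v)                                      # Referrer-Policy / Permissions-Policy: any value

def assess_headers(headers):
    """Classify each benchmark header as 'effective', 'present-but-weak' or 'missing'."""
    lowered = {k.lower(): val for k, val in headers.items()}
    result = {}
    for name in BENCHMARK_HEADERS:
        if name not in lowered:
            result[name] = "missing"
        elif header_is_effective(name, lowered[name]):
            result[name] = "effective"
        else:
            result[name] = "present-but-weak"
    return result

# Constructed sample response headers, not taken from any scanned site.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=0",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
```

On the sample, HSTS and CSP both exist but count as present-but-weak, which is the state a checklist audit would record as "configured".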
Email Security: Phishing Made Easy
Phishing and Business Email Compromise are the most common attack vectors in Europe. The technical countermeasures have existed for years — and remain undeployed:
| Standard | Adoption | Purpose |
|---|---|---|
| SPF | 75.7% | Sender verification |
| STARTTLS | 56.3% | Transport encryption |
| DMARC | 46.8% | Policy enforcement |
| DKIM | 31.1% | Message integrity |
| MTA-STS | 0.5% | Enforced transport encryption |
SPF alone is not enough. Without DMARC set to reject or quarantine, anyone can send emails on behalf of your domain. Of the 46.8% that have DMARC, 63% set the policy to none — meaning no enforcement. The domain remains spoofable.
The misconfigurations we find in the wild are particularly revealing. We see DMARC policies like quarantaine, rejet, keiner, brak (Polish for "missing"), beleidsnaam (Dutch for "policy name") — and one website that pasted its entire RSA key into the policy field. These configuration errors are hard to catch — the record exists, the compliance checklist is ticked, but the protection does not work. This is exactly the gap between "configured" and "effective" that SiteGuardian was built to close: automated checks that verify not just the presence, but the correct function of every measure.
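To show why a DMARC record that exists is not the same as one that enforces, here is an added example (not SiteGuardian's code) that parses a record and classifies it. It encodes the RFC 7489 rule that an unusable p tag falls back to p=none only when a rua URI is present and is otherwise ignored; the sample records are constructed to mirror the misspelled policies quoted above.

```python
VALID_POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(record):
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def classify_dmarc(record):
    """Return (status, detail): does the record merely exist, or does it enforce?"""
    if not record:
        return "absent", "no _dmarc TXT record published"
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "invalid", "record must start with v=DMARC1; receivers ignore it"
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        # RFC 7489 s6.6.3: an unusable p tag is treated as p=none when a rua URI
        # exists, otherwise the whole record is ignored. Either way nothing is blocked.
        if tags.get("rua", "").startswith("mailto:"):
            return "monitor-only", f"p={policy or '(missing)'} unusable; treated as p=none because rua is set"
        return "invalid", f"p={policy or '(missing)'} is not none/quarantine/reject; record ignored"
    if policy == "none":
        return "monitor-only", "p=none reports spoofing but never quarantines or rejects"
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) > 100:
        return "invalid", f"pct={pct} is not an integer between 0 and 100"
    if int(pct) < 100:
        return "partial", f"p={policy} applied to {pct}% of failing mail"
    return "enforced", f"p={policy} applied to all failing mail"

# Constructed records mirroring the kinds of errors described above.
SAMPLE_RECORDS = {
    "typo-fr":    "v=DMARC1; p=quarantaine; rua=mailto:dmarc@example.com",
    "typo-fr2":   "v=DMARC1; p=rejet",
    "typo-de":    "v=DMARC1; p=keiner; rua=mailto:dmarc@example.com",
    "no-version": "p=reject; rua=mailto:dmarc@example.com",
    "monitor":    "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "rollout":    "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@example.com",
    "enforced":   "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
}
```

Only the last record blocks spoofed mail; every other one would pass a "DMARC record exists" check.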
DNS: The Foundation Is Unsecured
| Standard | Adoption | Purpose |
|---|---|---|
| DNSSEC | 15.8% | Protection against DNS spoofing |
| CAA | 3.0% | Control over certificate issuance |
| MTA-STS | 0.5% | Enforced email encryption |
| DANE/TLSA | <1% | Certificate pinning for SMTP |
84% of European domains have no DNSSEC protection. An attacker who can manipulate DNS responses can redirect users to fraudulent sites — complete with a valid TLS certificate, if no CAA record restricts which certificate authorities may issue for the domain. 97% of domains publish no CAA record at all.
The security.txt Indicator
RFC 9116 defines a simple text file at /.well-known/security.txt that provides security researchers with a standardised reporting channel. ENISA recommends it as a best practice, NIS2 requires vulnerability disclosure, and the Cyber Resilience Act makes coordinated disclosure mandatory.
Adoption rate in the EU: 2.8%.
The interesting finding: security.txt correlates strongly with overall website maturity.
| Metric | WITH security.txt | WITHOUT | Factor |
|---|---|---|---|
| Composite Score | 55 | 42 | +31% |
| HSTS | 72% | 26% | 2.8x |
| Content Security Policy | 47% | 10% | 4.7x |
| Grade F | 6% | 44% | 7x fewer |
security.txt is not a silver bullet. Those who take the time to set it up have usually taken care of everything else too. It is a proxy for security maturity — if it is missing, everything else usually is too.
Where Europe Stands: The Country Ranking
| Rank | Country | Score | Count |
|---|---|---|---|
| 1 | Malta | 46 | 640 |
| 2 | Iceland | 45 | 928 |
| 3 | Germany | 45 | 203,075 |
| 4 | United Kingdom | 44 | 73,769 |
| 5 | Luxembourg | 44 | 1,303 |
| 6 | Switzerland | 43 | 26,248 |
| 7 | Norway | 43 | 8,814 |
| 8 | Netherlands | 43 | 37,893 |
| ... | | | |
| 26 | Spain | 39 | 26,214 |
| 27 | Austria | 39 | 30,804 |
| 28 | Hungary | 38 | 6,886 |
| 29 | Lithuania | 38 | 3,539 |
| 30 | Poland | 37 | 30,694 |
Germany leads among the large EU member states — but at 45 out of 100 points. The best of a bad lot. The gap between rank 1 and rank 30 is just 9 points. Europe has no frontrunner setting the standard. It has a continent-wide deficit.
What CISOs Should Do Now
1. Measure your baseline. You cannot manage what you do not measure. Scan your domains — automatically, regularly, across all six dimensions.
2. Enable security headers. HSTS, CSP, X-Content-Type-Options — three headers that mitigate the majority of common web attacks. Most web frameworks can add them with a single configuration line.
3. Set DMARC to reject. Start with p=quarantine and pct=10, monitor the reports, then escalate to p=reject. p=none protects no one.
4. Enable DNSSEC. Talk to your DNS provider. Most major providers support it — it just needs to be switched on.
5. Set up security.txt. Five minutes of effort, RFC 9116. Two required fields: Contact and Expires. ENISA lists it as a best practice, and NIS2 Art. 21(2)(e) requires vulnerability disclosure.
6. Do not just scan the homepage. Subdomains, APIs, mail servers — the attack surface is larger than the homepage. An automated benchmark systematically uncovers what manual audits miss.
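Step 5 and the security.txt section above both rest on RFC 9116's two required fields. This added example (not SiteGuardian's code) parses a security.txt file and reports what a maturity check would flag: missing Contact or Expires, a Contact that is not a URI, a malformed or past Expires, and an Expires more than a year out (which the RFC recommends against). The file contents and the SCAN_DATE reference date are constructed for the example.

```python
from datetime import datetime, timezone

REQUIRED_FIELDS = ("Contact", "Expires")             # the two fields RFC 9116 makes mandatory
CONTACT_SCHEMES = ("mailto:", "tel:", "https://")    # Contact is a URI; web URLs must be https
SCAN_DATE = datetime(2026, 4, 1, tzinfo=timezone.utc)  # constructed reference date for deterministic runs

def parse_security_txt(text):
    """Collect 'Field: value' lines into {field: [values]}; comments (#) and blanks are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def validate_security_txt(text, now=SCAN_DATE):
    """Return a list of problems; an empty list means the file passes these RFC 9116 checks."""
    fields, problems = parse_security_txt(text), []
    for name in REQUIRED_FIELDS:
        if name.lower() not in fields:
            problems.append(f"missing required field: {name}")
    for contact in fields.get("contact", []):
        if not contact.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"Contact must be a mailto:, tel: or https:// URI, got '{contact}'")
    expires = fields.get("expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    elif expires:
        stamp = expires[0]
        if stamp[-1] in "zZ":                          # RFC 3339 spells UTC as 'Z'
            stamp = stamp[:-1] + "+00:00"
        try:
            when = datetime.fromisoformat(stamp)
            if when.tzinfo is None:
                raise ValueError("time zone offset is required")
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 date-time: '{expires[0]}'")
        else:
            if when <= now:
                problems.append(f"file expired on {expires[0]}; researchers may treat it as stale")
            elif (when - now).days > 365:
                problems.append("Expires is more than a year away; RFC 9116 recommends less")
    return problems

# Constructed file contents, not copied from any real site.
GOOD_FILE = ("Contact: mailto:security@example.com\n"
             "Contact: https://example.com/report-a-vulnerability\n"
             "Expires: 2026-12-31T23:59:00Z\nPreferred-Languages: en, de\n")
BAD_FILE = "Contact: security@example.com\nPreferred-Languages: en\n"   # bare address, no Expires
```

The file must be served at /.well-known/security.txt; this check validates the contents only, so pair it with a fetch of that path in a real scan.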
Methodology
This article is based on the SiteGuardian EU Web Security Benchmark covering 704,044 websites across 30 European countries (as of April 2026). The benchmark evaluates six dimensions: HTTP security headers, TLS certificates, DNS security (DNSSEC, CAA, DANE, MTA-STS), email authentication (SPF, DKIM, DMARC, STARTTLS), accessibility (WCAG 2.2 AA), and cookie compliance. All scans run automatically and continuously, without manual selection or sponsorship.
The benchmark is freely accessible at siteguardian.io/benchmark.
SiteGuardian is an EU-based compliance and monitoring tool for web security, developed in Germany.