We scan 17588 European websites every week — banking, pharma, e-commerce, government, tech. No individual sites are named. The question isn't who failed. It's which industries are exposed.
54.0/100
Average score
50%
Email spoofable
83%
No DNSSEC
66%
Missing security headers
19%
High-risk pre-consent transfers
60.1/100
Accessibility score
5.0
Pre-consent cookies avg
Security posture by industry — sorted by average score. Click an industry to see its detailed breakdown.
| Industry | Sites | Score | Unprotected | Spoofable | Pre-Consent | Grade distribution |
|---|---|---|---|---|---|---|
| Sports | 393 |
|
83% | 75% | 29% |
D
F
|
| Hospitality | 517 |
|
79% | 70% | 23% |
C
D
F
|
| Logistics | 305 |
|
74% | 50% | 13% |
C
D
F
|
| Adult | 295 |
|
81% | 76% | 12% |
D
F
|
| NGO & Nonprofit | 345 |
|
73% | 68% | 23% |
C
D
F
|
| Media | 2432 |
|
79% | 59% | 22% |
C
D
|
| Travel | 227 |
|
64% | 57% | 11% |
B
C
D
F
|
| Fashion | 269 |
|
57% | 48% | 22% |
C
D
F
|
| Gambling | 272 |
|
68% | 52% | 13% |
C
D
|
| Food & Delivery | 222 |
|
66% | 54% | 12% |
C
D
F
|
| Real Estate | 354 |
|
69% | 52% | 21% |
C
D
|
| Healthcare | 541 |
|
67% | 50% | 18% |
C
D
|
| E-Commerce | 4320 |
|
65% | 47% | 16% |
C
D
|
| Transport | 416 |
|
60% | 49% | 19% |
C
D
|
| Technology | 2064 |
|
64% | 49% | 22% |
C
D
|
| Automotive | 367 |
|
59% | 51% | 15% |
C
D
|
| Pharma | 292 |
|
59% | 39% | 22% |
C
D
|
| Regulatory | 332 |
|
55% | 55% | 36% |
C
D
|
| Education | 926 |
|
69% | 62% | 23% |
C
D
|
| Telecom | 364 |
|
58% | 47% | 19% |
C
D
|
| Energy | 389 |
|
55% | 42% | 20% |
C
D
|
| Government | 989 |
|
57% | 50% | 24% |
C
D
|
| Banking | 623 |
|
44% | 27% | 11% |
C
D
|
| Insurance | 334 |
|
46% | 29% | 13% |
C
D
|
Sorted by average security score (lowest first). Column explanations: Unprotected = missing 3+ critical HTTP headers. Spoofable = no or weak DMARC.
Security posture by country — click a country to see its detailed breakdown.
Belgien
469 sites
Bulgarien
306 sites
CA
1 sites
Deutschland
2361 sites
Dänemark
422 sites
Estland
275 sites
Europäische Union
171 sites
Finnland
394 sites
Frankreich
1392 sites
Griechenland
618 sites
HK
1 sites
Irland
314 sites
Island
167 sites
Italien
1031 sites
Kroatien
253 sites
Lettland
247 sites
Liechtenstein
74 sites
Litauen
238 sites
Luxemburg
191 sites
Malta
179 sites
NZ
1 sites
Niederlande
812 sites
Norwegen
422 sites
Polen
929 sites
Portugal
408 sites
RS
1 sites
Rumänien
384 sites
SG
1 sites
Schweden
626 sites
Schweiz
621 sites
Slowakei
311 sites
Slowenien
279 sites
Spanien
747 sites
TR
4 sites
Tschechien
461 sites
US
13 sites
Ungarn
440 sites
Vereinigtes Königreich
1408 sites
Zypern
180 sites
Österreich
436 sites
Run a free security scan — no account needed. See your score, grade, and how you compare to your industry.
Scan your website nowThe most common security gaps across 17588 European websites — and the regulations they violate.
66%
Visitors are exposed to clickjacking, XSS, and content injection because critical HTTP headers are missing.
50%
Emails from these domains can be spoofed — invoices, password resets, anything. No DMARC enforcement.
83%
DNS responses are unsigned. Attackers can redirect visitors to fake sites without detection.
Beyond security — how Europe's websites perform on accessibility, Core Web Vitals, and cookie consent.
17017 sites scanned · EAA / BFSG
60.1
Avg score
5.3
Avg violations
13238
Critical total
16913 sites scanned · ePrivacy / TTDSG
5.0
Pre-consent avg
7199
No banner
3360
No reject btn
16581 sites scanned
92.9
Perf score
1.8s
LCP
0.083
CLS
1.5s
FCP
80.0ms
TBT
0ms
TTFB
How we scan, what we measure, how scores are computed.
Every site is scanned weekly across these security dimensions. Scores are computed on a 100-point scale.
HSTS, CSP, X-Frame-Options, X-Content-Type, Referrer-Policy, Permissions-Policy
Key strength, signature algorithm, chain depth, TLS version, forward secrecy
HTTP-to-HTTPS redirect for all visitors
SPF, DKIM (key strength), DMARC (policy enforcement)
DNSSEC signing, CAA records, DoH consistency, DANE/TLSA
Vulnerability disclosure contact per RFC 9116
Inbound email TLS enforcement (enforce vs. testing mode)
SMTP TLS failure reporting endpoint
No server version disclosure, no X-Powered-By, restricted CORS
Data based on automated weekly scans of publicly accessible websites.
No individual site names are disclosed. All statistics are anonymised by industry.
Regulatory references indicate which requirements relate to each finding. They do not assert non-compliance of any specific organisation.
Run a free security scan and see your score, your grade, and how you compare — in 30 seconds, no account needed.
This data is also available as JSON via the Benchmark API.