We scan 17592 European websites every week — banking, pharma, e-commerce, government, tech. No individual sites are named. The question isn't who failed. It's which industries are exposed.
53.9/100
Average score
50%
Email spoofable
83%
No DNSSEC
66%
Missing security headers
19%
High-risk pre-consent transfers
60.1/100
Accessibility score
5.0
Pre-consent cookies avg
Security posture by industry — sorted by average score. Click an industry to see its detailed breakdown.
| Industry | Sites | Score | Unprotected | Spoofable | Pre-Consent | Grade distribution |
|---|---|---|---|---|---|---|
| Sports | 395 |
|
83% | 75% | 29% |
D
F
|
| Hospitality | 518 |
|
79% | 70% | 23% |
C
D
F
|
| Logistics | 305 |
|
74% | 50% | 13% |
C
D
F
|
| Adult | 295 |
|
81% | 76% | 12% |
D
F
|
| NGO & Nonprofit | 345 |
|
73% | 68% | 23% |
C
D
F
|
| Media | 2433 |
|
79% | 59% | 22% |
C
D
|
| Travel | 227 |
|
64% | 57% | 11% |
B
C
D
F
|
| Fashion | 269 |
|
57% | 48% | 22% |
C
D
F
|
| Gambling | 272 |
|
68% | 52% | 13% |
C
D
|
| Food & Delivery | 222 |
|
66% | 54% | 12% |
C
D
F
|
| Real Estate | 354 |
|
69% | 52% | 21% |
C
D
|
| Healthcare | 541 |
|
67% | 50% | 18% |
C
D
|
| E-Commerce | 4320 |
|
65% | 47% | 16% |
C
D
|
| Transport | 416 |
|
60% | 49% | 19% |
C
D
|
| Technology | 2064 |
|
64% | 49% | 22% |
C
D
|
| Automotive | 367 |
|
59% | 51% | 15% |
C
D
|
| Pharma | 292 |
|
59% | 39% | 22% |
C
D
|
| Regulatory | 332 |
|
55% | 55% | 36% |
C
D
|
| Education | 926 |
|
69% | 62% | 23% |
C
D
|
| Telecom | 364 |
|
58% | 47% | 19% |
C
D
|
| Energy | 389 |
|
55% | 42% | 20% |
C
D
|
| Government | 989 |
|
57% | 50% | 24% |
C
D
|
| Banking | 623 |
|
44% | 27% | 11% |
C
D
|
| Insurance | 334 |
|
46% | 29% | 13% |
C
D
|
Sorted by average security score (lowest first). Column explanations: Unprotected = missing 3+ critical HTTP headers. Spoofable = no or weak DMARC.
Security posture by country — click a country to see its detailed breakdown.
België
469 sites
Bulgarije
306 sites
CA
1 sites
Cyprus
180 sites
Denemarken
422 sites
Duitsland
2361 sites
Estland
275 sites
Europese Unie
171 sites
Finland
394 sites
Frankrijk
1392 sites
Griekenland
618 sites
HK
1 sites
Hongarije
440 sites
IJsland
167 sites
Ierland
314 sites
Italië
1031 sites
Kroatië
253 sites
Letland
247 sites
Liechtenstein
74 sites
Litouwen
238 sites
Luxemburg
191 sites
Malta
179 sites
NZ
1 sites
Nederland
812 sites
Noorwegen
422 sites
Oostenrijk
436 sites
Polen
929 sites
Portugal
409 sites
RS
1 sites
Roemenië
384 sites
SG
1 sites
Slovenië
279 sites
Slowakije
311 sites
Spanje
747 sites
TR
4 sites
Tsjechië
461 sites
US
13 sites
Verenigd Koninkrijk
1408 sites
Zweden
626 sites
Zwitserland
623 sites
Run a free security scan — no account needed. See your score, grade, and how you compare to your industry.
Scan your website nowThe most common security gaps across 17592 European websites — and the regulations they violate.
66%
Visitors are exposed to clickjacking, XSS, and content injection because critical HTTP headers are missing.
50%
Emails from these domains can be spoofed — invoices, password resets, anything. No DMARC enforcement.
83%
DNS responses are unsigned. Attackers can redirect visitors to fake sites without detection.
Beyond security — how Europe's websites perform on accessibility, Core Web Vitals, and cookie consent.
17020 sites scanned · EAA / BFSG
60.1
Avg score
5.3
Avg violations
13244
Critical total
16916 sites scanned · ePrivacy / TTDSG
5.0
Pre-consent avg
7209
No banner
3365
No reject btn
16582 sites scanned
92.9
Perf score
1.8s
LCP
0.083
CLS
1.5s
FCP
80.0ms
TBT
0ms
TTFB
How we scan, what we measure, how scores are computed.
Every site is scanned weekly across these security dimensions. Scores are computed on a 100-point scale.
HSTS, CSP, X-Frame-Options, X-Content-Type, Referrer-Policy, Permissions-Policy
Key strength, signature algorithm, chain depth, TLS version, forward secrecy
HTTP-to-HTTPS redirect for all visitors
SPF, DKIM (key strength), DMARC (policy enforcement)
DNSSEC signing, CAA records, DoH consistency, DANE/TLSA
Vulnerability disclosure contact per RFC 9116
Inbound email TLS enforcement (enforce vs. testing mode)
SMTP TLS failure reporting endpoint
No server version disclosure, no X-Powered-By, restricted CORS
Data based on automated weekly scans of publicly accessible websites.
No individual site names are disclosed. All statistics are anonymised by industry.
Regulatory references indicate which requirements relate to each finding. They do not assert non-compliance of any specific organisation.
Run a free security scan and see your score, your grade, and how you compare — in 30 seconds, no account needed.
This data is also available as JSON via the Benchmark API.