We scan 17592 European websites every week — banking, pharma, e-commerce, government, tech. No individual sites are named. The question isn't who failed. It's which industries are exposed.
- Average score: 53.9/100
- Email spoofable: 50%
- No DNSSEC: 83%
- Missing security headers: 66%
- High-risk pre-consent transfers: 19%
- Accessibility score: 60.1/100
- Pre-consent cookies avg: 5.0
Security posture by industry — sorted by average score.
| Industry | Sites | Score | Unprotected | Spoofable | Pre-Consent | Grade distribution |
|---|---|---|---|---|---|---|
| Sports | 395 | | 83% | 75% | 29% | D, F |
| Hospitality | 518 | | 79% | 70% | 23% | C, D, F |
| Logistics | 305 | | 74% | 50% | 13% | C, D, F |
| Adult | 295 | | 81% | 76% | 12% | D, F |
| NGO & Nonprofit | 345 | | 73% | 68% | 23% | C, D, F |
| Media | 2433 | | 79% | 59% | 22% | C, D |
| Travel | 227 | | 64% | 57% | 11% | B, C, D, F |
| Fashion | 269 | | 57% | 48% | 22% | C, D, F |
| Gambling | 272 | | 68% | 52% | 13% | C, D |
| Food & Delivery | 222 | | 66% | 54% | 12% | C, D, F |
| Real Estate | 354 | | 69% | 52% | 21% | C, D |
| Healthcare | 541 | | 67% | 50% | 18% | C, D |
| E-Commerce | 4320 | | 65% | 47% | 16% | C, D |
| Transport | 416 | | 60% | 49% | 19% | C, D |
| Technology | 2064 | | 64% | 49% | 22% | C, D |
| Automotive | 367 | | 59% | 51% | 15% | C, D |
| Pharma | 292 | | 59% | 39% | 22% | C, D |
| Regulatory | 332 | | 55% | 55% | 36% | C, D |
| Education | 926 | | 69% | 62% | 23% | C, D |
| Telecom | 364 | | 58% | 47% | 19% | C, D |
| Energy | 389 | | 55% | 42% | 20% | C, D |
| Government | 989 | | 57% | 50% | 24% | C, D |
| Banking | 623 | | 44% | 27% | 11% | C, D |
| Insurance | 334 | | 46% | 29% | 13% | C, D |
Sorted by average security score (lowest first). Column explanations: Unprotected = missing 3+ critical HTTP headers. Spoofable = no or weak DMARC.
Security posture by country.

| Country | Sites |
|---|---|
| Austria | 436 |
| Belgium | 469 |
| Bulgaria | 306 |
| CA | 1 |
| Croatia | 253 |
| Cyprus | 180 |
| Czechia | 461 |
| Denmark | 422 |
| Estonia | 275 |
| Finland | 394 |
| France | 1392 |
| Greece | 618 |
| HK | 1 |
| Spain | 747 |
| Netherlands | 812 |
| Ireland | 314 |
| Iceland | 167 |
| Liechtenstein | 74 |
| Lithuania | 238 |
| Luxembourg | 191 |
| Malta | 179 |
| NZ | 1 |
| Germany | 2361 |
| Norway | 422 |
| Poland | 929 |
| Portugal | 409 |
| RS | 1 |
| Romania | 384 |
| SG | 1 |
| Switzerland | 623 |
| Sweden | 626 |
| Slovakia | 311 |
| Slovenia | 279 |
| TR | 4 |
| US | 13 |
| European Union | 171 |
| United Kingdom | 1408 |
| Hungary | 440 |
| Italy | 1031 |
| Latvia | 247 |
Run a free security scan — no account needed. See your score, grade, and how you compare to your industry.
The most common security gaps across 17592 European websites — and the regulations they violate.
- 66%: Visitors are exposed to clickjacking, XSS, and content injection because critical HTTP headers are missing.
- 50%: Emails from these domains can be spoofed — invoices, password resets, anything. No DMARC enforcement.
- 83%: DNS responses are unsigned. Attackers can redirect visitors to fake sites without detection.
Beyond security — how Europe's websites perform on accessibility, Core Web Vitals, and cookie consent.
17020 sites scanned · EAA / BFSG
- Avg score: 60.1
- Avg violations: 5.3
- Critical total: 13244

16916 sites scanned · ePrivacy / TTDSG
- Pre-consent avg: 5.0
- No banner: 7209
- No reject btn: 3365

16582 sites scanned
- Perf score: 92.9
- LCP: 1.8s
- CLS: 0.083
- FCP: 1.5s
- TBT: 80.0ms
- TTFB: 0ms
How we scan, what we measure, how scores are computed.
Every site is scanned weekly across these security dimensions. Scores are computed on a 100-point scale.
HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
Key strength, signature algorithm, chain depth, TLS version, forward secrecy
HTTP-to-HTTPS redirect for all visitors
SPF, DKIM (key strength), DMARC (policy enforcement)
DNSSEC signing, CAA records, DoH consistency, DANE/TLSA
Vulnerability disclosure contact per RFC 9116
Inbound email TLS enforcement (enforce vs. testing mode)
SMTP TLS failure reporting endpoint
No server version disclosure, no X-Powered-By, restricted CORS
Data based on automated weekly scans of publicly accessible websites.
No individual site names are disclosed. All statistics are anonymised by industry.
Regulatory references indicate which requirements relate to each finding. They do not assert non-compliance of any specific organisation.
Run a free security scan and see your score, your grade, and how you compare — in 30 seconds, no account needed.
This data is also available as JSON via the Benchmark API.