Skip to main content
809955 sites analysed

State of EU Web Security

A deep technical analysis of 809955 European websites. TLS configuration, email authentication, security headers, and DNS security — measured, not estimated.

86.6%

TLS 1.3

9.3%

DMARC reject

28%

HSTS

11%

CSP

16%

DNSSEC

77%

HTTPS

0%

IPv6 ready

0%

HTTP/3

1%

NS redundancy

0%

sec.txt CRA

0%

Mixed content

0%

CSP reporting

In this report

TLS & Certificates Security Headers Email Security DNS Security

More reports

Privacy Report Accessibility Report Technology Report

TLS & Certificates

810235 sites scanned

TLS encrypts data in transit. TLS 1.3 is the current standard — older versions have known vulnerabilities. Required by GDPR Art. 32 (encryption of personal data), NIS2 Art. 21 (state of the art security measures), and PCI DSS 4.0 (TLS 1.2+ mandatory since March 2025).

TLS Version Distribution

TLSv1.3
86.6%
TLSv1.2
13.4%
Unknown
0.1%

Certificate Features

13%

Forward Secrecy

100%

Certificate Transparency

34%

OCSP Stapling

32%

Wildcard Certs

0%

Deprecated TLS

HTTP Security Headers

857923 sites scanned

HTTP security headers instruct browsers to enable protections like XSS filtering, clickjacking prevention, and content type enforcement. OWASP recommends all six headers. NIS2 Art. 21 and ISO 27001 A.8.9 require appropriate technical measures — missing headers indicate gaps.

Header Adoption Rates

Strict-Transport-Security (HSTS)
28%
X-Content-Type-Options
28%
X-Frame-Options
19%
Referrer-Policy
13%
Content-Security-Policy (CSP)
11%
Permissions-Policy
7%

77%

HTTPS Redirect

5%

HSTS Preload Ready

3%

security.txt

36%

Open CORS

2%

HSTS < 6 months

1%

Unsafe Referrer-Policy

2%

COOP Enabled

4%

Server Misconfigs

Email Security

838546 sites scanned

SPF, DKIM, and DMARC prevent email spoofing and phishing. Without DMARC enforcement, attackers can send emails that appear to come from your domain. Required by NIS2 Art. 21 (supply chain security), DORA Art. 9 (ICT risk management), and BSI IT-Grundschutz APP.5.3.

DMARC Policy Distribution

9.3%
29.3%
53.5%
Reject 9.3% Quarantine 7.8% None (monitor only) 29.3% No DMARC 53.5%

Email Authentication

76%

SPF

31%

DKIM

46%

DMARC

55%

STARTTLS

54%

Modern SMTP TLS

0%

Blacklisted

DKIM Key Size Distribution

1024-bit 30.2%
1048-bit 0.0%
1148-bit 0.0%
2024-bit 0.0%
2048-bit 69.6%
3072-bit 0.0%
384-bit 0.0%
4096-bit 0.1%
512-bit 0.0%
768-bit 0.1%
8192-bit 0.0%

Email Spoofability by Industry

Percentage of sites without effective DMARC policy (spoofable via email)

Food
87% 234544
Hospitality
86% 112800
Beauty
86% 30971
Pets
85% 3541
Culture
84% 30436
Sports
83% 47195
Fashion
83% 28971
Home Garden
83% 27722
Travel
83% 23733
Real Estate
83% 12160
Automotive
82% 37248
Education
81% 99347
Healthcare
81% 52714
Construction
81% 13962
Ngo
81% 12021
Pharma
78% 14442
Professional Services
76% 15873
Insurance
70% 3099
Tech
68% 18206
Media
67% 4142

DNS Security

858411 sites scanned

DNS security features protect against cache poisoning, domain hijacking, and man-in-the-middle attacks. DNSSEC is recommended by ENISA and required under NIS2 for essential entities. CAA prevents unauthorized certificate issuance (RFC 8659). MTA-STS enforces TLS for inbound email.

DNSSEC Signing
16%
DANE/TLSA
6%
CAA Records
3%
MTA-STS
1%
TLS-RPT
1%
BIMI
0%

MTA-STS Mode Breakdown

enforce (2485)
testing (1099)
unknown (623)
none (96)

Zone Transfer (AXFR) open on 1% of domains — full DNS zone data is publicly accessible.

Methodology

How this data was collected and what it represents.

All data is collected through automated, non-intrusive scans of publicly accessible websites. No login credentials are used, no forms are submitted, and no private data is accessed.

Sites are scanned across multiple dimensions: HTTP headers, TLS certificates, DNS records, and email authentication (SPF/DKIM/DMARC). Privacy, accessibility, and technology data are available in dedicated reports.

No individual sites are named. All statistics are aggregated and anonymised. Regulatory references indicate which requirements relate to each finding — they do not assert non-compliance of any specific organisation.

Where does your website stand?

Run a free security scan and see how you compare — TLS, headers, email, DNS — in 30 seconds, no account needed.

Scan your website now Industry benchmark

Based on automated scans of 809955 European websites. Updated continuously.