A deep technical analysis of 9396 European websites. TLS configuration, email authentication, security headers, accessibility, cookie consent, and pre-consent data transfers — measured, not estimated.
| Metric | Value |
|---|---|
| TLS 1.3 | 81.5% |
| DMARC reject | 30.7% |
| HSTS | 62% |
| CSP | 35% |
| DNSSEC | 22% |
| A11y score | 64.0% |
| Cookie banner | 72% |
| High-risk transfers | 20% |
4791 sites scanned
| Metric | Value |
|---|---|
| Forward Secrecy | 14% |
| Certificate Transparency | 100% |
| OCSP Stapling | 70% |
| Wildcard Certs | 44% |
| Deprecated TLS | 0% |
8975 sites scanned
| Metric | Value |
|---|---|
| HTTPS Redirect | 96% |
| security.txt | 11% |
| Open CORS | 18% |
4786 sites scanned
| Metric | Value |
|---|---|
| SPF | 90% |
| DKIM | 64% |
| DMARC | 78% |
| STARTTLS | 85% |
| Modern SMTP TLS | 84% |
| Blacklisted | 0% |
4781 sites scanned
9164 sites scanned · EAA / EN 301 549
| Metric | Value |
|---|---|
| Average score | 64.0/100 |
| Avg violations / site | 5.2 |
| Critical violations | 7140 |
| Serious violations | 18264 |
| Violation | Impact | Sites affected |
|---|---|---|
| `region`: Ensure all page content is contained by landmarks | moderate | 5848 |
| `color-contrast`: Ensure the contrast between foreground and background colors meets WCAG 2 AA minimum contrast ratio thresholds | serious | 4735 |
| `link-name`: Ensure links have discernible text | serious | 3894 |
| `landmark-unique`: Ensure landmarks are unique | moderate | 3245 |
| `heading-order`: Ensure the order of headings is semantically correct | moderate | 2869 |
| `target-size`: Ensure touch targets have sufficient size and space | serious | 2560 |
| `image-alt`: Ensure `<img>` elements have alternative text or a role of none or presentation | critical | 2125 |
| `button-name`: Ensure buttons have discernible text | critical | 1653 |
| `landmark-one-main`: Ensure the document has a main landmark | moderate | 1345 |
| `aria-allowed-role`: Ensure role attribute has an appropriate value for the element | minor | 1130 |
4228 sites scanned · GDPR Art. 44
Third-party data transfers that occur before the user interacts with any cookie consent mechanism — potentially violating GDPR requirements for lawful data processing.
| Metric | Value |
|---|---|
| Sites with high-risk transfers | 20% |
| Sites with medium-risk transfers | 97% |
| Avg transfers / site | 3.1 |
| Avg third-party requests | 55.1 |
| Avg high-risk / site | 0.2 |
| Avg medium-risk / site | 2.7 |
9145 sites scanned
| Metric | Value |
|---|---|
| Perf score | 89.9 |
| LCP | 1.8s |
| FCP | 1.3s |
| CLS | 0.072 |
| TBT | 342ms |
| TTFB | 250ms |
How this data was collected and what it represents.
All data is collected through automated, non-intrusive scans of publicly accessible websites. No login credentials are used, no forms are submitted, and no private data is accessed.
Sites are scanned across multiple dimensions: HTTP headers, TLS certificates, DNS records, email authentication (SPF/DKIM/DMARC), accessibility (WCAG 2.2 AA via automated testing), cookie consent mechanisms, pre-consent data transfers, and Core Web Vitals.
No individual sites are named. All statistics are aggregated and anonymised. Regulatory references indicate which requirements relate to each finding — they do not assert non-compliance of any specific organisation.
Based on automated scans of 9396 European websites. Updated continuously.