814856 sites analysed

State of EU Web Security

A deep technical analysis of 814856 European websites. TLS configuration, email authentication, security headers, and DNS security — measured, not estimated.

91.8%

TLS 1.3

7.8%

DMARC reject

20%

HSTS

CSP

15%

DNSSEC

44%

HTTPS

18%

IPv6 ready

HTTP/3

88%

NS redundancy

sec.txt CRA

11%

Mixed content

CSP reporting

In this report

TLS & Certificates Security Headers Email Security DNS Security

More reports

Privacy Report Accessibility Report Technology Report

TLS & Certificates

806213 sites scanned

TLS encrypts data in transit. TLS 1.3 is the current standard — older versions have known vulnerabilities. Required by GDPR Art. 32 (encryption of personal data), NIS2 Art. 21 (state of the art security measures), and PCI DSS 4.0 (TLS 1.2+ mandatory since March 2025).

TLS Version Distribution

TLSv1.3

91.8%

TLSv1.2

8.1%

Unknown

0.1%

Certificate Features

39%

Forward Secrecy

100%

Certificate Transparency

34%

OCSP Stapling

32%

Wildcard Certs

Deprecated TLS

HTTP Security Headers

861108 sites scanned

HTTP security headers instruct browsers to enable protections like XSS filtering, clickjacking prevention, and content type enforcement. OWASP recommends all six headers. NIS2 Art. 21 and ISO 27001 A.8.9 require appropriate technical measures — missing headers indicate gaps.

Header Adoption Rates

Strict-Transport-Security (HSTS)

20%

X-Content-Type-Options

20%

X-Frame-Options

14%

Referrer-Policy

Content-Security-Policy (CSP)

Permissions-Policy

44%

HTTPS Redirect

HSTS Preload Ready

security.txt

78%

Open CORS

HSTS < 6 months

Unsafe Referrer-Policy

COOP Enabled

Server Misconfigs

Email Security

843288 sites scanned

SPF, DKIM, and DMARC prevent email spoofing and phishing. Without DMARC enforcement, attackers can send emails that appear to come from your domain. Required by NIS2 Art. 21 (supply chain security), DORA Art. 9 (ICT risk management), and BSI IT-Grundschutz APP.5.3.

DMARC Policy Distribution

24.8%

60.8%

Reject 7.8% Quarantine 6.6% None (monitor only) 24.8% No DMARC 60.8%

Email Authentication

68%

SPF

27%

DKIM

39%

DMARC

36%

STARTTLS

36%

Modern SMTP TLS

Blacklisted

DKIM Key Size Distribution

1024-bit 24.8%

1048-bit 0.0%

1148-bit 0.0%

2024-bit 0.0%

2048-bit 75.0%

3072-bit 0.0%

384-bit 0.0%

4096-bit 0.1%

512-bit 0.0%

768-bit 0.1%

8192-bit 0.0%

Email Spoofability by Industry

Percentage of sites without effective DMARC policy (spoofable via email)

Food

89% 235964

Hospitality

88% 113533

Beauty

88% 31136

Pets

87% 3558

Sports

86% 47445

Culture

86% 30595

Travel

86% 23864

Automotive

85% 37527

Fashion

85% 29125

Home Garden

85% 27884

Real Estate

85% 12235

Education

84% 99774

Healthcare

84% 53001

Construction

84% 14010

Ngo

84% 12075

Pharma

82% 14518

Professional Services

80% 15983

Tech

73% 18301

Media

72% 4159

Ecommerce

57% 4527

DNS Security

861418 sites scanned

DNS security features protect against cache poisoning, domain hijacking, and man-in-the-middle attacks. DNSSEC is recommended by ENISA and required under NIS2 for essential entities. CAA prevents unauthorized certificate issuance (RFC 8659). MTA-STS enforces TLS for inbound email.

DNSSEC Signing

15%

DANE/TLSA

CAA Records

TLS-RPT

MTA-STS

BIMI

MTA-STS Mode Breakdown

enforce (2346)

testing (1003)

unknown (638)

none (86)

Zone Transfer (AXFR) open on 1% of domains — full DNS zone data is publicly accessible.

Methodology

How this data was collected and what it represents.

All data is collected through automated, non-intrusive scans of publicly accessible websites. No login credentials are used, no forms are submitted, and no private data is accessed.

Sites are scanned across multiple dimensions: HTTP headers, TLS certificates, DNS records, and email authentication (SPF/DKIM/DMARC). Privacy, accessibility, and technology data are available in dedicated reports.

No individual sites are named. All statistics are aggregated and anonymised. Regulatory references indicate which requirements relate to each finding — they do not assert non-compliance of any specific organisation.

Where does your website stand?

Run a free security scan and see how you compare — TLS, headers, email, DNS — in 30 seconds, no account needed.

Scan your website now Industry benchmark

Based on automated scans of 814856 European websites. Updated continuously.