Skip to main content
819122 sites analysed

State of EU Web Security

A deep technical analysis of 819122 European websites. TLS configuration, email authentication, security headers, and DNS security — measured, not estimated.

92.2%

TLS 1.3

0.7%

DMARC reject

14%

HSTS

6%

CSP

15%

DNSSEC

19%

HTTPS

20%

IPv6 ready

3%

HTTP/3

88%

NS redundancy

0%

sec.txt CRA

4%

Mixed content

2%

CSP reporting

TLS & Certificates

785969 sites scanned

TLS encrypts data in transit. TLS 1.3 is the current standard — older versions have known vulnerabilities. Required by GDPR Art. 32 (encryption of personal data), NIS2 Art. 21 (state of the art security measures), and PCI DSS 4.0 (TLS 1.2+ mandatory since March 2025).

TLS Version Distribution

TLSv1.3
92.2%
TLSv1.2
7.7%
Unknown
0.1%

Certificate Features

100%

Forward Secrecy

100%

Certificate Transparency

30%

OCSP Stapling

33%

Wildcard Certs

0%

Deprecated TLS

HTTP Security Headers

864269 sites scanned

HTTP security headers instruct browsers to enable protections like XSS filtering, clickjacking prevention, and content type enforcement. OWASP recommends all six headers. NIS2 Art. 21 and ISO 27001 A.8.9 require appropriate technical measures — missing headers indicate gaps.

Header Adoption Rates

Strict-Transport-Security (HSTS)
14%
X-Content-Type-Options
13%
X-Frame-Options
10%
Referrer-Policy
7%
Content-Security-Policy (CSP)
6%
Permissions-Policy
4%

19%

HTTPS Redirect

4%

HSTS Preload Ready

1%

security.txt

80%

Open CORS

2%

HSTS < 6 months

1%

Unsafe Referrer-Policy

1%

COOP Enabled

7%

Server Misconfigs

Email Security

846986 sites scanned

SPF, DKIM, and DMARC prevent email spoofing and phishing. Without DMARC enforcement, attackers can send emails that appear to come from your domain. Required by NIS2 Art. 21 (supply chain security), DORA Art. 9 (ICT risk management), and BSI IT-Grundschutz APP.5.3.

DMARC Policy Distribution

97.8%
Reject 0.7% Quarantine 0.2% None (monitor only) 1.3% No DMARC 97.8%

Email Authentication

4%

SPF

1%

DKIM

2%

DMARC

5%

STARTTLS

5%

Modern SMTP TLS

0%

Blacklisted

DKIM Key Size Distribution

1024-bit 21.2%
2048-bit 78.6%
3072-bit 0.0%
384-bit 0.0%
768-bit 0.1%

Email Spoofability by Industry

Percentage of sites without effective DMARC policy (spoofable via email)

Food
99% 237253
Hospitality
99% 114164
Education
99% 100030
Healthcare
99% 53203
Sports
99% 47669
Automotive
99% 37681
Beauty
99% 31259
Culture
99% 30720
Fashion
99% 29241
Home Garden
99% 27999
Travel
99% 23960
Tech
99% 18381
Professional Services
99% 16044
Pharma
99% 14542
Construction
99% 14037
Real Estate
99% 12275
Ngo
99% 12129
Ecommerce
99% 4537
Media
99% 4169
Pets
99% 3582

DNS Security

864750 sites scanned

DNS security features protect against cache poisoning, domain hijacking, and man-in-the-middle attacks. DNSSEC is recommended by ENISA and required under NIS2 for essential entities. CAA prevents unauthorized certificate issuance (RFC 8659). MTA-STS enforces TLS for inbound email.

DNSSEC Signing
15%
DANE/TLSA
6%
CAA Records
3%
MTA-STS
1%
TLS-RPT
1%
BIMI
0%

MTA-STS Mode Breakdown

enforce (2542)
testing (1113)
unknown (625)
none (104)

Zone Transfer (AXFR) open on 1% of domains — full DNS zone data is publicly accessible.

Methodology

How this data was collected and what it represents.

All data is collected through automated, non-intrusive scans of publicly accessible websites. No login credentials are used, no forms are submitted, and no private data is accessed.

Sites are scanned across multiple dimensions: HTTP headers, TLS certificates, DNS records, and email authentication (SPF/DKIM/DMARC). Privacy, accessibility, and technology data are available in dedicated reports.

No individual sites are named. All statistics are aggregated and anonymised. Regulatory references indicate which requirements relate to each finding — they do not assert non-compliance of any specific organisation.

Where does your website stand?

Run a free security scan and see how you compare — TLS, headers, email, DNS — in 30 seconds, no account needed.

Based on automated scans of 819122 European websites. Updated continuously.