Skip to main content
820107 sites analysed

EU Web Technology Landscape

CMS, hosting providers, and consent platforms across 820107 EU websites

WordPress

Top CMS (59.8%)

50708

Sites with CMS

Apache

Top Server (29.0%)

55%

EU-hosted providers

CMS Distribution

50708 sites with detected CMS

CMS choice directly affects security posture — outdated CMS versions are a leading attack vector. Plugin ecosystems, update frequency, and default security configurations vary significantly between platforms, impacting vulnerability exposure and patch cycles.

WordPress
59.8% (30331)
Wix
9.7% (4905)
Drupal
3.5% (1754)
Joomla
3.4% (1728)
Squarespace
3.4% (1727)
Magento
3.3% (1672)
TYPO3
3.1% (1576)
Next.js
2.6% (1303)
Shopify
2.5% (1258)
One.com Web Editor
1.7% (871)
Jimdo Creator
1.6% (835)
Webnode 2
1.3% (647)
BaseKit
0.6% (309)

Server Technology

74314 sites with detected server

Web server software and runtime frameworks. Server version disclosure can aid attackers — but also helps identify outdated, vulnerable infrastructure. End-of-life PHP versions receive no security patches.

Web Servers

Apache
29.0%
nginx
27.6%
Cloudflare
14.9%
Pepyaka
6.6%
LiteSpeed
6.5%
Apache 2.4
3.2%
Microsoft-IIS 10.0
2.5%
Squarespace
2.4%
openresty
2.2%
Simply.com
1.4%
webnode
1.2%
Vercel
0.9%
Apache 2
0.8%
hcdn
0.5%
nginx 1.18
0.4%

Frameworks & PHP Versions

PHP 7.4 ⚠
15.7%
ASP.NET
15.2%
PHP 8.3
14.0%
PHP 8.2
13.1%
PHP 8.4
8.4%
PHP 8.1
7.8%
PHP 8.5
5.6%
PHP 8.0 ⚠
5.2%
PHP 5.6 ⚠
3.3%
Express (Node.js)
3.1%
PHP 7.3 ⚠
2.9%
PHP 7.2 ⚠
2.1%
PHP 7.0 ⚠
1.5%
PHP 5.3 ⚠
1.0%
PHP 5.4 ⚠
1.0%

Hosting Provider Landscape

858237 sites with hosting data

GDPR Art. 28 requires data processing agreements specifying where data is stored. Art. 44-49 regulate international transfers — hosting with US-headquartered providers triggers Schrems II (CJEU C-311/18) and CLOUD Act considerations, requiring SCCs with supplementary measures.

55%

EU-headquartered provider

45%

Non-EU provider (CLOUD Act / Schrems II)

Top hosting providers

Cloudflare (US · non-EU) 86630 10.1%
IONOS (1&1) (DE · EU) 65156 7.6%
Amazon Web Services (US · non-EU) 55356 6.4%
Hetzner (DE · EU) 50152 5.8%
OVHcloud (FR · EU) 45100 5.3%
Google Cloud (US · non-EU) 37650 4.4%
Strato (DE · EU) 28556 3.3%
Wix (IL · non-EU) 26586 3.1%
Aruba S.p.A. (IT · EU) 14338 1.7%
GoDaddy (US · non-EU) 12789 1.5%

Top hosting countries

DE
29.6%
US
20.7%
FR
9.8%
NL
6.3%
GB
4.5%
IT
3.7%
PL
3.7%
CH
2.3%
DK
2.3%
IE
2.2%

Server location via IP geolocation (MaxMind GeoLite2). Company HQ from ASN registry. A site may be physically hosted in the EU but use a US-headquartered provider subject to the CLOUD Act — per Schrems II (CJEU C-311/18), this requires SCCs with supplementary measures. · GDPR Art. 44–49

Methodology

How this data was collected and what it represents.

CMS detection uses multiple signals: HTTP response headers (X-Powered-By, X-Generator), HTML meta generator tags, characteristic URL patterns, CSS class naming conventions, and JavaScript global variables. Detection covers WordPress, Joomla, Drupal, Typo3, Shopify, Wix, Squarespace, and 40+ other platforms.

CMP detection identifies consent management platforms via script sources, cookie names, DOM elements, and IAB TCF API presence (window.__tcfapi). Over 33 CMP vendors are tracked including Cookiebot, OneTrust, Usercentrics, Borlabs Cookie, and Complianz.

Hosting provider identification combines IP geolocation (MaxMind GeoLite2) for server location with ASN/WHOIS data for provider identification and company headquarters mapping.

No individual sites are named. All statistics are aggregated and anonymised. The data represents a snapshot and is updated continuously as new scans complete.

Where does your website stand?

Run a free security scan and see how you compare — TLS, headers, email, DNS, accessibility, cookies — in 30 seconds, no account needed.

Based on automated scans of 820107 European websites. Updated continuously.