GoKawiilEuropean governments: 3.000 tracking sites, 1.000 phpMyAdmins, and 99% poorly encrypted email. Introducing SecurityBaseline.eu
On May 13, 2026, the website SecurityBaseline.eu was launched. It is a spin-off from the Dutch “Basisbeveiliging”, which has monitored baseline security for over a decade and is part of governmental policy. Three months ago we sent tens of thousands of e-mails to European governments indicating the new site would launch, giving them time to review the results and act on them in advance of publication.
This article details what SecurityBaseline monitors, how we visualize risks with maps, and dives into three worrisome metrics:
3.000 governmental sites use tracking cookies illegally Over 1.000 database management interfaces are publicly reachable 99% of governmental email is poorly encrypted
This data makes the web transparent and complies with tried-and-tested publication, measurement, and code-of-conduct policy. We target our findings at governments so they can protect their citizens. They can impose requirements on themselves and on the rest of the country.
Do you value transparency, security, sovereignty, accessibility, and privacy? Then ask us to do research or become a member of the Internet Cleanup Foundation and support our mission to improve the internet. We already monitor over 80,000 organisations and 500,000 addresses and make this information available to everyone. Find out more about membership or contact us.
Background: Over a thousand maps updated daily
Web Security Map, our software which powers Security Baseline, has been in development for over a decade. We believe that transparency is fundamental to a secure internet. Transparency includes being able to understand easily whether there is a problem. That’s why we show results on maps: maps for every country and every metric.
We measure all EU member states but also include countries inside the European Economic Area. For administrative purposes, we treat the European Union as a country as well; this helps with plotting pan-European initiatives, Computer Security Incident Response Teams (CSIRT) , for example. This totals 32 countries, including the EU, Switzerland, Norway, Iceland, and Liechtenstein. The United Kingdom is not included.
Countries divide themselves into all kinds of regions. Every country takes a different approach. Germany, for example, has a lot of structure. In fact, it has so much structure that it becomes confusing and hard to make maps that can be validated easily as correct. Other countries such as Sweden, are much simpler in that respect. In the end, the 32 countries result in 87 different maps with various types of regions: municipalities, cities, provinces, and so on.
... continue reading