Europe's Gov Sites Are a Security Disaster: The Numbers Are Brutal

4 min read · 1 source
├── "EU governments are structurally hypocritical — enforcing privacy rules they violate on their own websites"
│  ├── Internet Cleanup Foundation (internetcleanup.foundation) → read

The foundation's audit found ~3,000 government websites embedding third-party trackers and ~1,000 exposed phpMyAdmin interfaces across European government domains. They built securitybaseline.eu to make these failures publicly searchable, implicitly arguing that governments enforcing GDPR should meet the standards they impose on the private sector.

│  └── @aequitas (Hacker News, 188 pts)

Submitted the story with significant community traction (188 points, 97 comments), highlighting the contrast between EU governments fining Big Tech billions for tracking violations while their own sites run the same trackers on pages where citizens access government services.

├── "The exposed phpMyAdmin interfaces represent a more urgent security crisis than the tracking issue"
│  └── top10.dev editorial (top10.dev) → read below

The editorial argues that while the trackers are a policy embarrassment, the ~1,000 publicly reachable phpMyAdmin instances are worse from a pure security standpoint. An internet-facing phpMyAdmin login is a standing target for automated credential brute-forcing and for exploitation of known vulnerabilities in unpatched versions, so some of these government databases may be open to compromise today.

├── "Public transparency tools like securitybaseline.eu are the most effective lever for forcing government compliance"
│  └── Internet Cleanup Foundation (internetcleanup.foundation) → read

The foundation's approach mirrors their earlier internet.nl project — making compliance data publicly searchable to create accountability pressure. By launching securitybaseline.eu as a lookup tool for any government domain's security posture, they are betting that public visibility, not regulation, is what will drive remediation across European public sector infrastructure.

└── "The email encryption failures are the most widespread problem, affecting 99% of government mail systems"
  └── Internet Cleanup Foundation (internetcleanup.foundation) → read

The audit reports that 99% of government email systems are "poorly encrypted". The headline does not say which checks feed that figure; the most plausible reading is mail servers that offer only opportunistic STARTTLS, with no DANE TLSA records or MTA-STS policy to make encryption mandatory (SPF, DKIM and DMARC are anti-spoofing controls, not encryption, so failures there would be a different finding). While the tracker and phpMyAdmin numbers are striking, the near-universal email failure rate points to systemic neglect of basic, long-standardised controls across virtually all European government mail infrastructure.

What happened

The Internet Cleanup Foundation — a Dutch nonprofit that previously built internet.nl, a widely-used standards compliance checker — has published the results of a large-scale audit of European government web infrastructure. The findings, released alongside the launch of their new securitybaseline.eu platform, are bleak by any standard.

Across European government domains, the foundation identified approximately 3,000 websites embedding third-party tracking scripts, roughly 1,000 publicly accessible phpMyAdmin interfaces, and email systems where 99% are "poorly encrypted" (most plausibly: opportunistic STARTTLS with no DANE or MTA-STS to enforce it; SPF/DKIM/DMARC are authentication controls and would be a separate finding). These aren't obscure corner cases; these are the digital front doors of institutions that regulate data protection for 450 million people.

The securitybaseline.eu platform makes these results publicly searchable, allowing anyone to look up a specific government domain and see its security posture. Think of it as Qualys SSL Labs, but scoped to the entire European public sector and covering far more than just TLS.

Why it matters

The irony here is structural, not incidental. European governments — particularly through GDPR enforcement — have positioned themselves as the global standard-bearers for digital privacy and security. The EU has fined Big Tech billions for tracking users without consent. Meanwhile, their own websites are running third-party trackers on thousands of pages where citizens interact with government services.

A government website running Google Analytics or Facebook pixels while that same government fines private companies for identical behavior isn't hypocrisy as a policy failure — it's hypocrisy as infrastructure.

The phpMyAdmin exposure is arguably worse from a pure security standpoint. phpMyAdmin is a web-based MySQL/MariaDB administration tool; when reachable from the internet it is a favourite target of automated scanners, which brute-force the database login and probe for known vulnerabilities in unpatched versions. Finding ~1,000 instances on government domains means there are likely databases containing citizen data sitting behind nothing more than a login form — no VPN, no IP allowlist, no WAF. Even a fully patched instance turns every weak or reused database password into a remote compromise. If even a fraction run outdated phpMyAdmin versions (and statistically, many will), the attack surface is enormous.

The email encryption statistic — 99% poorly configured — maps to a known, persistent problem. Most European government mail servers still don't enforce transport-layer encryption via MTA-STS or DANE. Without one of those, a sending server uses STARTTLS only if the receiving server advertises it, and nothing authenticates the receiving server's certificate, so an on-path attacker can strip the STARTTLS offer (or answer with its own certificate) and read mail between agencies and with citizens in transit. In 2026, this is not a cutting-edge requirement. MTA-STS was standardised in RFC 8461 in 2018; DANE for SMTP (RFC 7672) dates from 2015. The tooling exists. The standards are mature. The adoption just hasn't happened.

For context, the Netherlands — where the Internet Cleanup Foundation is based — has historically been ahead of most EU members on these standards, partly because internet.nl made compliance visible and created public accountability. The foundation is clearly trying to replicate that pressure at a continental scale with securitybaseline.eu.

The accountability-through-transparency model

What makes this release notable isn't just the numbers — security audits with scary statistics are published weekly. It's the delivery mechanism. By building a public, searchable platform, the foundation is betting on the same theory that drove internet.nl's success in the Netherlands: when you make security failures visible and attributable to specific institutions, the political cost of inaction eventually exceeds the cost of fixing the problem.

This approach has precedent. The UK's NCSC pushed adoption of DMARC across .gov.uk domains by publishing league tables. Mozilla's Observatory graded websites publicly and moved the needle on HTTPS adoption. Certificate Transparency logs made misissued certificates discoverable. The pattern is consistent: sunlight works, but only when the data is structured, current, and tied to named entities.

The question is whether this will generate sufficient political pressure across 27 member states with wildly different IT governance models. A Dutch foundation naming and shaming a Bulgarian municipal website may not carry the same weight as domestic oversight.

What this means for your stack

If you work on anything that touches government infrastructure — procurement platforms, citizen-facing services, data exchanges, or GovTech integrations — this audit should recalibrate your trust assumptions.

Don't trust the transport layer. If you're exchanging data with government email systems, assume STARTTLS is opportunistic at best. Use end-to-end encryption for anything sensitive, regardless of what the other side claims about their email setup. Treat government email infrastructure the way you'd treat any unverified third-party system: encrypt before it leaves your boundary.
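One way to test that assumption before you rely on it. The script below is an added example, not code from the Internet Cleanup Foundation or internet.nl: it parses an RFC 8461 MTA-STS policy, applies the RFC's MX-matching rule, and classifies a domain as "enforced" (MTA-STS in enforce mode and/or DANE TLSA records on every MX) or merely "opportunistic". The MX, policy and TLSA data in SAMPLE are constructed so it runs offline; the only live call is fetch_mta_sts_policy(), which needs network access, and the DNS-side lookups (the _mta-sts TXT record, TLSA records, DNSSEC validation) are left to a real resolver library.

```python
"""
Classify a mail domain's inbound transport encryption as enforced (MTA-STS in
enforce mode and/or DANE TLSA records on every MX) or merely opportunistic.

Added example, not code from the Internet Cleanup Foundation or internet.nl.
SAMPLE holds constructed DNS facts; fetch_mta_sts_policy() is the only live call.
"""
import urllib.request

REQUIRED_KEYS = ("version", "mode", "max_age")


def parse_mta_sts_policy(text: str) -> dict:
    """Parse an RFC 8461 policy file: 'key: value' per line, 'mx' may repeat."""
    fields, mx = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            mx.append(value.lower())
        else:
            fields[key] = value
    missing = [k for k in REQUIRED_KEYS if k not in fields]
    if missing:
        raise ValueError(f"policy missing required field(s): {missing}")
    if fields["version"] != "STSv1":
        raise ValueError(f"unsupported version {fields['version']!r}")
    mode = fields["mode"].lower()
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"invalid mode {mode!r}")
    if mode != "none" and not mx:
        raise ValueError("enforce/testing policy must list at least one mx")
    return {"mode": mode, "max_age": int(fields["max_age"]), "mx": mx}


def mx_matches(mx_host: str, pattern: str) -> bool:
    """RFC 8461 MX matching: exact name, or '*.a.example' where '*' stands for
    exactly one leading label ('x.a.example' matches, 'y.x.a.example' does not)."""
    mx_host, pattern = mx_host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".a.example"
        return mx_host.endswith(suffix) and "." not in mx_host[: -len(suffix)]
    return mx_host == pattern


def evaluate_transport(mx_hosts, policy_text=None, tlsa_by_mx=None) -> dict:
    """tlsa_by_mx maps an MX host to True if _25._tcp.<mx> has a TLSA record.
    DNSSEC validity of those records is assumed here, not checked."""
    tlsa_by_mx = tlsa_by_mx or {}
    enforced_by, gaps = [], []

    missing_tlsa = [mx for mx in mx_hosts if not tlsa_by_mx.get(mx)]
    if mx_hosts and not missing_tlsa:
        enforced_by.append("DANE")
    else:
        gaps.append("no TLSA record for: " + (", ".join(missing_tlsa) or "(no MX)"))

    if policy_text is None:
        gaps.append("no MTA-STS policy published")
    else:
        try:
            policy = parse_mta_sts_policy(policy_text)
        except ValueError as exc:
            gaps.append(f"MTA-STS policy invalid: {exc}")
        else:
            uncovered = [mx for mx in mx_hosts
                         if not any(mx_matches(mx, p) for p in policy["mx"])]
            if policy["mode"] != "enforce":
                gaps.append(f"MTA-STS mode is {policy['mode']!r}, not 'enforce'")
            elif uncovered:
                # Worse than no policy: compliant senders refuse delivery to these MXs.
                gaps.append("MTA-STS enforce policy does not list MX: " + ", ".join(uncovered))
            else:
                enforced_by.append("MTA-STS")

    verdict = "enforced" if enforced_by else "opportunistic"
    return {"verdict": verdict, "enforced_by": enforced_by, "gaps": gaps}


SAMPLE = {  # constructed DNS facts, not real domains
    "good.example": {
        "mx": ["mx1.good.example", "mx2.good.example"],
        "policy": "version: STSv1\nmode: enforce\nmx: *.good.example\nmax_age: 604800\n",
        "tlsa": {"mx1.good.example": True, "mx2.good.example": True},
    },
    "testing.example": {
        "mx": ["mail.testing.example"],
        "policy": "version: STSv1\nmode: testing\nmx: mail.testing.example\nmax_age: 86400\n",
        "tlsa": {},
    },
    "weak.example": {"mx": ["mail.weak.example"], "policy": None, "tlsa": {}},
}


def assess(domain: str, data=SAMPLE) -> dict:
    d = data[domain]
    return evaluate_transport(d["mx"], d["policy"], d["tlsa"])


def fetch_mta_sts_policy(domain: str, timeout: float = 5.0) -> str:
    """Live lookup (network required) of the policy file at
    https://mta-sts.<domain>/.well-known/mta-sts.txt. The _mta-sts.<domain> TXT
    record and the _25._tcp.<mx> TLSA records need a DNS library (e.g. dnspython)."""
    url = f"https://mta-sts.{domain}/.well-known/mta-sts.txt"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    for name in SAMPLE:
        r = assess(name)
        print(f"{name}: {r['verdict']} via {r['enforced_by'] or '-'}; gaps: {r['gaps']}")
```

A "testing" mode policy is reported as a gap on purpose: senders log failures but still deliver in the clear, so it buys no protection. Likewise an enforce policy that omits one of your MX hosts is flagged separately, because that is a delivery outage waiting to happen rather than an encryption win.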

Audit your own exposure. The phpMyAdmin finding is a reminder that admin interfaces exposed to the internet are a solved problem — solved long ago by VPNs and bastion hosts, and more recently by identity-aware proxies. Run a scan of your own infrastructure for accidentally public admin panels: search Shodan or Censys for your organisation's IP ranges and certificates, then confirm with an nmap sweep of your public ranges against common admin ports and an HTTP check of the usual paths (/phpmyadmin/, /manager/html, /admin/). Expect surprises.
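The HTTP-path half of that check, as an added example (not the foundation's scanner): it requests a short list of well-known admin paths on each host and fingerprints the response, recognising phpMyAdmin by its login-form field names and session cookie, Tomcat Manager by its Basic-auth realm, Jenkins by its X-Jenkins header, and anything else with a password field as an unknown login form. ADMIN_PATHS and FINGERPRINTS are a minimal starter set, SAMPLE_RESPONSES are constructed so the script runs offline, and live probing is only appropriate against hosts you are authorised to test.

```python
"""
Check your own public hosts for accidentally exposed admin consoles
(phpMyAdmin, Adminer, Tomcat Manager, Jenkins, or any unexpected login form).

Added example, not the Internet Cleanup Foundation's scanner. ADMIN_PATHS and
FINGERPRINTS are a minimal starter set; SAMPLE_RESPONSES are constructed HTTP
responses so the script runs offline. Only probe hosts you are authorised to test.
"""
import sys
import urllib.error
import urllib.request

ADMIN_PATHS = ["/phpmyadmin/", "/phpMyAdmin/", "/pma/", "/mysql/", "/adminer.php",
               "/manager/html", "/admin/", "/login", "/console/", "/wp-login.php"]


def _has(text, *needles):
    t = text.lower()
    return all(n.lower() in t for n in needles)


# (label, predicate(status, lowercase-header-dict, body)); list order is priority
FINGERPRINTS = [
    ("phpMyAdmin", lambda s, h, b: _has(b, "phpmyadmin") and
        (_has(b, "pma_username") or "phpmyadmin=" in h.get("set-cookie", "").lower())),
    ("Adminer", lambda s, h, b: _has(b, "adminer", "<form")),
    ("Tomcat Manager", lambda s, h, b: s == 401 and
        "tomcat manager" in h.get("www-authenticate", "").lower()),
    ("Jenkins", lambda s, h, b: "x-jenkins" in h),
    ("login form (unknown)", lambda s, h, b: s == 200 and _has(b, "<form", 'type="password"')),
]


def fingerprint(status, headers, body):
    """Return the first matching label for an HTTP response, or None."""
    h = {k.lower(): v for k, v in headers.items()}
    for label, predicate in FINGERPRINTS:
        if predicate(status, h, body):
            return label
    return None


def fetch(url, timeout=5.0):
    """Live GET (network required). Returns (status, headers, body); status None on error."""
    req = urllib.request.Request(url, headers={"User-Agent": "admin-exposure-check/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return r.status, dict(r.headers.items()), r.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:  # 401/403/500 pages still carry fingerprints
        return e.code, dict(e.headers.items()), e.read(65536).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, {}, ""


def probe_host(base_url, fetcher=fetch):
    """Try each admin path on base_url; return {path: label} for recognised consoles."""
    hits = {}
    for path in ADMIN_PATHS:
        status, headers, body = fetcher(base_url.rstrip("/") + path)
        if status is None or status == 404:
            continue
        label = fingerprint(status, headers, body)
        if label:
            hits[path] = label
    return hits


SAMPLE_RESPONSES = {  # constructed, not captured from any real host
    "https://web.example/phpmyadmin/": (200, {"Set-Cookie": "phpMyAdmin=abc123; path=/; HttpOnly"},
        '<title>phpMyAdmin</title><form><input name="pma_username">'
        '<input name="pma_password" type="password"></form>'),
    "https://web.example/manager/html": (401, {"WWW-Authenticate": 'Basic realm="Tomcat Manager Application"'}, ""),
    "https://web.example/login": (200, {}, '<form action="/login"><input type="password" name="pw"></form>'),
    "https://web.example/admin/": (403, {}, "Forbidden"),  # IP-restricted: nothing to report
}


def sample_fetch(url):
    return SAMPLE_RESPONSES.get(url, (404, {}, "not found"))


if __name__ == "__main__":
    targets = sys.argv[1:]
    fetcher = fetch if targets else sample_fetch
    for target in targets or ["https://web.example"]:
        for path, label in probe_host(target, fetcher).items():
            print(f"{target}{path}\t{label}")
```

Run with no arguments to see the constructed results, or pass base URLs (https://host) to probe live. A 403 is deliberately not a finding: an admin path that answers Forbidden from the internet is usually the allowlist doing its job, which is exactly the state you want.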

Check your third-party tracker inventory. If you operate in the EU, the GDPR enforcement lens that's been pointed at Big Tech will eventually point at everyone. Government sites running trackers without proper consent management are setting a legal precedent — but not the kind that protects you. Tag managers accumulate tracking scripts like sediment. Audit yours quarterly.
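A starting point for that inventory, as an added example and not the foundation's method: a static pass over a page's HTML that lists every script, image pixel, iframe and preconnect hint loaded from a host outside the site's own domain, names the ones belonging to well-known tracking services, and also spots the inline gtag/fbq bootstrap snippets that tag managers leave behind. SAMPLE_HTML is a constructed page and KNOWN_TRACKERS is a minimal starter list, not a complete blocklist. Static analysis is a floor, not a ceiling: consent banners and tag managers inject more at runtime, so pair it with a headless-browser crawl of the same pages.

```python
"""
Static third-party resource inventory for a web page: lists every script, image
pixel, iframe and preconnect hint loaded from a host outside the site's own
domain and names the ones that belong to well-known tracking services.

Added example, not the Internet Cleanup Foundation's scanner. SAMPLE_HTML is
constructed; KNOWN_TRACKERS is a starter list, not a blocklist.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# matched on the exact host first, then on its registrable domain
KNOWN_TRACKERS = {
    "google-analytics.com": "Google Analytics",
    "googletagmanager.com": "Google Tag Manager",
    "connect.facebook.net": "Meta Pixel",
    "facebook.com": "Meta Pixel",
    "doubleclick.net": "Google Ads / DoubleClick",
    "hotjar.com": "Hotjar",
}
INLINE_MARKERS = [
    (re.compile(r"\bgtag\("), "Google gtag bootstrap"),
    (re.compile(r"\bfbq\("), "Meta Pixel bootstrap"),
    (re.compile(r"\bga\("), "Google Analytics (legacy ga.js)"),
]


def registrable(host: str) -> str:
    """Naive registrable domain (last two labels). Fine for .nl/.gov/.de hosts,
    wrong for multi-label suffixes such as .co.uk; use a public-suffix list there."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class ResourceCollector(HTMLParser):
    """Collects (tag, url) for script/img/iframe src and preconnect/dns-prefetch
    links, plus the bodies of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.resources, self.inline_js = [], []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: v for k, v in attrs if v is not None}
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.resources.append((tag, a["src"]))
        elif tag == "link" and a.get("href") and \
                a.get("rel", "").lower() in ("preconnect", "dns-prefetch"):
            self.resources.append((tag, a["href"]))
        self._in_inline_script = tag == "script" and not a.get("src")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            self.inline_js.append(data)


def inventory(html: str, first_party_host: str) -> list:
    """Return third-party findings; first-party and relative URLs are skipped."""
    p = ResourceCollector()
    p.feed(html)
    p.close()
    own = registrable(first_party_host)
    findings = []
    for tag, url in p.resources:
        full = "https:" + url if url.startswith("//") else url
        host = urlparse(full).hostname
        if not host or registrable(host) == own:
            continue
        service = KNOWN_TRACKERS.get(host) or KNOWN_TRACKERS.get(registrable(host))
        findings.append({"kind": tag, "host": host, "service": service, "url": full})
    for js in p.inline_js:
        for pattern, service in INLINE_MARKERS:
            if pattern.search(js):
                findings.append({"kind": "inline-script", "host": None, "service": service, "url": None})
    return findings


def third_party_hosts(findings) -> set:
    return {f["host"] for f in findings if f["host"]}


def known_trackers(findings) -> set:
    return {f["service"] for f in findings if f["service"]}


SAMPLE_HTML = """<!doctype html><html><head>
<title>Apply for a permit</title>
<link rel="stylesheet" href="/static/site.css">
<link rel="preconnect" href="https://www.googletagmanager.com">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date()); gtag('config', 'G-XXXXXXX');
</script>
<script src="/static/app.js"></script>
</head><body>
<img src="/static/logo.png" alt="">
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"></noscript>
<form method="post" action="/permits/apply"></form>
</body></html>"""  # constructed page; the G-XXXXXXX and pixel id are placeholders

if __name__ == "__main__":
    for f in inventory(SAMPLE_HTML, "www.example.gov"):
        print(f"{f['kind']:14} {f['host'] or '-':28} {f['service'] or 'unknown third party'}")
```

The report distinguishes "known tracker" from "unknown third party" on purpose: an unrecognised external script deserves a look too, since it can load anything at runtime. Feed it the HTML of your most-visited citizen-facing pages, not just the home page, because that is where the sedimented tags in the tag manager tend to fire.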

If you're building for gov clients, use securitybaseline.eu as a conversation starter. "Your domain scores X on securitybaseline.eu" is a more effective sales argument for security work than any slide deck.

Looking ahead

The Internet Cleanup Foundation is effectively running an open-source accountability layer for European government IT. If securitybaseline.eu gains traction the way internet.nl did in the Netherlands, expect it to become a reference point in EU procurement requirements and parliamentary questions. The deeper signal here is that the gap between what governments mandate for the private sector and what they practice internally has become large enough — and now visible enough — that it's a political vulnerability. Whether that translates to actual infrastructure upgrades or just better-worded compliance checkboxes remains to be seen.

Hacker News 216 pts 103 comments

European governments: 3.000 tracking sites, 1.000 phpMyAdmins, and 99% poorly

lionkor · Hacker News

Might this be because any kind of genuine pentesting, unless it's explicitly been paid for, is highly illegal in countries like Germany (§ 202c StGB, § 202a StGB, etc.)? For example, I'd be more than happy to pentest some govt websites here in Germany, if the very act of visiting them with

aequitas · Hacker News

Today we launch SecurityBaseline: monitoring 67.000 governments and 200.000 sites. Headlines: 3.000 governmental sites use tracking cookies illegally, over 1.000 database management interfaces are publicly reachable, 99% of governmental email is poorly encrypted.

elric · Hacker News

Colouring an area red because they don't have DNSSEC enabled on a domain seems excessive. A nice addition would be to add who is hosting their email. First handful I've looked at are all outlook.com, which seems a much bigger privacy & security risk than not using DNSSEC.

rickdeckard · Hacker News

Great work. It's fun how these graphs indirectly hint at a cross-section of "e-Gov"/"tech-literacy in politics" per country with those incident-tables.
1. Countries with strong e-government and HIGH understanding of its requirements rank LOW (good!)
2. Countries with evol

nodar86 · Hacker News

At least for Hungary most of these are totally random websites with no connection to the government at all. 4/4 of the "region" websites are very random and all "district" sites seem to be pointing to a single decomissioned/archived site. The other lists I only spot-che
