The deployment of a set of key Internet standards and best practices helps us understand what the status of Internet-related infrastructures is in the EU in five main categories: browsing, routing, emailing, naming, and addressing. In this website, we periodically provide a summary of the adoption status of standards belonging to these categories.
Data used in this website come from two types of sources:
The methodology that is described below is followed to calculate the full series of indicators presented in the ‘Internet Standards’ series of reports. The EU Internet Standards Deployment Monitoring Website shows a selection of these indicators; for more detailed information please consult the ‘Internet Standards’ reports.
The Hypertext Transfer Protocol (HTTP) is an application layer protocol in the TCP/IP protocol suite model that provides the foundation of the World Wide Web (WWW). As with many other protocols implemented in the early days of the Internet when the threat landscape was completely different, HTTP was not designed with security in mind. The extension of HTTP to support secure communications, that is HTTP over SSL or TLS, is named Hypertext Transfer Protocol Secure (HTTPS). An additional measure for secure communications over HTTP to mitigate attacks and security vulnerabilities is HTTP security headers, such as the HTTP Strict Transport Security (HSTS) header. On the performance side, the increasing use of the WWW as a platform for bandwidth-demanding and latency-sensitive applications on the one hand and the shift towards securing this traffic (for example, using TLS) on the other, created the need for a more efficient transport solution, i.e., HTTP/3.
This website provides an estimation of the adoption rate of modern HTTP-related technologies (that is, HTTPS, HSTS security response header and HTTP/3) in the EU Member States. The methodology that is described below is followed to calculate the full series of indicators presented in the ‘Internet Standards’ series of reports. The EU Internet Standards Deployment Monitoring Website shows a selection of these indicators; for more detailed information please consult the ‘Internet Standards’ reports. The data stem from the publicly available sources listed below.
The data is provided by the company's W3Techs division, which reports the adoption rates of several web technologies by the top 10 million (top 10M) websites worldwide. Among the technologies considered are HTTPS and HTTP/3 worldwide, as well as by country. This top 10M list is a combination of the Alexa top 10M and the Tranco top 1M lists, excluding unused websites; for example, sites with only a default web server page. When there are subdomains and redirected domains of a main domain they are counted only as a single website, that is, the main domain. Regarding the collected data, each website is visited approximately once a month, while the reports are updated daily.
This source hosts data reported by a crawler on website security-related metrics. It uses the Tranco top 1M list and provides free access to the raw data collected daily. The metrics provided are adoption rates of HTTP security headers, such as HTTP Strict Transport Security (HSTS), Content Security Policy (CSP), X-Frame-Options (XFO), and X-Content-Type-Options (XCTO).
One million domains obtained by averaging various rankings (lists) over the past 30 days.
HTTPS adoption rates shown in this website come from open data sources listed above. They are visually represented without further processing.
Since Q3 2023, HSTS and HTTP/3 adoption rates are calculated using our own analysis on the Tranco Top 1M list.
The adoption rate in each Member State is presented as a percentage, whereas the EU average is the arithmetic average of the rates of all 27 EU Member States.
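One way to carry out this kind of measurement, as an added example that is not the website's own analysis code: it decides from constructed response headers whether a site counts as HSTS-enabled, then computes per-Member-State rates and their arithmetic average. Attributing a domain to a Member State by its ccTLD, counting `max-age=0` and headers received over plain HTTP as not enabled, and the sample domains are all assumptions of this example.

```python
from collections import defaultdict

# Constructed sample: (domain, scheme the response arrived over, response headers).
SAMPLE = [
    ("a.example.de", "https", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    ("b.example.de", "https", {"strict-transport-security": "max-age=0"}),        # policy removal
    ("c.example.de", "http", {"Strict-Transport-Security": "max-age=31536000"}),  # sent over HTTP
    ("d.example.de", "https", {"Strict-Transport-Security": 'MAX-AGE="600"; preload'}),
    ("a.example.fr", "https", {"Strict-Transport-Security": "max-age=600; max-age=900"}),
    ("b.example.fr", "https", {"Strict-Transport-Security": "max-age=63072000; preload"}),
    ("c.example.fr", "https", {}),                                                # no header
    ("d.example.fr", "https", {"Strict-Transport-Security": "includeSubDomains"}),
    ("a.example.com", "https", {"Strict-Transport-Security": "max-age=600"}),     # not a ccTLD
]

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).
    Returns {"max_age": int, "include_subdomains": bool}, or None if invalid."""
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()           # directive names are case-insensitive
        if name in seen:                      # a repeated directive invalidates the header
            return None
        seen[name] = arg.strip().strip('"')   # the value may be a quoted-string
    max_age = seen.get("max-age", "")
    if not (max_age.isascii() and max_age.isdigit()):   # max-age is required
        return None
    return {"max_age": int(max_age), "include_subdomains": "includesubdomains" in seen}

def hsts_enabled(scheme, headers):
    """True only when the header arrived over HTTPS and sets a non-zero max-age."""
    if scheme != "https":                     # user agents ignore the header over plain HTTP
        return False
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            policy = parse_hsts(value)
            return policy is not None and policy["max_age"] > 0
    return False

def adoption_rates(samples, member_cctlds):
    """Per-ccTLD HSTS rate in percent, plus the arithmetic average of those rates."""
    total, hits = defaultdict(int), defaultdict(int)
    for domain, scheme, headers in samples:
        cctld = domain.rsplit(".", 1)[-1].lower()
        if cctld not in member_cctlds:        # skip domains outside the monitored ccTLDs
            continue
        total[cctld] += 1
        hits[cctld] += hsts_enabled(scheme, headers)
    rates = {cc: 100.0 * hits[cc] / total[cc] for cc in total}
    average = sum(rates.values()) / len(rates) if rates else 0.0
    return rates, average

if __name__ == "__main__":
    # Two ccTLDs stand in for the 27 Member States in this constructed run.
    print(adoption_rates(SAMPLE, {"de", "fr"}))
```

Counting any response that merely carries the header would report 100% for `.de` here; the three exclusions bring it to 50%.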
One of the most critical building blocks of the reliable operation of the Internet is its global routing system, which is based on the Border Gateway Protocol (BGP). In this context, BGP is used to exchange routing and reachability information among Autonomous Systems (ASs). As is the case with other protocols used since the early days of the Internet, BGP was not built with security in mind, which makes it a source of vulnerabilities in the global routing system. The lack of sufficient security controls has resulted in thousands of incidents every year, such as route hijacking, route leaks, IP address spoofing and Denial of Service (DoS) attacks. These incidents lead, among other things, to misrouted traffic, increased latency, slower performance, traffic inspection, lost revenue and damage to reputation.
Mutually Agreed Norms for Routing Security (MANRS) is a global initiative that establishes a security baseline of specific actions for involved parties, such as network operators and Internet Exchange Points (IXPs), to improve the security of the global routing system. These actions are in the form of industry best practices and technical solutions that operators running BGP are encouraged to implement in order to address the most common threats against routing.
The EU Internet Standards Deployment Monitoring Website provides an estimation of the adoption rate of MANRS actions in the EU from network operators. The methodology that is described below is followed to calculate the full series of indicators presented in the ‘Internet Standards’ series of reports. The EU Internet Standards Deployment Monitoring Website shows a selection of these indicators; for more detailed information please consult the ‘Internet Standards’ reports. The data stem from the publicly available sources listed below.
This website is provided by the official MANRS initiative and provides MANRS participation metrics for network operators for each specific action. For each action, different metrics from different data sources are used to compute a MANRS readiness index (that is, an indication of the degree of compliance) for that action. These data are publicly available on a per-month and per-country basis, and historical data are also available.
This is the official website of the MANRS initiative. It provides MANRS participation information for four categories of entities: (a) network operators, (b) IXPs, (c) CDNs and cloud providers, and (d) equipment vendors. Apart from the MANRS Observatory data which concern network operators, the manrs.org website provides publicly available participation data for IXPs, CDNs and cloud providers, and equipment vendors that were used to compute MANRS adoption.
PCH provides an IXP directory of all IXPs worldwide.
APNIC is the Regional Internet Registry (RIR) that administers IP addresses for the Asia-Pacific region. On its website it provides uptake statistics for Route Origin Authorisation (ROA) and Route Origin Validation (ROV) on a global as well as a per-country scale.
MANRS-related adoption statistics visually represented in this website come from the combination of data from the open data sources listed above for network operators only; for the rest of the categories please consult the ‘Internet Standards’ reports. These data are retrieved, processed and updated twice a year (Q1 and Q3).
For network operator MANRS readiness, the degree of compliance (as a percentage) in each of the MANRS actions of network operators in Member States is presented. These data are readily available from the MANRS Observatory. The EU average is the arithmetic average of the rates of all 27 EU countries.
In order to calculate the MANRS adoption rate from IXPs, data from manrs.org and PCH were used. The manrs.org website provides data about the IXPs supporting MANRS and the country in which each one resides (an IXP can be present in more than one country). PCH is a directory of all the IXPs worldwide. By using these two sources, the ratio of MANRS-participating IXPs to total IXPs in the country was calculated for each Member State and for selected countries worldwide. Also, an average EU ratio was calculated by dividing the total number of EU MANRS-participating IXPs by the total number of EU IXPs. Similarly, the world adoption rate was calculated by dividing the total number of MANRS-participating IXPs worldwide by the total number of IXPs worldwide.
The RPKI ROA and ROV metrics measure the adoption of ROA and ROV per country, using data from APNIC. In the first case, the percentages of IPv4 and IPv6 address space for which ROA have been generated are presented. In the second, the percentages of announcements that are being validated through ROV are demonstrated.
The adoption rates of the newer MANRS programs, namely CDN/cloud providers and equipment vendors, are also presented. These programs were initiated in Mar. 2020 and Sept. 2021 respectively and thus data are limited. Due to the lack of related data sources, only the total number of providers and vendors globally is provided.
The Simple Mail Transfer Protocol (SMTP) was originally designed under the assumption that servers and communications over IP networks (such as the Internet) could be trusted; therefore, no security measures were foreseen. Since its creation in the pre-Internet era, different email security standards have been developed to complement SMTP and to protect email communications, such as StartTLS, Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, Reporting and Conformance (DMARC), DNS-based Authentication of Named Entities (DANE) and Domain Name System Security Extensions (DNSSEC).
Today, millions of emails are sent and delivered worldwide on a daily basis over SMTP; however, these communications are not necessarily secure. This is because the implementation of concrete email security standards is not mandatory, neither by design of the protocols nor by a legal framework. Internet email providers can deploy fully functional email services without implementing any of the existing security standards to protect the communications with other Internet email providers.
The current level of adoption of email security standards by email providers is far from ideal. The results of a survey campaign that JRC conducted in 2018 and 2019 revealed serious gaps in the adoption of modern email security standards in the global email ecosystem. This lack of adoption of email security standards goes unnoticed in most cases, because there is a lack of transparency towards end-users. Unlike what happens with web communications, where end users can quickly identify unprotected sites (i.e., not using HTTPS) by checking the presence of the padlock in the browser, email users lack such feedback. Moreover, there is also a lack of promotion of the importance of securing email communications. As a result, there is a lack of demand from end-users and policy makers for such features, which translates into a lack of incentives for the industry to invest in the adoption of email security standards. In addition to this lack of incentives, there are also implementation challenges, with no clear guidelines or best practices on how to implement these security standards.
MECSA is an online tool designed and maintained by the Joint Research Centre (JRC) of the European Commission to assess the protection of email communications between email providers. It evaluates the capacity of email providers to secure email communications by analysing their usage of modern email security standards. MECSA analyses the support for StartTLS with X.509 certificates, SPF, DKIM, DMARC, DANE and DNSSEC, for the inbound and outbound services.
The Google Transparency Report is a public site where Google publishes data statistics of different Google services, like email or HTTP. Google issued the first transparency report in 2010 and has been updating it regularly with “[...] data that sheds light on how the policies and actions of governments and corporations affect privacy, security, and access to information online”. A sub-list of domains contained in the “Email Encryption in Transit” part of the last edition of the Google Transparency Report (a total of ca. 120,000 domains) is used to analyse the uptake of the target standards by country, dividing them into two groups: domains with ccTLD of a Member state, EU domains (5,492 domains), and a set of chosen non-EU ccTLD domains (12,283 domains).
The detailed results obtained by the MECSA platform following the analysis of a total of 5,000 domains are used. The average of the results for the assessment of each of the target standards (StartTLS, SPF, DMARC, DKIM, DANE, and DNSSEC) is used to compare against those obtained in the analysis of the Google Transparency Report domains described below.
The more in-depth analysis of the uptake of email standards is based on JRC's open source mecsa-st tool and the internet.nl service. Using each tool, the list of email domains obtained from the Google Transparency Report is analysed and classified based on their ccTLD.
Internet.nl is an initiative of the Dutch Internet Standards Platform. It checks the implementation of modern Internet Standards for email, web and Internet connection and provides a score, according to how many standards are supported correctly. The internet.nl tests are based on the Internet Standards on the 'comply-or-explain' list of the Dutch Standardisation Forum, on the security advice of the Dutch NCSC and on the relevant RFCs of IETF.
Mecsa-st is the command-line version of the MECSA online tool. It features a reduced version of the MECSA analysis engine limited to inbound tests. The analysis assesses the email domains under the ccTLDs of the EU Member States, including the '.eu' ccTLD. Mecsa-st was used to carry out the following specific tests:
Designed back in the 1980s, DNS is one of the most critical constituents of the Internet infrastructure. Even a minor disruption to the normal operation of a DNS server could seriously impair network services and instantly hinder access to network resources. DNS was not built with security in mind; therefore, standard DNS queries are susceptible to a range of attacks, including DNS hijacking, tunnelling, and poisoning, which aim at redirecting the website's traffic to, say, a cloned one. Domain Name System Security Extensions (DNSSEC) safeguard against DNS attacks by providing resolvers with cryptographic authentication of DNS data, authenticated denial of existence, and data integrity. This is done by digitally signing the data (RRs) to make sure of their validity; every zone's (except for the root one) public key is signed by its parent zone in a so-called "chain of trust". However, to strengthen the security of the Internet globally, DNSSEC must first be broadly adopted across all TLDs.
This website provides an estimation of the adoption rate of DNSSEC validation in the EU Member States. The methodology that is described below is followed to calculate the full series of indicators presented in the ‘Internet Standards’ series of reports. The EU Internet Standards Deployment Monitoring Website shows a selection of these indicators; for more detailed information please consult the ‘Internet Standards’ reports. The data stem from the publicly available source listed below.
DNSSEC 30-day average validation rates by region, subregion, and country worldwide
One million domains obtained by averaging various rankings (lists) over the past 30 days.
DNSSEC validation data shown in this website come from the open data sources listed above and are here visually represented without further processing; updated data are retrieved twice a year (Q1 and Q3).
Use of DNSSEC by services. This chart, introduced in Q1 2023, shows the DNSSEC support of the top domains in the EU, i.e., the EU domains of the Tranco Top-1M list.
For DNSSEC the adoption rate in each EU country is presented as a percentage, whereas the EU average is the arithmetic average of the rates of all 27 EU Member States.
The deployment of IPv6 is of paramount importance to ensure the scalability, stability, and security of the Internet. In recent years, the number of devices connected to the Internet has increased dramatically, significantly surpassing the number of public IP addresses provided by IPv4; thus, the pool of available public IPv4 addresses is already exhausted. Several techniques have been successfully employed in the last decade to deal with this shortage of IP addresses, including Network Address Translation or Port Address Translation (NAT/PAT) or Carrier Grade NAT (CGN). However, these solutions bring additional costs, create new market barriers and negatively affect the scalability and possibilities offered by the Internet, particularly in light of new emerging paradigms such as the Internet-of-Things (IoT), Connected and Automated Vehicles (CAV), smart grids and smart cities.
In this website, we provide an overview of the current level of adoption of the IPv6 protocol across EU Member States by measuring the rate of adoption of IPv6 across two dimensions:
The methodology that is described below is followed to calculate the full series of indicators presented in the ‘Internet Standards’ series of reports. The EU Internet Standards Deployment Monitoring Website shows a selection of these indicators; for more detailed information please consult the ‘Internet Standards’ reports. The data stem from the publicly available sources listed below.
Google measures the adoption of IPv6 worldwide on a daily basis and makes these statistics publicly available. The measurements show the percentage of end-users that access Google services over IPv6; thus, these results are limited to Google users only.
Asia Pacific Network Information Centre (APNIC) is the regional Internet address registry for the Asia-Pacific region. APNIC monitors IPv6 deployment on end-users utilising a JavaScript tracker in Google Analytics. It provides publicly available data with a daily frequency, as well as maps with average values over a number of days (by default 30 days).
Facebook collects and makes publicly available data on IPv6 adoption worldwide and by country. These data show the use of IPv6 for Facebook traffic around the world; thus, it is limited to the services offered by Facebook only.
Cloudflare provides content delivery network services, cloud cybersecurity, DDoS mitigation, and ICANN-accredited domain registration services. The data are provided by "Cloudflare Radar", a hub that showcases global Internet traffic, attack, and technology trends and insights. The adoption rates are collected from Cloudflare's global network, as well as aggregated and anonymized data from Cloudflare's 1.1.1.1 public DNS Resolver. It is important to note that for the sake of comparison with the previous rounds of reports, we did not take into account the adoption rates of this source for the calculation of average adoption rates, but rather used it as complementary to the other sources.
Akamai operates as a global content delivery network (CDN), while offering cloud services as well. It provides public access to IPv6 adoption data for countries, as well as for the top 200 networks ranked by total IPv6 hits. The collected data are based on the number of content requests made to the Akamai network over IPv6 divided by the total number of requests made to Akamai (over both IPv4 and IPv6).
For obtaining a reliable estimation of the client-side IPv6 adoption we combined data from the following sources: APNIC, Facebook, and Akamai. Updated raw data is retrieved twice a year (Q1 and Q3).
For calculating the adoption rate in each country individually, the data concerning the Member States from the aforementioned sources are used. Along with the average IPv6 adoption rate for each Member State (MS) among the sources used, the standard deviation (stdev) is calculated as well to obtain an indication of the distribution of the different values.
To determine the weighted mean client-side adoption rate for the EU as a whole, the above data are combined with contemporary data from Eurostat, namely, (a) the population of the 27 MSs, and (b) Internet usage, i.e., the percentage of users who use the Internet weekly (including daily usage). First, the number of citizens in each EU country is multiplied by the ratio of users who use the Internet at least once a week to approximate the total number of users with an Internet connection per EU country (this approach also includes users who access the Internet through their mobile devices):
Then, for a given EU country, the result is multiplied by the country average IPv6 adoption rate, to calculate the number of citizens with IPv6 support for that specific country. The sum of the results shows the total number of citizens with IPv6 support in the EU and is then divided by the total number of citizens with Internet connection in the EU; the result is a weighted estimation of the IPv6 adoption for the EU as a whole:
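The per-country statistics and the two weighting steps described above, as an added worked example that is not code from the reports. The country codes, rates, populations and usage ratios are constructed; averaging only the sources that report a figure and using the population form of the standard deviation are assumptions of this example.

```python
from statistics import fmean, pstdev

# Constructed inputs, not Eurostat or measurement data. Rates are percentages
# per source (APNIC, Facebook, Akamai); None marks a source with no figure.
COUNTRIES = {
    "AA": {"rates": (60.0, 50.0, 40.0), "population": 12_000_000, "weekly_use": 0.75},
    "BB": {"rates": (10.0, None, 30.0), "population": 2_000_000, "weekly_use": 0.50},
}

def country_stats(rates):
    """Mean and spread of one country's IPv6 rate across the available sources."""
    present = [r for r in rates if r is not None]
    if not present:
        raise ValueError("no source reports a rate for this country")
    # Assumption: population standard deviation; the page does not say which form.
    return fmean(present), pstdev(present)

def eu_weighted_adoption(countries):
    """Weight each country's mean rate by its estimated number of Internet users."""
    users_total = 0.0
    ipv6_total = 0.0
    for data in countries.values():
        mean_rate, _ = country_stats(data["rates"])
        users = data["population"] * data["weekly_use"]   # citizens online weekly
        users_total += users
        ipv6_total += users * mean_rate / 100.0           # of those, reachable over IPv6
    if users_total == 0:
        raise ValueError("no Internet users in the input")
    return 100.0 * ipv6_total / users_total

def eu_arithmetic_average(countries):
    """Unweighted mean of the country rates, for comparison with the weighted one."""
    return fmean([country_stats(d["rates"])[0] for d in countries.values()])

if __name__ == "__main__":
    for code, data in COUNTRIES.items():
        mean_rate, spread = country_stats(data["rates"])
        print(f"{code}: mean {mean_rate:.1f}%, stdev {spread:.1f}")
    print(f"weighted:   {eu_weighted_adoption(COUNTRIES):.1f}%")
    print(f"arithmetic: {eu_arithmetic_average(COUNTRIES):.1f}%")
```

With these inputs the weighted figure is 47% against an arithmetic average of 35%, because the larger, more connected country dominates the weighted sum.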