
What our first 100 audits reveal about EU web health (and where it hurts)

We've now run ~100 audits across Romanian SMBs, EU agencies, and a handful of fintech sites since launching. The aggregate data is grim and instructive. Median health score 58/100. 78% fail at least one EAA criterion. 91% miss DNSSEC. Here's what's broken at the population level — and the 3 patterns that explain most failures.

Three months after launching AuditOPE in beta, we have a dataset of ~100 audits across Romanian SMBs, EU agencies, e-commerce sites, and a small sample of regulated entities (fintech, healthcare). The data is anonymized at the aggregate level — no individual site identified. We share it because the population-level picture is more useful than any single audit, and because it shows where the industry is actually broken in 2026.

The headline numbers

  • Median health score: 58/100 (D grade). Mean 56. Min 22. Max 89. Standard deviation 14.
  • 78% fail at least one EAA criterion. Most common: missing alt text (54%), insufficient color contrast (41%), missing form labels (36%).
  • 91% no DNSSEC. Despite the March 2026 EU mandate framework starting to bite for public-sector procurement.
  • 67% missing security headers (no CSP, no Permissions-Policy, no HSTS preload).
  • 44% with at least one finding from the Cookie Dark Patterns rule set (CNIL 2026 framework: hidden reject, false-symmetry buttons, accept-by-scroll).
  • 23% had no structured data at all. Another 41% had only basic Organization schema with no sameAs identity links.
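To make the "missing security headers" bucket concrete, here is an added example (not AuditOPE's own scanner code) that grades the three headers counted above on a response header dict; the HSTS preload thresholds (one-year max-age, includeSubDomains, preload) and the two constructed header sets are assumptions for illustration.

```python
# Added example, not AuditOPE code. Assumption: HSTS preload eligibility means
# max-age >= 31536000, includeSubDomains and preload (the public preload-list rules).
PRELOAD_MIN_AGE = 31536000


def hsts_findings(value):
    """Return the preload-eligibility problems for a Strict-Transport-Security value."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        directives[name.strip().lower()] = val.strip()
    problems = []
    age = directives.get("max-age", "0")
    max_age = int(age) if age.isdigit() else 0
    if max_age < PRELOAD_MIN_AGE:
        problems.append("max-age below one year")
    if "includesubdomains" not in directives:
        problems.append("missing includeSubDomains")
    if "preload" not in directives:
        problems.append("missing preload")
    return problems


def csp_findings(value):
    """Flag a CSP with no default-src fallback or a script-src that allows unsafe-inline."""
    directives = {p.split()[0]: p.split()[1:] for p in value.split(";") if p.strip()}
    problems = []
    if "default-src" not in directives:
        problems.append("no default-src fallback")
    if "'unsafe-inline'" in directives.get("script-src", directives.get("default-src", [])):
        problems.append("script execution allows 'unsafe-inline'")
    return problems


def audit_headers(headers):
    """Map each counted header to its findings; an empty list means it passes."""
    h = {k.lower(): v for k, v in headers.items()}
    return {
        "Content-Security-Policy": ["missing"] if "content-security-policy" not in h
            else csp_findings(h["content-security-policy"]),
        "Permissions-Policy": [] if "permissions-policy" in h else ["missing"],
        "Strict-Transport-Security": ["missing"] if "strict-transport-security" not in h
            else hsts_findings(h["strict-transport-security"]),
    }


# Constructed samples: a typical median-site response and a corrected one.
MEDIAN_SITE = {"Strict-Transport-Security": "max-age=300"}
FIXED_SITE = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; report-to csp",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
}
```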

Three patterns that explain most failures

Pattern 1 — The "WordPress + 14 plugins" stack

About 60% of sites we audit are WordPress with 10-20 plugins. The compound effect: inconsistent CSP because every plugin loads its own scripts (kills security headers); jQuery-era patterns that fail keyboard navigation tests (kills WCAG); Yoast SEO generates basic schema but no sameAs (kills GEO citability). The plugin pattern delivers fast time-to-launch but builds in 3 categories of debt.

Pattern 2 — The "We migrated to a new CMS" rebuild

About 15% of audits show sites that recently migrated (Webflow → Next.js, WordPress → Astro, custom PHP → Strapi). These score better on performance but regress on SEO (lost meta hierarchies), accessibility (component libraries that forgot ARIA), and structured data (rebuilt without re-implementing JSON-LD). The rebuild fixes the wrong dimension and breaks the right one.

Pattern 3 — The "Compliance theater" site

About 20% of audited sites have a cookie banner and a privacy policy page but no actual implementation. Cookie banner accepts without clicks (dark pattern); privacy policy references "we use Google Analytics" but actual loaded scripts include 15 trackers (Facebook Pixel, LinkedIn, HotJar, Hubspot) not mentioned. This is the GDPR enforcement risk we see most often — DPAs increasingly audit actual loaded scripts vs declared subprocessors.
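The "declared subprocessors vs actually loaded scripts" comparison can be automated. This added example (not AuditOPE code) parses a constructed page, collects every third-party host that scripts, images and iframes load from, and diffs it against the hosts the privacy policy names; the sample HTML, the declared-host list and the first-party host `example.com` are all assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not a real site): the privacy policy says only
# "we use Google Analytics", yet the markup loads four more trackers.
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="https://static.hotjar.com/c/hotjar-000000.js"></script>
<script src="https://js.hs-scripts.com/000000.js"></script>
<script src="https://snap.licdn.com/li.lms-analytics/insight.min.js"></script>
<script src="/assets/app.js"></script>
</head><body>
<img src="https://www.facebook.com/tr?id=0&ev=PageView" width="1" height="1">
</body></html>"""

# Declared subprocessors from the sample policy, as hostname suffixes
# (Google Analytics loads its gtag.js from googletagmanager.com).
DECLARED = {"googletagmanager.com", "google-analytics.com"}
SITE_HOST = "example.com"  # assumed first-party host


class LoaderCollector(HTMLParser):
    """Collect the hostnames of every script, image and iframe the page loads."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "img", "iframe"):
            return
        src = dict(attrs).get("src")
        host = urlparse(src).hostname if src else None
        if host and host != SITE_HOST:
            self.hosts.add(host)


def is_declared(host):
    return any(host == d or host.endswith("." + d) for d in DECLARED)


def undeclared_third_parties(html):
    """Return the sorted third-party hosts the page loads but the policy never names."""
    collector = LoaderCollector()
    collector.feed(html)
    return sorted(h for h in collector.hosts if not is_declared(h))


if __name__ == "__main__":
    print(undeclared_third_parties(SAMPLE_HTML))
```

Run against a page captured before any consent click, the output is the list a DPA would compare with the policy.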

What surprised us (compared with what we expected going in)

  • Performance is fine. Median Lighthouse mobile 78, desktop 92. The "Core Web Vitals crisis" narrative is mostly solved. INP regression (replacing FID) shifted some scores down 5-10 points but most sites adapted.
  • HTTPS is universal. 100% TLS. But 34% have at least one mixed-content warning (HTTP image, HTTP script). HTTPS shifted from "configure" to "configure correctly" as the bar.
  • Accessibility is worse than expected. We thought maybe 60% would fail at least one EAA criterion. The actual 78% suggests the June 2025 EAA enforcement timeline caught most operators unprepared.
  • GEO is underinvested. 64% of audited sites have zero AI crawler robots.txt configuration (no GPTBot rule, no Google-Extended distinction). Their content is being used for AI training with no control over which crawlers take it.

The 5 fastest wins by frequency

If you could change 5 things on the median site, in this order:

  1. Add missing alt text (54% of sites need this — clears 1-2 axe violations and recovers 4-6 EAA points)
  2. Add CSP with default-src 'self' + reportable list (67% need this — adds 8-12 security points)
  3. Add sameAs to Organization JSON-LD with LinkedIn + Wikidata (78% need this — adds 5-8 GEO points)
  4. Configure robots.txt for AI crawlers explicitly (64% need this — strategic GEO move, not score-direct)
  5. Audit cookie banner against CNIL dark patterns 2026 (44% need this — eliminates GDPR enforcement risk)
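Win 4 is cheap to verify. This added example (not AuditOPE code) parses a robots.txt and reports, for GPTBot and Google-Extended, whether each has an explicit group, only inherits the wildcard group, or is unconfigured, which is the distinction the 64% figure above is about; the sample robots.txt is constructed.

```python
from collections import defaultdict

# Constructed sample robots.txt: a wildcard group plus one explicit AI-crawler group.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /admin/

User-agent: GPTBot
Disallow: /
"""

# GPTBot is OpenAI's crawler token; Google-Extended is Google's AI-training control token.
AI_CRAWLERS = ("GPTBot", "Google-Extended")


def parse_groups(text):
    """Return {agent_token_lowercased: [(directive, path), ...]} per robots.txt group."""
    groups = defaultdict(list)
    agents, in_rules = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            if in_rules:  # a new group starts after the previous rule block
                agents, in_rules = [], False
            agents.append(value.lower())
            groups.setdefault(value.lower(), [])  # an agent with no rules is still explicit
        elif key in ("allow", "disallow"):
            in_rules = True
            for agent in agents:
                groups[agent].append((key, value))
    return dict(groups)


def ai_crawler_policy(text):
    """Classify each AI crawler: explicit-block, explicit-partial, inherits-wildcard, unconfigured."""
    groups = parse_groups(text)
    policy = {}
    for bot in AI_CRAWLERS:
        rules = groups.get(bot.lower())
        if rules is not None:
            full_block = any(d == "disallow" and p == "/" for d, p in rules)
            policy[bot] = "explicit-block" if full_block else "explicit-partial"
        elif "*" in groups:
            policy[bot] = "inherits-wildcard"
        else:
            policy[bot] = "unconfigured"
    return policy
```

Only "inherits-wildcard" and "unconfigured" count as the missing configuration the audit flags; either explicit outcome is a deliberate choice.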

What we'll be tracking next

Now that we ship regression monitoring (v0.20.8), we can see whether sites that run quarterly Pro audits actually improve over time, or just stay flat with new finding patterns rotating in. We'll publish a "did anyone fix anything?" follow-up at 500 audits.

Methodology: data aggregated across audits performed Feb-May 2026. Site identities anonymized. No category includes fewer than 8 sites (to preserve k-anonymity for smaller verticals like fintech). Raw aggregate numbers available on request to research-friendly outlets.
