March 2026
Analytics Governance Benchmark 2026
We scanned 1,022 regulated organisations across 19 EU/EEA markets and 14 sectors to measure the state of analytics governance in regulated industries.
Grade Distribution
Of the 654 organisations that returned a conclusive scan, the majority scored well - but a significant minority have serious governance gaps.
Sites that blocked automated scanning, returned errors, or had insufficient data for a reliable grade.
Key Findings
Root cause analysis across all organisations that scored below an A grade.
Non-EU data transfers
Nearly half of all root cause analyses identified non-EU data transfers as the primary governance weakness. Tags sending data to US-based processors without adequate transfer mechanisms remain the most common issue.
Consent not enforced
Consent management platforms are present but not properly enforcing consent signals. Tags fire before or regardless of user consent choices, undermining the entire consent architecture.
No consent infrastructure
A small but notable group of regulated organisations have no consent management platform deployed at all. All tags fire unconditionally on page load.
Session replay detected
106 organisations were found to be running session replay tools, which capture detailed user interactions and raise significant data protection questions under GDPR.
Server-side GTM adoption
Only 27 organisations have adopted server-side Google Tag Manager, a key mitigation for cross-border data transfer risks. Adoption remains extremely low.
Performance by Sector
Average governance scores and grade distribution across 14 regulated sectors.
| Sector | Organisations | Avg. Score | A | F |
|---|---|---|---|---|
| Insurance | 163 | 87 | 98 | 7 |
| Banking | 120 | 83 | 62 | 13 |
| Energy | 84 | 83 | 45 | 7 |
| Telecoms | 65 | 85 | 29 | 2 |
| Fintech | 38 | 86 | 23 | 2 |
| Credit Union | 36 | 86 | 23 | 2 |
| Healthcare | 34 | 81 | 13 | 4 |
| Pharma | 28 | 88 | 13 | — |
| Investment | 21 | 87 | 11 | — |
| Utilities | 14 | 79 | 5 | 1 |
| Legal | 14 | 87 | 5 | — |
| Gambling | 14 | 83 | 3 | 1 |
| Transport | 13 | 85 | 7 | 1 |
| Property | 10 | 84 | 1 | — |
Scoring Dimensions
Each organisation is scored across five weighted dimensions.
Methodology
Each organisation was scanned using Obscurity's automated governance scanner, which loads the homepage in a headless browser, observes all network requests before and after consent interactions, and evaluates five governance dimensions. Scans were conducted over a two-week period in March 2026. Organisations were selected from publicly available regulatory registers across 19 EU/EEA jurisdictions.
This benchmark measures observable, external governance signals only. It does not assess internal policies, contractual arrangements, or server-side processing that is not visible from the browser.
Already been scanned?
Enter your website URL to see if your organisation was included in the benchmark.
Check your organisation's governance score
Run an instant, free governance scan to see how your organisation compares to the benchmark.