Drupal CMS

Drupal CMS inherits Drupal 11's full Entity/Field API — 20+ core field types (text, integer, float, decimal, boolean, datetime, entity_reference, file, image, link, list, email, telephone, timestamp), unlimited custom content types, and schema-as-code via YAML config export. Polymorphic/union references require contrib (Entity Reference Revisions). The same raw power as Drupal core exists under the Drupal CMS distribution, though the marketer-facing UI simplifies some of the developer-facing schema tooling.

Entity Reference fields provide robust cross-content-type references with Views-based reverse traversal for bidirectional querying. Entity Reference Revisions adds revision-aware references (used heavily with Paragraphs). Polymorphic references possible via contrib. GraphQL contrib reached 5.0.0 stable in 2026, improving relationship querying for Drupal 11. Not graph-native by design — bidirectional queries still require Views configuration rather than being implicit.

Paragraphs module remains the de facto standard for component-based content with unlimited nesting and reusable component types, with 200k+ active installations. Drupal Canvas (default in Drupal CMS 2.0, Jan 2026) introduces Single Directory Components (SDC) as reusable building blocks with Twig/JS/CSS encapsulation, plus a component system and site templates (Byte). Layout Builder in core adds layout composition. Rich text output from CKEditor 5 is HTML blobs rather than structured portable content (Portable Text / AST), limiting portability.

Drupal's Typed Data / Validation API built on Symfony Validator supports field-level constraints: required, unique, min/max length, regex, cross-field validation via Form API #states, file type/size, enumeration via allowed values. Custom validation via hook_entity_presave() and custom constraints. Comprehensive, but implementing custom validators requires PHP code — no UI-driven custom rule builder as found in some commercial platforms.

Full revision history stored per entity with revert capability. Content Moderation in core provides configurable workflow states (Draft, In Review, Published, Archived). Scheduled Transitions module for scheduled state changes at a specific date. Diff module for visual revision comparison. Drupal CMS ships with editorial workflow and scheduling pre-configured via Publishing Tools installer option. No native content branching/forking prevents a higher score.

Drupal Canvas shipped as the default editing experience in Drupal CMS 2.0 (Jan 2026), delivering true drag-and-drop visual page building with live preview, in-place editing, and component management — marketers can rearrange layouts without developer involvement, plus AI page generation from text prompts. However, Canvas is still maturing: multilingual sites break the editor (language-prefixed URLs prevent loading, translations overwrite each other), with fixes only available via the contrib Canvas Multilingual module (1.0.0-beta1, Mar 2026), and complex field types remain on the mid-2026 roadmap.

CKEditor 5 integration in Drupal 10/11 is solid with an extensible plugin architecture, media embedding, configurable toolbars per text format, and good paste handling. Supports inline media (images, video) via Media Embed plugin, custom styles, and code blocks. Output remains HTML blobs rather than structured portable content (AST), limiting channel portability. Custom mark/annotation support requires CKEditor plugin development.

Core Media module provides a reusable media library with grid-based browser, media type system (image, video, file, remote video, audio), and folder-like organization. Image Styles provide automated server-side transforms (resize, crop, scale) with WebP output supported in core since 9.2; AI alt-text generation arrived in Drupal CMS 2.0. Focal Point available via popular contrib module. Not a full DAM — transforms are pre-defined server-side, not URL-based on-the-fly, and rights management/brand governance require external DAM integrations (Acquia DAM, Brandfolder).

Drupal CMS has no real-time co-editing capability. Content Lock contrib module provides pessimistic locking to prevent conflicting edits, but this is sequential access control, not collaborative editing. No presence indicators, no OT or CRDT-based concurrent authoring. CKEditor 5 has premium real-time collaboration features, but these are not bundled with Drupal and require a separate CKEditor Cloud subscription. Canvas autosave reduces lost work but does not add co-editing.

Drupal CMS ships with editorial workflow pre-configured: Draft → Needs Review → Published → Unpublished, with Scheduled Publishing enabled by default; as of March 2026 all content types are auto-opted into the editorial workflow with scheduling. Workflows + Content Moderation in core support multiple configurable workflow states and role-based transition permissions. ECA (Event-Condition-Action) module enables conditional routing and automated actions. Missing out-of-the-box parallel approval paths and native notification system without contrib.

JSON:API in core since Drupal 8.7 is spec-compliant with filtering, sorting, pagination, sparse fieldsets, and relationship includes — one of the most capable core REST implementations in any CMS. GraphQL contrib reached 5.0.0 stable for Drupal 10.4/11 in 2026, with PHP-attribute plugin definitions, node preview URL support, and cacheability fixes — a meaningful maturity step from beta. Both APIs support locale-aware queries. Strict JSON:API spec compliance is both a strength and a limitation for unconventional query patterns.

Drupal CMS is self-hosted with no built-in CDN. Cache tag-based invalidation in core is excellent for reverse proxy integration (Varnish, Fastly, Cloudflare), enabling granular cache purging on content publish. Purge module ecosystem provides CDN-specific integrations, and next-drupal supports on-demand ISR revalidation at the edge for decoupled builds. However, CDN is a hosting-level decision (Acquia Cloud, Pantheon, Platform.sh), not a Drupal CMS feature. No edge computing or sub-second purge without hosting add-ons.

Drupal core has a robust internal event system via Symfony Event Dispatcher, but outbound webhooks remain contrib territory. The Webhooks module covers entity CRUD, user events, and system hooks (cron, cache_flush) with configurable HTTP dispatch, and the newer Entity Webhook module adds admin-UI-configured bidirectional webhooks (broadcast entity changes outward and ingest JSON payloads inward) with no custom code. Still no built-in retry logic, HMAC payload signing, or delivery logs without custom development — well behind commercial SaaS CMS webhook systems.

JSON:API in core enables fully headless delivery to web, mobile, kiosks, and IoT, and headless Drupal is a well-established 2026 pattern. The next-drupal package provides Next.js integration with preview, authentication, and ISR revalidation; GraphQL 5.0 stable strengthens decoupled querying. However, Drupal CMS is primarily positioned as a traditional CMS with headless capability layered on — Canvas visual editing does not carry over to headless deployments, rich text output is HTML blobs (not portable AST), and official vendor-maintained SDKs for mobile/IoT are absent.

Drupal CMS has no native audience segmentation engine. Acquia Personalization — previously the main enterprise segmentation path — reached end-of-life January 31, 2026, narrowing options. Contrib paths remain: Smart IP/Context for rule-based conditions, the External Personalization (XP) recipe for CDP-driven segments, and the Personalization module for geolocation/taxonomy targeting. Score lowered slightly to reflect the loss of the flagship enterprise option.

Serving different content per audience still requires contrib modules or an external personalization engine — nothing ships natively in Drupal CMS 2.1. The External Personalization (XP) module provides a recipe for authoring personalized content while delegating decisions to external CDP/CRM engines. Acquia Personalization's EOL removes the visual overlay option, but the Personalize module ecosystem (with Executors) provides a Drupal-native variant path. Canvas does not include audience-aware variant rendering.

No native A/B testing ships with Drupal CMS 2.1. The contrib ecosystem has broadened: Server-side A/B Testing module serves variants server-side before HTML delivery, Personalize A/B adds a decision agent with no third-party dependency, and A/B Paragraphs handles split-content tests. None are core recipes, statistical significance reporting is thin, and results dashboards depend on external analytics.

No algorithmic recommendation engine exists natively in Drupal CMS. Manual editorial curation via Related Content fields is the default path. ML-based recommendations require external services or custom builds. No official recipe or marketplace module ships this in Drupal CMS 2.1.

Drupal Core includes a Search module with full-text indexing and basic relevance ranking. The Search API contrib module (de-facto standard for production) adds faceting, filtering, and autocomplete. Out-of-the-box core search lacks typo tolerance and relevance tuning — that requires the Search API + backend pairing.

The Search API framework remains one of Drupal's strongest ecosystem assets: official modules exist for Apache Solr, Elasticsearch, Algolia, Typesense, and MeiliSearch — all with Drupal 11 support. Webhook-driven index sync, faceted search, and autocomplete are well-documented. Breadth and quality of search backend support exceeds most CMS platforms.

Drupal Commerce 3.x is a mature, full-featured commerce module: product catalog, cart, checkout, pricing rules, inventory, and order management are all built-in. The new Commerce Recipe: Core packages Commerce for recipe-based installs, and Commerce Kickstart is aligning its site templates with Drupal CMS. Genuine native ecommerce within the ecosystem, though not bundled in the Drupal CMS default install.

The Shopify eCommerce module syncs products as fieldable, theme-able Drupal entities with webhook/cron updates, while Shopify powers checkout and back office. BigCommerce and commercetools integrations exist via contrib but are less polished. No deep bidirectional sync or product picker UI at the level of dedicated composable commerce connectors.

Drupal Commerce supports rich product content modeling: variation fields for variants, attribute-driven product types, media fields for images, rich text descriptions. The content model is genuinely Drupal-native (fieldable, revisionable). Not a purpose-built PIM but strong for editorial product content adjacent to commerce.

Drupal CMS has no native content performance analytics dashboard. Contrib options are emerging — Content Reporting tracks page views/time-on-page with chart dashboards, and Page Performance Insight (1.0.1, May 2026) surfaces Lighthouse metrics in admin — but neither ships with Drupal CMS 2.1. Author productivity and content lifecycle metrics still require custom reporting.

Drupal CMS ships one-click recipes for Google Analytics and Google Tag Manager. GA4, Segment, and Matomo contrib modules are well-maintained. Event streaming from content operations is webhook-driven via contrib. Solid integration depth for the major analytics platforms.

Drupal supports multi-site via the Domain Access module (domain-based multi-site sharing content) and native multi-site setup (separate databases, shared codebase). Sites can share content via Domain Access but governance tooling is manual. Not a SaaS-style multi-tenant management console — more silo-based with sharing possible via modules.

Drupal's multilingual system is one of the strongest in any CMS: field-level translation built into core (Content Translation module), locale fallback chains, locale-specific publishing, and 100+ supported languages via Interface Translation. All content types and configurations are translatable. A core strength since D8.

The Translation Management Tool (TMGMT) module provides TMS integrations for multiple providers including Microsoft Translator, Google Translate, and via sub-modules for Phrase (Memsource) and other TMS connectors. Bulk export/import workflows and machine translation hooks are supported. Not all major TMS providers have maintained official modules but the ecosystem is solid.

Multi-brand management via Domain Access allows different branding per domain under a shared Drupal install. Cross-brand approval workflows and global style enforcement require custom development — no native multi-brand governance tooling exists. Adequate for shared-content multi-brand but lacks centralized policy enforcement.

Drupal Core's Media Library provides organized asset management with metadata fields, custom tagging, folder-like organization, and usage tracking via contrib. Drupal CMS's Image recipe preconfigures media types and focal point cropping. It still lacks asset versioning, rights/expiry management, and advanced bulk operations — capabilities reserved for standalone DAMs. Solid mid-market asset management but not a purpose-built DAM.

Drupal core (11.2+) now converts image styles to AVIF with WebP fallback, and Drupal CMS's Image recipe ships responsive image styles with focal-point-based cropping out of the box — a real improvement over the prior no-modern-formats posture. Transforms remain predefined server-side styles rather than on-the-fly URL-based transformation, and CDN delivery still requires external integration (Cloudflare, Fastly, CDN module).

Drupal CMS supports video file uploads and embeds (YouTube/Vimeo via oEmbed) natively through Media entities. No native video transcoding, adaptive bitrate streaming, or caption management. Video hosting requires external services (Mux, Cloudflare Stream, Vimeo).

Drupal Canvas is the default editing experience in Drupal CMS 2.x: drag-and-drop component assembly, in-place editing with live preview, multi-step undo, multi-page preview before publish, in-browser code components, and the Mercury component library. Canvas 1.3.2 (March 2026) ships first-class in Drupal CMS 2.1, and site templates (Byte, Haven) provide pre-assembled Canvas pages. Maturing rapidly but still younger than Sitecore Pages or AEM's editor.

Drupal Core ships Workflows and Content Moderation modules: custom workflow states, role-based state transitions, and audit trail via content revisions. Drupal CMS's Publishing Tools preconfigures Draft → In Review → Published across content types, with notes fields for reviewer comments during state changes. No native SLA timers or parallel approval paths without contrib.

The Scheduler module (D11 compatible) handles scheduled publish/unpublish with date/time, and Drupal CMS enables Scheduled Publishing by default when Publishing Tools is selected at install. Moderation Scheduler extends this for workflow-integrated publishing. No native content calendar view (requires contrib) and release bundles require custom development.

Drupal CMS has no real-time multi-author editing, presence indicators, or inline commenting natively. Content locking via the Content Lock contrib module prevents last-write-wins conflicts. Version history with author attribution is built-in via revisions; workflow notes allow asynchronous reviewer comments but not inline annotation. Canvas 1.3 adds no collaboration features.

The Webform module remains best-in-class among open-source CMS form builders: conditional logic, multi-step forms, hidden fields, progressive profiling, CAPTCHA/spam protection, submission storage with export, and webhook/handler integrations on submit. Drupal CMS includes Webform as a standard component, and site templates like Byte ship with contact forms preconfigured.

Drupal CMS ships a one-click Mailchimp recipe that authenticates, pulls audiences automatically, and creates signup form blocks ready to drop into Canvas pages. HubSpot, Marketo, and Campaign Monitor contrib modules provide list sync and triggered sends from form submissions. No native email send capability or content-side email composer.

Mautic (open-source marketing automation) has deep Drupal integration and is the primary path for behavioral triggers and drip campaigns on the Drupal stack. HubSpot integration via forms provides nurture flows. Not native — requires a separate MA platform — but integration quality is higher than most traditional CMS peers.

No native CDP in Drupal CMS. Segment integration via contrib (Segment.io module for event streaming) and the External Personalization (XP) recipe formalizes a pattern for consuming external CDP decisions in Drupal content. Real-time identity resolution and unified customer profiles require significant external tooling.

Drupal.org hosts 50,000+ contributed modules — the largest open-source CMS ecosystem by module count. Drupal CMS 2.1 adds first-class free and premium site templates with an in-installer selection step, plus one-click recipes for Mailchimp, GA, GTM, and more. A site template marketplace MVP was shown around DrupalCon Chicago (March 2026). Partner ecosystem (Acquia, Pantheon, DDEV) is mature.

Drupal supports outbound webhooks via the Webhooks contrib module covering create/update/delete/publish events, widely used to trigger on-demand ISR revalidation in Next.js frontends. No native webhook UI in Drupal CMS core — configuration requires the Webhooks or ECA/Rules modules. Signed payloads and retry logic are available via contrib but require configuration.

JSON:API ships in core, and Next.js for Drupal (next-drupal) provides mature draft preview — editors click Preview in Drupal admin and see unpublished content in the Next.js frontend via Draft Mode. The NextJS Headless Preview contrib module packages this. No built-in branch environments or environment promotion UI — that requires platform-level tooling (Acquia, Pantheon).

Drupal Core has one of the most granular RBAC systems in the CMS landscape: custom role definition, per-permission granularity (500+ permissions), field-level access control via Field Permissions module, content-type-level access, locale-specific permissions via Content Language Access. SSO via SimpleSAML/LDAP modules. SCIM requires contrib. Permissions UI is complex but powerful.

Drupal CMS 2.0 (built on Drupal core 11.3) inherits the fully spec-compliant JSON:API v1.1 core module with consistent resource naming, relationships, sparse fieldsets, filtering, and sorting. The contrib GraphQL module remains actively maintained — 8.x-4.14 released April 2026 plus a 5.0.0 beta for Drupal 10.4/11. JSON Schema support for content models landed in 11.2. Docs are auto-generated without rich examples; no OpenAPI/Swagger without contrib, which caps the score below purpose-built API platforms.

No vendor SLA or documented rate limits since Drupal CMS is self-hosted by default. Drupal CMS 2.0 ships on core 11.3, which delivered a 26–33% increase in requests at the same database load — described as the best performance improvement in a decade. Dynamic Page Cache and Internal Page Cache provide layered caching, and JSON:API responses can sit behind Varnish/CDN, but there is no CDN-backed delivery or built-in rate limiting out of the box.

Still no official multi-language SDKs maintained by the Drupal Association or Drupal CMS project. The JavaScript ecosystem has next-drupal (TypeScript-first Next.js helpers for JSON:API) and drupal-jsonapi-params; no official Python, Java, .NET, or Go SDKs. Developers rely on generic HTTP clients or community packages — a meaningful gap versus purpose-built headless CMS platforms with 6+ official SDKs.

Drupal CMS accesses the full Drupal.org ecosystem of 50,000+ contributed modules spanning payment, DAM, CRM, search, AI, email, social, and analytics, plus the curated expert-picked module set vetted for Drupal CMS. Drupal CMS 2.1.0 added first-class support for free and premium site templates with an in-installer marketplace selection step. Module quality varies and the actively maintained Drupal 11-compatible subset is smaller, which keeps this below pure-marketplace leaders.

Extensibility remains the platform's strongest dimension. The Recipes system provides declarative building blocks; OOP hooks via PHP attributes (complete in 11.2, themes in 11.3) modernize the hook system; Plugin API, Symfony DI, and event subscribers extend every layer. Drupal Canvas (formerly Experience Builder), default in Drupal CMS 2.0, adds Code Components with third-party npm package imports via a Vite-based CLI and render-time prop validation — genuine custom-UI extension points in the visual builder itself.

SAML 2.0 (samlauth), OIDC (OpenID Connect), and OAuth2 (Simple OAuth) contrib modules are mature and available to any Drupal CMS install with no plan gating — an advantage over tier-gated SaaS competitors. MFA via the TFA module; API auth via OAuth2 bearer tokens. SSO requires contrib setup rather than turnkey configuration, which keeps this below platforms with built-in enterprise SSO.

Inherited from Drupal 11 core: hundreds of granular permissions, fully custom roles, and the node access grants system for content-instance-level access control. Field-level permissions via the Field Permissions contrib module; Content Moderation gates access by workflow state; the Group module enables audience-based access. Meets the field-level plus instance-level bar for a top-tier score; only the reliance on contrib for field-level control keeps it from higher.

Drupal CMS is open-source; certifications are hosting-provider dependent rather than inherent. Acquia holds FedRAMP + SOC 2 Type 2 + ISO 27001; Pantheon and Platform.sh hold SOC 2; Amazee.io offers ISO 27001-certified Drupal hosting. The GDPR contrib module provides consent management and DSAR tooling. HIPAA eligibility requires appropriate hosting configuration — the platform itself carries no certifications, capping this score.

2026 brought four core advisories including SA-CORE-2026-004, a highly critical SQL injection in the database abstraction API (PostgreSQL sites) — the most severe core flaw in years, echoing Drupageddon's vulnerability class. Handling was exemplary: an advance PSA (PSA-2026-05-18) gave operators notice before the May 20 coordinated release, and patches shipped across all supported branches. The Drupal Security Team, HackerOne disclosure program, and transparent advisory database remain strengths, but a highly critical core SQLi warrants a penalty versus last cycle's moderately-critical-only year.

Drupal CMS supports self-hosted (any PHP/MySQL environment), managed platforms (Acquia, Pantheon, Platform.sh), Docker via DDEV, and private cloud. Composer-based deployment is portable across environments with no SaaS lock-in — ideal for regulated industries. Maximum flexibility at the cost of operational complexity, which is scored in other items.

No inherent SLA — Drupal CMS is self-hosted by default and the customer owns uptime. Hosting-provider SLAs apply where used: Acquia Cloud Enterprise 99.95%, Pantheon 99.9%. No central status page because there is no central SaaS service. Scores appropriately lower than SaaS platforms per the self-hosted anti-pattern guidance.

Drupal is proven at massive scale (government portals, global media), and Drupal CMS 2.0's core 11.3 foundation carries the 26–33% throughput improvement. Cache tag-based invalidation enables granular CDN/reverse-proxy management, and horizontal scaling patterns (load balancers, read replicas, Redis/Memcached, Varnish, CDN) are well documented. The ceiling is high but reaching it requires operational expertise rather than vendor-managed auto-scaling.

Configuration Management exports full site configuration as version-controlled YAML; database and file backups run via standard MySQL/PostgreSQL tooling plus the Backup and Migrate contrib module; Migrate API provides robust data portability with open formats and no lock-in. RTO/RPO are hosting-environment dependent with no built-in multi-region failover — solid tooling but recovery targets are left to operators.

DDEV remains the officially recommended local environment with one-command, near-production-parity Docker setup (database, mail, Solr, Redis) and dedicated Drupal CMS install docs at new.drupal.org. Drush handles config, database, cache, and code generation. New since last cycle: @drupal-canvas/workbench, a Storybook-inspired local dev server for building and maintaining Canvas code components, strengthening the frontend-component workflow.

Configuration Management is purpose-built for CI/CD — all configuration flows as YAML through version control via drush config:export/import, and Drupal 11.2's 3–4x faster module/config installation speeds pipelines. The Recipes system enables declarative, reproducible setup; the Canvas CLI adds pull/build workflows for code components. Branch-based environments come from hosting (Pantheon Multidev, Platform.sh) rather than the platform itself.

Drupal CMS documentation at new.drupal.org matured with the 2.0 release — focused getting-started guides (including DDEV install paths), Recipes documentation, and site-builder guidance — and Drupal Canvas now has a dedicated docs site covering code component concepts and guides. Underlying api.drupal.org reference remains auto-generated and thorough but not beginner-friendly, with no interactive API playground and uneven contrib module docs.

Drupal CMS is PHP-based, but TypeScript footing improved: Drupal Canvas's code component compiler now supports TypeScript syntax (via SWC parsing — no type checking), the Canvas CLI handles TSX components, and the contrib TypeScript Definition Generator and ts_for_core provide entity/core type definitions. Still no official auto-generated types from content models in core and no official TS SDK, keeping this in the community-tooling band.

Drupal CMS sustains a ~28-day average between stable releases: 2.0 (Jan 2026), 2.0.1 (Feb 2026), 2.1.1 (Apr 10, 2026), 2.1.2, and 2.1.3 (June 2, 2026). Core cadence is equally strong — 11.4.0-beta1 shipped June 3, 2026 with stable due the week of June 22, and Drupal 12 targets the week of August 10, 2026. Raised from 78: monthly stable releases plus an on-track major qualify for the 80 band; not higher because the distribution itself is still under 18 months old.

drupal.org/project/cms/releases provides per-release structured notes (2.0.1 documented bug fixes and the new Blank site template; 2.1.1 documented launcher export and the 11.4 menu shim). Core change records (drupal.org/list-changes) flag API changes with migration steps, and security PSAs are published in advance (PSA-2026-05-18). Not 80+ because CMS-distribution notes remain lighter than the mature core notes.

The Drupal 12 release plan is tracked in a public meta-issue with three published contingency windows (June/Aug/Dec 2026) and open beta-requirement status updates. The AI Initiative publishes a detailed 2026 roadmap with named workstream leads (QED42 innovation, 1xINTERNET product). Public issue queues and core blogs ('Help us reach Drupal 12's second release window') provide unusual transparency. Not higher due to absence of a community voting portal like Canny.

Drupal follows semver-aligned deprecation: APIs are deprecated for at least one minor cycle before removal, documented via change records, with the upgrade_status contrib module automating compatibility checks ahead of Drupal 12 (Aug 2026). Drupal CMS 2.1.1 shipped a Content-create menu shim specifically to smooth the 11.4 transition — evidence the distribution actively manages compatibility. Not higher because cross-major upgrades still require manual effort.

Drupal remains one of the largest open-source CMS communities: 800+ Slack channels, 40,000+ registered contributors on drupal.org, ~1.2% of all tracked websites and a clear #2 behind WordPress among the top-10K/100K/1M sites by traffic. Two annual DrupalCons (Chicago March 2026, Rotterdam Sept 2026) continue to draw global participation. Not a 90 because raw size metrics (GitHub stars, npm downloads) are less prominent for a PHP platform vs. JS ecosystems.

DrupalCon Chicago (March 2026) saw a surge of support for the AI Initiative — 31 agencies contributing funds and team members — and DrupalCon Rotterdam 2026 has published a full program including five specialized summits. 28+ organizations pledge 23+ FTE contributors with 50+ individuals active across workstreams. Not higher because community commentators have raised concerns about DrupalCon attendance counting and inclusion, and the developer survey shows almost no participants under 21.

The Drupal Certified Partner program lists hundreds of agencies globally with tiered certification; top-tier agencies (Lullabot, Palantir, 1xINTERNET, QED42) plus Acquia as the Vista-backed commercial anchor. The AI Initiative formalized delivery partnerships with QED42 and 1xINTERNET leading named workstreams. Not 85+ because major global SIs (Accenture, Deloitte) are not Drupal Certified Partners, unlike AEM's ecosystem.

Decades of tutorial content: thousands of YouTube videos, Udemy/LinkedIn Learning courses, DrupalCon session archives, and extensive drupal.org documentation. Agencies (Droptica, Annertech, Stone Circle, 1xINTERNET, PreviousNext) publish steady 2026 coverage of Drupal 11.4, Drupal 12, and Drupal CMS 2.x; trade press (TheDropTimes, CMSWire, CMSCritic) covers each release. Near the top of this metric among open-source CMSs.

Drupal Jobs (jobs.drupal.org) remains active and Drupal developers are available in volume across North America, Europe, and South Asia. However, the generational pipeline concern persists: the developer survey shows no respondents under 21 and minimal participation from developers with under one year of experience, indicating a narrowing inflow. Near-term availability remains strong, so not lower.

Momentum remains bifurcated. Drupal CMS ships monthly and the AI Initiative drew 31 agencies at DrupalCon Chicago 2026, but overall market share continues its long decline (7.2% of CMS share in 2013 to ~1.1–1.2% in 2025–26 per W3Techs) as smaller sites churn to simpler tools. Enterprise position holds — clear #2 behind WordPress in the top-10K/100K/1M sites by traffic. Not below 55 given the AI tailwind and enterprise stickiness; not higher while aggregate share still erodes.

The AI Initiative met its $1M goal in five months (June–Oct 2025) and grew to $1.5M with 31 contributing agencies by DrupalCon Chicago (March 2026), backed by the Drupal Association Board's Vision Fund. Non-profit governance plus Acquia (Vista Equity-owned) as commercial anchor makes the project immune to VC pressure. Not higher because the Association has itself flagged financial sustainability challenges in recent years.

Drupal CMS positions as the accessible, AI-powered open-source alternative to proprietary DXPs, and the AI Initiative reaching 'production-ready' status at DrupalCon Chicago 2026 sharpens that story. However, no current Gartner MQ names Drupal CMS, aggregate market share keeps eroding, and analyst visibility remains below peak-Drupal years. Clear differentiation vs. WordPress and commercial DXPs keeps it above 60.

G2 remains 3.9/5 with 470 reviews as of mid-2026 — unchanged since the last scoring pass. Per the scoring formula, sub-4.0 with <500 reviews lands in the 45–60 band; mid-band is appropriate given review volume. Themes are stable: praised for flexibility and customization, criticized for steep learning curve, complex coding requirements, and performance on large applications. Drupal CMS 2.x targets these complaints but hasn't yet moved the aggregate.

Drupal CMS is fully open-source and free — no licensing fees, no pricing tiers to navigate. The software cost is unambiguously zero, and Drupal CMS 2.0 (Jan 2026) kept all new features (Canvas, site templates, AI) free. Scores well but not ceiling because total cost clarity still requires researching hosting and implementation separately.

Open-source with zero licensing cost is the most predictable pricing model possible — no API meters, no seat counts, no bandwidth overages from the vendor. Hosting costs are separately controlled and predictable. The only concern is that total-cost predictability depends on implementation scope: 2026 guides put 3-year TCO at 1.7–2.6× initial build cost, which is variable.

All Drupal CMS features are included in the open-source distribution — no premium tiers, no paywalled modules at the platform level. Drupal CMS 2.0's headline features (Drupal Canvas visual builder, Byte site template, Mercury component library, AI agents, one-click Mailchimp/GA/GTM integrations) all ship free. Contrib ecosystem remains overwhelmingly free.

No software contract exists — you can stop using Drupal CMS at any time with no penalties. Hosting contracts are with third parties and vary, but many offer monthly billing. Startup and nonprofit programs exist through community hosting partners. Maximum flexibility from the platform vendor side.

Drupal CMS is permanently free for any use including commercial, and the free Drupal CMS Launcher desktop app now runs the full platform locally with zero hosting spend. Budget hosting starts at ~$5/month. No artificial capability restrictions, no time limits, commercial use fully permitted.

Drupal CMS 2.0 (Jan 2026) materially improved onboarding: the desktop Launcher runs a local site in minutes with no server setup, and site templates install a complete, pre-configured professional site in under three minutes. Production deployment still requires provisioning hosting (one-click installers widely available), keeping it short of the sub-hour SaaS ceiling.

Drupal CMS 2.0's site templates and Canvas visual builder shift simple marketing sites toward 'days instead of weeks' per the launch messaging, a real improvement over classic Drupal. But mid-size corporate builds still run 3–6 months and enterprise 6–12 months, and only one site template (Byte) shipped at launch, limiting the speedup's reach. Modest improvement, still above the 2–4 week ideal for most real projects.

Drupal development still commands a meaningful premium: 2026 North American rates run $80–$250/hour, with Acquia Elite partners billing $150–$250/hour vs. $80–$120 for general PHP developers — roughly 25–50% above generalist rates. Talent pool is smaller than WordPress, increasing scarcity-driven cost. Not as expensive as proprietary DXP specialists but clearly above market baseline.

Drupal CMS requires separate hosting — nothing is included with the platform. Budget shared hosting works for small sites ($5–50/mo) but performance degrades quickly. Production sites typically use managed Drupal hosting (Acquia from $141/mo for 100k pageviews to $516/mo for 1M, Pantheon $50–500+/mo) or self-managed cloud VPS with CDN. Enterprise portals can exceed $50,000/year in managed hosting.

Drupal CMS remains maintenance-heavy: regular core updates, security patches, contributed module updates, PHP version compatibility, and database maintenance. 2026 guidance budgets maintenance at 15–25% of initial build cost per year ($2,000–$8,000/month for enterprise deployments). Managed hosting offloads some of this but adds cost; self-hosted requires at minimum a part-time ops resource.

As open-source software storing data in standard MySQL/PostgreSQL databases, Drupal CMS has low vendor lock-in at the platform level. Content can be exported via Views Data Export, REST/JSON:API, or direct database dump; configuration exports in YAML via Drush. Moving to another platform requires ETL work but no proprietary data format. Hosting lock-in is separate and depends on provider choice.

Drupal CMS 2.0 (released 2026-01-28) ships Canvas as the default editing experience with the Mercury component library, so site builders no longer need to learn bespoke theming — community guides note new developers 'just need to understand the Canvas components.' However, custom development still requires the full entity/field/hook/Views/services stack, keeping concept density well above the <5-concept ideal. Slight improvement over prior score reflects Canvas reducing the theming/regions/blocks learning surface.

Drupal CMS has a dedicated getting-started hub (new.drupal.org/docs/drupal-cms) with a pre-configured DDEV path that auto-opens a working site, plus Drupalize.me structured learning and a template marketplace planned for 2026. Gaps remain: a Feb 2026 drupal.org forum thread documents missing instructions for installing CMS 2.0 without DDEV, and docs are still spread across drupal.org, Drupalize.me, and community blogs rather than a single guided path.

Backend remains PHP + Twig with Drupal-specific patterns, though Drupal 11 modernized DX with object-oriented hooks via PHP attributes, a standardized Icon API, and GitLab merge-request workflows replacing the bespoke patch system. Headless paths are solid — JSON:API in core, next-drupal (Chapter Three) with SSG/SSR/ISR and GraphQL support — but custom work still requires learning Drupal's PHP framework, which is foreign to JS-first developers.

Drupal CMS 2.0 shipped official Site Templates (drupal_cms_site_template_base starter kit) and the Mercury component library with cards, heroes, testimonials, menus, and accordions out of the box, with a curated/commercial template marketplace announced for 2026. For headless, next-drupal and Acquia's documented Next.js starter kit exist but are community/vendor-adjacent rather than core-maintained, and lack the polish of headless-first platforms' starters.

Drupal CMS ships pre-configured for DDEV (.ddev/config.yaml included), so local setup is effectively unzip + one command, or `composer create-project drupal/cms` for PHP-ready environments. Production still requires Composer dependency management, database config, settings.php/settings.local.php environment handling, and Drush for many admin operations — a config surface far heavier than SaaS platforms. Non-DDEV setup remains poorly documented per community reports.

Drupal's entity/field system has no field count limits, and Configuration Management (config export/import) provides version-controlled schema deployment. Field type changes on populated content still require migration scripts via the migrate API, but tooling support makes schema evolution lower-risk than platforms without migration paths. No material changes in Drupal CMS 2.0 to this layer.

Canvas 1.0 (stable since 2025-12-04) is now the default editing experience in every new Drupal CMS 2.0 install, providing true drag-and-drop with live preview and real-time responsive desktop/mobile previews — no setup required for traditional deployments. Decoupled setups have the next_preview module (preview iframe on node pages) and next-drupal Draft Mode, but these require frontend configuration. Not higher because headless preview is still multi-step and module-dependent.

Canvas and Site Templates mean site builders and frontend implementers need less Drupal-specific theming knowledge than before — Canvas components replace bespoke theme development for many sites. Custom module development still demands Drupal-specific PHP (entity API, services, hooks — now OO but still proprietary patterns), so generalist React/TypeScript developers cannot be productive on backend work without significant ramp-up. No certification is required.

Drupal CMS 2.0's launch messaging claims marketing teams can 'launch fully branded, professional websites in days instead of weeks' using templates and Canvas, and a solo developer can realistically ship a template-based site. Production implementations with custom functionality still typically need 2–3 roles (Drupal backend, frontend, DevOps/hosting), and enterprise builds more. The floor has dropped meaningfully; the ceiling for custom work has not.

Canvas as the default editing experience gives marketers drag-and-drop page building with live preview, the Mercury component library provides ready-made building blocks, and integrated AI tools assist content creation — all without developer involvement for day-to-day operations. Site Templates and Recipes let admins add features without code. New content types, custom components, and third-party integrations still route through developers, which caps the score.

The Drupal CMS 1.x → 2.0 transition (January 28, 2026) proved to be a non-event for existing sites: official release notes state existing installations need do nothing, since post-install Drupal CMS is a standard Drupal site updated like any other. Automatic Updates is now stable for patch releases on Drupal 11, and Canvas 1.2 adds automatic component instance updates so prop/slot changes don't break content. Recipes still have no update path, and major core upgrades (D11 → D12, due August 2026) remain Composer-driven — keeping this below SaaS-style scores.

The May 2026 highly critical SQL injection (SA-CORE-2026-004, CVE-2026-9082) demonstrated an exemplary process: PSA-2026-05-18 pre-announced a fixed release window, patches shipped simultaneously for all supported branches (11.3.x/11.2.x/10.6.x/10.5.x) plus extra releases for 11.1.x/10.4.x and even patch files for EOL D8/D9. Automatic Updates applies security patches in the background for patch-level releases, reducing operator friction versus classic composer workflows. Not higher because highly critical releases still demand operator coordination within a ~24-hour exploit window on self-hosted deployments.

The feared distribution-layer migration risk did not materialize: Drupal CMS 2.0 required no action from existing 1.x sites, and Drupal CMS ships on Drupal 11.3, so the December 9, 2026 D10 EOL does not affect it. Drupal 12 (targeted week of August 10, 2026) is designed to feel 'more like a minor update', with disruptive deprecations deferred to D13. The two-year major release cycle still imposes a recurring sequential-upgrade obligation, and recipe-based functionality lacks an update path at each transition — keeping this below 50.

Drupal CMS 2.0 still runs the full Symfony-based Drupal stack — PHP 8.3+, MySQL/MariaDB/PostgreSQL, Composer, Twig, Guzzle, contrib modules — and now adds Canvas and the Mercury component library as additional moving parts. Recipe version-locking complexity persists. The dependency surface is unchanged or slightly larger than classic Drupal, with no simplification of the graph.

Auto-update readiness checks at /admin/reports/status remain the main built-in operational signal; no native APM, alerting, or observability dashboard exists in Drupal CMS 2.0. Production monitoring still requires external tools (New Relic, Datadog, Uptime Kuma) or managed-hosting instrumentation from Acquia/Pantheon. Unchanged from the 1.x assessment.

Canvas 1.2's Automatic Component Instance Updates reduce content breakage when component props/slots change — a concrete content-ops improvement — and Drupal CMS 2.0 ships curated SEO tools and site templates that lower editorial setup burden. However, automated content hygiene (orphan detection, broken reference alerts, content expiry) still requires contrib modules or manual editorial discipline. The governance model remains fundamentally manual.

Drupal core 11.3 delivers what drupal.org calls the biggest performance improvement in a decade — 26–33% more requests on the same infrastructure — giving operators more headroom before tuning is needed. The management model is otherwise unchanged: cache tag/context configuration, Varnish/CDN setup, and database tuning remain operator responsibilities on self-hosted installs, while Acquia/Pantheon/Upsun absorb much of it for hosted deployments. Not higher because active cache and scaling management is still required.

The support model is unchanged: no first-party SLA from the Drupal Association; formal support comes via hosting partners (Acquia, Pantheon, Upsun) or contracted agencies, which is notable given Drupal CMS targets site builders and marketers. Acquia and Pantheon offer tiered SLAs for platform customers, and agency maintenance packages are widely available. Good support still requires a paid hosting or agency arrangement.

Dedicated #drupal-cms-support and #drupal-cms-development Slack channels remain active with Drupal Association staff participation, and 2026 reviews describe support as 'abundant, with countless resources, forums, and knowledgeable users.' After ~18 months in market, the Drupal CMS-specific knowledge base has matured meaningfully beyond the launch period. Slightly below classic Drupal's 75 because CMS-specific (recipes, Canvas) answered-question coverage is still thinner than core Drupal's two-decade archive.

The team delivered Drupal CMS 2.0 on its published roadmap date (January 28, 2026), Canvas iterated quickly (1.0 in December 2025 to 1.2 by mid-2026), and the May 2026 highly critical advisory was handled within a pre-announced window — all signs of healthy velocity. Drupal CMS-specific issue queues remain active but depend on a smaller maintainer team than core, and no SLA exists for non-security bugs. Score raised modestly for the demonstrated on-schedule major release.

Drupal CMS 2.0 (launched January 28, 2026) ships Canvas 1.0 — a drag-and-drop visual page builder with live preview, component-based layout design, and AI-assisted page generation ('Build me a landing page'). The Byte site template provides a preconfigured marketing site out of the box, and the Mercury component library supplies common building blocks. Marketers can compose pages from hero banners, card grids, and CTA blocks without touching code. Not quite 80+ because Canvas is new and the component library is still maturing.

Drupal CMS provides content scheduling (publish/unpublish dates) and content moderation workflows but has no native campaign management module — no multi-channel coordination, campaign analytics dashboard, or campaign lifecycle tooling out of the box. Contrib modules (Campaign Monitor, Mailchimp recipe) extend this but do not constitute a campaign management system. Scores above headless CMS (30–35) only because of scheduling and moderation.

The Drupal CMS SEO Tools recipe bundles Metatag (meta titles/descriptions/OG tags), Simple XML Sitemap, Pathauto (SEO-friendly URL generation), Redirect (301 management), and Schema.org Metatag for structured data — all available at install time. This is a comprehensive built-in SEO toolkit that rivals dedicated SEO platforms. Canonical URL management and robots.txt management also included. Not 85+ only because real-time SEO feedback tools are contrib, not core.

Drupal CMS 2.0 includes a Mailchimp integration recipe (one-click signup form blocks), and the Webform contrib module provides capable lead capture forms. However, there is no native UTM parameter tracking, conversion pixel management, or CTA performance analytics out of the box. Performance marketers still need external analytics (GA4, HubSpot) for conversion tracking. Scores above 35 because the Mailchimp recipe and form tooling are more turnkey than typical CMS platforms.

Drupal CMS has no native personalization engine. The Smart Content contrib module provides basic rule-based targeting (audience segmentation by context), and Acquia Personalization adds a full behavioral targeting layer as a commercial add-on. The Kameleoon module enables audience targeting and analytics. No native real-time behavioral personalization exists in CMS 2.0 core or standard recipes. Scores above headless CMS floor because Smart Content is a meaningful contrib option and the Drupal ecosystem has real personalization tooling — but it requires add-ons.

The new Server-side A/B Testing module (introduced April 2026) provides a genuine Drupal-native experimentation framework: server-side variant execution to eliminate flicker, content-based experiments using existing Drupal nodes as variants, sticky user assignments, and GA4/GTM integration for results analysis. A/B Paragraphs (updated February 2026) and the stable Kameleoon module offer additional options. Statistical analysis and winner selection still live in GA4 or external tools — no native stat-sig reporting or auto-winner in core. Now scores in the 'experimentation via tight integration' band rather than the no-capability floor.

Drupal CMS 2.0 Canvas 1.0 enables marketers to clone page templates, edit inline, add pre-built component blocks, and publish directly without developer involvement. AI-assisted page generation via text prompts ('Build me a landing page') further accelerates content creation. Bulk operations, content scheduling, and media library are all accessible in the editorial interface. Not quite 70+ because the component library is still maturing and complex layouts still benefit from developer assistance.

Drupal CMS provides RESTful and GraphQL JSON:API for headless/decoupled delivery to web, mobile, and other digital channels. Content structured in Drupal can be served to multiple front-end applications, IoT devices, and digital touchpoints via APIs. However, multi-channel is API-driven requiring front-end development per channel — no native social push, email, or SMS delivery from the CMS. Scores above purely headless CMS peers because Drupal's web-first experience is mature, and API delivery to additional channels is well-documented.

Drupal CMS 2.0 includes one-click Google Analytics 4 and Google Tag Manager recipe integrations — no technical setup required. Matomo and other analytics platforms have contrib modules. However, content performance metrics (engagement data, content decay, top-performing pages) remain in external analytics tools — no native analytics dashboard within the CMS. Scores above 45 because GA4 and GTM are genuinely one-click in CMS 2.0, a meaningful improvement over manual tag installation.

Drupal CMS 2.0 Canvas introduces a component-based architecture where brand themes enforce typography, color tokens, and approved component palettes via the theme system. The 2026 AI roadmap adds Context management for defining brand voice and style guides to steer AI-generated content. However, there are no hard enforcement mechanisms preventing marketers from overriding brand colors or creating off-brand layouts — Canvas offers guardrails through component selection but not enforceable style locks. Scores above 50 because the component system is a genuine improvement over unconstrained page building.

The SEO Tools recipe provides OG and Twitter/X card meta tag management for social preview cards. Contrib modules exist for social sharing widgets, social feed embeds (Twitter, Facebook), and basic social media integration. No native social scheduling or push-to-social workflow exists in Drupal CMS 2.0 — social distribution requires external tools (Buffer, Hootsuite). Scores at the standard 'OG plus social sharing' tier for traditional CMS platforms.

Drupal CMS includes a native Media Library with image transforms (via core Image module), video embedding, and basic asset tagging. Rights management and usage tracking require contrib. Full DAM capability is available via integrations — Acquia DAM (first-party for Acquia cloud deployments) and third-party DAMs (Kontainer, Brandfolder) have Drupal modules. Most deployments use Drupal's media library as a working asset store without enterprise DAM features. Scores above 35 because the media library is functional and Acquia DAM integration is real.

Drupal CMS has one of the strongest multilingual frameworks in open-source CMS: core Language, Content Translation, Interface Translation, and Configuration Translation modules provide field-level translation, locale-specific content scheduling, and per-language URL structures. The Translation Management Tool (TMGMT) contrib module adds translation workflow, professional translation service integrations, and transcreation workflows. Regional cookie consent and compliance can be managed per locale via contrib. Not 65+ because transcreation UI and market-level scheduling are contrib rather than recipe-ready.

Drupal CMS 2.0 ships with one-click recipe integrations for Mailchimp (email/MAP), Google Analytics 4, and Google Tag Manager. A broad contrib ecosystem covers HubSpot, Salesforce CRM, Marketo (via webhook/API modules), and social ad platform tag management via GTM. However, there are no first-party, deeply maintained pre-built connectors to major MAP platforms (Marketo, Pardot) or CDP systems out of the box. Scores above 45 because CMS 2.0 recipes make common MarTech connections genuinely easy, but the connector breadth is below commercial DXPs.

Drupal Commerce 3.x integrates natively with Drupal CMS, combining product data modeling, variant management, per-SKU media library, product taxonomy, and editorial content on a single platform. Commerce 3.3.0 (February 2026) overhauled order management into a unified single-page dashboard with modal-based workflows, plus new field formatters (product title with SKU, consolidated billing/payment cards). Over 42,000 active Drupal Commerce sites validate real-world depth. Not 80+ because Commerce setup still requires developer configuration.

Drupal Commerce provides category management, promotion and discount engines, and scheduled pricing — reasonable for an open-source commerce layer. However, there are no native search result merchandising tools, AI-driven cross-sell/upsell content blocks, or visual merchandising interfaces. Category management and promotional content scheduling exist but require custom development for advanced merchandising. Scores above 35 because Commerce's promotion engine is real.

Drupal Commerce is the native, deeply integrated commerce solution — no external platform needed. For headless commerce scenarios with Shopify or commercetools, contrib modules and custom API integrations exist but no first-party, maintained deep-sync connector is bundled with Drupal CMS. The native Commerce path is strong; third-party commerce platform integration is more of a custom build. Scores mid-range reflecting native strength offset by weaker third-party synergy.

Drupal Commerce enables editorial commerce: buying guides, lookbooks, and shoppable content where customers can add products to cart directly from blog posts or editorial pages. Product references can be embedded inline in any content type alongside rich editorial content. Canvas 1.0 allows marketers to compose these editorial-commerce blended pages without developer help. Not 65+ because the 'shop the look' and hotspot-style visual storytelling patterns require contrib or custom development.

Drupal Commerce provides some CMS-manageable elements in the checkout flow — trust badges, promotional messaging, and upsell blocks can be placed on cart and checkout pages via Drupal's block system. However, there is no dedicated CMS-controlled content injection layer for transactional flows — checkout templates are primarily Commerce-controlled and require developer changes to introduce CMS-managed content blocks. Scores above the floor because the underlying Drupal block architecture technically enables content in checkout, but it's not a turnkey feature.

Drupal Commerce provides a customer dashboard where order history, address book, and payment management are accessible — and CMS content can be surfaced in this area via Drupal's block/view system. Order confirmation emails are templated and can include CMS-managed content. However, CMS-managed post-purchase sequences tied to order events (delivery tracking, review solicitation, loyalty content) require custom development or contrib modules. Scores above the floor because the Commerce customer portal exists.

Drupal Commerce has a proven B2B track record: customer-specific pricing via price resolvers, quote-request flows, account-level catalog segmentation (customer groups), purchase order workflows, and ERP/CRM integration capability. Gated product documentation and spec sheets are achievable via Drupal's access control system. The Commerce B2B contrib module extends these capabilities further. Over 42,000 active Drupal Commerce deployments include substantial B2B use. Not 65+ because the B2B content features require significant developer configuration.

Drupal Search API with Solr or Elasticsearch backend enables faceted product and content search, taxonomy-driven filtering, and search result blending of editorial and product content. Commerce-specific search landing pages are achievable via Views and Search API. Synonym management and search result merchandising require contrib customization. Scores at mid-range because Search API is powerful but requires significant configuration and no native blended content-product search UI exists out of the box.

Drupal Commerce ships with a promotion engine supporting time-based activation, percentage/fixed discounts, promo codes, tiered pricing, and scheduled pricing rules. Sale banners and countdown timers can be managed via Drupal's block and scheduling system. Channel-specific targeting requires additional configuration. The promotion engine is genuinely capable for an open-source platform. Not 60+ because channel-specific content targeting and countdown timer components require contrib.

Drupal Multisite combined with Drupal Commerce enables multiple storefronts from a single codebase — each storefront can have region-specific editorial content and legal content while sharing a product catalog. Shared content types and media are maintained centrally. However, storefront-specific editorial requires content duplication or custom sync logic — there is no native shared-product/isolated-editorial architecture. Scores at 55 because the multisite commerce architecture is real and production-proven but requires ops discipline.

Drupal's media library supports image galleries, video embedding, and basic image transforms. Product images with multiple angles are manageable. However, there is no native 360-degree product viewer, AR/3D model support, or image hotspot functionality in Drupal Commerce or Drupal CMS 2.0. These advanced visual commerce features require third-party integrations (Cloudinary, Viuer) or custom development. Scores above the floor because multi-image galleries and video on product pages are achievable without custom code.

Drupal Commerce marketplace capability exists via contrib (Commerce Marketplace module, custom multi-vendor setups) but is not a first-class out-of-the-box feature. Seller profiles, seller-contributed product descriptions, and content moderation at marketplace scale are achievable but require significant developer configuration. No turnkey marketplace content management solution ships with Drupal CMS 2.0. Scores in the 30s — not at the floor because the Drupal ecosystem has documented B2B marketplace deployments.

Drupal Commerce inherits Drupal's best-in-class multilingual framework — product titles, descriptions, and attributes can be translated per locale, with currency-aware content blocks, locale-specific pricing, and regional regulatory content (EU labels, legal disclaimers) manageable per language. Commerce 3.3 added translatable store email addresses and updated EU VAT rates, improving multilingual storefront support. The Translation Management Tool (TMGMT) applies to product content. Strong foundation, with the only gap being no AI-assisted product translation out of the box.

Drupal Commerce integrates with GA4 via the Google Analytics module, enabling basic ecommerce tracking (product views, add-to-cart, purchases). However, there is no native content-to-revenue attribution within the CMS — connecting which editorial pages assisted conversions requires GA4 or external analytics configuration. No content performance dashboard within Drupal CMS surfaces commerce conversion data. Scores at 35 as a CMS with GA4 ecommerce tracking available but no native content-commerce analytics.

Drupal's access control system is one of its historic strengths: granular RBAC per content type, node-level access control, field-level permissions, content-instance visibility, and SSO-backed authentication via SAML/OAuth/LDAP. Open Intranet Access provides hierarchical group-based permissions restricting content by team or departmental membership with inherited access for child groups. Not quite 80+ because department-level audience segmentation requires the distribution/contrib layer rather than being native to Drupal CMS itself.

Drupal CMS offers content moderation workflows (draft/review/publish/archive), revision history on all content, taxonomy-based knowledge classification, and Search API for internal search. Open Intranet now adds AI-powered search via RAG (Retrieval-Augmented Generation) with vector search to help employees find information fast. Solid for a CMS but not purpose-built for KM — lacks a guided knowledge lifecycle UI; most features require contrib or distribution selection.

Drupal has a genuine intranet ecosystem: Open Intranet (Droptica), Open Social distribution, and drunomics intranet solutions all provide news feeds, employee directories, social features, notifications, Microsoft 365/Google Workspace integration, and AI-assisted content — with documented deployments scaling to 7,000+ users. Open Intranet 1.7.0 (2026) modernized the UI with the Gin admin theme optimized for desktop and mobile. These are mature contributed distributions, not core features, meaning real enterprise deployments exist but setup requires distribution selection and configuration.

Open Intranet provides company news feeds, department-targeted announcements, and social interactions (comments, reactions). The 1.7.0 release (2026) added a Messenger module and SMSAPI integration, expanding multi-channel internal comms — notifications can now reach users including deskless workers without requiring a Drupal account. However, there is still no native read receipt, mandatory-read workflow, or formal acknowledgment tracking — these require custom development. Scores up slightly for the new multi-channel notification capability.

Open Intranet includes an employee directory module where staff can find contact information, roles, and expertise. Org chart visualization is achievable via Drupal contrib (Views + Hierarchical Select) but is not a native directory feature. HR system integration (Workday, BambooHR) requires custom API development or contrib connectors. Scores above 35 because a real employee directory ships with Open Intranet, but org chart and HR sync are add-on efforts.

Drupal provides revision history on all content, content moderation workflows (draft/review/publish), and scheduled content review via the Content Planner module. Document publishing with version control is achievable. However, there is no native mandatory-acknowledgment tracking, policy expiry reminders, or formal SOP management workflow in Drupal CMS 2.0 or Open Intranet. Policy management is possible via Drupal's content structures but requires custom configuration to match dedicated policy management tools.

Open Intranet's 2026 release added a Courses recipe providing Learning Management System-like functionality — course assignment, structured learning paths, and content sequencing. This enables role-specific onboarding content paths and progressive disclosure of material. Checklist-style onboarding tasks require contrib (Drupal Task module or custom). HR-triggered new-hire portal activation requires custom integration. Scores above 35 because the new Courses recipe makes structured onboarding achievable without full custom development.

Open Intranet 2026 includes AI-powered RAG search using vector search to help employees find information quickly — a significant upgrade for knowledge retrieval. Drupal Search API with Solr or Elasticsearch provides faceted filtering, relevance tuning, and search analytics. However, federated search across external systems (SharePoint, Confluence, Google Drive) is not native — it requires custom connectors. Scores below 65 because the RAG search is confined to Drupal content, not external system federation.

Open Intranet 1.7.0 (2026) added a Messenger module with SMSAPI integration, allowing notifications to reach deskless/frontline workers without a Drupal account — a genuine frontline-access improvement — and the Gin admin theme layout is now optimized for mobile. However, there is still no native iOS/Android app, no native push notifications, and no offline or kiosk/shared-device support. Scores up modestly for SMS reach to deskless workers but remains well below purpose-built frontline platforms.

Open Intranet's 2026 Courses recipe provides course creation, assignment, and structured learning paths — functional for basic LMS scenarios. Completion tracking and certification are achievable via this recipe. External LMS integration (Cornerstone, Workday Learning) requires custom API development. The Courses recipe is a meaningful addition that moves Drupal intranet above basic content hosting for training, but stops short of full LMS functionality with advanced tracking and xAPI support.

Open Intranet provides comments, reactions (likes), Kudos (peer recognition/employee appreciation), and Ideas (innovation management/idea submission) via the 2026 business recipes update. Social interactions are a core feature of the Open Intranet distribution. Discussion forums and community spaces by department are achievable via contrib. Polls/surveys require Webform or a dedicated contrib module. Scores above 50 because the combination of comments, reactions, recognition, and idea management is meaningful social infrastructure.

Open Intranet (Droptica) documents Microsoft 365 and Google Workspace integration as core features, enabling SSO via Azure AD and content surfacing within the intranet context. LDAP/SAML/OpenID Connect authentication connects to enterprise identity providers. Slack integration and Teams bot-driven notifications are not native — they require custom webhook development. Scores above 35 because M365 and Google Workspace integration are genuinely built-in, but the 'single pane' Teams/Slack experience is not.

Drupal CMS provides content scheduling (publish/unpublish dates), revision history, content moderation workflow (draft/review/published/archived states), and the Content Planner module for editorial scheduling. The 2026 Drupal AI roadmap proposes background agents that autonomously flag outdated articles, but these are roadmap items, not shipped features. Automated review reminders for stale content and systematic archival workflows still require contrib rather than being native to CMS 2.0. Scores at 50 because the moderation states and scheduling exist, but automated freshness enforcement needs additional setup.

Drupal intranet deployments rely on GA4 or Matomo for basic page view analytics, accessible in external tools rather than within the CMS/intranet interface. There is no native intranet analytics dashboard in Open Intranet or Drupal CMS showing department-level engagement, failed search terms, or adoption metrics. Search analytics are available in Drupal Search API but require additional configuration to surface insights. Scores at 35 — above the floor because Search API logs are available, but below 45 because there is no purpose-built intranet engagement dashboard.

Drupal Multisite provides silo-based isolation: each site gets its own database, configuration, files, and domain while sharing a single codebase. Three architectural modes exist (multi-tenant shared DB, hybrid, multi-instance). This is genuine isolation at the application level, though not a SaaS-native multi-tenant architecture with guaranteed zero data leakage at the infrastructure layer. Adequate for enterprise multi-brand but requires ops discipline to maintain isolation.

Drupal Multisite shares a single codebase, allowing themes, modules, and Canvas component libraries to be maintained centrally and consumed by all brand instances. Drupal distributions and install profiles can enforce shared design tokens and templates. Canvas 1.0 (with the Mercury component library) introduces a component system that further enables cross-brand reuse, and the Site Template Marketplace pilot (DrupalCon Chicago 2026) adds reusable site foundations. However, there is no native UI for 'global content' pushed to multiple sites — this requires custom sync or a contrib approach like Config Split. Federation is workaround-based rather than first-class.

Drupal provides centralized governance via granular role/permission management, content moderation workflows, and editorial policies enforceable across a multisite installation. Acquia Site Factory adds a commercial governance layer (centralized security, backups, user management, compliance) but is a separate product. The 2026 roadmap's Context Control Center aims to centrally enforce brand and governance rules, but it remains a proof of concept. Cross-brand content standard enforcement in vanilla Drupal CMS requires configuration (Config Sync, shared distributions) rather than a native governance console. Scores in the 60s because governance is possible and real but requires bespoke setup.

Drupal CMS is open source (GPL, no per-brand licensing fees), meaning additional brands add only infrastructure costs rather than license costs. A shared multisite codebase further reduces maintenance overhead across brands. Self-hosted or cloud-hosted via commodity providers. Compare to proprietary DXPs where each brand instance can cost six-figure license fees. The economics strongly favor Drupal for multi-brand scale, limited only by developer/hosting costs which remain relatively fixed.

Drupal supports per-brand sub-themes that inherit from a parent theme, allowing independent color palettes, typography, logos, and layout configurations per brand while sharing underlying component structure. Canvas 1.0 components are theme-aware and can be configured with brand-specific design tokens. Config Split enables per-site theme configuration. Not 65+ because there is no platform-level 'brand kit' abstraction — theming is done via CSS/config overrides rather than a visual brand management UI.

Drupal CMS supports multilingual content per brand site in a multisite setup — each site can have its own language configuration, translation workflows, and regional legal content. Per-brand translation approval workflows are achievable via content moderation and TMGMT. However, there is no native brand-locale intersection governance — managing Brand A's French translations separately from Brand B's French translations with different approval chains requires custom workflow configuration rather than being a native platform feature.

Drupal CMS has no native cross-brand analytics dashboard. Each site in a multisite setup sends analytics independently to GA4, Adobe Analytics, or other external tools. Portfolio-level aggregation requires manual setup in Google Analytics 360 (roll-up properties), custom reporting, or third-party analytics aggregation tools. The 2026 Context Control Center proof of concept shows some cross-site data awareness but is experimental. Scores at 30 — not at the absolute floor because GA4 is one-click per site and cross-property reporting is possible externally.

In a Drupal multisite setup, each site can have independently configured content moderation workflows via Config Split — Brand A can have a 4-stage editorial review while Brand B has a simple draft-publish workflow. However, central auditability across brand workflows requires custom reporting or contrib — there is no native cross-brand workflow audit console. Scores at 48 because per-brand workflow configuration is genuinely possible and documented, but central oversight is a gap.

Drupal has no native corporate-to-brand content syndication system. Content sharing between multisite instances requires custom development — typically via a shared content entity approach, Content Hub (Acquia commercial product), or REST API-based sync scripts. Press releases and legal disclaimers can technically be pushed via API but there is no native override-point mechanism where local brands can adapt syndicated content within defined bounds. Scores above the floor because Content Hub (Acquia) is a real commercial solution for this, even if not native to CMS.

Each site in a Drupal multisite can have independently configured cookie consent (EU Cookie Compliance module), accessibility settings, data residency preferences (via hosting), and GDPR-related modules. Per-brand compliance configuration is therefore achievable. However, there are no platform-level publishing guardrails that prevent non-compliant content from being published — compliance is enforced through configuration discipline rather than automated checks. Scores at 45 because per-brand compliance configuration is real but guardrails are manual.

Drupal's shared multisite codebase provides a centrally maintained component library via Canvas and the theme system. Canvas 1.0 components can be updated centrally and propagated to all brand instances via codebase updates. Brand-level extensions are achievable via sub-themes. However, there is no dedicated design system management UI — versioning, update propagation, and brand-level overrides are managed through Git-based deployments and config management rather than a visual design system platform.

In a Drupal multisite setup, users can be configured with cross-site accounts (shared user table mode) or isolated per-site. Central administrators can manage user roles across sites. SSO via SAML/OpenID Connect provides single authentication across brand sites. However, autonomous brand teams with per-brand user management while remaining centrally visible requires contrib or custom implementation. Acquia Site Factory adds a commercial central user management layer. Scores at 52 because the technical building blocks are sound but the native UX for cross-brand user management is limited.

Drupal's shared multisite codebase allows content types to be defined centrally and shared across brand sites. Brand-specific field extensions are achievable via contrib (Field Group, per-site Config Split) but currently require forking the base content type configuration — there is no native 'extend without fork' inheritance model for content types in Drupal. Config Split mitigates this but adds complexity. Scores at 48 because shared base models are real but per-brand extension without forking is a workaround rather than a first-class feature.

Drupal CMS has no native portfolio-level reporting dashboard. Executive reporting across brand sites — content freshness, publishing SLA adherence, cost allocation per brand — requires external business intelligence tools (Tableau, Looker) fed by GA4 or custom Drupal data exports. Acquia Site Factory provides some central site management visibility but is a commercial product, not part of the base Drupal CMS. Scores at 30 because multi-site management dashboards exist only in commercial add-ons.

Drupal CMS ships with the Klaro! open-source consent manager embedded by default since 1.0 (Jan 2025), with active 2025 work aligning it to purpose-based consent categories and Google Consent Mode V2. The GDPR contributed module adds consent tracking, SAR management, and 'forget me' erasure flows. However, the Drupal Association issues no vendor DPA — as open-source self-hosted software, GDPR compliance and any required DPAs remain the deploying organization's responsibility, and no EU data residency guarantee exists at the software level.

The Drupal Association does not issue Business Associate Agreements. Paubox's 2025 update reconfirms 'Drupal will not sign a business associate agreement and therefore is not HIPAA compliant' as a vendor. Drupal CMS can be deployed within a HIPAA-compliant ecosystem (BAA-signing host, encryption, access controls), but the platform itself provides no BAA and no documented HIPAA-eligible service offering.

Drupal remains the dominant CMS for government, used by over 50% of US federal agencies in 2026, and is recognized for easing FedRAMP and Section 508 compliance paths — but FedRAMP authorization applies to the entire hosted system boundary (Acquia, GovDataHosting), not the Drupal CMS open-source product, so it cannot be inherited. GDPR and CCPA compliance is achievable via the GDPR module and Klaro consent configuration. No IRAP, C5, PCI-DSS, or HITRUST certifications exist for the core software.

Drupal CMS is open-source software distributed by the Drupal Association; no SOC 2 Type 2 attestation exists for the platform itself, and 2026 searches confirm no Drupal Association certification. Hosting providers (Acquia, Pantheon, Platform.sh) hold their own SOC 2 Type 2 reports, but these cover hosting infrastructure, not the Drupal CMS software product. Per scoring guidance for open-source self-hosted platforms, the customer is wholly responsible.

No ISO 27001 certification exists for Drupal CMS as open-source software or for the Drupal Association in scope of the platform. ISO 27001-certified Drupal hosting (amazee.io, Acquia) refers to the hosting provider's ISMS, not the CMS software — the anti-pattern of inheriting hosting certifications applies. Customers deploying on certified infrastructure gain that coverage, but Drupal CMS itself neither holds nor conveys the certification.

No third-party security certifications (CSA STAR, PCI DSS, Cyber Essentials, FedRAMP) apply to the Drupal CMS open-source product. The platform's compensating factor remains strong: a dedicated Drupal Security Team with a structured public advisory process, scheduled security release windows, a 25-point vulnerability severity scale, and coordinated disclosure — exceeding typical open-source security practice (e.g., the May 2025 Klaro XSS fix was handled through this process). This positions Drupal CMS above minimally-maintained OSS but well below certified commercial platforms.

As self-hosted open-source software, Drupal CMS provides complete data residency flexibility — organizations can deploy in any region or on-premises with no vendor constraining data location, an intrinsic advantage over SaaS platforms. However, there are no vendor-issued contractual residency guarantees because there is no vendor-customer hosting relationship. CDN and sub-processor data flows are determined entirely by the deploying organization's infrastructure choices.

Drupal CMS includes built-in consent management (Klaro) and the GDPR contrib module provides a documented data subject request workflow: 'forget me' and export actions, SAR management via the GDPR Tasks dashboard, and field-level personal data marking for targeted deletion. Content export is available via core JSON:API or the GDPR Export submodule. Post-termination retention is not governed by a vendor policy (self-hosted), so retention is the deployer's responsibility — strong control, but requiring deliberate policy enforcement.

Drupal core (11.3, underlying Drupal CMS 2.0) includes the Database Logging (dblog) and Syslog modules tracking content operations, user actions, and authentication events; Syslog enables forwarding to SIEMs via the system syslog daemon — an integration path without native push connectors. The Admin Audit Trail contributed module extends coverage to configuration changes and entity-level operations. Log retention is configurable but defaults to database storage without automated rotation, so production deployments require explicit log pipeline configuration.

Drupal's Claro admin theme documents WCAG 2.1 AA conformance, accessibility is enforced as a core merge gate (keyboard navigation, screen reader support, focus management), and the project targets ATAG 2.0 for authoring interfaces with WCAG 2.2 AA for public-facing code. Drupal CMS 2.0 (Jan 28, 2026) made the Canvas drag-and-drop visual editor the default authoring experience and added AI-assisted alt text and an editorial accessibility checker, but Canvas's accessibility conformance is not yet formally documented, preventing a higher score.

Drupal.org maintains a dedicated accessibility page documenting WCAG 2.2 AA targets and ATAG 2.0 commitments, and the community supports ACR generation via the OpenACR/VPAT process (OpenACR released under CC BY-SA 2.0), with issue #3335955 tracking a formal core ACR. However, no single published, downloadable product-level VPAT/ACR for Drupal CMS is available for direct procurement use — third-party Drupal ACRs are implementation-specific, not Drupal Association documentation.

Drupal CMS 2.0 (GA January 2026) ships AI Automators (field-level rewriting, summarization, tone adjustment, chained pipelines), AI CKEditor integration, page generation from a single prompt via Drupal Canvas, and the Context Control Center for brand voice/audience/messaging. AI module 1.3.0 (March 2026) added Field Widget Actions for one-click AI operations directly in content fields and a native Guardrails system that enforces output rules without code, addressing the prior gap where brand controls depended solely on manual configuration. Stops at 70 because bulk generation and content-type-aware prompt template libraries remain less polished than dedicated SaaS leaders.

AI-powered alt text generation ships GA in Drupal CMS 2.0 across image fields site-wide, and AI 1.3.0 Field Widget Actions add one-click image generation from text and information extraction from images directly in the editorial UI. Image generation routes through the provider abstraction (DALL-E, Stable Diffusion) plus AI-assisted media categorization in the media library. Scores 52 because generation is provider-integrated rather than a native DAM product, and smart focal-point/crop and AI video processing are absent.

The AI Translate sub-module provides one-click multilingual publishing, and the AI Content Translation module (drupal.org/project/ai_content_translation) supports LLM translation of complex structured content including paragraphs and entity references. TMGMT integration is available for TMS handoff and the agentic framework supports custom glossaries. Scores 60 because these remain contrib modules outside the default Drupal CMS editorial workflow, and brand voice preservation across locales depends on agent configuration rather than built-in controls.

The ai_seo module provides on-demand SEO analysis in the node edit view, contentai auto-generates SEO titles, keywords, and meta descriptions, and AI Automators handle taxonomy auto-tagging. AI 1.3.0 (March 2026) added metadata autofill as a one-click Field Widget Action in the core editorial flow, and the AI Content Strategy module (updated Jan 2026) covers gap/positioning recommendations. Scores 60 because capabilities are still distributed across multiple contrib modules rather than a single integrated SEO workflow, and on-page scoring is on-demand rather than continuous.

AI Automators provide field-level automation (auto-tagging, transcription, OCR, scraping, social post generation, chained pipelines), and autonomous content agents (GA in AI v1.2) detect outdated information and propose site-wide updates with human review gates. AI 1.3.0 Field Widget Actions (March 2026) embed one-click operations — FAQ generation, audio summaries, extraction, autofill — directly into daily publishing, deepening editorial integration. Scores 67 because smart scheduling and duplicate detection remain less prominent, though automator breadth is well above average for open-source CMS.

The AI Agents framework is stable production quality (AI v1.2+), with a no-code agent builder, loop-based execution, sub-agent composition, and BPMN.io visual pipeline design; the Orchestration module (1.0, Oct 2025) connects Drupal agents to external platforms and ECA enables trigger-based agentic workflows. AI 1.3.0 Guardrails now wrap agent interactions with policy enforcement. Scores 55 because there is still no named production content-workflow agent product comparable to Contentstack Agent OS, and the bundled agents target site-building rather than editorial pipelines.

The AI Content Strategy module (updated Jan 2026) analyzes existing content for strategic recommendations including content gap identification, autonomous agents detect stale/outdated content site-wide, and ai_seo includes SEO gap identification per node. There is no native content health dashboard or AI-driven ROI attribution engine. Scores 42 for covering gap analysis and stale detection but lacking unified performance scoring, topic clustering, or editorial priority dashboards.

AI External Moderation provides content safety and policy compliance checks before publishing, AI Validations enables field-level AI validation against custom prompts, and autonomous agents can audit content for outdated facts at scale. There is still no comprehensive brand voice compliance audit suite or AI accessibility scanning integrated into Drupal CMS — the new 1.3 Guardrails govern AI interactions rather than auditing existing site content. Scores 38 for covering the moderation/safety dimension but lacking multi-dimensional quality auditing at the 45+ threshold.

The AI Search module implements RAG-based semantic vector search integrated with Search API, with vector backends for Milvus, Pinecone, PostgreSQL/pgvector, Azure AI Search, and SQLite. As of mid-2026 only the SQLite VDB provider has a stable release; production-grade backends remain beta and require manual configuration. Scores 48 because semantic search is functional and documented but not production-stable out-of-the-box in Drupal CMS.

Drupal CMS has no native ML-driven personalization engine; the 2026 AI roadmap lists AI recommendation engines as a priority but nothing has shipped as of June 2026. Partner agencies build custom ML personalization on Drupal, confirming it remains ecosystem-level rather than product-level. Scores 28 because the open API allows building personalization but no out-of-the-box predictive segmentation, next-best-content recommendations, or cold-start handling ships in the platform.

The base Drupal MCP module is stable (1.2.3+, updated through May 2026) and the mcp_server module implements the full MCP spec with tool-level RBAC, token auth, STDIO/HTTP transports, Tool API integration, and MCP Studio for no-code tool creation — but mcp_server itself still has no stable release as of spring 2026, with OAuth 2.1 listed as upcoming. An mcp_client module connects Drupal to external MCP servers. Scores 38, within the announced/beta band, reflecting substantial and actively maintained implementation that has not yet reached production-stable status.

BYOK is the core design principle of the Drupal AI module, with 48+ providers switchable via admin UI without code: OpenAI, Anthropic, Google Gemini, Mistral, Hugging Face, Ollama, LM Studio, amazee.ai, and more, including local/air-gapped deployment for data residency. AI 1.3.0 Guardrails (March 2026) add platform-managed bidirectional filtering that prevents sensitive data leaking to external models — closing the prior gap where data controls were purely provider-dependent. Reaches 80 for full multi-provider BYOM with platform-level data controls; not higher because residency assurances still ultimately rest on the chosen provider.

Drupal AI exposes a plugin-based AIFunctionCall system for registering custom agent tools, the Tool API makes Drupal capabilities machine-readable for MCP and agent consumption, and JSON:API/REST expose structured content for LLM context. AI Search generates embeddings for RAG-ready delivery and ECA provides event triggers for AI workflows, with official docs and community integration guides. Scores 65 because there is no dedicated AI SDK distinct from the module plugin API, and LLM-optimized delivery endpoints remain a roadmap item.

AI 1.3.0 (March 2026) shipped the native Guardrails system: configurable bidirectional filters that block sensitive data from reaching external models and validate responses before they return to Drupal, definable by compliance teams without code — delivering the 'advanced governance' previously only on the roadmap. This sits atop AI Logging (full interaction records), human-in-the-loop as a design principle, AI External Moderation, role-based tool/agent access, and configuration rollback for AI-generated changes. Scores 65 — solid audit trails plus enforceable guardrails — but short of 75+ because IP indemnification and hallucination confidence scoring are still absent.

AI 1.3.0 (March 2026) added native OpenTelemetry support with real-time tracking of AI usage, costs, and agent decisions, exportable to Datadog, Grafana, or Sentry — adding the cost/usage visibility that was previously absent. This complements the AI Dashboard (feature/provider overview), AI Logging (interaction records), and AI Explorer (prompt testing). Scores 48 because cost and usage tracking now exist but dashboards live in external APM tools rather than in-platform, and per-user quotas, prompt effectiveness analytics, and quality trend monitoring are still missing.