NIS2 & Email Authentication — DMARC for Covered Entities
The EU’s NIS2 Directive is now being enforced: supervision regimes are live, several member states set mid-2026 audit milestones, and management can be held personally liable. Article 21 doesn’t name DMARC — but it requires secured communications, and ENISA’s implementation guidance points squarely at email authentication.
At a glance
Essential and important entities across 18 critical sectors in the EU — energy, transport, health, digital infrastructure, ICT service management, and more — generally medium-sized and larger, plus some entities regardless of size. Non-EU organizations providing in-scope services in the EU can also be covered.
| Instrument | Directive (EU) 2022/2555 — “NIS2” — replacing the 2016 NIS Directive |
|---|---|
| Transposition deadline | October 17, 2024 (national laws; member-state status still varies in 2026) |
| Who is covered | Essential and important entities across 18 critical sectors |
| Penalties (essential) | Up to €10M or 2% of global annual turnover, whichever is higher |
| Penalties (important) | Up to €7M or 1.4% of global annual turnover, whichever is higher |
| Does it name DMARC? | No — Article 21 requires “secured … communications”; ENISA guidance identifies email authentication (incl. DMARC) as a key practice |
Facts and citations verified July 13, 2026. Regulations change — confirm current details with the sources below.
What NIS2 actually requires
Article 21 of NIS2 obliges covered entities to take “appropriate and proportionate technical, operational and organisational measures” to manage cybersecurity risk, and lists ten minimum measure areas — including, in Article 21(2)(j), “the use of … secured voice, video and text communications.” The Directive is principles-based: it defines outcomes, and national transpositions plus ENISA guidance fill in the technical detail.
The enforcement machinery is what changed in 2024–2026. Member states transposed the Directive into national law (deadline: October 17, 2024, with several running late), supervisory authorities stood up proactive supervision for essential entities — regular audits and on-site inspections — and reactive supervision for important entities. Several national transpositions set June 30, 2026 as a first-audit or compliance-evidence milestone, though timelines vary by country.
NIS2 also puts management on the hook: governing bodies must approve and oversee the risk-management measures, and can be held liable for infringements. That has moved email security from an IT ticket to a board-level compliance item at covered entities.
Penalties under NIS2
| Entity class | Maximum administrative fines |
|---|---|
| Essential entities | €10,000,000 or 2% of total worldwide annual turnover — whichever is higher |
| Important entities | €7,000,000 or 1.4% of total worldwide annual turnover — whichever is higher |
| Management bodies | Personal liability for infringements; temporary bans possible for essential-entity management in serious cases |
Fines are imposed by national authorities under each member state’s transposition, so procedures and additional sanctions vary by country.
Where DMARC fits — the honest version
NIS2 does not list DMARC as a compliance requirement. What it requires is secured communications and demonstrable risk management — and ENISA’s technical implementation guidance identifies email authentication, including DMARC, as a key practice for meeting that bar. Domain spoofing is a standard entry vector for exactly the incidents NIS2 makes reportable, so supervisors read email authentication as evidence you’re managing the risk.
For an audit, the useful posture isn’t “we published a DMARC record” — it’s a documented control: SPF, DKIM, and DMARC at an enforcement policy across your sending domains, with monitoring, alerting, and records you can produce when a supervisory authority asks how you secure communications.
DDMARC gives covered entities that evidence trail: readable aggregate reports, continuous DNS monitoring with alert history, EU data residency, and a clear path from p=none to enforcement — so the control is real and provable, not a checkbox.
Your compliance checklist
- 1
Determine your classification
Check whether you’re an essential or important entity under your member state’s transposition — sector, size, and criticality all factor in.
- 2
Map every domain that sends or receives email
Include subsidiaries and country-level domains; supervision covers the entity, not just the primary brand domain.
- 3
Check your current posture
A free scan shows each domain’s DMARC, SPF, and DKIM state in seconds. Check your domain
- 4
Implement SPF, DKIM, and DMARC — then enforce
Publish DMARC with aggregate reporting, align every legitimate sender, and step up to p=quarantine or p=reject. DMARC setup guide
- 5
Build the evidence file for supervision
Keep policies, dashboards, alert history, and DNS-check logs ready — audits ask you to demonstrate the measure, not just claim it.
Start with step one — see where your domain stands in 30 seconds.
Run the free checkNIS2 Directive & DMARC — FAQ
Sources
- EUR-Lex — Directive (EU) 2022/2555 (NIS2), full text
- ENISA — NIS2 technical implementation guidance
- NIS2 transposition & timeline tracker (member-state status)
All claims on this page were verified against the sources above on July 13, 2026.
Is your domain compliant?
Check your DMARC, SPF, and DKIM posture free — then reach enforcement with readable reports, a policy simulator, and continuous monitoring.