Skip to content
← All compliance guidesEU regulation

NIS2 & Email Authentication — DMARC for Covered Entities

The EU’s NIS2 Directive is now being enforced: supervision regimes are live, several member states set mid-2026 audit milestones, and management can be held personally liable. Article 21 doesn’t name DMARC — but it requires secured communications, and ENISA’s implementation guidance points squarely at email authentication.

At a glance

Essential and important entities across 18 critical sectors in the EU — energy, transport, health, digital infrastructure, ICT service management, and more — generally medium-sized and larger, plus some entities regardless of size. Non-EU organizations providing in-scope services in the EU can also be covered.

InstrumentDirective (EU) 2022/2555 — “NIS2” — replacing the 2016 NIS Directive
Transposition deadlineOctober 17, 2024 (national laws; member-state status still varies in 2026)
Who is coveredEssential and important entities across 18 critical sectors
Penalties (essential)Up to €10M or 2% of global annual turnover, whichever is higher
Penalties (important)Up to €7M or 1.4% of global annual turnover, whichever is higher
Does it name DMARC?No — Article 21 requires “secured … communications”; ENISA guidance identifies email authentication (incl. DMARC) as a key practice

Facts and citations verified July 13, 2026. Regulations change — confirm current details with the sources below.

What NIS2 actually requires

Article 21 of NIS2 obliges covered entities to take “appropriate and proportionate technical, operational and organisational measures” to manage cybersecurity risk, and lists ten minimum measure areas — including, in Article 21(2)(j), “the use of … secured voice, video and text communications.” The Directive is principles-based: it defines outcomes, and national transpositions plus ENISA guidance fill in the technical detail.

The enforcement machinery is what changed in 2024–2026. Member states transposed the Directive into national law (deadline: October 17, 2024, with several running late), supervisory authorities stood up proactive supervision for essential entities — regular audits and on-site inspections — and reactive supervision for important entities. Several national transpositions set June 30, 2026 as a first-audit or compliance-evidence milestone, though timelines vary by country.

NIS2 also puts management on the hook: governing bodies must approve and oversee the risk-management measures, and can be held liable for infringements. That has moved email security from an IT ticket to a board-level compliance item at covered entities.

Penalties under NIS2

Entity classMaximum administrative fines
Essential entities€10,000,000 or 2% of total worldwide annual turnover — whichever is higher
Important entities€7,000,000 or 1.4% of total worldwide annual turnover — whichever is higher
Management bodiesPersonal liability for infringements; temporary bans possible for essential-entity management in serious cases

Fines are imposed by national authorities under each member state’s transposition, so procedures and additional sanctions vary by country.

Where DMARC fits — the honest version

NIS2 does not list DMARC as a compliance requirement. What it requires is secured communications and demonstrable risk management — and ENISA’s technical implementation guidance identifies email authentication, including DMARC, as a key practice for meeting that bar. Domain spoofing is a standard entry vector for exactly the incidents NIS2 makes reportable, so supervisors read email authentication as evidence you’re managing the risk.

For an audit, the useful posture isn’t “we published a DMARC record” — it’s a documented control: SPF, DKIM, and DMARC at an enforcement policy across your sending domains, with monitoring, alerting, and records you can produce when a supervisory authority asks how you secure communications.

DDMARC gives covered entities that evidence trail: readable aggregate reports, continuous DNS monitoring with alert history, EU data residency, and a clear path from p=none to enforcement — so the control is real and provable, not a checkbox.

Your compliance checklist

  1. 1

    Determine your classification

    Check whether you’re an essential or important entity under your member state’s transposition — sector, size, and criticality all factor in.

  2. 2

    Map every domain that sends or receives email

    Include subsidiaries and country-level domains; supervision covers the entity, not just the primary brand domain.

  3. 3

    Check your current posture

    A free scan shows each domain’s DMARC, SPF, and DKIM state in seconds. Check your domain

  4. 4

    Implement SPF, DKIM, and DMARC — then enforce

    Publish DMARC with aggregate reporting, align every legitimate sender, and step up to p=quarantine or p=reject. DMARC setup guide

  5. 5

    Build the evidence file for supervision

    Keep policies, dashboards, alert history, and DNS-check logs ready — audits ask you to demonstrate the measure, not just claim it.

Start with step one — see where your domain stands in 30 seconds.

Run the free check
FAQ

NIS2 Directive & DMARC — FAQ

Is your domain compliant?

Check your DMARC, SPF, and DKIM posture free — then reach enforcement with readable reports, a policy simulator, and continuous monitoring.