NIS2 does not name DMARC explicitly. But Article 21's requirement for "appropriate technical measures" to manage cyber risk, combined with ENISA's technical guidance that regulators across the EU reference, points squarely at email authentication as an expected control for in-scope organisations.
Only 3.87% of domains currently meet the full email security baseline.
What NIS2 requires on email
NIS2's Article 21 requires essential and important entities to implement measures covering, among other areas: access control, supply chain security, incident detection, and the security of network and information systems. Email is a primary attack vector for all of these.
ENISA's guidance on implementing Article 21 specifically references email authentication (SPF, DKIM, DMARC) as technical measures appropriate for managing email-based risks. The NCSC Ireland, which is responsible for NIS2 supervision of most Irish entities, aligns with this guidance.
What's at stake
Penalties under NIS2 for essential entities can reach €10 million or 2% of global turnover. For important entities: €7 million or 1.4%. These are not hypothetical — Irish regulators are building enforcement capability now, and supervisory assessments of in-scope entities have begun.
Beyond fines: if your organisation suffers a Business Email Compromise incident and NIS2 regulators find that DMARC enforcement wasn't in place, the absence of a basic, well-documented control will be difficult to defend in a supervisory review.
What "appropriate technical measures" looks like for email
The baseline that satisfies NIS2's email security expectation:
- SPF published and correctly configured (all sending services listed, under the 10-lookup limit)
- DKIM configured for your email provider and any other services that send on your behalf
- DMARC at enforcement (
p=quarantineorp=reject) — notp=none, which provides zero protection
DMARC at p=none — which 24.89% of domains that publish DMARC use — provides no actual protection and would not satisfy a regulatory expectation of appropriate technical measures.
Check your current status
Run the free DomainScores check to see your current email authentication grades — and whether your domain meets the NIS2 baseline today.
Need to close the gap before a supervisory review? Domain Fix from €1,197 — we implement the full email authentication stack and provide a before-and-after security report suitable for regulatory evidence. Grade B+ guaranteed, or your money back.