NIS2 and Email Security — What the Directive Requires

6 min read · Tomas Hojgr · Email Security

What Is NIS2 and Why Does It Cover Email

NIS2 (Network and Information Security Directive 2, Directive (EU) 2022/2555) is a European Union directive that significantly expands cybersecurity requirements for organizations operating within the EU. It entered into force on 16 January 2023, and member states were required to transpose it into national law by 17 October 2024; many missed that deadline, and transposition was still being completed during 2025.

Email remains the most common initial access vector: the ENISA Threat Landscape 2025 report attributes approximately 60% of initial intrusions to phishing. Several NIS2 measures therefore bear directly on email security: cryptography, authentication, and incident handling.

Who Falls Under NIS2

NIS2 dramatically expands the scope compared to the original NIS Directive. Organizations are classified into two categories, by sector (Annex I sectors of high criticality versus Annex II other critical sectors) and by size: large entities in Annex I sectors are essential, medium-sized ones are generally important.

Essential entities

  • Energy, transport, banking, healthcare
  • Water supply, digital infrastructure (including cloud, DNS, and data centre providers)
  • Public administration, space sector

Important entities

  • Postal and courier services
  • Waste management, chemicals
  • Food production, manufacturers of critical products
  • Digital providers (online marketplaces, search engines, social networking platforms)

The criteria are organizational size (medium and large enterprises: 50 or more employees, or annual turnover or balance sheet above EUR 10 million) and sector of activity. Some entities fall under the directive regardless of size, for example DNS service providers, top-level domain name registries, and trust service providers.

Each organization must self-assess whether it falls under the regulation and register with the relevant national cybersecurity authority. The directive itself sets no grace period for implementing security measures; those deadlines come from national transposition laws, and several of them (the Czech act, for example) give a newly registered entity 12 months to implement the required measures.

NIS2 Requirements Relevant to Email

Article 21 of NIS2 defines minimum cybersecurity risk-management measures. Several directly relate to email security:

Cryptography and encryption — Article 21(2)(h)

NIS2 requires policies and procedures for the use of cryptography and, where appropriate, encryption. For email, this means:

  • Transport encryption using TLS: your MX servers must offer STARTTLS with a valid certificate, and your outbound MTA must use TLS when the other side offers it (opportunistic TLS is the baseline, not the goal)
  • MTA-STS so that sending MTAs enforce TLS when delivering to you: a published policy lets a sender refuse to fall back to plaintext or to deliver to an MX not listed in the policy, which defeats STARTTLS-stripping and DNS-spoofing downgrades
  • TLS-RPT so that senders report failed or downgraded TLS connections to an address you monitor

For a step-by-step deployment guide, see MTA-STS and TLS-RPT — Encrypting Email Transport.

Secure communications — Article 21(2)(j)

The directive requires secured voice, video and text communications, including email. The NIS2 Implementing Regulation (EU 2024/2690), which applies directly to DNS, cloud, data centre, managed service and other digital entities and serves as a reference for everyone else, expects organizations to:

  • Use multi-factor authentication (MFA) on internet-facing systems, including email
  • Ensure sender identity authentication
  • Protect communications against unauthorized access and tampering

Email authentication using SPF, DKIM and DMARC is the technical foundation for the sender-identity part of these requirements; MFA on mailbox and webmail access is a separate control that the same article also expects.

Incident handling — Article 21(2)(b)

Article 23 requires significant incidents to be reported to the national CSIRT or competent authority in three stages: an early warning within 24 hours of becoming aware of the incident, an incident notification with an initial assessment within 72 hours, and a final report within one month of that notification. Spoofing of your domain in a campaign against your customers, or a successful BEC attack, can meet the significance threshold (severe operational disruption, financial loss, or considerable harm to others) and must then be reported. Without DMARC reporting you may not even learn that such an incident occurred, let alone within 24 hours.

Supply chain security — Article 21(2)(d)

NIS2 requires supply chain risk management. Email authentication is a direct component: if a vendor sends email on behalf of your domain (invoicing system, CRM, marketing platform), its configuration affects your security. A vendor that is missing from your SPF record, or that signs with its own DKIM domain instead of a key for yours, fails DMARC alignment, and under p=reject its mail is refused. Those gaps show up in aggregate reports long before they become incidents.

How Email Authentication Maps to NIS2

Although NIS2 does not explicitly mention SPF, DKIM, or DMARC, deploying these protocols covers several directive requirements simultaneously:

| NIS2 requirement | How email authentication covers it |
|---|---|
| Cryptography and encryption | DKIM signs emails with a cryptographic key; TLS encrypts transport |
| Secure communications | SPF, DKIM, and DMARC verify sender identity |
| Incident handling | DMARC reports reveal spoofing attempts and domain abuse |
| Supply chain security | DMARC enforces authentication for third parties sending on your behalf |
| Risk management | Monitoring email authentication is part of ongoing cyber risk management |

The key is DMARC with a p=reject policy. A p=none policy only monitors and provides no active protection. To meet the requirement for secured communications, organizations should aim for p=reject, which asks receivers to refuse mail that fails DMARC (receivers may still apply local policy, but p=reject is the strongest signal you can publish). Check that pct is 100 and that the subdomain policy (sp) is not weaker than p, otherwise spoofed subdomains slip through. The setup process is described in How to Set Up DMARC.

The NIS2 requirements for email authentication overlap significantly with Google and Yahoo sender requirements — if you already meet those, you have a solid foundation.

Practical Steps for Compliance

1. Audit your current state

Check your domain security — the analyzer will verify SPF, DKIM, DMARC, and MTA-STS configuration and identify missing or incorrect records.

Alternatively, in the terminal:

dig +short TXT example.com | grep -i 'v=spf1'
dig +short TXT _dmarc.example.com
dig +short TXT selector._domainkey.example.com   # replace "selector" with the DKIM selector your sender uses
dig +short TXT _mta-sts.example.com
dig +short TXT _smtp._tls.example.com            # TLS-RPT record

If you operate multiple domains, check each one. NIS2 applies to the entire organization, not a single domain.
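The dig commands above only retrieve the records; deciding whether they meet the targets this article sets (p=reject, MTA-STS in enforce mode, TLS-RPT present) is the next step. The following Python is an added example, not the page's analyzer or SPF Monitor's code. It checks constructed records for a hypothetical example.com against those targets; the "before" and "after" inputs, the example.com names, and the max_age floor are the example's own assumptions.

```python
"""Check DMARC, MTA-STS and TLS-RPT settings against the enforcement targets this article sets.

Added example, not the page's analyzer or SPF Monitor code. Inputs are constructed strings
standing in for what `dig +short TXT ...` and an HTTPS fetch of the policy file would return
for a hypothetical example.com; the thresholds below are this example's own.
"""

# Constructed inputs: a "before" set that only monitors, and an "after" set that enforces.
DMARC_WEAK = "v=DMARC1; p=none; rua=mailto:dmarc-rua@example.com"
DMARC_STRONG = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-rua@example.com"
MTA_STS_DNS = "v=STSv1; id=20250101T000000Z"          # _mta-sts.example.com TXT
# Policy file served at https://mta-sts.example.com/.well-known/mta-sts.txt
MTA_STS_WEAK = "version: STSv1\nmode: testing\nmx: mail.example.com\nmax_age: 86400\n"
MTA_STS_STRONG = "version: STSv1\nmode: enforce\nmx: mail.example.com\nmx: *.mx.example.net\nmax_age: 1209600\n"
TLSRPT = "v=TLSRPTv1; rua=mailto:tls-rpt@example.com"  # _smtp._tls.example.com TXT

MIN_MAX_AGE = 604800  # RFC 8461 expects max_age in the range of weeks; one week is this example's floor


def parse_tags(record):
    """Parse the 'tag=value; tag=value' syntax shared by DMARC and TLS-RPT records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def parse_mta_sts(policy_text):
    """Parse the 'key: value' policy file; 'mx' may repeat, everything else is single-valued."""
    policy = {"mx": []}
    for line in policy_text.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy


def check_dmarc(record):
    findings = []
    tags = parse_tags(record or "")
    if tags.get("v") != "DMARC1":
        return ["DMARC: no valid record (missing v=DMARC1); the domain is unprotected"]
    policy = tags.get("p")
    if policy == "none":
        findings.append("DMARC: p=none only monitors; receivers are asked to take no action on spoofed mail")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine is an intermediate step; the target is p=reject")
    elif policy != "reject":
        findings.append(f"DMARC: unrecognised policy p={policy!r}")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail stream")
    if policy == "reject" and tags.get("sp", policy) != "reject":
        findings.append(f"DMARC: subdomain policy sp={tags['sp']} is weaker than p=reject")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are not being collected")
    return findings


def check_mta_sts(dns_record, policy_text):
    findings = []
    dns_tags = parse_tags(dns_record or "")
    if dns_tags.get("v") != "STSv1" or "id" not in dns_tags:
        return ["MTA-STS: no valid _mta-sts TXT record; sending MTAs never look for a policy"]
    policy = parse_mta_sts(policy_text or "")
    if policy.get("version") != "STSv1":
        return ["MTA-STS: policy file missing or not version STSv1"]
    mode = policy.get("mode")
    if mode == "testing":
        findings.append("MTA-STS: mode=testing only reports; switch to enforce once TLS-RPT shows no failures")
    elif mode != "enforce":
        findings.append(f"MTA-STS: mode={mode!r} does not enforce TLS")
    if not policy["mx"]:
        findings.append("MTA-STS: no mx entries; in enforce mode senders would refuse to deliver at all")
    max_age = policy.get("max_age", "0")
    if not max_age.isdigit() or int(max_age) < MIN_MAX_AGE:
        findings.append(f"MTA-STS: max_age={max_age} is short; the cached policy is what resists downgrade between fetches")
    return findings


def check_tlsrpt(record):
    tags = parse_tags(record or "")
    if tags.get("v") != "TLSRPTv1" or "rua" not in tags:
        return ["TLS-RPT: no valid _smtp._tls record; TLS delivery failures to your MX go unreported"]
    return []


def audit(dmarc, mta_sts_dns, mta_sts_policy, tlsrpt):
    """Return every finding; an empty list means the targets are met."""
    return check_dmarc(dmarc) + check_mta_sts(mta_sts_dns, mta_sts_policy) + check_tlsrpt(tlsrpt)


if __name__ == "__main__":
    for label, args in (("before", (DMARC_WEAK, MTA_STS_DNS, MTA_STS_WEAK, None)),
                        ("after", (DMARC_STRONG, MTA_STS_DNS, MTA_STS_STRONG, TLSRPT))):
        findings = audit(*args)
        print(f"[{label}] {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run it as-is to see the "before" set produce four findings (p=none, mode=testing, a short max_age, no TLS-RPT) and the "after" set produce none; to audit a real domain, replace the constants with the `dig` output and the fetched policy file. The checks deliberately treat pct below 100 and a weaker sp as findings, because both are common ways a domain that looks enforced on paper still lets spoofed mail through.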

2. Deploy complete authentication

If you don't have complete email authentication (SPF + DKIM + DMARC), deploy it:

  1. SPF — authorize all servers that send email on behalf of your domain. Guide: How to Create an SPF Record.
  2. DKIM — enable signing for every sending service. Guide: How to Set Up DKIM.
  3. DMARC — start with p=none and direct reports to SPF Monitor:
v=DMARC1; p=none; rua=mailto:example.com@rua.spfmonitor.com

3. Analyze and enforce

Based on DMARC reports, identify every legitimate sender, fix its SPF entry or DKIM alignment first, and only then tighten the policy to p=quarantine and then p=reject. Sources that fail DMARC but pass SPF or DKIM for some other domain are usually vendors signing with their own domain; sources that pass nothing are spoofing.

4. Encrypt transport

Deploy MTA-STS to enforce encrypted transport for incoming email. Enable TLS-RPT for monitoring.

5. Ongoing monitoring

NIS2 requires ongoing risk management, not a one-time setup. DNS records can change, certificates can expire, a new third-party service can start sending without proper authentication.

DMARC reports provide an ongoing overview. SPF Monitor automatically processes, visualizes, and alerts on anomalies — no need to manually parse XML files.
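What an aggregate report actually tells you, as an added example that is not SPF Monitor's code: the Python below parses a DMARC RUA report, separates aligned senders from vendors whose SPF or DKIM passes only for their own domain and from plain spoofing, and computes how much mail p=reject would have refused. It serves step 3 (analyze and enforce), step 5 (ongoing monitoring), and the incident-handling and supply-chain points above. The report is constructed following the RFC 7489 Appendix C schema with documentation IP addresses, and KNOWN_SOURCES is an assumed inventory of expected senders.

```python
"""Summarise a DMARC aggregate (RUA) report and show what p=reject would change.

Added example for this article, not SPF Monitor code. SAMPLE_REPORT is a constructed
report following the RFC 7489 Appendix C schema, using documentation IP ranges.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct></policy_published>
  <!-- own gateway: aligned SPF and DKIM -->
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
  <!-- CRM vendor: SPF and DKIM pass, but for the vendor's own domains, so neither aligns -->
  <record><row><source_ip>198.51.100.7</source_ip><count>45</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>crm-vendor.example</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>bounce.crm-vendor.example</domain><result>pass</result></spf></auth_results></record>
  <!-- unknown source: nothing passes, plain spoofing of example.com -->
  <record><row><source_ip>203.0.113.99</source_ip><count>310</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
</feedback>
"""

# Assumed inventory of sources the organisation expects to send as example.com.
KNOWN_SOURCES = {"192.0.2.10": "corporate mail gateway", "198.51.100.7": "CRM vendor (invoices)"}


def parse_report(xml_text):
    """Return (policy_published as a dict, list of per-record dicts)."""
    root = ET.fromstring(xml_text)
    published = {el.tag: el.text for el in root.find("policy_published")}
    records = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        # Raw results: which domains passed SPF / DKIM at all, aligned with header From or not.
        raw_pass = {
            "dkim": [d.findtext("domain") for d in rec.findall("auth_results/dkim")
                     if d.findtext("result") == "pass"],
            "spf": [s.findtext("domain") for s in rec.findall("auth_results/spf")
                    if s.findtext("result") == "pass"],
        }
        records.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            # policy_evaluated carries the *aligned* verdicts that the DMARC result is based on
            "dkim": evaluated.findtext("dkim"),
            "spf": evaluated.findtext("spf"),
            "disposition": evaluated.findtext("disposition"),
            "raw_pass": raw_pass,
        })
    return published, records


def dmarc_passes(record):
    """DMARC passes when either aligned SPF or aligned DKIM passes."""
    return record["dkim"] == "pass" or record["spf"] == "pass"


def classify(record, known_sources):
    """Bucket a record by what it means for the enforcement roll-out."""
    if dmarc_passes(record):
        return "authenticated"
    if record["raw_pass"]["dkim"] or record["raw_pass"]["spf"]:
        # Something passed, but for a domain that does not align with header From:
        # typically a vendor signing with its own domain. Fixable by configuration.
        return "unaligned"
    if record["source_ip"] in known_sources:
        return "known-but-failing"    # e.g. a gateway missing from SPF and not signing
    return "unauthenticated"          # nobody vouches for it: spoofing or abuse


def summarise(records, known_sources):
    """Aggregate per source IP: volume, failing volume, classes seen, domains that passed raw checks."""
    per_ip = defaultdict(lambda: {"count": 0, "failed": 0, "classes": set(), "raw_pass_domains": set()})
    for r in records:
        entry = per_ip[r["source_ip"]]
        entry["count"] += r["count"]
        if not dmarc_passes(r):
            entry["failed"] += r["count"]
        entry["classes"].add(classify(r, known_sources))
        entry["raw_pass_domains"].update(r["raw_pass"]["dkim"] + r["raw_pass"]["spf"])
    return dict(per_ip)


def reject_impact(records):
    """(total, rejected): messages p=reject would have asked receivers to refuse."""
    total = sum(r["count"] for r in records)
    rejected = sum(r["count"] for r in records if not dmarc_passes(r))
    return total, rejected


if __name__ == "__main__":
    published, records = parse_report(SAMPLE_REPORT)
    print(f"Published policy for {published['domain']}: p={published['p']}")
    for ip, entry in summarise(records, KNOWN_SOURCES).items():
        label = KNOWN_SOURCES.get(ip, "UNKNOWN SOURCE")
        print(f"{ip:15} {entry['count']:5} msgs  failed={entry['failed']:<5} "
              f"{'/'.join(sorted(entry['classes']))}  [{label}]  "
              f"raw-pass domains: {sorted(entry['raw_pass_domains']) or '-'}")
    total, rejected = reject_impact(records)
    print(f"Under p=reject, {rejected} of {total} messages would be refused; "
          f"fix 'unaligned' and 'known-but-failing' sources first, then tighten.")
```

The two numbers that matter for the roll-out are in the output: the vendor's 45 messages are legitimate and would be lost under p=reject until the vendor is added to SPF or given a DKIM key for your domain, while the 310 messages from the unknown source are exactly the spoofing that p=reject exists to stop, and the evidence you would need for an incident notification. Real reports arrive as gzip or zip attachments, often many per day; the parsing here is what a monitoring service does for you at scale.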

Penalties for Non-Compliance

NIS2 establishes penalties based on the severity of the violation:

| Entity category | Maximum penalty |
|---|---|
| Essential entities | EUR 10 million or 2% of global annual turnover (whichever is higher) |
| Important entities | EUR 7 million or 1.4% of global annual turnover (whichever is higher) |

Beyond financial penalties, management bears personal responsibility. NIS2 explicitly states that senior management is accountable for approving and overseeing the implementation of cybersecurity measures.

Timeline

| Deadline | Event |
|---|---|
| 17 October 2024 | NIS2 transposition deadline for EU member states |
| Varies by member state | Registration of regulated entities with the national authority |
| Set by national law (commonly 12 months from registration) | Implementation of security measures |

Organizations that haven't addressed email authentication yet have limited time. Deploying SPF, DKIM, and DMARC typically takes weeks (depending on the number of sending services), while transitioning to p=reject requires months of data collection and report analysis.

From Best Practice to Legal Obligation

NIS2 doesn't introduce anything revolutionary for email security — authentication and encryption requirements have existed in best practices for years. But the directive transforms them from recommendations into a legal obligation with concrete penalties.

Complete email authentication (SPF + DKIM + DMARC with p=reject) and transport encryption (TLS + MTA-STS) cover multiple Article 21 NIS2 requirements. These are technically proven measures with clear deployment steps — and should be among the first steps in compliance preparation.

Check your domain security and find out where to start.

Related articles

Spoofing and Phishing — Defending with Email Authentication (6 min read)
Email spoofing and phishing threaten every domain without authentication. Learn how SPF, DKIM, and DMARC protect your domain — and what they can't…

SPF, DKIM, and DMARC — Complete Email Authentication Guide (11 min read)
SPF, DKIM, and DMARC form three layers of email authentication. Learn how they work together, the correct deployment order, and common mistakes to…

Google and Yahoo Email Sender Requirements (7 min read)
Google and Yahoo require SPF, DKIM, and DMARC authentication from email senders. Learn the specific requirements, thresholds, and enforcement…