Defaults.Exposed › Reports
Does NIS2 Require DMARC? Email Authentication and EU Cyber Hygiene (2026)
Published 2026-06-29
Figures as of 2026-06-29 · methodology v7. Aggregate census data by national domain ending (ccTLD, a proxy for the country, not company registration), across 261 million graded domains. “Can stop impersonation” = an enforcing DMARC policy (
quarantine/reject). NIS2 references below are general; this is not legal advice. See how we grade.
Part of the DMARC pillar — DMARC adoption, maturity and league tables, measured across the whole census.
NIS2 doesn’t mention DMARC by name — but it requires “appropriate cyber-hygiene measures,” and stopping your domain being impersonated in email is about as baseline as cyber hygiene gets. The EU’s NIS2 Directive (transposition deadline October 2024) obliges essential and important entities to take appropriate, proportionate technical measures against cyber risk. Email authentication — SPF, DKIM and an enforcing DMARC policy — is the standard anti-spoofing control that maps to that obligation. The census shows most EU domains aren’t there yet.
How exposed are EU domains today?
Share of domains on each national ending with an enforcing DMARC policy (higher is better; the rest can be impersonated). As of 2026-06-29:
| Country (ending) | Can stop impersonation |
|---|---|
| Netherlands (.nl) | 29.43% |
| Poland (.pl) | 23.36% |
| Germany (.de) | 21.38% |
| Spain (.es) | 15.02% |
| Belgium (.be) | 14.91% |
| France (.fr) | 13.65% |
| Sweden (.se) | 10.18% |
| Ireland (.ie) | 8.79% |
| Italy (.it) | 5.24% |
Even the EU leader, the Netherlands, only has 29.43% of its domains able to stop impersonation. Italy sits at 5.24%. For comparison, the global enforcement rate is just 10.59% — so Europe leads the world and still leaves the large majority of its businesses spoofable.
What this means for a NIS2-scoped business
If you’re an essential or important entity (or in the supply chain of one), email authentication is a cheap, visible, defensible measure to have in place:
- SPF + DKIM + enforcing DMARC stops criminals sending email as your organisation — the mechanism behind invoice fraud and CEO-fraud scams.
- It’s free DNS configuration, not a product purchase — so its absence is hard to justify in an audit.
- It’s externally checkable — auditors, insurers and partners can verify it in seconds, which is exactly why “domain can be spoofed” is a finding worth closing before someone else raises it.
NIS2 won’t hand you a checklist that says “set p=reject.” But when the directive asks for proportionate measures against obvious risks, an unprotected domain that anyone can impersonate is a hard gap to defend.
Frequently asked questions
Does NIS2 legally require DMARC? NIS2 doesn’t name DMARC. It requires appropriate, proportionate cyber-hygiene and risk-management measures; email authentication (SPF/DKIM/DMARC) is the standard control that addresses email-spoofing risk, so it’s widely treated as in scope. Confirm specifics with your compliance advisor.
What’s the minimum email-authentication posture?
SPF and DKIM published, and DMARC set to an enforcing policy (quarantine or reject). A DMARC record at p=none monitors but doesn’t protect.
How do EU countries compare on this? As of 2026-06-29, enforcement ranges from about 5.24% (.it) to 29.43% (.nl). Most EU domains still can’t stop impersonation.
Is fixing it expensive? No — it’s DNS configuration, free to change. The cost is the time to do it in the right order.
Check your domain’s NIS2-relevant email posture
See whether your domain can be impersonated — and exactly what to fix — privately and free.
Check your domain → · Fix DMARC → · Europe vs the world → · Can someone spoof your domain? → · Aggregate data only. Data stored and processed in the EU.