Defaults.Exposed

Defaults.Exposed › Reports

Does NIS2 Require DMARC? Email Authentication and EU Cyber Hygiene (2026)

Published 2026-06-29

Figures as of 2026-06-29 · methodology v7. Aggregate census data by national domain ending (ccTLD, a proxy for the country, not company registration), across 261 million graded domains. “Can stop impersonation” = an enforcing DMARC policy (quarantine/reject). NIS2 references below are general; this is not legal advice. See how we grade.

Part of the DMARC pillar — DMARC adoption, maturity and league tables, measured across the whole census.

NIS2 doesn’t mention DMARC by name — but it requires “appropriate cyber-hygiene measures,” and stopping your domain being impersonated in email is about as baseline as cyber hygiene gets. The EU’s NIS2 Directive (transposition deadline October 2024) obliges essential and important entities to take appropriate, proportionate technical measures against cyber risk. Email authentication — SPF, DKIM and an enforcing DMARC policy — is the standard anti-spoofing control that maps to that obligation. The census shows most EU domains aren’t there yet.

How exposed are EU domains today?

Share of domains on each national ending with an enforcing DMARC policy (higher is better; the rest can be impersonated). As of 2026-06-29:

Country (ending)Can stop impersonation
Netherlands (.nl)29.43%
Poland (.pl)23.36%
Germany (.de)21.38%
Spain (.es)15.02%
Belgium (.be)14.91%
France (.fr)13.65%
Sweden (.se)10.18%
Ireland (.ie)8.79%
Italy (.it)5.24%

Even the EU leader, the Netherlands, only has 29.43% of its domains able to stop impersonation. Italy sits at 5.24%. For comparison, the global enforcement rate is just 10.59% — so Europe leads the world and still leaves the large majority of its businesses spoofable.

What this means for a NIS2-scoped business

If you’re an essential or important entity (or in the supply chain of one), email authentication is a cheap, visible, defensible measure to have in place:

NIS2 won’t hand you a checklist that says “set p=reject.” But when the directive asks for proportionate measures against obvious risks, an unprotected domain that anyone can impersonate is a hard gap to defend.

Frequently asked questions

Does NIS2 legally require DMARC? NIS2 doesn’t name DMARC. It requires appropriate, proportionate cyber-hygiene and risk-management measures; email authentication (SPF/DKIM/DMARC) is the standard control that addresses email-spoofing risk, so it’s widely treated as in scope. Confirm specifics with your compliance advisor.

What’s the minimum email-authentication posture? SPF and DKIM published, and DMARC set to an enforcing policy (quarantine or reject). A DMARC record at p=none monitors but doesn’t protect.

How do EU countries compare on this? As of 2026-06-29, enforcement ranges from about 5.24% (.it) to 29.43% (.nl). Most EU domains still can’t stop impersonation.

Is fixing it expensive? No — it’s DNS configuration, free to change. The cost is the time to do it in the right order.

Check your domain’s NIS2-relevant email posture

See whether your domain can be impersonated — and exactly what to fix — privately and free.

Check your domain → · Fix DMARC → · Europe vs the world → · Can someone spoof your domain? → · Aggregate data only. Data stored and processed in the EU.