Is your email authentication ready for your NIS2 audit?

NIS2 requires essential and important entities to manage cyber risk and prove operational resilience, and email authentication is one of the most basic controls an auditor will expect to see. With first formal audits landing around 30 June 2026 and fines reaching 10 million euros or 2 percent of global turnover, now is the time to know where you stand. Check your domain in 30 seconds.

No signup. Read-only. Instant A to F posture grade.

Straight talk on the law

An honest note: NIS2 does not name SPF, DKIM, or DMARC in its legal text. It mandates appropriate technical and organizational measures, secure communications, and operational resilience. Email authentication is the cheapest and most visible way to satisfy that for the email channel, which is why an auditor will expect to see it. We state this plainly because any overclaim is easy to catch.

How the check works

  1. Read public DNS for SPF, DKIM, and DMARC.
  2. Grade your email posture A to F with per-control pass and fail.
  3. Produce a prioritized list of fixes. Read-only.

What NIS2 expects for the email channel

NIS2 does not name email-authentication records, so the list below maps the standard practical controls an auditor will look for to the risk-management duty. Note also the separate 24-hour duty to report a significant incident.

  • SPF valid. A valid SPF record is a baseline technical measure for the email channel.
  • DKIM signing. DKIM signing is the cryptographic baseline an auditor will look for.
  • DMARC published and moving toward enforcement. A published, enforcing DMARC policy demonstrates the email channel is actively managed.
  • Coverage across sending and brand domains. A resilience narrative needs every spoofable domain covered, not just the primary.
  • Monitoring in place. An auditor expects to see the control watched, not configured once and forgotten.
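
The check described under "How the check works" and the controls listed above, as an added Python example that is not the scanner's own code: it evaluates constructed SPF, DKIM and DMARC record strings per control (no live DNS lookup) and turns the failures into a letter grade and a fix list; the five-control A to F scale is an assumption of this example.

```python
# Added example, not the scanner's own code: evaluate SPF, DKIM and DMARC records per control and
# fold the results into an A to F grade.  Records are constructed strings rather than live DNS
# lookups; the five-control letter scale is this example's assumption.
def parse_tags(record):
    """Split a 'k=v; k2=v2' tag list (DKIM and DMARC syntax) into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_valid(spf):
    """A v=spf1 record whose final mechanism restricts senders (-all or ~all)."""
    if not spf or not spf.lower().startswith("v=spf1"):
        return False
    return spf.split()[-1].lower() in ("-all", "~all")

def dkim_signing(selector_records):
    """At least one selector publishes a non-empty public key (an empty p= is a revoked key)."""
    return any(parse_tags(r).get("p") for r in selector_records)

def dmarc_status(dmarc):
    """(published, enforcing, monitored): v=DMARC1; p=quarantine/reject at pct=100; rua set."""
    tags = parse_tags(dmarc or "")
    if tags.get("v") != "DMARC1":
        return False, False, False
    policy = tags.get("p", "none").lower()
    enforcing = policy in ("quarantine", "reject") and tags.get("pct", "100") == "100"
    monitored = tags.get("rua", "").lower().startswith("mailto:")
    return True, enforcing, monitored

def grade(spf, dkim_selectors, dmarc):
    """Per-control pass/fail, a letter (A with all five passing, one step down per failure) and the fix list."""
    published, enforcing, monitored = dmarc_status(dmarc)
    controls = {"spf_valid": spf_valid(spf), "dkim_signing": dkim_signing(dkim_selectors),
                "dmarc_published": published, "dmarc_enforcing": enforcing,
                "dmarc_monitoring": monitored}
    fixes = [name for name, ok in controls.items() if not ok]  # failed controls become the fix list
    return "ABCDF"[min(len(fixes), 4)], controls, fixes

# Constructed sample records for a domain still in DMARC monitoring mode (p=none with rua).
SAMPLE_SPF = "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 ~all"
SAMPLE_DKIM = ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructed",
               "v=DKIM1; k=rsa; p="]  # second selector revoked
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com; fo=1"

if __name__ == "__main__":
    letter, controls, fixes = grade(SAMPLE_SPF, SAMPLE_DKIM, SAMPLE_DMARC)
    print(letter, fixes)  # B ['dmarc_enforcing']
```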

What failing costs

  • Fines up to 10 million euros or 2 percent of turnover for essential entities, 7 million euros or 1.4 percent for important entities.
  • Personal accountability for management bodies.
  • A weak operational-resilience narrative when the auditor asks.
  • Real impersonation risk for critical-infrastructure brands.

Frequently asked

Does NIS2 require DMARC?

Not by name. NIS2 does not name SPF, DKIM, or DMARC in its legal text. Email authentication is the standard way to meet the risk-management duty for the email channel, which is why auditors expect it.

When are the audits?

First formal audits land around 30 June 2026. Confirm your national transposition deadline, as it varies by member state.

What is the difference between essential and important entities?

The controls are the same. The classification affects the fine ceiling, with essential entities facing the higher cap.

Does the scan touch our infrastructure?

No. It reads public DNS only and is read-only.

Does this support our risk documentation?

It produces a dated, structured posture record you can attach to your risk-management evidence.

Our DMARC is passing. Are we done?

That is the authentication half. Lookalike domains remain, and they are the impersonation route a resilience auditor will ask about.

Know where you stand in 30 seconds

Check my NIS2 readiness