NIS 2 Email Security: A Compliance Playbook
NIS 2 Article 21 mandates technical measures for secure electronic communications. Here is exactly which email-security controls map to which clauses, what evidence auditors look for, and how to produce it.
TL;DR
1. NIS 2 Article 21 requires authentication on electronic communications for essential and important entities.
2. Practical map: DMARC at p=quarantine or p=reject, SPF aligned, DKIM signing, MTA-STS in enforce mode.
3. Document continuous monitoring plus reportable incident handling; auditors want evidence, not policy statements.
What it does
The NIS 2 Directive (Network and Information Systems Directive 2, applicable in EU member states from October 2024) imposes cybersecurity risk-management obligations on "essential" and "important" entities across critical sectors. Article 21 specifically requires authentication and encryption on electronic communications, which translates directly to DMARC enforcement plus SPF, DKIM, MTA-STS, and TLS-RPT for any organization that operates email at scale.
Beyond the email-auth stack, Article 21 covers detection of anomalous behavior and incident response — which maps to lookalike-domain monitoring (brand impersonation is anomalous behavior on the network) and a structured incident trail for reportable events. NIS 2's reporting requirements (early warning within 24 hours of becoming aware, full notification within 72 hours) raise the bar on having actual evidence to report, not just policy statements.
Practical compliance: DMARC at <code>p=quarantine</code> or <code>p=reject</code> with reporting; SPF and DKIM signing aligned across every sending source; MTA-STS in enforce mode with TLS-RPT visibility; continuous lookalike-domain monitoring; and a structured audit log linking detections to actions. Auditors want evidence, not policy declarations.
How it works
1. <strong>DMARC at enforcement.</strong> Publish <code>p=quarantine</code> or <code>p=reject</code> with <code>pct=100</code>. The full ramp from <code>p=none</code> takes 8-12 weeks; see <a href="/learn/dmarc-rollout" class="text-brand-600 hover:underline">the rollout playbook</a>.
2. <strong>SPF + DKIM alignment for every sender.</strong> Each ESP must sign with a DKIM <code>d=</code> domain that aligns with your From: domain, typically via CNAME-delegated DKIM keys. Without alignment, DMARC fails for legitimate mail and the policy can't be enforced.
3. <strong>MTA-STS in enforce mode.</strong> Requires sending MTAs to deliver to your MX hosts over TLS with a valid certificate, which blocks STARTTLS downgrade attacks. Pair with TLS-RPT so failures show up as daily reports rather than silent rejections.
4. <strong>Continuous lookalike-domain monitoring.</strong> Article 21's detection-of-anomalous-behavior requirement covers brand impersonation. Monitor for typosquats, homoglyphs, and combosquats with multi-signal scoring; document the detection-to-action lifecycle.
5. <strong>Structured audit log.</strong> Every detection, alert state transition, and takedown action is linked to actor, timestamp, and outcome. Auditors will ask for the trail; ad-hoc spreadsheets fail the test.
6. <strong>Incident reporting workflow.</strong> The 24-hour early-warning and 72-hour full-notification windows mean the workflow has to be rehearsed before an incident, not invented during one. Build the playbook now.
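As an added example (not the page's own code), here is a small Python check that evaluates DMARC, MTA-STS and TLS-RPT settings from steps 1 and 3 against the enforcement bar above and returns audit-ready findings. The record strings are constructed samples; fetching the real TXT records from DNS and the policy file from the domain's mta-sts host is left to the caller.

```python
# Added example, not code from the original page; the sample records at the
# bottom are constructed (example.com is a reserved documentation domain).

def parse_tag_record(record: str) -> dict:
    """Parse a 'k=v; k=v' TXT record (DMARC or TLS-RPT) into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def parse_mta_sts(policy: str) -> dict:
    """Parse an MTA-STS policy file ('key: value' lines); 'mx' may repeat."""
    fields = {"mx": []}
    for line in policy.splitlines():
        k, _, v = line.partition(":")
        if k.strip().lower() == "mx":
            fields["mx"].append(v.strip())
        elif v:
            fields[k.strip().lower()] = v.strip()
    return fields

def check_email_auth(dmarc: str, sts_policy: str, tlsrpt: str) -> list:
    """Return findings against the enforcement bar; an empty list passes."""
    findings = []
    d = parse_tag_record(dmarc)
    if d.get("v") != "DMARC1":
        findings.append("DMARC: record missing or not v=DMARC1")
    else:
        if d.get("p") not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={d.get('p', 'none')} is not enforcement")
        if int(d.get("pct", "100")) < 100:  # pct defaults to 100 (RFC 7489)
            findings.append(f"DMARC: pct={d['pct']} leaves part of the stream unenforced")
        if not d.get("rua"):
            findings.append("DMARC: no rua= address, so no aggregate reports as evidence")
    s = parse_mta_sts(sts_policy)
    if s.get("version") != "STSv1":
        findings.append("MTA-STS: policy missing or not STSv1")
    elif s.get("mode") != "enforce" or not s["mx"]:
        findings.append(f"MTA-STS: mode={s.get('mode')}, mx={s['mx']} is not enforcing")
    t = parse_tag_record(tlsrpt)
    if t.get("v") != "TLSRPTv1" or not t.get("rua"):
        findings.append("TLS-RPT: no reporting address, so TLS failures stay invisible")
    return findings

GOOD_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
GOOD_STS = "version: STSv1\nmode: enforce\nmx: mail.example.com\nmax_age: 604800\n"
GOOD_TLSRPT = "v=TLSRPTv1; rua=mailto:tlsrpt@example.com"
```

Running `check_email_auth(GOOD_DMARC, GOOD_STS, GOOD_TLSRPT)` yields no findings, while `check_email_auth(WEAK_DMARC, "", "")` lists each gap an auditor would flag.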
Common pitfalls
- <strong>Reading NIS 2 as policy-only.</strong> The directive is operational. Auditors evaluate evidence (DMARC at <code>p=reject</code>, real reports, real audit logs), not whether you wrote a policy doc claiming you do these things.
- <strong>Stopping at <code>p=quarantine</code>.</strong> Quarantine is monitoring with friction; <code>p=reject</code> is the actual enforcement level. NIS 2 "authentication" expects enforcement, not best-effort.
- <strong>Treating brand monitoring as marketing.</strong> Article 21 covers detection of impersonation as an anomalous behavior on the network. Lookalike monitoring is a security control under NIS 2, not a marketing tool.
- <strong>No rehearsed incident reporting workflow.</strong> The 24-hour and 72-hour clocks start the moment you become aware. Building the reporting flow during an incident is how organizations miss the deadlines.
- <strong>Assuming the SME exemption applies.</strong> NIS 2's "important entities" category extends past traditional critical-infrastructure sectors. Verify your sector's coverage before assuming you're out of scope.