Tomorrow, June 30, 2026, Essential Entities across the European Union face the first formal compliance audit under the Network and Information Security Directive 2. If your organization operates in energy, transport, banking, healthcare, water, digital infrastructure, or any of the fourteen other covered sectors, and you have more than 50 employees and over 10 million euros in annual revenue, that deadline applies to you.
NIS2 does not mention DMARC by name. But its Article 21 requirements around cybersecurity risk management have been interpreted consistently by the national regulators who drafted implementation guidance: an email domain without DMARC at enforcement level is a documented control gap. And a DMARC record set to p=none is treated the same as no DMARC record at all.
What Article 21 Actually Requires
NIS2 Article 21 obligates Essential and Important Entities to implement appropriate and proportionate technical and organizational measures to manage the security risks to their network and information systems. The provision lists ten minimum-measure categories that include supply chain security, incident handling, cryptography, and access control.
Email authentication sits at the intersection of several of those categories simultaneously. The absence of DMARC at enforcement level is not a single gap. It is a gap that auditors can cite against as many as five separate Article 21 obligations:
Risk management processes. Without DMARC enforcement, an organization has no control over whether unauthorized senders can impersonate its domain. That is an unmanaged risk to the identity integrity of its communications infrastructure.
Policies and procedures for network security. Email is network infrastructure. A domain with p=none has not implemented the authentication-layer controls that every major cybersecurity framework now identifies as baseline for email network security.
Human factors and access control. Phishing emails that spoof your domain are the primary vector for credential theft. DMARC at p=quarantine or p=reject eliminates spoofed-domain phishing as an attack vector against your own organization and your partners.
Business continuity and incident response. A domain that can be freely spoofed creates an incident exposure surface with no defined boundary. When your domain is used to phish a business partner or a customer, the incident response burden falls on your organization regardless of whether the email came from your infrastructure.
Supply chain security. NIS2 explicitly requires that organizations manage the cybersecurity risks introduced by their technology suppliers. Email authentication configurations – including whether your organization’s authorized sending services are correctly aligned in your DMARC record – are a documented supply chain risk when they are not monitored and controlled.
The p=none Compliance Fiction
The most common DMARC configuration gap that auditors encounter is the p=none record published in haste to satisfy Gmail and Outlook’s bulk sender requirements in 2024 and 2025, and never advanced to enforcement.
p=none is a monitoring policy. It instructs receiving mail servers to take no action against messages that fail DMARC authentication. It collects data – through RUA aggregate reports – about what is sending mail that claims to be from your domain. But it does not block anything.
ENISA, the European Union Agency for Cybersecurity, published Technical Implementation Guidance on cybersecurity risk management measures in June 2025. That guidance, which NIS2 auditors use as the standard technical reference, identifies DMARC enforcement – meaning p=quarantine or p=reject – as the required control for organizations implementing Article 21. A p=none record demonstrates awareness but not control.
The distinction is not semantic. Awareness without enforcement means that an attacker can send phishing email from your domain without any technical barrier from your DNS configuration. That is not a managed risk. That is a documented unmanaged risk – exactly the category that triggers NIS2 enforcement action.
Penalties are GDPR-scale: up to 10 million euros or 2% of global annual turnover for Essential Entities, and up to 7 million euros or 1.4% of global annual turnover for Important Entities. Those numbers concentrate attention.
What the Audit Will Look For
NIS2 auditors checking email security configurations are not performing a checkbox exercise. They are assessing whether an organization has implemented a defensible email security posture with documentation to show it was intentional and is being maintained.
The specific items they will check:
DNS record existence and policy level. The auditor will query your domain’s DNS for a DMARC TXT record at _dmarc.your-domain.com. If no record exists, that is a clear gap. If a record exists at p=none, that is a gap. p=quarantine or p=reject is the expected minimum.
SPF and DKIM alignment. DMARC is only meaningful if the underlying authentication mechanisms are correctly configured. Auditors will verify that your SPF record covers all your legitimate sending sources without being excessively permissive, and that DKIM signing is active on the sending domains that appear in your From header.
RUA report configuration. ENISA guidance specifies that aggregate reporting must be active. An rua= tag pointing to a monitored address demonstrates that someone is actually reading the authentication data being generated. A domain with p=reject and no RUA reporting configured is missing a required visibility control.
Subdomain policy coverage. Many organizations publish DMARC on their apex domain but neglect to address subdomains explicitly. If your subdomain policy is not specified with an sp= tag, the apex domain’s policy applies – but the auditor will check whether your sending subdomains have been intentionally addressed in your configuration.
Documentation of the path to enforcement. This is the element that most organizations underestimate. NIS2 auditors are not looking only for a correctly configured DMARC record. They are assessing whether the organization has a repeatable process for maintaining that configuration. That means records of the aggregate report analysis that preceded enforcement, documentation of all authenticated sending sources, and evidence of periodic review.
What Germany’s BSI TR-03108 Has Made Explicit
While NIS2 itself leaves room for national interpretation, Germany’s Federal Office for Information Security has closed that gap entirely. BSI Technical Directive TR-03108, the most detailed national NIS2 implementation guidance in Europe, specifies DMARC at enforcement level as a required control for operators of email infrastructure.
The Netherlands’ National Cyber Security Centre and France’s ANSSI have issued guidance in the same direction. The European Central Bank’s supervisory expectations for financial institutions – which overlap significantly with NIS2 scope – identify email authentication as a baseline control.
What this means in practice: the countries that are home to most EU Essential Entities have either issued or are in the process of issuing explicit national guidance that treats DMARC enforcement as a non-negotiable component of NIS2 Article 21 compliance. Arguing that DMARC is optional under NIS2 because the directive text does not name it is an argument that national auditors are not accepting.
If You Are Reading This After the Deadline
If June 30 has already passed, the immediate priority is not panic. It is documentation.
Organizations that have implemented DMARC at p=none and are actively analyzing reports – with a documented timeline toward enforcement – are in a materially different position than organizations that have no DMARC record at all. Auditors and supervisory authorities can distinguish between an organization in a documented compliance transition and one that has ignored the requirement entirely.
The path from p=none to p=quarantine and then to p=reject is methodical. Aggregate report analysis to identify all sending sources typically takes four to eight weeks for a mid-size organization. Authentication and alignment of all identified sources takes additional time proportional to the complexity of the email infrastructure. Phased enforcement with monitoring at each step is safer than a rushed jump to p=reject.
The compliance gap is real. The path to closing it is well understood. What it requires is continuous DMARC visibility – the ability to see every source sending email under your domain, the authentication results for each source, and the volume trends that indicate whether something unexpected is happening across your mail streams.
NIS2 compliance for email authentication is not a one-time DNS record change. It requires continuous monitoring of your DMARC aggregate reports, a maintained inventory of authenticated sending sources, and the documentation that proves your controls are active and reviewed. Sign up for free to Excello Mail and get the ongoing visibility your Article 21 audit trail requires.