NIS2 Email Security Checklist (2026)

Essential and important entities

NIS2 expands cybersecurity obligations beyond the old NIS Directive scope. Member states classify organizations as essential or important entities based on sector and size. Sectors include energy, transport, banking, health, digital infrastructure, public administration, and more. Important entities often include mid-market manufacturers, MSPs, food distributors, and B2B SaaS vendors that never thought of themselves as "critical infrastructure."

The European Commission's NIS2 implementation tracker (updated through 2025) shows all 27 member states had transposed the directive; enforcement timelines vary, but 2026 is the year fines and supervisory action stop being theoretical for many SMBs.

Why auditors start with email

Email is still the primary exfiltration and fraud path for SMB breaches. Article 21 measures must address risks to network and information systems. Unauthenticated mail (missing or broken SPF/DKIM/DMARC) is both a spoofing risk and a transmission integrity gap. Auditors know it. It is easier to verify than your SIEM correlation rules.

Article 21(2) lists measure types: policies on risk analysis, incident handling, business continuity, supply chain security, security in acquisition and development, and policies on cryptography and human resources. Paragraph 2(g) explicitly references encryption where appropriate.

For email infrastructure, assessors typically expect:

• Sender authentication (SPF, DKIM, DMARC with a documented policy path)
• Transport encryption posture (TLS on SMTP paths, often validated via MTA-STS and TLS-RPT)
• DNS integrity controls (no dangling records, CAA where applicable, change detection)
• Evidence that controls are monitored over time, not point-in-time screenshots

What Article 21 does not require verbatim

No EU text says "publish p=reject by Q3." Enforcement is risk-proportionate. A 12-person consultancy and a regional hospital face different bars. But both need documented measures and evidence they operated in the assessment period.

Work through these in order. Authentication before enforcement. Monitoring before you claim continuous compliance.

1. SPF published and valid

Root domain TXT includes v=spf1 with all authorized senders (M365, Google Workspace, ESP includes) and hard fail -all on production sending domains.

Check: no PermError (10 lookup limit), no duplicate SPF TXT records, no +all.

Quick fix reference: zerohook.org/fix/spf-permerror

2. DKIM signing enabled on all sending paths

Every system that sends as your domain signs with a published selector. M365: selector1/selector2 CNAMEs. Google Workspace: google._domainkey. ESPs: provider CNAME/TXT as documented.

Check: test message Authentication-Results shows dkim=pass for your domain.

3. DMARC published with aggregate reporting

_dmarc.yourdomain.com TXT exists with v=DMARC1, rua= to an address you actually read, and a documented policy roadmap (none → quarantine → reject).

Check: you can produce at least 30 days of aggregate XML or a parsed summary.

4. DMARC alignment on primary mail flows

Marketing ESP, transactional SaaS, and corporate M365/Google mail all achieve dmarc=pass on test sends. Alignment failures are tracked and remediated.

Quick fix reference: zerohook.org/fix/dmarc-alignment-failed

5. MTA-STS policy for inbound mail

DNS record at _mta-sts.yourdomain.com plus HTTPS policy file enforcing TLS for inbound SMTP to your domain.

Check: policy mode enforce or documented timeline to enforce after testing.

6. TLS-RPT reporting enabled

_smtp._tls.yourdomain.com publishes a reporting address. Someone reviews TLS failure reports quarterly minimum.

7. Outbound mail encryption posture documented

Document which systems send mail, which ports, and whether TLS is required/opportunistic. PCI-DSS v4.0 Requirement 4.2.1 (effective March 2025) and ISO 27001:2022 Annex A 8.24 both expect protection of information in transit; email is in scope for most cardholder and PII environments.

8. DNS change monitoring (continuous)

SPF, DKIM, DMARC, MX, and MTA-STS records are monitored on a defined cadence (daily or better for production domains). Changes trigger review within 24 hours.

Point-in-time scans before audit season fail the "continuous" question.

9. Blacklist and reputation monitoring

Domain and sending IPs checked against major DNS blocklists. Delisting procedures documented.

10. Subdomain and dangling DNS audit

Inventory of all subdomains that send or receive mail. No orphaned CNAMEs pointing at deprovisioned SaaS (common subdomain takeover path).

11. Incident playbooks for mail abuse

Documented steps if your domain is spoofed, listed on a blocklist, or if DMARC reports show an unknown sender above threshold.

12. Evidence retention with integrity

Audit logs, scan results, and remediation tickets retained for the period your auditor specifies (often 12 months minimum; regulated sectors may require longer). Excel exports on a shared drive are weak evidence; hash-verified or immutable logs are stronger.

13. Supply chain mail security for vendors

Critical vendors who send as your domain (payroll, e-sign, marketing) listed with their authentication method and review date.

14. Executive attestation cadence

Someone with authority reviews mail security posture quarterly. Paper trail: meeting notes or signed compliance summary.

Assessors rarely say "fix your SPF." They cite framework controls.

You do not need separate DNS for each framework. One well-monitored authentication stack supports multiple attestations if evidence is mapped correctly.

We've seen teams maintain four spreadsheets for four frameworks. One monitoring export with control tags beats four stale screenshots every time.

Minimum viable evidence pack

• Current DNS exports for SPF, DKIM, DMARC, MTA-STS (dated)
• 90 days of DMARC aggregate summaries with pass/fail trends
• Monitoring alert history showing at least one detected change and response
• Change tickets linked to DNS modifications
• Named owner for mail security posture (job title, not just "IT")

Strong evidence (reduces follow-up questions)

• Tamper-verified audit log of monitoring results
• Auditor read-only portal access to monitoring history
• Generated PDF mapping controls to NIS2 Article 21 and ISO Annex A clauses
• Excel export with domain-level scores over time

Agency tier ($89/month) covers multi-domain monitoring and basic compliance summaries. Full automated evidence collection, auditor PDFs, and 365-day tamper-proof logs sit on Compliance Evidence Pack ($199/month, $1,910/year). That is roughly 82% below SecurityScorecard-style enterprise ratings (~$26,000/year benchmark on pricing materials) while producing DNS-specific artifacts assessors can verify.

What fails reviews

• "We check DNS before audits" with no dated history
• DMARC p=none for 3+ years with no enforcement roadmap
• Marketing sends through an ESP that is not in the SPF record
• No named person accountable for DMARC report review

NIS2 sets maximum fines at €10 million or 2% of global annual turnover for essential entities, and €7 million or 1.4% for important entities, whichever is higher (per Directive 2022/2555). Member state implementation varies; the point is not the theoretical maximum but supervisory appetite in your jurisdiction in 2026.

Compare that to continuous compliance tooling:

• Manual NIS2 readiness consulting: often $2,000-$5,000 for a one-time assessment (market range cited on compliance pricing pages)
• ZeroHook Evidence tier: $1,910/year with monitoring, exports, and copy-paste DNS fixes
• Cost of one successful BEC fraud via spoofed domain: FBI IC3 reported $2.9 billion in adjusted losses from business email compromise in 2023 (latest full-year IC3 report; 2024 edition showed similar order of magnitude)

Honestly, the fine is not always the first hit. Losing a enterprise renewal because your customer's vendor questionnaire flagged missing DMARC hurts sooner.

Treating M365 as "handled by Microsoft"

Microsoft secures their infrastructure. Your DNS records for your domain are still your problem. DKIM off by default until you publish CNAMEs.

Separate marketing subdomain with no DMARC

mail.yourdomain.com sends campaigns without its own SPF/DKIM/DMARC while root domain is "compliant." Auditors notice.

Evidence in personal inboxes

DMARC reports to a former employee's mailbox for 18 months. Continuous monitoring with team access fixes that.

Copy-pasting a consultant's template without ownership

A PDF checklist in SharePoint that nobody updates is not a measure. It is paperwork.