NIS2 Email Authentication Readiness — Article 21 Scorecard | DMARCguard
meysamazad · 2026-06-16 · via Show HN

Check your domain against the NIS2 Article 21 email-authentication controls. NIS2 is in force EU-wide (the transposition deadline was 17 Oct 2024) and national enforcement is rolling out; Germany's NIS2UmsuCG went live 6 Dec 2025. The scorecard maps DMARC, SPF, MTA-STS, TLS-RPT, and DNSSEC to the specific paragraphs auditors reference.

Why this matters now

The NIS2 Directive is in force across the EU — the transposition deadline was 17 October 2024 and national enforcement is rolling out now (Germany's NIS2UmsuCG went live 6 December 2025, with more Member States following in 2026). Essential and important entities — roughly anything from mid-market manufacturing to managed-service providers in 18 sectors — must demonstrate the technical and organisational measures listed in Article 21 §2. Three of the ten measures map directly to email authentication:

  • §2(d) supply-chain security — auditors expect you to verify that DNS-borne identity (DMARC, SPF, DKIM) cannot be spoofed upstream. DNSSEC is the answer.
  • §2(g) basic cyber hygiene — the standing example from EU Commission Implementing Regulation 2024/2690 is "deploy SPF, DKIM, and DMARC to prevent business-email compromise."
  • §2(h) cryptography and encryption — covers encryption in transit for email, which translates to MTA-STS in enforce mode and TLS-RPT for visibility.

What this tool does

Run a domain through the scanner above. Each control is checked against the NIS2 baseline derived from the Commission's worked example and the national transposition guidance published by ANSSI (France), BSI (Germany), and CCB (Belgium). Every result links to a deeper protocol checker if you need to see the raw record.

The scan runs entirely in your browser via Cloudflare DoH. Nothing is sent to our servers and nothing is stored. If you want the same scorecard packaged as an auditor-ready PDF with a NIS2 control cross-walk, the paid tier emails it on a weekly cadence.

Article 21 §2 quick reference

| Paragraph | What it requires | Email-auth control |
|-----------|------------------|--------------------|
| §2(a) | Risk-analysis & information-system security policies | Out of scope for this tool |
| §2(b) | Incident handling | DMARC rua reports feed your IR process |
| §2(d) | Supply-chain security | DNSSEC for upstream record integrity |
| §2(g) | Basic cyber hygiene & training | DMARC + SPF + DKIM |
| §2(h) | Cryptography & encryption | MTA-STS enforce + TLS-RPT |
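
The mapping in the quick reference can be expressed as a small evaluator. This is an added sketch, not DMARCguard's code: the function names, the input object shape, and the pass/warn/fail thresholds are assumptions (the page does not publish its baseline), and the sample records for example.com are constructed.

```javascript
// Added example; sample records are constructed, pass/warn thresholds are assumptions.
// Browser-side lookup via the Cloudflare DoH JSON API (not called by the offline sample).
async function dohTxt(name) {
  const url = `https://cloudflare-dns.com/dns-query?name=${encodeURIComponent(name)}&type=TXT`;
  const j = await (await fetch(url, { headers: { accept: 'application/dns-json' } })).json();
  const txt = (j.Answer || []).filter(a => a.type === 16)
    .map(a => a.data.replace(/"\s*"/g, '').replace(/^"|"$/g, ''));
  return { ad: j.AD === true, txt }; // AD = resolver validated the answer with DNSSEC
}

// Parse "tag=value; tag=value" TXT syntax (DMARC, MTA-STS, TLS-RPT).
function parseTags(txt) {
  const tags = {};
  for (const part of txt.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) tags[part.slice(0, i).trim().toLowerCase()] = part.slice(i + 1).trim();
  }
  return tags;
}

// Exactly one record may carry the version prefix; duplicates are treated as no record.
function pick(records, prefix) {
  const hits = (records || []).filter(r => r.toLowerCase().startsWith(prefix));
  return hits.length === 1 ? hits[0] : null;
}

// dns: TXT arrays for apex (spf), _dmarc, _mta-sts, _smtp._tls; stsPolicy = HTTPS policy file text.
function scoreDomain(dns) {
  const spf = pick(dns.spf, 'v=spf1');
  const dmarc = parseTags(pick(dns.dmarc, 'v=dmarc1') || '');
  const p = (dmarc.p || '').toLowerCase();
  const sts = pick(dns.mtaSts, 'v=stsv1');
  const mode = (/^mode:\s*(\w+)/mi.exec(dns.stsPolicy || '') || [])[1];
  const tlsRpt = parseTags(pick(dns.tlsRpt, 'v=tlsrptv1') || '');
  return {
    '2(b) DMARC rua': dmarc.rua ? 'pass' : 'fail',
    '2(d) DNSSEC': dns.ad === true ? 'pass' : 'fail',
    '2(g) SPF': !spf ? 'fail' : /\s-all$/i.test(spf.trim()) ? 'pass' : 'warn',
    '2(g) DMARC': ['reject', 'quarantine'].includes(p) ? 'pass' : p === 'none' ? 'warn' : 'fail',
    '2(h) MTA-STS': !sts ? 'fail' : mode === 'enforce' ? 'pass' : 'warn',
    '2(h) TLS-RPT': tlsRpt.rua ? 'pass' : 'fail',
  };
}

// Constructed sample for the placeholder domain example.com.
const SAMPLE = { ad: false, tlsRpt: [], mtaSts: ['v=STSv1; id=20250101'],
  spf: ['google-site-verification=constructed', 'v=spf1 include:_spf.example.net ~all'],
  dmarc: ['v=DMARC1; p=none; rua=mailto:dmarc@example.com'],
  stsPolicy: 'version: STSv1\nmode: testing\nmx: mail.example.com\nmax_age: 86400\n' };
```

DKIM is not scored here because its selector cannot be discovered from DNS alone; it has to come from a received message or the sending platform's configuration.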

Scope check — does this apply to you?

NIS2 covers essential entities (energy, transport, banking, healthcare, ICT services, public administration, and more) and important entities (manufacturing, food, postal services, digital providers, research). If your organisation has more than 50 employees and operates in any of the 18 listed sectors, you are almost certainly in scope. National transpositions narrow the definition: Germany's NIS2UmsuCG, for example, supervises ~29,500 entities through BSI; France routes through ANSSI. The first registration deadline for most Member States is mid-2026.

What this tool does not cover

Article 21 is broader than email. The seven §2 paragraphs not listed above — risk policies, incident reporting timelines, business continuity, vulnerability handling, access control, asset management, MFA — are organisational and process controls that DNS cannot speak to. Use this scorecard as the evidence pack for the email-specific portion of an Article 21 audit, not as a full NIS2 gap analysis.

Read the complete EU · NIS2 guide to learn more.