NIS2 and DORA are the two regulatory frameworks most likely to land on a CISO’s desk during 2026 with email infrastructure questions attached. NIS2 has been enforceable since October 2024 across EU member states (with national transposition timelines that vary). DORA went live for financial entities in January 2025. By Q2 2026 we are seeing the first wave of formal audits and the questions auditors actually ask are different from what compliance vendors prepared organizations for.
This is the practical guide we wrote after sitting in on actual NIS2 audits and DORA examinations of our European clients during 2025-2026. It is not legal advice — your DPO and external counsel handle that. It is operational guidance about what compliance with email-infrastructure aspects of these frameworks actually looks like.
NIS2 in plain language
NIS2 is the EU’s network and information security directive (the “2” because it replaces the original 2016 NIS directive). It applies to “essential and important entities” across 18 sectors. The full sector list runs from energy to digital infrastructure to manufacturing of medical devices. Most B2B SaaS companies, most managed service providers, most healthcare organizations, and most financial entities are covered.
The relevant article for email infrastructure is Article 21, which requires “appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems.” That sentence is deliberately broad. The implementing details come from member state national transpositions (Germany’s IT-SiG, France’s national NIS2 law, Italy’s decree, Spain’s law, etc.) and from technical guidance issued by competent authorities (BSI in Germany, ANSSI in France).
Email is mentioned explicitly in the German BSI baseline guidance and the French ANSSI security recommendations. The relevant controls:
- Email authentication (SPF, DKIM, DMARC) for sent communications — to prevent your domain being used for phishing.
- Email security gateway / filtering for received communications — to detect inbound phishing.
- Incident response plan covering email-borne incidents — phishing, business email compromise, account takeover.
- Logging and monitoring of email systems — to enable detection and forensics.
What auditors actually ask:
- “Can you produce evidence that your DMARC policy is at enforcement (
p=quarantineor stricter) for all domains in scope?” If you cannot, you have a finding. - “Can you show monitoring data for the last 12 months proving the DMARC enforcement has held without significant alignment failures?” If you cannot, you have a partial finding.
- “What is your incident response procedure if your domain is used in a phishing campaign?” Vague answers are partial findings.
- “Show me the log retention policy and a sample query for an email-forensic incident from last quarter.” Operational test.
DORA in plain language
DORA is the Digital Operational Resilience Act, applicable to financial entities (banks, investment firms, insurance, crypto-asset service providers, payment institutions, etc.) since January 2025. It is more prescriptive than NIS2 and has its own ICT risk management framework.
The directly email-relevant pieces:
- Article 5-15 (ICT risk management framework): requires identifying, protecting, detecting, responding to, and recovering from ICT risks. Email is part of ICT.
- Article 17-23 (ICT-related incident reporting): incidents that affect critical functions must be reported. Phishing-driven business email compromise that resulted in fraud or data breach falls under this.
- Article 28-44 (third-party ICT risk): detailed requirements for managing risks from third-party ICT providers, which absolutely includes email infrastructure providers.
DORA’s practical effect for email infrastructure:
- Your email provider needs a signed DPA and you need documented sub-processor list.
- Your email provider needs to demonstrate operational resilience (SLAs, incident response, BCP).
- Critical or important functions running on email (transactional notifications for trading systems, MFA tokens, account confirmations) need redundancy planning.
- Email-related incidents may be reportable to your competent authority within strict timelines.
| Requirement type | NIS2 (general) | DORA (financial entities) |
|---|---|---|
| Sector coverage | 18 sectors, broad | Financial only, narrow |
| Email authentication mandate | Implicit via Article 21 + national guidance | Implicit via Articles 5-15 |
| Incident reporting timeline | 72h initial notification | 4h initial, 72h intermediate, 1 month final |
| Maximum fine | €10M or 2% turnover | 1% daily turnover for non-compliance |
| Third-party (your email provider) | Sub-processor inventory required | Detailed DPA + register of agreements + exit strategy |
| Audit frequency | Risk-based | Annual ICT audit + threat-led penetration testing for significant entities |
Both frameworks overlap for financial entities — they are subject to NIS2 AND DORA simultaneously, with DORA acting as lex specialis where conflicts exist.
What email infrastructure providers should be giving you
If your email infrastructure provider does not give you the following without you having to chase it, they are not equipped for clients with NIS2/DORA exposure:
1. Signed Data Processing Agreement (DPA) GDPR Article 28 standard, but updated with Schrems II considerations and explicit sub-processor handling.
2. Up-to-date sub-processor list With dates of any changes, jurisdictions of each sub-processor, and a notification mechanism for changes that requires your acceptance.
3. SOC 2 Type II or ISO 27001 audit reports Not just certification badges — the actual reports for review by your auditors. Most providers gate this behind NDA, which is fine; “we don’t have one” is not.
4. Incident response procedure documentation What happens when their MTA goes down? When a customer reports phishing using your domain? When credentials are compromised? Documented procedures, not promises.
5. SLA with measurable commitments 99.9% uptime is the floor for production email infrastructure. Providers offering “best effort” do not meet DORA Article 30 requirements for critical service providers.
6. Geographic data residency commitments Where your data is stored, where it transits, where backups live. For Schrems II + NIS2 + DORA layered requirements, EU-only is the safest answer.
7. Audit cooperation clause in contract You may need to bring your auditors to look at your provider’s controls. The contract should permit this, with reasonable notice and confidentiality protections.
Member state implementation differences
NIS2 was a directive, not a regulation, which means each member state implemented it through national law with variations. The differences matter operationally.
Germany (IT-SiG / BSI guidance): BSI is the most prescriptive about technical controls. Their baseline IT-Grundschutz catalog includes specific email security controls. Auditors in Germany are likely to apply BSI baseline as the minimum, even if the EU directive itself is more flexible.
France (LPM / ANSSI): ANSSI has issued specific cold email guidance, DMARC implementation recommendations, and a SecNumCloud framework that goes beyond NIS2 baseline. SecNumCloud-qualified providers are the strongest position for French public sector and finance.
Italy (Decreto NIS2): implementation is fairly close to the EU baseline. Italian DPA (Garante) has been active on Schrems II analysis but less prescriptive on email specifically.
Spain (Ley NIS2): implementation completed in 2024. INCIBE provides technical guidance similar to BSI but less detailed.
Netherlands (Cyberbeveiligingswet): closer to BSI in technical specificity.
Austria (NISG 2024): implementation similar to Germany but with national variations on critical infrastructure definitions.
For organizations with multi-country EU operations, the practical answer is: comply with the strictest member state guidance (typically Germany or France), and the rest follows.
What an actual NIS2-aligned email setup looks like
For a hypothetical mid-market European SaaS subject to NIS2 (covered sector: digital service provider, important entity classification):
Sending side:
- DMARC at
p=quarantineminimum on all sending domains, with the path top=rejectdocumented - BIMI deployed on customer-communication domain (signal that DMARC is at enforcement)
- DKIM rotation policy documented and executing (typical: quarterly)
- Sub-processor for email infrastructure is EU-incorporated with EU-only sub-processor chain
- Monthly placement reports retained for 12 months (auditor request)
- Incident response procedure for “domain used in phishing” event documented and tested
Receiving side:
- Inbound email gateway with SPF/DKIM/DMARC validation
- Phishing-resistant authentication (FIDO2 keys, not just SMS-OTP) for executive accounts
- Email retention policy aligned with sector requirements
- Logging into SIEM with specific use cases documented (account takeover detection, suspicious forwarding rules, etc.)
Governance:
- Annual review of email infrastructure controls
- Quarterly review of sub-processor list and contract changes
- Annual penetration test of email systems (or as part of broader pentest)
- Documented exit strategy if email provider relationship ends
This is not exotic. Most of it is standard hygiene that should already exist. The NIS2/DORA pressure makes documentation explicit where it was previously implicit.
When to outsource compliance vs build internal
For mid-market European organizations facing NIS2 for the first time, the practical question is: do we hire compliance internally, contract with a Big-4 advisory, or use a managed service for the operational layer?
Internal hire (compliance officer + email engineering) — works for organizations with steady-state compliance needs and existing email engineering capability. Costs roughly €120K-€180K fully-loaded annually for the operational layer. The compliance officer is a separate hire.
Big-4 advisory — works for one-time gap analysis and audit preparation. Excellent for the strategic layer. Wrong tool for the operational layer.
Managed services for operational layer — works for organizations who have a compliance officer (internal or fractional) but need the operational execution outsourced. Our managed DMARC and deliverability monitoring products fit here, with documentation that maps directly to NIS2 Article 21 and DORA Article 28-44 requirements.
The hybrid model — fractional compliance officer plus managed operational layer — is what we see most often for European mid-market clients. The fractional compliance officer (€2K-€8K monthly retainer through firms like KPMG smaller offices or specialist boutiques) handles the strategic layer; the managed service handles the operational execution.
Where enforcement actually stands in 2026
The frameworks stopped being horizon items. As of early 2026, roughly two-thirds of member states have completed NIS2 transposition, and the Commission moved from infringement proceedings against 23 states in late 2024 to reasoned opinions against 19 in mid-2025; the first administrative penalties under national NIS2 laws landed in the first quarter of 2026. Fines reach €10 million or 2% of global turnover, whichever is higher, and a compliance deadline for covered entities falls in October 2026, with the first verification audit pushed in several states to mid-2026. The scope is wide — more than 160,000 entities, up from around 10,000 under the old directive, with electronic communications services now pulled in as a covered sector in their own right.
DORA, applicable since January 2025, entered its first real supervisory cycle in 2026, with regulators acting on incident-reporting gaps and deficiencies in the Register of Information that financial entities must maintain on their ICT providers. For email, the practical pressure usually arrives through a contract: an EU financial client managing its DORA third-party risk amends the agreement to demand audit rights, incident cooperation, subcontractor transparency, and a documented exit plan. The vendor that can sign those clauses without renegotiation is the one that already operates to the standard.
Frequently asked questions
Does NIS2 apply to our email infrastructure?
Indirectly, and increasingly directly. If your organization is an essential or important entity under a member state’s transposing law, your email security sits inside the Article 21 risk-management obligations, and electronic communications services are now a covered sector in their own right. Even when your own entity is out of scope, in-scope customers push the obligations down to you through their contracts.
Do NIS2 and DORA overlap for a financial entity?
They do, and DORA prevails where they meet. DORA is lex specialis under NIS2 Article 4(1), so a financial entity subject to both follows DORA on the ICT-resilience obligations the two frameworks share, while NIS2 still governs anything DORA does not reach. A bank with a separately authorized data-centre subsidiary can sit under both at once, which is why the contract language matters more than the label.
Bottom line
NIS2 and DORA are not “DMARC enforcement laws,” but they create operational urgency around DMARC enforcement and broader email security that organizations cannot deflect by saying “no specific email regulation applies to us.”
The first wave of formal audits in late 2025 / early 2026 has been less punitive than feared but more prescriptive than expected. Organizations that did the operational hygiene (DMARC at enforcement, sub-processor inventory, documented incident response) passed cleanly. Organizations that did checkbox compliance (“we have DMARC published” — at p=none) got partial findings.
For European senders trying to get this right without overbuilding, the path is: get DMARC to enforcement, document what you did, ensure your email infrastructure provider is auditable and EU-incorporated, and treat ongoing monitoring as operational discipline rather than a project. NIS2 and DORA reward steady-state operational hygiene; they do not reward heroic last-minute pre-audit projects.