Executive summary: The article examines how the EU can proactively close email security gaps by leveraging the NIS2 Directive to mandate robust, harmonized standards like DMARC, DKIM, and SPF across all member states. By acting now, the EU not only protects its digital ecosystem but also sets a global benchmark for cybersecurity best practices.
Key takeaways:
- The NIS2 Directive presents a pivotal opportunity for the EU to mandate universal adoption of email security protocols (DMARC, DKIM, SPF), addressing longstanding vulnerabilities and harmonizing standards across all member states.
- Recent moves by major providers (Google, Yahoo!) and industry standards (PCI DSS 4.0.1) have made email authentication best practices more common, but existing requirements remain insufficient—highlighting the need for stricter, enforceable EU-wide mandates.
- Coordinated EU action, led by bodies like ENISA and the NIS Cooperation Group, can drive the implementation of robust email security, close regulatory gaps, and position the EU as a global leader in cybersecurity best practices.
As the digital backbone of modern communication, email remains a critical vulnerability for organizations across Europe, often exploited due to outdated or inconsistent security measures. The EU’s forthcoming NIS2 Directive, building on the legacy of GDPR, presents a pivotal opportunity to mandate stronger, harmonized email security standards across all member states.
By requiring the adoption of protocols like DMARC, DKIM, and SPF, and leveraging the EU’s regulatory influence, the bloc can not only protect its own digital ecosystem but also set a global precedent for cybersecurity best practices. With some member states already leading the way, the time is ripe for a united, EU-wide approach that closes gaps and ensures robust protection for all.
Taking a leaf from GDPR
The Network and Information Systems 2 Directive (NIS2) is the successor to the Network and Information Systems Directive (NIS), which in 2016 became the first EU-wide legislation on cybersecurity, requiring European Union (EU) member states to transpose a multitude of requirements into national law and to work together with essential and digital service providers to improve cybersecurity. NIS2 also sets stricter conditions on the administrative fines that member states must make available. Email security is one of many explicit requirements covered by the directive.
As one of the world’s largest trading blocs, the EU has the ability to drive a safer consumer ecosystem. We saw this impetus with the General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePD), which led to significant improvements in privacy and data protection, and to rapid mainstream attention.
Moreover, when the EU adopts stricter regulatory standards, it often sets a global precedent, influencing policies and practices beyond its borders. A good example is directives that apply extraterritorially, affecting any organization that does business with the EU or processes EU personal data. Although GDPR is an EU-specific regulation, many American companies, recognizing the complexity of maintaining separate data policies, have chosen to apply GDPR standards universally to all users, not just EU citizens.
This approach not only simplifies compliance but also elevates data protection globally and has a positive return on investment. Similarly, if the EU enforces stricter cybersecurity standards, such as those outlined in the NIS2 Directive, businesses outside the EU are likely to adopt these higher standards to ensure seamless operations and compliance, creating a “trickle-down” effect that enhances global security practices while avoiding the consequences of non-adherence, such as monetary fines and other non-financial penalties.
How does NIS2 relate to email security?
Email is insecure by default: it requires no authentication, no authorization, and not even encryption in transit. All of these aspects had to be developed and bolted on afterwards. Anyone who has had to configure a service that sends email will have come across DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF), two mechanisms that help authorize and authenticate outgoing email. DKIM in particular provides strong cryptographic authorization and authentication of emails.
However, what happens when an email cannot be verified as “passing” DKIM or SPF was left to each receiver to decide for itself. This is the key purpose of Domain-based Message Authentication, Reporting, and Conformance (DMARC), which was developed to give domain owners a mechanism to explicitly state that email receivers should reject any emails that are not authorized by either DKIM or SPF. Publishing such a policy signals that the domain owner has properly configured all services that are authorized to send on its behalf.
Support for DMARC, DKIM and SPF across the email ecosystem, by both senders and receivers, has been strong in some sectors but uneven overall; it was not until early 2024 that they became de facto industry mandates, thanks in part to Google and Yahoo!’s new bulk sender requirements and to the best practices recommended by the Payment Card Industry Data Security Standard (PCI DSS 4.0.1).
The impact of the new requirements was enormous: after just six months, Google reported a 65% reduction in unauthenticated emails, 50% more bulk senders following those best practices, and 265 billion fewer unauthenticated messages.
Nonetheless, the bar set by Google and Yahoo! is still relatively low, requiring only a weak DMARC policy of “none”, which does not instruct the receiver to reject unauthorized emails. Organisations have not yet been forced to properly inventory and configure all of their email sending systems, and users of email providers that are not as strict as Google or Yahoo! remain more vulnerable to impersonation attacks than they need to be. Likewise, at present PCI DSS 4.0.1 encourages the use of DMARC, DKIM, and SPF for all organizations handling credit card data.
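The difference between a “none” policy and a “reject” policy, and the ways a record can look stronger than it is (a sampling percentage below 100, a weaker subdomain policy, no reporting address to inventory senders with), can be checked mechanically. The script below is an added example written for this article, not code from the article or from any vendor; the DMARC records it inspects are constructed samples under the reserved .test domain, and it performs no DNS lookups (a real check would fetch the TXT record at _dmarc.<domain> first). It follows the DMARC tag syntax of RFC 7489.

```python
"""Grade the strength of a DMARC policy from the domain's TXT record.

DMARC records live at _dmarc.<domain>. The records below are constructed
samples for illustration; nothing is looked up in DNS.
"""

# Constructed sample records: what an operator might find at _dmarc.<domain>.
SAMPLE_RECORDS = {
    "example-none.test":   "v=DMARC1; p=none; rua=mailto:dmarc@example-none.test",
    "example-pct.test":    "v=DMARC1; p=reject; pct=20; rua=mailto:dmarc@example-pct.test",
    "example-sp.test":     "v=DMARC1; p=reject; sp=none",
    "example-reject.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example-reject.test; adkim=s; aspf=s",
    "example-bad.test":    "p=reject",   # missing v=DMARC1 -> not a valid DMARC record
}

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag dictionary.

    Returns None if the record lacks v=DMARC1 or a p= tag; a DMARC-aware
    receiver treats such a record as if no policy were published.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def assess_dmarc(txt):
    """Return (verdict, warnings) for a DMARC record.

    verdict:  "missing" | "monitor-only" | "quarantine" | "reject"
    warnings: reasons the record is weaker than the headline policy suggests.
    """
    tags = parse_dmarc(txt) if txt else None
    if tags is None:
        return "missing", ["no valid DMARC record: receivers fall back to their own judgement"]
    policy = tags["p"].lower()
    if policy not in POLICY_RANK:
        return "missing", [f"unknown policy value p={policy}"]

    warnings = []
    # pct= applies the policy to only a sample of failing mail (default 100).
    raw_pct = tags.get("pct", "100")
    pct = int(raw_pct) if raw_pct.isdigit() else 100
    if pct < 100:
        warnings.append(f"pct={pct}: policy applies to only {pct}% of failing messages")
    # sp= sets a separate subdomain policy; a weaker sp leaves subdomains open.
    sub_policy = tags.get("sp", policy).lower()
    if POLICY_RANK.get(sub_policy, 0) < POLICY_RANK[policy]:
        warnings.append(f"sp={sub_policy}: subdomains get a weaker policy than the organizational domain")
    # Without rua= there are no aggregate reports, so sending sources cannot be inventoried.
    if "rua" not in tags:
        warnings.append("no rua= address: aggregate reports are not collected")

    verdict = {"none": "monitor-only", "quarantine": "quarantine", "reject": "reject"}[policy]
    return verdict, warnings


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        verdict, warnings = assess_dmarc(record)
        print(f"{domain:22} {verdict:13} {'; '.join(warnings) or 'ok'}")
```

The grading deliberately reports a p=reject record with pct=20 or sp=none as “reject” plus warnings rather than downgrading it silently, so that an operator sees exactly which tag is undermining the policy.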
How the EU should make the difference
Bringing organizations to an enforced DMARC policy of p=reject will need considerable global cooperation and regulation, and the EU, through the NIS2 Directive, is well equipped to lead the charge, at least for organisations that have an outsized impact on European society.
Article 21 obligates member states to ensure that essential and important entities take appropriate measures:
“Taking into account the state-of-the-art and, where applicable, relevant European and international standards, as well as the cost of implementation, the measures referred to in the first subparagraph shall ensure a level of security of network and information systems appropriate to the risks posed. When assessing the proportionality of those measures, due account shall be taken of the degree of the entity’s exposure to risks, the entity’s size and the likelihood of occurrence of incidents and their severity, including their societal and economic impact.”
Article 21, NIS 2 Directive – European Union
Although the original directive does not explicitly mention email security, the annex of an Implementing Act that extends the Directive does, requiring relevant entities to:
“develop and maintain a complete, accurate, up-to-date and consistent inventory of their assets. They shall record changes to the entries in the inventory in a traceable manner.”
Implementing Act – European Commission
While not specifically stated in the above text, “secure email communications to mitigate vulnerabilities” can best be addressed by adopting the available tools, namely DMARC, DKIM and SPF. DMARC in particular is a proactive, reasonable cybersecurity measure that protects your organization and is in line with best practices.
Apart from Transport Layer Security (TLS), the protocol that underpins encryption in transit for nearly all internet communication including email, no other standards or mechanisms offer the same ease of implementation and impact. SPF, though also in widespread use, is a much weaker mechanism than DKIM. S/MIME is far less widely used because it is complicated to deploy. Mail Transfer Agent Strict Transport Security (MTA-STS) could perhaps be one further candidate, but it remains tricky in some circumstances.
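MTA-STS is published in two parts, a DNS TXT record at _mta-sts.<domain> and a policy file served over HTTPS from mta-sts.<domain>/.well-known/mta-sts.txt, and one of the places it gets tricky is the MX matching rule: a wildcard such as *.example.test covers exactly one extra label, so a secondary MX two labels deep silently falls outside the policy. The script below is an added example written for this article, not code from the article or from any vendor; the TXT record and policy files are constructed samples, nothing is fetched from DNS or HTTPS, and the one-day max_age threshold is a heuristic of this example, not a value from the standard. The parsing follows the policy format of RFC 8461.

```python
"""Parse an MTA-STS policy (RFC 8461) and report whether it actually enforces TLS.

All inputs are constructed samples; no network lookups are performed.
"""

# Constructed _mta-sts.<domain> TXT record.
SAMPLE_TXT = "v=STSv1; id=20240101T000000"

# Constructed policy files as served from mta-sts.<domain>/.well-known/mta-sts.txt.
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.test
mx: *.backup.example.test
max_age: 604800
"""

TESTING_POLICY = """\
version: STSv1
mode: testing
mx: mail.example.test
max_age: 3600
"""

MIN_MAX_AGE = 86400  # heuristic threshold for this example: one day


def parse_sts_txt(txt):
    """Return the policy id from a _mta-sts TXT record, or None if it is not a valid STSv1 record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "STSv1" or not tags.get("id"):
        return None
    return tags["id"]


def parse_sts_policy(text):
    """Parse the 'key: value' policy file; repeated mx lines accumulate into a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy


def mx_matches(pattern, host):
    """RFC 8461 MX matching: '*.example.test' matches exactly one leading label."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                 # ".example.test"
        if not host.endswith(suffix):
            return False
        label = host[: -len(suffix)]
        return bool(label) and "." not in label
    return host == pattern


def check_mx_hosts(policy_text, hosts):
    """Return the MX hosts (from the domain's MX records) that no mx: entry covers."""
    patterns = parse_sts_policy(policy_text)["mx"]
    return [h for h in hosts if not any(mx_matches(p, h) for p in patterns)]


def assess_mta_sts(txt, policy_text):
    """Return (verdict, warnings); verdict is "missing" | "testing" | "enforce" | "none"."""
    if parse_sts_txt(txt) is None:
        return "missing", ["no valid _mta-sts TXT record: senders will not look for a policy"]
    policy = parse_sts_policy(policy_text)
    if policy.get("version") != "STSv1":
        return "missing", ["policy file is not version STSv1"]
    mode = policy.get("mode", "").lower()
    if mode not in ("enforce", "testing", "none"):
        return "missing", [f"unknown mode {mode!r}"]

    warnings = []
    if mode == "testing":
        warnings.append("mode: testing only reports failures; delivery is not protected")
    if not policy["mx"] and mode != "none":
        warnings.append("no mx: entries, so every MX host fails the policy check")
    try:
        max_age = int(policy.get("max_age", "0"))
    except ValueError:
        max_age = 0
    if mode != "none" and max_age < MIN_MAX_AGE:
        warnings.append(f"max_age={max_age}: senders cache the policy for less than a day")
    return mode, warnings


if __name__ == "__main__":
    print(assess_mta_sts(SAMPLE_TXT, SAMPLE_POLICY))
    print(assess_mta_sts(SAMPLE_TXT, TESTING_POLICY))
    print(check_mx_hosts(SAMPLE_POLICY, ["mail.example.test", "mx1.backup.example.test", "relay.other.test"]))
```

Running check_mx_hosts against the domain's real MX records is the step most often skipped: an MX host that the policy does not list causes sending MTAs in enforce mode to refuse delivery to it, which is why operators tend to leave the policy in testing mode.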
Members show inconsistent progress
Some progress has been made with several EU member states already having mandates for DMARC and DKIM, usually at least for public bodies, sometimes extending the requirement to some critical infrastructure sectors.
- Czechia has, since at least 2021, required public bodies as well as important and essential entities to implement DMARC and DKIM.
- Denmark has, since at least 2022, required government bodies to implement DMARC and DKIM.
- Estonia has, since at least 2023, required public bodies to implement DMARC, in addition to MTA-STS or DANE.
- Ireland has, since at least 2022, required public service bodies to implement DMARC and DKIM.
- The Netherlands has, since at least 2018, required public bodies to implement DMARC and DKIM.
- Poland has, since at least 2023, required the public sector and parts of the private sector to implement DMARC and DKIM.
- The United Kingdom, a former member state, has required DMARC for government digital services since at least 2016.
The other 21 member states have no national mandates, and only a few have even produced some kind of guidance or advisory for their public bodies or businesses.
It’s time for a united front
The EU, with its 27 member states, is most effective when all are united, reducing the friction that arises when regulations differ from country to country. In fact, progress is already being made by the NIS Cooperation Group, which is tasked with providing guidance to the member states’ competent authorities on the transposition and implementation of the directive.
As early as 2017, CERT-EU, the Computer Emergency Response Team for the EU institutions themselves, published its own guidance recommending the use of DMARC. CERT-EU is a member of the European CSIRTs network, which supports the NIS Cooperation Group and was established by the original NIS Directive. ENISA, the European Union Agency for Cybersecurity, is also a member of the NIS Cooperation Group and is tasked with assisting member states in implementing Union policy and law on cybersecurity consistently under the NIS Directive. Along those lines, ENISA and the NIS Cooperation Group have already produced several guidelines for the benefit of all Europeans, including for elections, 5G networks, domain name registries, incident reporting and vulnerability disclosure.
Further progress is needed, and although email is insecure by default, we have all the tools in place, both technical and regulatory, to make it secure, at least in Europe. All that is missing is decisive action at the European and national levels. So, could ENISA help drive the adoption of email security regulations? In short, yes: if ENISA were to push the NIS Cooperation Group to provide clear, practical guidance for meeting legal email security requirements, this could create a cooperative environment across member states that ensures stronger email security for all EU citizens. By working together, the EU could be the first body of its kind to lead by example and set the stage for the rest of the world to follow.