Compliance · NIS2
NIS2 and email authentication — concretely mapped.
NIS2 prescribes "appropriate technical measures" — what that means concretely for email security is shown in this mapping table: every requirement, every Mailantis feature that meets it.
Context
What NIS2 expects from the email layer
The NIS2 Directive (EU 2022/2555, transposed in Austria via NISG 2026, fully in force from October 2026) requires technical and organisational protection measures from approximately 18 sectors — explicitly including the security of electronic communications. Estimates suggest 4,000 to 5,000 Austrian companies fall within the new regulatory scope.[1]
While the directive does not name specific RFCs, a clear minimum standard has emerged in auditing practice: SPF, DKIM, DMARC with an active policy (at least p=quarantine), encrypted transport via TLS and MTA-STS, plus monitoring and reporting of those controls.
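As an added illustration (not Mailantis code or any tool from the page), the check below evaluates a domain's published records against exactly this baseline: SPF, a DKIM key, DMARC at p=quarantine or stricter with aggregate reporting, an MTA-STS policy in enforce mode, and TLS-RPT. The domain, TXT records and MTA-STS policy file are constructed samples; the caller is assumed to have fetched them via DNS and HTTPS.

```python
# Constructed sample DNS TXT records for a hypothetical domain; nothing here is a live lookup.
DOMAIN = "example.test"
SAMPLE_TXT = {
    "example.test": "v=spf1 include:_spf.example.test -all",
    "sel1._domainkey.example.test": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A",
    "_dmarc.example.test": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.test",
    "_mta-sts.example.test": "v=STSv1; id=20260501T000000",
    "_smtp._tls.example.test": "v=TLSRPTv1; rua=mailto:tls-reports@example.test",
}
# Constructed MTA-STS policy body, as served at https://mta-sts.<domain>/.well-known/mta-sts.txt
SAMPLE_STS_POLICY = "version: STSv1\nmode: enforce\nmx: mail.example.test\nmax_age: 604800\n"

def parse_kv(text, pair_sep, kv_sep):
    """Parse 'k=v; k=v' TXT records (';', '=') or 'k: v' policy lines (newline, ':')."""
    tags = {}
    for part in text.split(pair_sep):
        if kv_sep in part:
            key, value = part.split(kv_sep, 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_domain(domain, txt, sts_policy, dkim_selector="sel1"):
    """Check each control of the baseline; returns {control: (met, detail)}."""
    out = {}
    spf = txt.get(domain, "")
    spf_ok = spf.startswith("v=spf1") and spf.split()[-1] in ("-all", "~all")
    out["SPF"] = (spf_ok, spf or "no SPF record")
    dkim = parse_kv(txt.get(f"{dkim_selector}._domainkey.{domain}", ""), ";", "=")
    out["DKIM"] = (bool(dkim.get("p")), f"selector {dkim_selector}: key {'published' if dkim.get('p') else 'missing'}")
    dmarc = parse_kv(txt.get(f"_dmarc.{domain}", ""), ";", "=")
    policy = dmarc.get("p", "missing")
    # Auditors expect an active policy (quarantine or reject) plus aggregate reporting (rua).
    out["DMARC"] = (policy in ("quarantine", "reject") and "rua" in dmarc, f"p={policy}, rua={'set' if 'rua' in dmarc else 'missing'}")
    sts_txt = parse_kv(txt.get(f"_mta-sts.{domain}", ""), ";", "=")
    sts = parse_kv(sts_policy, "\n", ":")
    # The TXT record only announces a policy; enforcement is decided by the mode in the policy file.
    out["MTA-STS"] = (sts_txt.get("v") == "STSv1" and sts.get("mode") == "enforce", f"mode={sts.get('mode', 'missing')}")
    tlsrpt = parse_kv(txt.get(f"_smtp._tls.{domain}", ""), ";", "=")
    out["TLS-RPT"] = (tlsrpt.get("v") == "TLSRPTv1" and "rua" in tlsrpt, f"reports to {tlsrpt.get('rua', 'nobody')}")
    return out

def meets_baseline(findings):
    """True only if every control in the baseline is met."""
    return all(met for met, _ in findings.values())

if __name__ == "__main__":
    for control, (met, detail) in assess_domain(DOMAIN, SAMPLE_TXT, SAMPLE_STS_POLICY).items():
        print(f"{'PASS' if met else 'FAIL'} {control:8} {detail}")
```

With the sample records the domain fails only on DMARC (p=none), which is the gap an auditor would flag first.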
Mailantis fully covers this email layer of the NIS2 requirements — as one module within your overall cybersecurity programme.
Mapping table
NIS2 requirement ↔ Mailantis feature
Row by row, with reference to Article 21(2) of the directive.
| NIS2 aspect | Requirement | Mailantis feature | Status |
|---|---|---|---|
| Authenticity (Art. 21(2)(g)) | Sender authentication for your own domain | SPF + DKIM + DMARC with policy wizard | met |
| Integrity (Art. 21(2)(g)) | Tamper protection for email messages | DKIM signature audit, key rotation | met |
| Encryption (Art. 21(2)(h)) | Transport encryption between mail servers | MTA-STS policy hosting, TLS-RPT aggregation | met |
| Risk management (Art. 21(2)(a)) | Continuous assessment of cyber risks | Daily monitoring, anomaly detection, spoofing detection | met |
| Incident handling (Art. 21(2)(b)) | Detection of and response to incidents | Alert engine (Slack/PagerDuty), forensic reports | met |
| Reporting (Art. 21(2)(b)) | Verifiable documentation of measures | PDF reports, audit log, policy history | met |
| Supply chain security (Art. 21(2)(d)) | Security of service providers | EU hosting (certified EU data centres), GDPR-compliant, DPA downloadable | met |
| Access control (Art. 21(2)(i)) | Multi-user roles, audit log, MFA | Granular roles from Business, MFA by default | met (Business+) |
Note: This mapping table covers the email layer of the NIS2 requirements. NIS2 additionally requires measures in areas such as backup strategies, awareness training, incident reporting to authorities, and business continuity. Full NIS2 conformity requires a holistic approach — Mailantis is one building block, not a complete package.
Supply chain
The underestimated lever: supply chain security
For the first time, Article 21(2)(d) of NIS2 explicitly requires securing the supply chain. Essential and important entities must contractually verify the security of their direct service providers. The consequence — often underestimated by SMEs — is that NIS2 cascades.
"A small company supplying a regulated group is contractually forced to demonstrate the same extremely high cybersecurity standards. Without basic protocols like DMARC or S/MIME for confidential data, the supplier risks losing contracts."[1]
In practice this means: DMARC enforcement and S/MIME are becoming the entry ticket for B2B contracts with regulated large customers — regardless of whether you are personally subject to NIS2 or not. Vendor audit questionnaires already check these points routinely today.
Relevant at executive management level: NISG 2026 raises the personal responsibility of management bodies to statutory rank. Anyone who refuses the budget for documented state-of-the-art protection and then suffers a successful BEC attack can no longer fall back on the Business Judgment Rule — internal liability with reach into personal assets is possible.[1]
FAQ
Common NIS2 questions
Are we subject to NIS2?
NIS2 applies to roughly 18 sectors (energy, transport, healthcare, public administration, IT service providers, food, and others) from 50 employees or EUR 10M revenue upwards. Estimates put 4,000 to 5,000 Austrian companies in scope. National implementation in Austria is via NISG 2026, fully in force from October 2026.
What specific email requirements does NIS2 impose?
NIS2 does not name specific RFCs, but requires "appropriate technical measures" for authenticity and integrity. In practice, DMARC, SPF, DKIM and transport encryption (TLS, MTA-STS) are expected as the minimum standard.
What happens in case of non-compliance?
Fines up to EUR 10M or 2% of global annual turnover (essential entities), or EUR 7M / 1.4% (important entities). Personal liability of executive management is possible.
Is Mailantis sufficient on its own for NIS2?
No. Mailantis covers the email authentication aspect. NIS2 additionally requires risk management, incident response, backup, awareness training and more — a holistic approach is needed.
Does Mailantis provide audit evidence?
Yes. PDF reports including DMARC status, policy history and configuration snapshots are suitable as evidence. On request, Business and Enterprise customers also receive a written compliance confirmation.
Sources
[1] Synthesis of: Bavarian State Parliament — IT security hearing (Bay LT 2025); WKO — NISG 2026 overview; Mayer Brown — Management liability in cyber attacks; techbold / leukos.at — Due-diligence analyses on managing director liability. As of May 2026.
An NIS2-compliant email layer in 30 minutes.
All 8 standards with active policy and reporting.