
NIS2 Article 21.2: What Your DNS and Email Layer Reveal About Your Readiness

IntoDNS.AI Team, May 19, 2026

[Figure: NIS2 Article 21.2 readiness scorecard showing measures c, g, h, d, j on a 0-100 scale]

NIS2 is here, and the DNS layer is the cheapest place to start

The EU's second Network and Information Security directive (NIS2) extends "essential" and "important" entity status across most of the digital economy: managed service providers, payment processors, datacenter operators, online marketplaces, healthcare networks, manufacturers, and any organisation their supply chain depends on. The Member State transpositions are landing right now.

Most NIS2 readers focus on the bureaucratic side — board-level governance, risk registers, incident reporting timelines. Those matter. They are also hard. The DNS and email-authentication layer of your infrastructure, by contrast, is small, observable, and disproportionately weighted in Article 21.2 because it sits at the edge of every external attack path.

This article does two things. It explains exactly which Article 21.2 measures the DNS and email layer can answer for, and it shows you how to read the score you get from the free <a href="https://intodns.ai/nis2">IntoDNS.ai NIS2 quickscan</a>.

What Article 21.2 actually asks

Article 21.2 lists ten measures that essential and important entities must "take" — risk-based, proportionate to exposure. The full text is dense; the operational summary is short:

  • a. Policies on risk analysis and information security
  • b. Incident handling
  • c. Business continuity (backup management, disaster recovery, crisis management)
  • d. Supply chain security
  • e. Security in acquisition, development and maintenance of network and information systems
  • f. Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
  • g. Basic cyber-hygiene practices and cybersecurity training
  • h. Policies and procedures on the use of cryptography and, where appropriate, encryption
  • i. Human resources security, access control and asset management
  • j. Use of multi-factor authentication, secured voice/video/text communications, and secured emergency communication systems

Measure g (cyber hygiene) is where email authentication lives. Measure h (cryptography) is where DNSSEC, DANE, MTA-STS, HSTS, and TLS configuration live. Together they account for ~40% of the weight in any sensible DNS-layer readiness score.

The ten measures, mapped onto DNS and email evidence

IntoDNS.ai already runs deterministic checks for each piece of evidence below. The NIS2 quickscan is a presentation layer over those checks and adds no new probes. Each measure carries a weight; the total comes back as a single 0-100 readiness score with a per-measure breakdown.

  • 21.2.a Risk analysis & ISMS — proxied by /.well-known/security.txt and CAA records (you have a published contact policy and a controlled certificate-issuance posture).
  • 21.2.b Incident handling — security.txt contact + valid Expires field.
  • 21.2.c Business continuity — multiple nameservers, MX redundancy, DNSSEC signed with a complete chain of trust, glue records when needed.
  • 21.2.d Supply chain — strict SPF (-all), CAA limiting authorised CAs, verification-record hygiene (no dormant vendor TXT records).
  • 21.2.e Secure development — HTTPS availability, HTTPS redirect, HSTS, HSTS max-age >= 6 months, HTTP/3.
  • 21.2.f Effectiveness — security.txt validity, CAA, blocklist posture (no critical DNSBL listings).
  • 21.2.g Cyber hygiene & email — SPF strict, DKIM signing, DMARC enforced (quarantine or reject), MTA-STS enforced, BIMI for brand-controlled inbox logos.
  • 21.2.h Cryptography — DNSSEC signed and valid, modern signing algorithm (ECDSA P-256 or Ed25519), modern DS digest, DANE / TLSA where applicable, HSTS.
  • 21.2.i Asset & access management — no lame nameservers, valid SOA serial format, no TXT-record leakage of secrets or internal hostnames.
  • 21.2.j MFA & secure communications — MTA-STS in enforce mode, HTTPS DNS records advertising HTTP/3, valid DANE/TLSA on mail and web endpoints.

Run the scan, then read the score

Open <a href="https://intodns.ai/nis2">intodns.ai/nis2</a> and enter your domain — the same input that drives every other check on the site. The result is a hero card with a 0-100 readiness number, a pass / warning / fail tally, and a list of "critical gaps". Below it sits a per-measure accordion: expand any of the ten Article 21.2 measures to see exactly which checks passed, which failed, and which were not applicable.

A measure can also be marked **not applicable**. The most common reason is a TLD that does not support DNSSEC at the registry level — .ai is the textbook case. The scoring engine downweights those measures proportionally so the total reflects only what was observable. That is intentional: a .ai domain cannot reach a perfect 100, because the cryptography measure has nothing to test against.
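To make the downweighting concrete, here is an added Python example of a weighted 0-100 score in which a measure with no observable checks is marked not applicable. It is not IntoDNS.ai's scoring engine: the per-measure weights, the half credit for warnings, the share of an N/A measure's weight that stays in the denominator (NA_WEIGHT_RETAINED) and the sample scan are all constructed assumptions for this illustration. It also reports the pass/warning/fail tally and a critical-gaps list in the shape the hero card described above uses.

```python
"""Weighted readiness score with "not applicable" downweighting.

Added illustration of the scoring idea described above; it is not
IntoDNS.ai's scoring engine. The weights, the partial credit for warnings,
the share of N/A weight kept in the denominator and the sample scan are all
constructed assumptions for this example.
"""
from typing import Dict, List, Optional, Tuple

Check = Tuple[str, str]  # (check name, "pass" | "warn" | "fail" | "na")

# Assumed per-measure weights (sum to 100). g and h together carry ~40%, as the
# article states; the real engine's weights are not published here.
WEIGHTS: Dict[str, int] = {
    "a": 8, "b": 6, "c": 10, "d": 10, "e": 8,
    "f": 6, "g": 22, "h": 18, "i": 6, "j": 6,
}

# Assumed credit per check outcome: a warning earns half.
CREDIT = {"pass": 1.0, "warn": 0.5, "fail": 0.0}

# Assumed share of an N/A measure's weight that stays in the denominator.
# With 0.0 an all-N/A measure would drop out entirely and a .ai domain could
# still reach 100; keeping part of it models "cannot reach a perfect 100".
NA_WEIGHT_RETAINED = 0.5


def score_measure(checks: List[Check]) -> Tuple[str, Optional[float]]:
    """Return (status, fraction of credit earned) for one measure.

    "na" when nothing was observable; otherwise "fail" beats "warn" beats "pass".
    """
    observable = [status for _, status in checks if status != "na"]
    if not observable:
        return "na", None
    earned = sum(CREDIT[s] for s in observable) / len(observable)
    if "fail" in observable:
        return "fail", earned
    if "warn" in observable:
        return "warn", earned
    return "pass", earned


def readiness_score(scan: Dict[str, List[Check]],
                    weights: Dict[str, int] = WEIGHTS) -> dict:
    """Fold per-measure results into a 0-100 total with a breakdown."""
    breakdown: Dict[str, dict] = {}
    numerator = denominator = 0.0
    critical: List[str] = []
    for measure_id, weight in weights.items():
        checks = scan.get(measure_id, [])
        status, earned = score_measure(checks)
        breakdown[measure_id] = {"status": status, "score": earned}
        if earned is None:                       # not applicable
            denominator += weight * NA_WEIGHT_RETAINED
            continue
        numerator += weight * earned
        denominator += weight
        # Failed evidence under g, h or j is where the article's common gaps
        # land; the example reports those as "critical gaps".
        if measure_id in ("g", "h", "j"):
            critical += [name for name, s in checks if s == "fail"]
    total = round(100 * numerator / denominator) if denominator else 0
    tally = {k: sum(1 for m in breakdown.values() if m["status"] == k)
             for k in ("pass", "warn", "fail", "na")}
    return {"total": total, "tally": tally,
            "criticalGaps": critical, "measures": breakdown}


# Constructed scan of a hypothetical domain under a registry without DNSSEC
# (the .ai case above): every h check is N/A and DMARC is still at p=none.
SAMPLE_SCAN: Dict[str, List[Check]] = {
    "a": [("security.txt", "pass"), ("caa", "pass")],
    "b": [("security.txt contact", "pass"), ("security.txt expires", "pass")],
    "c": [("nameserver count", "pass"), ("mx redundancy", "pass"),
          ("dnssec chain", "na")],
    "d": [("spf -all", "pass"), ("caa", "pass"), ("stale vendor txt", "pass")],
    "e": [("https", "pass"), ("hsts", "pass"), ("http3", "pass")],
    "f": [("security.txt valid", "pass"), ("dnsbl", "pass")],
    "g": [("spf strict", "pass"), ("dkim", "pass"), ("dmarc enforced", "fail"),
          ("mta-sts enforce", "pass"), ("bimi", "warn")],
    "h": [("dnssec signed", "na"), ("dnssec algorithm", "na"), ("dane", "na")],
    "i": [("lame ns", "pass"), ("soa serial", "pass"), ("txt leakage", "pass")],
    "j": [("mta-sts enforce", "pass"), ("https record", "pass"), ("tlsa", "pass")],
}

if __name__ == "__main__":
    import json
    print(json.dumps(readiness_score(SAMPLE_SCAN), indent=2))  # total: 83
```

With the constructed scan the total lands at 83 although only one check failed, because the unobservable h measure still holds half its weight in the denominator; an otherwise perfect domain under the same registry tops out at 90 under these assumptions, which is the "cannot reach 100" behaviour the paragraph describes. A registry that supports DNSSEC removes the N/A and lets the same domain reach 100.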

```bash
# JSON output for automated pipelines
curl -s "https://intodns.ai/api/scan/nis2?domain=example.com&lang=en" | jq '{
  total,
  status,
  critical: .criticalGaps,
  fails: [.measures[] | select(.status == "fail") | .id]
}'
```

Deep-link directly into the scan with https://intodns.ai/scan?domain=example.com&tab=nis2 — useful for embedding from marketing pages, status dashboards, or internal documentation.

The five gaps almost every domain has

Across the domains we have scanned for the public State-of-DNS-Security research, five gaps appear in well over half of the results. Each one is cheap to fix and each one shows up in the NIS2 quickscan as a failing piece of evidence under measure g, h, or j.

  • DMARC at p=none — the record exists but enforces nothing. Move to p=quarantine after two weeks of monitoring reports.
  • No MTA-STS policy file — inbound mail can be downgraded to cleartext under an active MITM. Publish the TXT record and the /.well-known/mta-sts.txt policy in enforce mode.
  • DNSSEC missing or with weak algorithms — algorithm 7 (RSASHA1-NSEC3) and 5 (RSASHA1) still exist in production. Move to algorithm 13 (ECDSA P-256) or 15 (Ed25519).
  • SPF ending in ~all instead of -all — softfail is fine while you discover senders, but compliance posture wants the hard fail once your inventory is complete.
  • No CAA records — any public CA can issue for the domain. A two-line CAA record limits issuance to your contracted CA.

What the quickscan cannot tell you

Honest framing matters when a regulator or auditor will be the reader. The NIS2 quickscan is a readiness indicator, not a compliance certificate. It evaluates the DNS and email layer only. The following are explicitly **out of scope** and require separate evidence:

  • Application-layer vulnerabilities (OWASP-style web audit, authenticated probing of your portals).
  • Supply-chain inventories — what software your suppliers ship and how they patch it.
  • Organisational processes — risk registers, ISMS adoption, executive sign-off, incident-response runbooks.
  • Workforce — security training records, joiner / mover / leaver discipline, MFA coverage across internal systems.
  • Physical and personnel security controls.

Do not present a single IntoDNS.ai NIS2 score to an auditor as proof of compliance. Use it the way it is intended: a fast, repeatable, externally observable signal on the parts of NIS2 that an attacker would probe first.

Three steps you can take this week

If you do nothing else, do these three. Each shows up on the NIS2 score within the next scan cycle:

  • Move DMARC from p=none to p=quarantine. Keep the rua= reporting address. Two weeks later, move to p=reject.
  • Publish MTA-STS in enforce mode. Both the TXT record at _mta-sts and the HTTPS-served policy file at /.well-known/mta-sts.txt are required.
  • Add CAA records that restrict certificate issuance to the CAs you actually use. One line per allowed issuer.
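The five gaps listed earlier and the three fixes above can be checked mechanically once the records have been fetched. The following Python example is added here and is not IntoDNS.ai's probe code: it takes record strings the caller has already resolved (constructed inline here, so it runs offline) and classifies each of the five gaps as pass, warn or fail. The DNSSEC algorithm-number sets, the pass/warn/fail thresholds and the sample "before" and "after" records are assumptions for the illustration.

```python
"""Checks for the five common gaps / three fixes above. Added example, not
IntoDNS.ai's probe code: it evaluates record strings the caller has already
fetched (constructed inline here so it runs offline); the thresholds and the
sample records are assumptions."""
import re

# DNSSEC algorithm numbers: the SHA-1 based ones (the article's 5 and 7 among
# them) are weak; 13 (ECDSA P-256) and 15 (Ed25519) are the targets.
WEAK_DNSSEC_ALGS = {1, 3, 5, 6, 7}
MODERN_DNSSEC_ALGS = {13, 14, 15, 16}
CAA_RE = re.compile(r'^(\d+)\s+(issue|issuewild|iodef)\s+"([^"]*)"$', re.I)

def parse_tags(record, sep=";", eq="="):
    """Split 'k=v; k=v' (DMARC, MTA-STS TXT) or 'k: v' lines into a dict."""
    tags = {}
    for part in record.split(sep):
        if eq in part:
            k, v = part.split(eq, 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def check_dmarc(txt):
    """Gap 1: DMARC must enforce (quarantine/reject) and keep rua= reporting."""
    tags = parse_tags(txt) if txt else {}
    if tags.get("v") != "DMARC1":
        return "fail", "no DMARC record"
    policy = tags.get("p", "none").lower()
    if policy not in ("quarantine", "reject"):
        return "fail", f"p={policy} enforces nothing"
    if "rua" not in tags:
        return "warn", f"p={policy} but no rua= reporting address"
    return "pass", f"p={policy} with aggregate reporting"

def check_mta_sts(txt, policy):
    """Gap 2: both the _mta-sts TXT record and an enforce-mode policy file."""
    if not txt or parse_tags(txt).get("v") != "STSv1":
        return "fail", "no _mta-sts TXT record"
    if not policy:
        return "fail", "TXT record present but /.well-known/mta-sts.txt missing"
    mode = parse_tags(policy, sep="\n", eq=":").get("mode", "none").lower()
    if mode != "enforce":
        return ("warn" if mode == "testing" else "fail"), f"mode: {mode}"
    return "pass", "mode: enforce"

def check_dnssec(ds_algorithms):
    """Gap 3: signed, and not with a SHA-1 based algorithm."""
    algs = sorted(set(ds_algorithms))
    if not algs:
        return "fail", "no DS record: unsigned or incomplete chain of trust"
    weak = [a for a in algs if a in WEAK_DNSSEC_ALGS]
    if weak:
        return "fail", f"weak algorithm(s) {weak}: move to 13 or 15"
    if all(a in MODERN_DNSSEC_ALGS for a in algs):
        return "pass", f"modern algorithm(s) {algs}"
    return "warn", f"algorithm(s) {algs}: not SHA-1 based, but not ECC either"

def check_spf(txt):
    """Gap 4: the record should end in -all once the sender inventory is done."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return "fail", "no SPF record"
    last = txt.split()[-1].lower()
    if last == "-all":
        return "pass", "hard fail (-all)"
    if last == "~all":
        return "warn", "softfail (~all): fine during sender discovery only"
    return "fail", f"record ends in {last!r}, neither -all nor ~all"

def check_caa(records):
    """Gap 5: at least one issue tag so only contracted CAs may issue."""
    if not records:
        return "fail", "no CAA records: any public CA may issue"
    issuers = []
    for rec in records:
        m = CAA_RE.match(rec.strip())
        if not m:
            return "fail", f"unparseable CAA record {rec!r}"
        if m.group(2).lower() == "issue":
            issuers.append(m.group(3).split(";")[0].strip())
    if not issuers:
        return "warn", "CAA present but no issue tag, so issuance is unrestricted"
    return "pass", f"issuance limited to {issuers}"

def assess(r):
    """Run all five checks over one domain's already-fetched records."""
    return {"dmarc": check_dmarc(r.get("dmarc_txt")),
            "mta_sts": check_mta_sts(r.get("mta_sts_txt"), r.get("mta_sts_policy")),
            "dnssec": check_dnssec(r.get("ds_algorithms", [])),
            "spf": check_spf(r.get("spf_txt")),
            "caa": check_caa(r.get("caa", []))}

# Constructed records: the typical "before" state with all five gaps ...
BEFORE = {"dmarc_txt": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
          "mta_sts_txt": None, "mta_sts_policy": None, "ds_algorithms": [7],
          "spf_txt": "v=spf1 include:_spf.example.net ~all", "caa": []}
# ... and the same domain after the fixes listed in the article.
AFTER = {"dmarc_txt": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com",
         "mta_sts_txt": "v=STSv1; id=20260519T000000",
         "mta_sts_policy": "version: STSv1\nmode: enforce\n"
                           "mx: mail.example.com\nmax_age: 604800\n",
         "ds_algorithms": [13],
         "spf_txt": "v=spf1 include:_spf.example.net -all",
         "caa": ['0 issue "letsencrypt.org"', '0 issuewild ";"']}
```

Call `assess(BEFORE)` and `assess(AFTER)` to see the five verdicts flip from fail/warn to pass; in practice the record strings would come from a resolver lookup of `_dmarc.<domain>`, `_mta-sts.<domain>`, the DS set and the CAA set, plus an HTTPS fetch of the policy file, which is exactly the evidence the quickscan reports under measures g, h and j.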

After each change, re-run https://intodns.ai/nis2 — the score updates as soon as DNS propagates. The result page also exposes the underlying /api/scan/nis2 JSON, which fits straight into a compliance dashboard.

What is next for the IntoDNS.ai NIS2 track

The current quickscan is Sprint 2 of a multi-sprint NIS2 track. Sprint 3 adds a downloadable PDF report and exposes the same scoring engine as a tool in the IntoDNS MCP server, so AI agents in Claude, Cursor and Windsurf can drive an NIS2 quickscan with one tool call.

If you want notifications when these ship, watch the <a href="https://intodns.ai/changelog">changelog</a> or follow <a href="https://x.com/intodnsai">@intodnsai</a>. Until then, the score on <a href="https://intodns.ai/nis2">intodns.ai/nis2</a> is the most honest free signal you will get on the DNS and email part of NIS2 Article 21.2.
