Skip to content
Palisai
All articles
NIS21 March 20263 min read

What is NIS2 and what does it mean for your DNS?

By Jens Arnfelt

The NIS2 Directive is the biggest update to the EU's cybersecurity rules in years. For many organisations it means cybersecurity moves from "good practice" to a legal obligation with accountability at management level. One area that is often overlooked in that context is DNS — the system that translates domain names into IP addresses and governs how your email and services are found on the internet.

This article gives an overview of what NIS2 is, who is in scope, and why your DNS setup belongs on the checklist.

This article is general information, not legal advice. Whether your organisation is covered by NIS2, and which requirements apply in practice, should be confirmed by you and, where relevant, an adviser.

What is NIS2?

NIS2 (Directive (EU) 2022/2555) replaces the original 2016 NIS Directive. Its aim is to raise the level of cybersecurity across the EU by applying consistent requirements to more sectors than before. In Denmark the directive is being implemented in national law (the forthcoming cybersecurity act).

Broadly, NIS2 introduces:

  • Risk-management requirements. Covered organisations must take appropriate and proportionate technical and organisational measures to manage the risks to their network and information systems (Article 21).
  • Incident-reporting requirements. Significant incidents must be reported to the authorities within set deadlines.
  • Management accountability. Senior management must approve and oversee the security measures and can be held responsible.

NIS2 distinguishes between "essential" and "important" entities and typically applies to medium and large organisations in the covered sectors (including energy, transport, health, digital infrastructure, public administration and more). Check the exact size thresholds and sector definitions against the Danish law.

Why is DNS relevant to NIS2?

DNS is relevant in two ways:

1. DNS providers are directly in scope. NIS2 explicitly names "DNS service providers" and "TLD name registries" as part of the digital-infrastructure sector. If your organisation runs authoritative name servers or DNS services for others, you are likely in scope.

2. For everyone else, DNS is part of the risk picture. Even if you are not a DNS provider, your DNS and email setup is part of the attack surface that Article 21 obliges you to manage. A hijacked domain, spoofed email or broken name resolution can hit both operations and trust — exactly the kind of risk the risk-management requirement is about.

It is worth stressing: NIS2 does not require DNSSEC, SPF or DMARC by name. The law requires risk-based measures. But those technologies are among the most effective and widely recognised ways to reduce DNS and email risk, which makes them a natural place to start.

Concrete DNS measures

  • DNSSEC signs your DNS answers so they cannot be forged in transit. Read our DNSSEC explainer.
  • SPF, DKIM and DMARC protect your domain from being abused for phishing and spoofing.
  • Monitoring of changes to your DNS records, so unauthorised changes are noticed quickly.
  • Redundancy — more than one name server, ideally across more than one provider, so a single failure doesn't take you offline.
  • Access control for your DNS administration, so you know who can change what.

Getting started

You can get a long way with a couple of free checks:

NIS2 is not about buying a single product; it is about being able to demonstrate that you have your risks under control. A clean, signed and monitored DNS is a concrete, visible part of that work.