The EU’s NIS2 Directive has transformed DNS security from a voluntary best practice into a regulatory requirement. If you operate DNS infrastructure serving European customers, you need to understand what’s required.
Who Is Covered
NIS2 explicitly classifies the following as “essential entities” subject to cybersecurity requirements:
- DNS service providers
- TLD registries
- Domain name registrars
Non-compliance can result in fines of up to 2% of global annual turnover or €10 million, whichever is higher. Management can be held personally liable.
What’s Required
The NIS2 Implementing Regulation directs covered entities to “apply best practices for the security of the DNS, and for Internet routing security and routing hygiene.” On June 26, 2025, ENISA published detailed guidance documents. In January 2026, the European Commission proposed targeted amendments to clarify requirements.
In practice, this means:
- DNSSEC deployment — signing your zones and validating responses
- DNS monitoring and logging — detecting and responding to anomalies
- Incident reporting — mandatory notification within 24 hours of a significant incident
- Business continuity — documented plans for DNS infrastructure resilience
DNSSEC Adoption Is Accelerating
Several European ccTLD registries have implemented incentive programs that are driving adoption well above global averages:
- .nl (Netherlands) — 66% DNSSEC adoption
- .se (Sweden) — 60%
- .cz (Czechia) — 55%
- .no (Norway) — 50%
- Global average — roughly 10%
What To Do
If you serve European customers:
- Sign your DNS zones with DNSSEC — HostDNS makes DNSSEC deployment straightforward with automated key management.
- Implement DNS query logging and monitoring. See our pricing plans for DNS hosting with built-in logging and compliance features.
- Document your incident response procedures.
- Review the ENISA guidance for detailed compliance requirements.
Sources: Center for Cybersecurity Policy, NLnet Labs