In March, the Center for Cybersecurity Policy & Law convened a roundtable on DNS security in Brussels, Belgium. The roundtable brought together EU officials, member‑state representatives, and leading industry experts to examine the evolving threat landscape and chart a course toward more resilient DNS infrastructures across the EU and globally.
To help frame the discussion, participants received the Center’s DNS Security Primer, which highlights key vulnerabilities in the DNS protocol and outlines practical mitigation strategies.
By combining technical insights with policy perspectives, the roundtable sought to bridge the gap between DNS specialists and decision‑makers — and to raise general awareness of why protocol‑level defenses are critical.
This readout summarizes the key takeaways from the session, with a focus on implementation of the NIS2 Directive, which entered into force in October 2024.
The discussion focused on the role of multistakeholder cooperation in driving adoption of DNS security across the EU, including through a new forum led by the Directorate-General for Communications Networks, Content and Technology (DG CONNECT) and ENISA, which will establish “best available standards and deployment techniques.” Recommendations included:
- Clarifying how industry can participate in this forum.
- Expanding the use of self-assessment tools.
- Supporting DNS security adoption by Small and Medium Businesses (SMBs).
- Exploring liability reforms to drive protective DNS uptake.
Threat Landscape
Participants emphasized DNS as a foundational security control.
Since all devices rely on DNS to connect to the internet, it offers a unique and strategic opportunity to detect and block threats before they reach users. It is estimated that up to 92% of malware leverages DNS during some stage of its lifecycle, making DNS resolution a powerful security control.
By analyzing DNS traffic in real time, organizations can identify indicators of compromise, prevent data exfiltration, and disrupt phishing, ransomware, and command-and-control activity. Participants emphasized the importance of treating DNS as a security control, not just a networking function. Unlike other protocols that can be shut off in response to risk, DNS must remain operational, making its secure use essential for resilient cyber defense.
Proactive Threat Detection
Participants discussed how cybersecurity firms detect and block DNS threats.
One common defense is blocking specific malicious domains. Firms with basic capabilities block domains with known malicious histories, while more advanced firms identify high-risk domains before they’re weaponized.
These firms do so by analyzing broader malware infrastructure and threat actor behaviors, sometimes possessing more detailed intelligence than national authorities. For example, a case study from Infoblox revealed it had already been blocking domains cited in a Cybersecurity & Infrastructure Security Agency (CISA) advisory on BlackCat for over 163 days before the advisory’s publication. This proactive approach eliminates the need to wait for a “patient zero” and offers greater scalability than reactive defenses.
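To make concrete what “analyzing DNS traffic” and “blocking specific malicious domains” look like in practice, the following added example (written for this readout; not code from the Center, the roundtable participants, or Infoblox) runs two defensive checks over a handful of constructed DNS query log lines: a match against a blocklist of known malicious domains, including their subdomains, and a simple exfiltration heuristic that flags clients sending repeated queries with long, high-entropy leftmost labels to the same domain. The blocklist entries, log lines, `.example` domains, entropy threshold and the two-label “registrable domain” shortcut are all assumptions made for the example.

```python
"""Defensive DNS log analysis: blocklist matching and an exfiltration heuristic.
Added example for illustration only; all domains and log lines are constructed."""
import math
import re
from collections import defaultdict

# Constructed stand-in for a threat-intel feed of known malicious domains.
BLOCKLIST = {"c2-panel.example", "login-bank-verify.example"}

# Constructed resolver log lines: timestamp client qname qtype.
SAMPLE_LOG = """\
2025-03-10T09:00:01Z 10.0.0.5 www.bank.example A
2025-03-10T09:00:02Z 10.0.0.5 update.c2-panel.example A
2025-03-10T09:00:03Z 10.0.0.7 a7f3c9e1b04d62f8e5c1.exfil.example TXT
2025-03-10T09:00:04Z 10.0.0.7 3e9d1c5b7a0f4682d9c3.exfil.example TXT
2025-03-10T09:00:05Z 10.0.0.7 b8a2f5e0c7d1936f4a2e.exfil.example TXT
2025-03-10T09:00:06Z 10.0.0.9 mail.bank.example MX
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Parse 'timestamp client qname qtype' lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qname, qtype = m.groups()
            records.append({"ts": ts, "client": client,
                            "qname": qname.rstrip(".").lower(), "qtype": qtype})
    return records


def registrable_domain(qname):
    """Last two labels of the name (assumption: no public-suffix list, fine for .example)."""
    return ".".join(qname.split(".")[-2:])


def shannon_entropy(s):
    """Bits of entropy per character; hex-like random data scores close to 4.0."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def is_blocklisted(qname):
    """True if the name itself or any parent domain appears on the blocklist."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels) - 1))


def looks_like_exfil_label(label, min_len=16, min_entropy=3.0):
    """Long, high-entropy leftmost label: typical of data encoded into query names."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def analyse(records, exfil_threshold=3):
    """Return findings: blocklist hits plus (client, domain) pairs with repeated exfil-like queries."""
    findings = []
    exfil_counts = defaultdict(int)
    for r in records:
        if is_blocklisted(r["qname"]):
            findings.append({"type": "blocklist", "client": r["client"], "qname": r["qname"]})
        first_label = r["qname"].split(".")[0]
        if looks_like_exfil_label(first_label):
            exfil_counts[(r["client"], registrable_domain(r["qname"]))] += 1
    for (client, domain), n in exfil_counts.items():
        if n >= exfil_threshold:
            findings.append({"type": "possible_exfiltration", "client": client,
                             "domain": domain, "queries": n})
    return findings


def run_sample():
    """Analyse the constructed log; returns one blocklist hit and one exfiltration finding."""
    return analyse(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The blocklist check walks up the name so that a subdomain of a listed domain is caught; the exfiltration heuristic deliberately requires several queries from the same client before raising a finding, because a single long random label (a CDN hostname, for instance) is common and would otherwise generate noise. In production the thresholds and the blocklist would be tuned against the organisation’s own baseline traffic.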
Challenges to Adoption
Participants identified key barriers to adopting DNS security tools and techniques.
While effective tools exist, adoption remains inconsistent across the EU. One challenge is the lack of specific guidance from national authorities. A flexible, non-prescriptive approach enables adaptation across sectors and encourages innovation, but also leaves organizations, especially those with limited cybersecurity resources, uncertain about what to implement.
The EU is addressing this gap through the implementation of the NIS2 Directive. Annex 6.7.2(l) of the European Commission’s 17 October 2024 Implementing Regulation (EU) 2024/2690 regarding technical and methodological requirements of cybersecurity risk-management measures (“NIS2 Implementing Regulation”) directs covered entities to “apply best practices for the security of the DNS, and for Internet routing security and routing hygiene.” ENISA’s related Implementing Guidance provides some recommended practices.
Still, vague guidance is not the only issue. Adoption is also hindered by a shortage of professionals with DNS security expertise, and by the fact that many popular detection tools do not monitor DNS traffic for threats.
Multistakeholder Forum
Participants discussed a proposed multistakeholder forum aimed at harmonizing DNS security best practices.
Recital 8 of the NIS2 Implementing Regulation directs the Commission, ENISA, the telecoms industry, and other stakeholders to establish a forum to identify “best available standards and deployment techniques” across areas including:
- The transition to next-generation network protocols.
- The adoption of interoperable modern email standards.
- DNS and internet routing security.
The forum, being established by DG CONNECT, will play a vital role not only in NIS2 implementation, but also in shaping standards for broader use within and beyond the EU. There was discussion of when the forum would be established and mechanisms to engage with it.
Reforming Liability Protections
Participants explored how liability reforms could incentivize adoption of DNS protections.
Currently, organizations are liable for DNS-related fraud. For instance, if a customer enters credentials on a spoofed bank website, the bank bears the loss. While domain-monitoring services can help, they’re underutilized.
A proposed strategy is for ISPs to offer a “secure network connection” that blocks known malicious domains. Customers who disable this service could regain full internet access—but would assume liability if they fall victim to fraud. Conversely, those using the service would still be protected. This opt-in/opt-out liability framework could encourage adoption while preserving user choice.
Possible Policy Actions
Participants identified potential actions governments and industry can take to improve the state of DNS security across the EU, including:
- Encourage Use of Self-Assessment Tools – The Dutch Authority for Digital Infrastructure launched the NIS2 Quick Scan in October 2024. This 40-question tool assesses an organization’s cybersecurity posture. EU policymakers could promote its broader use to increase DNS security awareness and readiness.
- Provide TLD Registry Discounts – Several European country code top-level domain (ccTLD) registries (e.g., in the Netherlands, Norway, Sweden, and Czechia) offer DNSSEC adoption incentives. These have helped drive DNSSEC usage rates above 50%. Similar incentive programs should be considered across the EU.
- Invest in DNS Security Workforce – Even with clear best practices, there’s a need for skilled professionals to implement them. Policymakers and industry should invest in DNS security training to strengthen the talent pipeline.
- Create adoption programs – Many SMBs lack in-house DNS security capabilities. The EU, member states and industry should work to develop accessible adoption programs to close this gap and enable broader implementation.
- Clarify Industry Participation in the Multistakeholder Forum – To ensure the forum’s success, DG CONNECT and ENISA must adopt a transparent and inclusive approach. This includes publishing details on the forum’s structure, decision-making processes, meeting schedules, and membership criteria. Clear participation pathways will enhance trust and ensure private-sector input shapes practical, implementable DNS Security techniques under NIS2.