
Digital Trust Mark: Tick. What Next?


Ireland's national domain registry .IE launched something genuinely useful this week — the Digital Trust Mark, described as "an NCT for your online identity, websites, and emails." If you have not heard of it yet, you will. It launched to coverage in the Irish Examiner, ThinkBusiness, and TechCentral, and .IE's Chief Growth Officer Louise McKeown Doogan has set an ambitious target: for it to become "a digital equivalent of the NCT and an essential part of interacting online in Ireland within the next year."

That is a bold ambition, and it is well-founded. The research published alongside the launch makes sobering reading: 17% of Ireland's key organisations have experienced a significant cyber attack since 2024, with phishing accounting for 60% of incidents and the exploitation of system weaknesses for a further 21.3%. Garda figures published the same week showed fraud-related offences more than doubled over the past year, rising 137%, with bank scams, phishing, and smishing as the principal drivers.

The Digital Trust Mark is a direct and practical response to this environment. It gives Irish businesses a way to demonstrate, independently and visibly, that their digital foundations are correctly configured. That matters — both for customer confidence and for the business owner who wants to know whether their website and email are set up to a recognised standard.

So what does the mark actually test? And if you earn it, what should you do next?

What the Digital Trust Mark Tests

The assessment runs 28 automated checks across four broad areas: your website's HTTPS configuration, your TLS (encryption) setup, your email authentication records, and your HTTP security headers. In plain terms, it is checking whether your website is served securely, whether your email cannot be easily spoofed, and whether your web server is configured to protect visitors from certain classes of attack.

The specific controls it examines include whether you have an SPF record (which tells receiving mail servers which servers are authorised to send email on your behalf), whether DKIM is enabled (which digitally signs outgoing emails so that tampering in transit can be detected), and whether you have a DMARC policy (which tells receiving servers what to do with emails that fail those checks). It also checks whether your website uses HTTPS, whether your TLS configuration is up to date, and whether you have deployed security headers such as HSTS and a Content Security Policy.

These are genuine, meaningful controls. Getting them right does reduce your attack surface. A business that earns the Digital Trust Mark has done something real — not just ticked a box.

"Until now there has been no visible way for consumers to know that a website meets a recognised standard and no way for businesses or organisations to signal that they do." — Louise McKeown Doogan, Chief Growth Officer, .IE

The wolfhound symbol that accredited businesses can display on their website or email signature is a visible trust signal in a market where online fraud is rising sharply. That is worth having.




What the Digital Trust Mark Does Not Test

Here is the honest part. It is important to understand it, not to diminish the mark, but to see what comes next.

The 28 automated checks the Digital Trust Mark runs are all technical configuration checks. They can be performed without anyone ever speaking to your business, visiting your premises, or understanding what you actually do. That is by design — it is what makes the assessment fast, affordable, and scalable. But it also means there is a significant category of risk that the mark cannot see.

A business could score 100% on the Digital Trust assessment and still be breached tomorrow. Here is why.

The mark does not test whether your staff can recognise a phishing email. It does not check whether your employees use strong, unique passwords or whether multi-factor authentication is enabled on your email accounts. It does not assess whether your servers and software are patched and up to date. It does not look at your backup and recovery procedures, your incident response plan, or whether you have a process for handling a ransomware attack. It does not evaluate your supply chain security, your access controls, or whether your team understands what data they hold and how to protect it.

Phishing — the attack type that accounts for 60% of Irish cyber incidents — is almost entirely a human and process problem, not a technical configuration problem. No DNS record prevents a well-crafted phishing email from landing in an inbox. No HTTP header stops an employee from clicking a malicious link. Those risks require different controls: staff awareness training, simulated phishing exercises, MFA, and a clear process for reporting suspicious emails.

This is not a criticism of the Digital Trust Mark. It is doing exactly what it says it does. The point is simply that the mark is a starting line, not a finish line.

The Practical Next Steps

If you have earned the Digital Trust Mark — congratulations. You have done something that many Irish businesses have not. Now here is how to build on it.

Fix the email authentication gap first. If your Digital Trust assessment flagged a missing or weak DMARC record, address it before anything else. DMARC is the control that prevents attackers from sending emails that appear to come from your domain — a technique used in business email compromise attacks, which are among the most financially damaging cyber crimes affecting Irish SMEs. Adding a DMARC record takes five minutes and costs nothing. Our guide to SPF, DKIM and DMARC walks through exactly how to do it.
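To make "missing or weak" concrete, the sketch below grades the SPF and DMARC TXT records described earlier in this post. It is an added example, not .IE's assessment code or ours in production; the grade labels are assumptions, the sample records are constructed for the placeholder domain example.com, and DKIM is left out because its key record sits under a sender-chosen selector.

```python
# Added example, not .IE's assessment code. Grade labels are assumptions of
# this sketch; record syntax follows RFC 7208 (SPF) and RFC 7489 (DMARC).

def parse_dmarc(txt):
    """Return the tag dict of a DMARC TXT record, or None if it is not one."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        return None
    pairs = (p.partition("=") for p in parts[1:])
    return {k.strip().lower(): v.strip() for k, sep, v in pairs if sep}

def grade_dmarc(txt_records):
    """Grade the TXT records published at _dmarc.<domain>."""
    found = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if not found:
        return "missing"
    if len(found) > 1:
        return "invalid"        # several DMARC records: receivers apply none
    policy = found[0].get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    if policy == "none":
        return "monitor-only"   # no action requested on failing mail
    return "enforced" if found[0].get("pct", "100") == "100" else "partial"

def grade_spf(txt_records):
    """Grade the TXT records published at <domain> by their default result."""
    found = [t.lower().split() for t in txt_records
             if t.lower().split()[:1] == ["v=spf1"]]
    if not found:
        return "missing"
    if len(found) > 1:
        return "invalid"        # several SPF records: evaluation is a permerror
    terms = found[0][1:]
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not alls:
        redirected = any(t.startswith("redirect=") for t in terms)
        return "delegated" if redirected else "no-default"
    qualifier = alls[0][0] if alls[0][0] in "+-~?" else "+"
    return {"-": "hardfail", "~": "softfail"}.get(qualifier, "permissive")

if __name__ == "__main__":
    # Constructed records for the placeholder domain example.com.
    spf = ["v=spf1 include:_spf.example.com ~all"]
    dmarc = ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]
    print(grade_spf(spf), grade_dmarc(dmarc))   # softfail monitor-only
```

A domain graded monitor-only publishes a DMARC record but asks receivers to take no action on spoofed mail, which is the "weak" case to move to quarantine or reject once the reports look clean.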

Enable multi-factor authentication on every account. If there is one control that the Digital Trust Mark does not test but that has the single greatest impact on your security, it is MFA. Enabling MFA on your email, your cloud storage, your accounting software, and any other business-critical system means that a stolen password alone is not enough to access your accounts. The NCSC Ireland recommends MFA as a baseline control for all organisations. It is free on most platforms and takes minutes to enable.

Train your team to recognise phishing. Since phishing accounts for 60% of Irish cyber incidents, staff awareness is not a nice-to-have — it is a core control. This does not require an expensive training programme. It starts with a conversation: what does a suspicious email look like? What should staff do when they receive one? What is the process for reporting it? A structured security awareness training programme, even a basic one, measurably reduces the likelihood of a successful phishing attack.

Check your DNS security configuration. The Digital Trust Mark tests some DNS controls, but DNS security is a broader topic. DNSSEC, which prevents DNS cache poisoning attacks, and CAA records, which restrict which Certificate Authorities can issue certificates for your domain, are both worth implementing. Neither requires ongoing maintenance once configured.
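How a CAA record set restricts issuance is easiest to see as the decision a Certificate Authority makes before issuing. The following is an added example, not code from .IE or any CA; it follows the RFC 8659 rules, assumes the caller has already fetched the CAA records that apply to the name, and uses constructed records with placeholder CA names.

```python
# Added example, not code from .IE. It models the RFC 8659 decision a
# Certificate Authority makes from the CAA records that apply to a name.
# Assumption: the caller has already fetched the relevant CAA record set.

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
ISSUER_CRITICAL = 128

def issuers(caa_rrset, wanted_tag):
    """Issuer domain names listed under one tag, with parameters stripped."""
    return [value.split(";")[0].strip().lower()
            for _flags, tag, value in caa_rrset if tag.lower() == wanted_tag]

def ca_may_issue(caa_rrset, ca_domain, wildcard=False):
    """caa_rrset is a list of (flags, tag, value) tuples; ca_domain is the
    issuer domain name the CA identifies itself by in CAA records."""
    for flags, tag, _value in caa_rrset:
        if flags & ISSUER_CRITICAL and tag.lower() not in KNOWN_TAGS:
            return False          # critical property this CA cannot process
    allowed = issuers(caa_rrset, "issue")
    if wildcard:
        # For *.name, any issuewild record replaces the issue records.
        allowed = issuers(caa_rrset, "issuewild") or allowed
    if not allowed:
        return True               # nothing restricts issuance (e.g. iodef only)
    return ca_domain.lower() in allowed

# Constructed record set: one CA for ordinary names, no wildcards at all.
SAMPLE_RRSET = [
    (0, "issue", "ca-one.example"),
    (0, "issuewild", ";"),
    (0, "iodef", "mailto:security@example.com"),
]
```

With the sample set, only ca-one.example may issue for the domain and no CA may issue a wildcard certificate; a domain with no CAA records at all leaves every CA permitted.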

Understand what NIS2 means for your business. If your business operates in a regulated sector — energy, transport, healthcare, food, manufacturing, digital services, or the supply chain of any NIS2-regulated organisation — the Digital Trust Mark is a useful step, but NIS2 compliance requires a considerably more comprehensive programme. The NIS2 Directive came into effect in Ireland in 2024 and carries penalties of up to €10 million or 2% of global annual turnover for essential entities.

A Note on the Bigger Picture

The Digital Trust Mark is part of a broader and genuinely important conversation about digital trust in Ireland. The concept of digital trust — the confidence that consumers, partners, and regulators can place in an organisation's digital presence — is becoming a competitive differentiator. Businesses that can demonstrate they take their digital responsibilities seriously are better positioned to win contracts, retain customers, and satisfy the due diligence requirements of larger organisations in their supply chain.

PwC's Digital Trust Insights Survey 2026, published in October 2025, found that Irish organisations are increasingly aware of the gap between their cyber ambitions and their actual capabilities. The Digital Trust Mark is one practical way to close part of that gap. But the businesses that will be genuinely resilient are those that go beyond the technical configuration layer and build a security culture — one where staff understand the risks, leadership takes ownership, and the organisation has a tested plan for when something goes wrong.

That is the work of a vCISO engagement, not an automated assessment. But the Digital Trust Mark is an excellent place to start.


Ready to Go Beyond the Mark?

If you have earned your Digital Trust Mark and want to understand what comes next — or if your assessment flagged issues you are not sure how to fix — we can help. Pragmatic Security works with Irish SMEs to build practical, proportionate security programmes that go beyond technical configuration to address the full range of cyber risk.

Book a free 20-minute strategy call with our vCISO team. We work with small and medium businesses across Ireland — no jargon, no scare tactics, just clear actionable advice.
