Digital Trust Mark: Tick. What Next?

Ireland's Digital Trust Mark is a useful starting point for SMEs. Here is what the 28 automated checks actually test, what they miss, and the practical next steps.


For Irish SMEs in Donegal and across Ireland.

Ireland's national domain registry .IE launched something genuinely useful this week — the Digital Trust Mark, described as "an NCT for your online identity, websites, and emails." If you have not heard of it yet, you will. It launched to coverage in the Irish Examiner, ThinkBusiness, and TechCentral, and .IE's Chief Growth Officer Louise McKeown Doogan has set an ambitious target: for it to become "a digital equivalent of the NCT and an essential part of interacting online in Ireland within the next year."

That is a bold ambition, and it is well-founded. The research published alongside the launch makes sobering reading: 17% of Ireland's key organisations have experienced a significant cyber attack since 2024, with phishing accounting for 60% of incidents and the exploitation of system weaknesses for a further 21.3%. Garda figures published the same week showed fraud-related offences more than doubled over the past year, rising 137%, with bank scams, phishing, and smishing as the principal drivers.

The Digital Trust Mark is a direct and practical response to this environment. It gives Irish businesses a way to demonstrate, independently and visibly, that their digital foundations are correctly configured. That matters — both for customer confidence and for the business owner who wants to know whether their website and email are set up to a recognised standard.

So what does the mark actually test? And if you earn it, what should you do next?

What the Digital Trust Mark Tests

The assessment runs 28 automated checks across four broad areas: your website's HTTPS configuration, your TLS (encryption) setup, your email authentication records, and your HTTP security headers. In plain terms, it is checking whether your website is served securely, whether your email cannot be easily spoofed, and whether your web server is configured to protect visitors from certain classes of attack.

The specific controls it examines include whether you have an SPF record (which tells receiving mail servers which servers are authorised to send email on your behalf), whether DKIM is enabled (which digitally signs outgoing emails so that receiving servers can detect whether they were altered in transit), and whether you have a DMARC policy (which tells receiving servers what to do with emails that fail those checks). It also checks whether your website uses HTTPS, whether your TLS configuration is up to date, and whether you have deployed security headers such as HSTS and a Content Security Policy.

These are genuine, meaningful controls. Getting them right does reduce your attack surface. A business that earns the Digital Trust Mark has done something real — not just ticked a box.

"Until now there has been no visible way for consumers to know that a website meets a recognised standard and no way for businesses or organisations to signal that they do." — Louise McKeown Doogan, Chief Growth Officer, .IE

The wolfhound symbol that accredited businesses can display on their website or email signature is a visible trust signal in a market where online fraud is rising sharply. That is worth having.




What the Digital Trust Mark Does Not Test

The 28 automated checks are all technical configuration checks. They can be performed without anyone speaking to your business or understanding what you actually do. That is by design — it is what makes the assessment fast and scalable. But it means there is a significant category of risk that the mark cannot see.

A business could score 100% on the Digital Trust assessment and still be breached tomorrow. Here is why.

The mark does not test whether your staff can recognise a phishing email, whether MFA is enabled on your accounts, whether your servers are patched, or whether you have a tested incident response plan. It does not evaluate your supply chain security, your access controls, or whether your team understands what data they hold and how to protect it.

Phishing — the attack type that accounts for 60% of Irish cyber incidents — is almost entirely a human and process problem, not a technical configuration problem. No DNS record prevents a well-crafted phishing email from landing in an inbox. No HTTP header stops an employee from clicking a malicious link. Those risks require different controls: staff awareness training, simulated phishing exercises, MFA, and a clear process for reporting suspicious emails.

This is not a criticism of the Digital Trust Mark. It is doing exactly what it says it does. The point is simply that the mark is a starting line, not a finish line.

The Practical Next Steps

If you have earned the Digital Trust Mark — congratulations. You have done something that many Irish businesses have not. Now here is how to build on it.

Fix the email authentication gap first. If your Digital Trust assessment flagged a missing or weak DMARC record, address it before anything else. DMARC is the control that prevents attackers from sending emails that appear to come from your domain — a technique used in business email compromise attacks, which are among the most financially damaging cyber crimes affecting Irish SMEs. Adding a DMARC record takes five minutes and costs nothing. Our guide to SPF, DKIM and DMARC walks through exactly how to do it.
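
To make "missing or weak" concrete for the SPF and DMARC records described above, here is an added example (not .IE's scoring logic and not code from this article) that grades the TXT records you would find at your domain and at _dmarc.<your domain>. The grade labels, the example.ie domain and the sample records are assumptions made for illustration.

```python
# Added example. Every record used below is a constructed sample for example.ie.

def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def grade_dmarc(txt_records):
    """Grade the TXT records published at _dmarc.<domain>."""
    found = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not found:
        return "missing", "no v=DMARC1 record published"
    if len(found) > 1:
        return "invalid", "multiple DMARC records; receivers apply none"
    tags = parse_tags(found[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", "p= tag absent or unrecognised"
    if policy == "none":
        return "weak", "p=none only reports; spoofed mail is still delivered"
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        return "weak", f"policy covers only {pct}% of failing mail"
    return "enforcing", f"p={policy} applies to all failing mail"

def grade_spf(txt_records):
    """Grade the TXT records published at the domain itself."""
    found = [r for r in txt_records if r.strip().lower().startswith("v=spf1")]
    if not found:
        return "missing", "no v=spf1 record published"
    if len(found) > 1:
        return "invalid", "multiple SPF records cause a permanent error"
    terms = found[0].lower().split()
    if "+all" in terms or "all" in terms:
        return "weak", "'all' with a pass qualifier authorises every server"
    if "-all" in terms or "~all" in terms:
        return "ok", "unlisted servers fail or softfail"
    if any(t.startswith("redirect=") for t in terms):
        return "delegated", "policy lives in another domain's record"
    return "weak", "unlisted servers get only a neutral result"

if __name__ == "__main__":  # constructed sample records
    print(grade_dmarc(["v=DMARC1; p=none; rua=mailto:dmarc@example.ie"]))
    print(grade_dmarc(["v=DMARC1; p=reject; rua=mailto:dmarc@example.ie"]))
    print(grade_spf(["v=spf1 include:_spf.example.ie ~all"]))
```

A record that exists but sits at p=none is graded weak here because it asks receivers only to report failures, not to quarantine or reject them.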

Enable multi-factor authentication on every account. If there is one control that the Digital Trust Mark does not test but that has the single greatest impact on your security, it is MFA. Enabling MFA on your email, your cloud storage, your accounting software, and any other business-critical system means that a stolen password alone is not enough to access your accounts. The NCSC Ireland recommends MFA as a baseline control for all organisations. It is free on most platforms and takes minutes to enable.

Train your team to recognise phishing. Since phishing accounts for 60% of Irish cyber incidents, staff awareness is not a nice-to-have — it is a core control. This does not require an expensive training programme. It starts with a conversation: what does a suspicious email look like? What should staff do when they receive one? What is the process for reporting it? A structured security awareness training programme, even a basic one, measurably reduces the likelihood of a successful phishing attack.

Check your DNS security configuration. The Digital Trust Mark tests some DNS controls, but DNS security is a broader topic. DNSSEC, which prevents DNS cache poisoning attacks, and CAA records, which restrict which Certificate Authorities can issue certificates for your domain, are both worth implementing. Neither requires ongoing maintenance once configured.

Understand what NIS2 means for your business. If your business operates in a regulated sector — energy, transport, healthcare, food, manufacturing, digital services, or the supply chain of any NIS2-regulated organisation — the Digital Trust Mark is a useful step, but NIS2 compliance requires a considerably more comprehensive programme. The NIS2 Directive came into effect in Ireland in 2024 and carries penalties of up to €10 million or 2% of global annual turnover for essential entities.


The Bigger Picture

The Digital Trust Mark is a useful starting line, not a finish line. Businesses that go beyond the technical configuration layer and build a genuine security culture — where staff understand the risks, leadership takes ownership, and the organisation has a tested plan for when something goes wrong — will be the ones that are genuinely resilient. That is the work of a structured security programme, not an automated assessment.

Book a free 20-minute strategy call with our vCISO team if you want to understand what comes next after earning your Digital Trust Mark.


Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.