The European domain name sector is preparing for multiple new regulatory initiatives. Regulatory pressure in this sector is not new, but it is definitely increasing, writes Declan McDermott, Internet Policy and Compliance Officer at .ie.
A brief glimpse at the horizon shows several regulations on the way: the Critical Entities Resilience Directive (CER); the eIDAS 2.0 Regulation, covering electronic certificates for authentication and electronic seals for electronic documents; and new regulations affecting intellectual property rights for everything from crafts to spirits. The one law that everyone in the domain name industry is (or should be) talking about, though, is NIS2.
What is NIS2?
NIS2 (Directive (EU) 2022/2555) is an EU directive aimed at a “high common level of cybersecurity across the Union”. It replaces the first Network and Information Systems (NIS) Directive, hence the name. As an EU directive, NIS2 binds member states to that result, a “high common level” of cyber resilience and cybersecurity across the Union, but leaves each member state to decide, through its own national law, how that result is reached.
In Ireland, NIS2 is to be transposed into national law by the EU-wide deadline of 17 October 2024 through the upcoming National Cyber Security Bill. The Bill was announced in the Government’s Autumn 2023 Legislative Programme, but no further details of its contents have been released. Like any other law, it will need to go through the normal legislative procedures of the Oireachtas.
Does NIS2 apply to me?
If your business operates in the internet domain name space, then NIS2 probably applies to you. Article 2 of NIS2 explicitly names top-level domain (TLD) name registries (like the .ie registry), domain name system (DNS) service providers, and any “entity providing domain name registration services”. That last category covers domain name registrars and resellers: the companies from which users purchase the right to use a .ie or a .com domain name. Unlike most other sectors covered by NIS2, where only medium-sized and larger entities are in scope, there is no size threshold for registrars and resellers. Any entity providing domain name registration services will be subject to NIS2, no matter how small.
What does NIS2 say, exactly?
For the domain name sector, there are a few parts of NIS2 that are most relevant:
• Database of Registration Data (Article 28) – Registries, registrars, and resellers alike will need to collect and maintain, in a “dedicated database”, accurate and complete registration data for every registrant who signs up for a domain name. At a minimum this includes the registrant’s name, contact email address and telephone number, plus the same contact details for any separate point of contact administering the domain. Because the data must be accurate and complete, registries and registrars will also need verification procedures to check it.
• Legitimate Access Seekers (Article 28) – Registries and registrars will also need to disclose this registration data to “legitimate access seekers” within 72 hours of receiving a request, provided the request is “lawful” and “duly substantiated”. Every request therefore has to be examined to confirm that it is lawful and substantiated before any data is released, and that examination has to fit inside the 72-hour window.
• Cyber Security Risk Management (Article 21) – Article 21 lists the technical, operational and organisational cybersecurity risk-management measures that essential and important entities must implement. Registries like .ie are designated “essential entities” and will need to implement all of them. Registrars are not named in Article 21, but one of its measures is “supply chain security”, so a registry will have to assess the risk posed by its registrars and is likely to pass requirements down to them.
More specific requirements will be set out in implementing acts adopted by the European Commission. For TLD name registries and DNS service providers (among other digital infrastructure entities), the implementing act specifying the technical and methodological requirements of the Article 21 measures is due by 17 October 2024.
The impacts and risks of NIS2
NIS2 presents an opportunity for Ireland to improve its cybersecurity resilience. But in the domain name industry it risks severe unintended consequences, particularly for small companies, if it is not transposed carefully.
The requirement to verify registration data could overburden smaller registrars, especially if the set of information that must be verified is extensive or difficult to collect. Even the requirement to provide access to legitimate access seekers may overburden registrars if that term is defined too broadly. Before disclosing personal data, a registrar has to confirm both the identity of the access seeker and the lawful basis of the request; if the definition of legitimate access seekers goes beyond bodies such as law enforcement or government regulators, those checks become harder and more expensive for each request.
The cybersecurity measures under Article 21 may also affect smaller entities. We do not yet know exactly what the required measures will be, or how they will affect smaller companies in the supply chain of an essential entity such as .ie. The requirements should be prescribed in proportion to an entity’s actual exposure to risk, and those who will be within the scope of the NIS2 rules need certainty without delay.
Because of the risk that NIS2, and specifically Article 28, poses to the EU domain name sector, the Council of European National Top-Level Domain Registries (CENTR) has developed a series of recommendations for member states and the NIS Cooperation Group on how Article 28 should be implemented. It recommends that national laws:
1. should be proportionate to a registry’s and registrar’s actual exposure to risk;
2. should allow for diverse approaches to how registration data is verified;
3. should allow any new verification systems or processes to be phased in gradually for the millions of domains already registered;
4. should be flexible and allow for risk-based processes to be adopted;
5. should allow for hybrid models, where either the registry or registrar can do the required verification;
6. should be respectful of GDPR and the principle of data minimisation;
7. should be flexible for when verification is done;
8. should allow registries and registrars access to national databases and eID infrastructure if applicable; and,
9. should allow for self-identification of legal status (individual versus legal representative).
If member states and the officials negotiating the implementing acts follow these recommendations, the result would be harmonised verification processes across the Union and a better prospect of NIS2 being implemented effectively and consistently.
At .ie we are committed to demonstrating leadership for our sector and providing good governance. This includes meeting all our regulatory requirements, including NIS2. It is not an easy task, but .ie has the benefit of an expert multi-stakeholder Policy Advisory Committee that ensures its policies and procedures are consensus-driven and will help .ie navigate the rough regulatory waters ahead. On this matter, .ie will also continue to advocate for its stakeholders to policymakers, and collaborate with cross-border partners and government officials to mitigate any possible adverse impacts on registrars and internet users.