December 2023 - DNS | Domains | IT Law

Article 28 of the NIS2 Directive and the DNS Industry

Thomas Rickert and Lars Steffen, eco Association, explain why complying with the NIS2 Directive and Article 28, in particular, presents challenges for the DNS industry. Everyone is responsible for everything, but not everyone has to do everything!


At a workshop on the implications of Article 28 for the DNS industry organized by eco – Association of the Internet Industry in October 2023, stakeholders from the DNS industry, the European Commission, national governments, and the ICANN community convened to discuss the challenges facing the DNS industry and to work together on avoiding fragmentation as much as possible.

As we put it on the day: “Like it or not, we’re all on Team 28 now and have to make it work one way or the other”.

A detailed report of the workshop and the full recording can be found here. In this article, we summarize the main takeaways and outline the areas in which work needs to be done.

The NIS2 Directive

The NIS2 Directive (NIS2) is the EU-wide legislation on cybersecurity. It is a set of legal measures designed to improve the overall level of cybersecurity in the European Union. The Directive has significant implications for the domain name registration process in the EU, as well as the cybersecurity sector as a whole. It introduces measures such as cybersecurity frameworks, national strategies, incident response teams and risk management protocols. The domain name system (DNS) is given an important role in NIS2, which declares that a reliable, resilient and secure DNS is key to maintaining the integrity of the Internet.

NIS2 came into force on 16 January 2023, and Member States are required to implement its measures into national law by 17 October 2024. What makes NIS2 a challenge for the domain industry is that it is a directive. Directives mandate that EU Member States attain specific outcomes while allowing them the flexibility to determine the means to reach these goals. Member States are obligated to implement measures within their national legal frameworks (transpose) to fulfil the objectives outlined in the directive.

For the domain industry in particular, this national transposition contrasts with the global nature of the Internet, whose policies – at least for generic Top-Level Domains – are largely uniformly regulated on a worldwide basis by the Internet Corporation for Assigned Names & Numbers (ICANN). Stakeholders are, therefore, worried that they will have to comply with multiple sets of rules leading to fragmentation in the market. 

In future, there could be up to 27 different procedures for validating registrant data used to register a domain name. This not only leads to a high level of complexity for the companies and organizations concerned when transposing the NIS2 Directive, but also poses a risk to end customers, who may have to go through numerous validation procedures when registering domains with different endings. This not only causes inconvenience for customers but also becomes a significant competitive disadvantage in the long run for domain registrars that have to comply with the national transpositions of NIS2. 

Complying with NIS2 and Article 28, in particular, presents challenges for the DNS industry. There is still a lack of clarity – and hence much debate – on matters such as which entities are covered by the Directive, jurisdiction and territoriality issues, and the requirements for non-EU entities offering services in the EU. These challenges – and some answers – are covered in this article. First of all, why is this one article at the center of the debate?

Article 28 and the DNS industry

Article 28 of the NIS2 Directive will have a particular impact on the domain name ecosystem, affecting various stakeholders such as domain name registration service providers, TLD name registries, their resellers, privacy and proxy service providers as well as DNS service providers. It requires Member States to ensure the accurate collection and maintenance of domain name registration data in a dedicated database – widely known as WHOIS – in compliance with EU data protection law. Moreover, it mandates timely public disclosure of non-personal domain name registration data and requires these companies to respond to disclosure requests adhering strictly to data protection laws. Further, compliance entails swift processing of such requests within 72 hours, public availability of data disclosure policies, and collaboration among TLD name registries and registration service providers to prevent duplication of data collection.

The scope of the NIS2 Directive

A lot of the discussion around Article 28 has centered around the precise scope of the Directive, in particular challenging issues such as which entities are addressed, the status of resellers, jurisdiction, and the legal basis for the collection of domain name registration data.

Critical entities

The NIS2 Directive mandates cybersecurity measures for ‘critical entities’, including TLD name registries and DNS service providers. DNS service providers and TLD name registries are qualified as essential entities regardless of their size. Root name server operators are explicitly excluded. The European Union Agency for Cybersecurity, ENISA, has been tasked with managing a registry of entities and collecting relevant information for the competent authorities, such as entity details, addresses and the services provided.

Resellers

Whether resellers are included in Article 21 (2)(d), which addresses supply chain security including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers, and what obligations will apply to them, is still under discussion. This will be addressed in the implementing acts, which will be drafted once all Member States have provided their input to the Commission.

Jurisdiction & non-EU entities

The jurisdiction and territoriality guidelines define the scope of jurisdiction for entities. Jurisdiction is exercised by the Member State where the entity has its main establishment, i.e., where decisions on cybersecurity risk management are predominantly taken.

Non-EU entities offering services in the EU must designate a representative (a natural or legal person) in a Member State where they operate and are then subject to the jurisdiction of that State.

The focus of NIS2 is on the provision of services within Europe; entities operating outside the scope of the EU are excluded. The decisive factor for falling within the scope of the Directive is either the location of the main establishment of the entity or the provision of the service. The entire operational chain must be considered when discussing the registration of EU-related data. If a registrar operates within the EU, then an (EU) registry must be involved and thus falls under the scope of NIS2.

IP ranges

What is still unclear is the exact scope of the IP ranges that have to be provided to the competent national authority (Art. 27 (2)(f)). Does it include the IP range for the entire network, or only for the DNS or other specific services? The IP ranges are explicitly excluded from the information which is to be forwarded by the competent authority to ENISA for the register of entities, to which competent authorities can request access.

The legal basis for processing and disclosing domain name registration data

With the aim of preventing, detecting and responding to DNS abuse, Article 28 aims to establish a legal framework ensuring the accuracy, completeness, and accessibility of domain name registration data (so-called ‘WHOIS data’) for legitimate access seekers. The WHOIS data should contain specific information necessary to identify and contact domain name holders and points of contact.

It provides a clear legal basis for TLD registries and registration service entities to process data (Art. 6(1)(c) GDPR), also allowing data collection for other purposes (Recital 109). Entities are obligated to process registration data and maintain publicly available data accuracy policies. They must promptly disclose non-personal information, such as legal entity information (excluding e-mail addresses that contain personal data, see Recital 112), as this is outside the scope of protection of the GDPR. They must grant access to certain personal data within 72 hours of a duly substantiated request from a legitimate access seeker.

The role of registration data in the fight against DNS abuse

Recital 110 of the NIS2 Directive states that “the availability and timely accessibility of domain name registration data to legitimate access seekers is essential to prevent and combat DNS abuse and to prevent, detect and respond to incidents.” How effective is the use of domain name registration data in combating DNS abuse?

Various industry experts presented different views at the ICANN78 NIS2 workshop. Some, such as the Public Interest Registry, have found success in using the Quality Performance Index (QPI) to proactively reduce abuse without relying solely on registry data. Conversely, others, such as iQ Global AS, focus on monitoring suspicious behavior using data from reputation block lists, avoiding the need for personal information.

Team Internet takes a reactive approach, using reports from multiple sources to identify potentially abusive domains, although they don't directly use personal data to investigate abuse. CleanDNS generally doesn't use registration data as evidence except when investigating compromised hosts, whereas law enforcement focuses on protecting victims by using registration data to identify and investigate compromised domains. Nominet UK highlighted its strategy of using compliance teams and algorithms to assess risk factors at registration, with registration data being one of several factors considered.

The importance of accurate data in mitigating DNS abuse is also a matter of debate. More accurate registration data may not be necessary for effective DNS abuse mitigation, for several reasons. Determined criminals are adept at circumventing measures based on accurate data. Improving data accuracy could eliminate the errors that currently help flag fraudulent registrations, removing one means of identifying them. The robust compliance and data verification practices already in place within several European ccTLDs suggest that further emphasis on data accuracy may not be the most critical aspect of mitigating DNS abuse.

Others see more accurate data as leading to a reduction in abuse without causing collateral damage, as more accurate data can help differentiate between malicious registrations and compromised domains. In this case, more accurate account holder data will assist in the investigation of the perpetrators.

The operational and implementation challenges facing the DNS industry

TLD name registries and any entities providing domain name registration services will be required to have policies and procedures in place, including verification procedures, to ensure that databases contain accurate and complete information, to make domain name registration data that is not personal data publicly available, etc.

Some of the challenges involved in implementing the requirements of Article 28 include:

  1. Implications for the gTLD space: Registries and registrars need to collaborate to streamline operations and avoid duplication of efforts, focusing on responsibilities for data collection, verification, provision of public WHOIS data, processing disclosure requests and communication with registrants. gTLD operators maintain that most if not all requirements can be met with existing policies and ICANN requirements.
  2. Implications for the ccTLD space: There may be challenges in implementing verification processes due to diverse data accuracy practices and the overlap with other regulatory requirements, e.g., the General Data Protection Regulation (GDPR). ccTLD operators wish to preserve their independence in policy-making.
  3. Responsibility for verification: There are different perspectives on whether registrars or registries should handle verification. There needs to be flexibility in any methods prescribed and a balance between stringent verification and accommodating diverse registrar operations.
  4. ICANN’s RDAP: The adoption of the Registration Data Access Protocol (RDAP) in ICANN agreements can facilitate the implementation of NIS2 compliance across different registry models. This will require cooperation between registries and registrars at the policy level.
  5. Distinguishing legal entities from natural persons: There are challenges in identifying legal entities behind domain registrations, particularly regarding how to deal with personal data in email addresses, raising concerns about GDPR compliance and the need for certain information.
  6. Impact on SMEs: There are concerns about the difficulty for smaller companies to comply with Article 28 requirements and the potential market disadvantages they might face.
  7. Contractual arrangements: It is important to establish clear contractual arrangements between the various parties involved in the domain registration process, including registries, registrars, resellers, and privacy and proxy service providers. The power dynamics and potential imbalances in the relationships between registries, registrars, and resellers can make it difficult to enforce compliance.
  8. Standardized verification processes: Domain name verification processes should be standardized across the industry to ensure a more streamlined and customer-friendly experience. Mutual recognition of verifications could help as could the use of existing identifiers like the Legal Entity Identifier (LEI).
  9. Verifying existing registrations: The practical implications of enforcing new policies on long-standing domain registrations need to be considered carefully.
  10. Handling disclosure requests: Conducting a comprehensive risk assessment when evaluating access requests under NIS2’s disclosure clause and the 72-hour deadline for response is important to ensure that registrars and registries do not inadvertently expose themselves to penalties or liability due to fraudulent access requests.

Conclusion

The need for a comprehensive approach that facilitates user-friendly domain registrations while ensuring compliance with the Directive and its transpositions into national laws is clear. In order to facilitate this goal, national lawmakers should only regulate minimum requirements, to allow the industry to provide as harmonized a response as possible.

Flexibility must be allowed in the verification and other processes, and the DNS industry must further assess the extent to which existing policies and approaches can be used or built upon to reach adaptable solutions that can evolve with the regulatory landscape until October 2024, when the Directive must be implemented.

The tasks arising from Art. 28 – maintaining a database of accurate registration data, and the verification, publication and disclosure of that data – may seem overwhelming, but whilst everyone is responsible for everything, not everyone needs to do everything.

Thus, the success of the implementation of the NIS2 Directive in the domain industry will depend on maintaining an open dialog between industry stakeholders and regulators as well as the willingness to cooperate and share responsibilities to achieve a balance between regulation and flexibility.


Follow the debate and policy developments online on the homepages of the eco Names & Numbers Forum and eco’s topDNS initiative.


Authors:

Attorney-at-law and domain law expert Thomas Rickert is Director of the Names & Numbers Forum at eco – Association of the Internet Industry (international.eco.de). Thomas Rickert is a member of the GNSO (Generic Names Supporting Organization) Council of the Internet Corporation for Assigned Names and Numbers (icann.org). In 2022, he initiated the topDNS Initiative (topdns.eco), which unites members of the eco Association to fight DNS abuse. Furthermore, Thomas Rickert is managing director of the law firm Rickert Rechtsanwaltsgesellschaft mbH (rickert.law), which specializes in legal issues of the digital economy.


Lars Steffen is Head of International, Digital Infrastructures & Resilience at eco – Association of the Internet Industry (international.eco.de), the largest Internet industry association in Europe. At eco, he coordinates all international, infrastructure and security-related activities of the association and takes care of the members from the domain name industry. He is also the Vice-President of EuroISPA, the umbrella organization of European provider associations.