NIS2 Directive: What It Means for the Domain Name Industry

The EU's NIS2 (Network and Information Systems) Directive, which came into force in January 2023, is set to have significant implications for the domain name industry in Europe and potentially beyond. As a major update to the EU's cybersecurity legislation, NIS2 aims to bolster the security and resilience of network and information systems.

For domain name registries, registrars, resellers, and DNS service providers, NIS2 imposes new obligations around the processing of domain name registration data.

What is the NIS2 Directive?

NIS2 is an EU-wide cybersecurity law that replaces the original NIS Directive from 2016. Its goal is to harmonize cybersecurity standards across the EU and improve overall cyber preparedness and response. NIS2 defines stricter security requirements for companies in critical sectors, establishes an EU-level incident response framework, and strengthens regulatory oversight and enforcement.

Crucially for the domain industry, NIS2 declares that a reliable, resilient and secure DNS is essential to the integrity of the Internet. As such, it mandates specific cybersecurity measures for "critical entities" like TLD registries and DNS providers.

NIS2 and the GDPR

NIS2 intersects with the EU's General Data Protection Regulation (GDPR) when it comes to the processing of domain name registration data, often referred to as WHOIS data.

Since the GDPR came into effect in 2018, the domain industry has grappled with how to handle WHOIS data in a privacy-compliant way. NIS2 provides some clarity by establishing a legal basis under the GDPR for the collection of registration data for the purposes outlined in NIS2.

However, questions remain about how to meet NIS2's data accuracy and disclosure requirements while fully upholding GDPR principles like data minimization. Striking the right balance will be crucial.

Implications for Domain Organizations

So, what does NIS2 mean in practice for those in the domain name ecosystem? Here are some of the key implications:

  • Scope: NIS2 applies directly to EU-based TLD registries, registrars, and DNS providers. It may also impact non-EU entities that offer services in the EU market. Resellers are likely covered too, though their precise obligations are still being ironed out.
  • Registration data: Companies must collect and maintain accurate and complete domain registration data, and have policies and procedures in place to verify that data. This includes distinguishing between personal data and non-personal data of legal entities.
  • Public WHOIS: Non-personal registration data must be made public without undue delay. But personal data like registrant email addresses must be protected.
  • Disclosure requests: Registries and registrars will have to provide legitimate access seekers with registration data, including personal data, within 72 hours of a duly justified request. Policies for handling such requests need to account for both NIS2 and GDPR compliance.
  • Harmonized approaches: With each EU member state transposing NIS2 into national law, there's a risk of ending up with a patchwork of divergent requirements. To avoid fragmentation, the industry should work towards standardized approaches to verification, disclosure, and other NIS2 obligations as much as possible.
  • Contractual clarity: Having clear contractual arrangements and delineation of responsibilities between different entities in the domain registration chain will be important, particularly given power imbalances between some actors.

The Road Ahead

The domain industry has until October 2024, when NIS2 must be implemented in national laws, to adapt. Success will depend on ongoing collaboration between industry players and governments to strike a workable balance between achieving NIS2's security aims and minimizing fragmentation and operational burdens.

Organizations should assess how their current practices align with NIS2 and start planning any necessary adjustments to policies, procedures and systems.

While NIS2 undoubtedly raises complex challenges for the domain space, it's also an opportunity to strengthen the security and integrity of the DNS in line with the globally interoperable nature of the Internet.
