NIS2 and Domain Names - an explainer
The second Directive on Network and Information Security, NIS2 (Directive (EU) 2022/2555), was adopted in late 2022 and brings in obligations on the domain name industry in relation to the collection, maintenance, accuracy and availability of registration data (or WHOIS data, as it is colloquially known). NIS2 replaces the original Network and Information Security Directive (NIS), adopted in 2016 and transposed into national law by member states in 2018. Beyond recognising EU ccTLDs as operators of critical infrastructure, the original law imposed few specific obligations on them.
This blog explains the NIS2 Directive’s provisions that relate to WHOIS data. At the time of writing (November 2024), the EU member states are transposing the Directive into national law, and we are following progress with our NIS2 tracker and explanatory blogs.
As noted in our paper, Habits of Excellence, debates about WHOIS data have raged within the domain name community for more than 20 years. The discussions have been characterised by polarisation and lack of consensus on how to balance the legitimate but sometimes conflicting interests of different stakeholders. On one side, individuals have a legitimate expectation of privacy in registration data. At the same time, there is a legitimate expectation that certain stakeholders should be provided with access to domain name registration data, to protect the public from cybercrime and other online harms.
NIS2 seeks to add legislative clarity into the WHOIS debate, by providing specific legal obligations with respect to registration data. Those obligations apply to both registries and ‘entities providing domain name registration services’, a defined term meaning ‘a registrar or an agent acting on behalf of registrars, such as a privacy or proxy registration service provider or reseller' (Article 6(22)).
What does Article 28 say?
Under NIS2, registries, registrars, resellers and proxy providers must ‘collect and maintain accurate and complete domain name registration data in a dedicated database with due diligence in accordance with Union data protection law as regards data which are personal data’ (Article 28(1)). The text requires the collection and maintenance of registration data to be consistent with data protection law, and it frames the whole obligation as being ‘for the purpose of contributing to the security, stability and resilience of the DNS’ (Article 28(1)).
Article 28(2) sets out the data points that comprise ‘the necessary information to identify and contact’ domain name registrants:
a) the domain name;
b) the date of registration;
c) the registrant’s name, contact email address and telephone number;
d) the contact email address and telephone number of the point of contact administering the domain name in the event that they are different from those of the registrant.
Article 28(3) imposes a new requirement on registries and registrars to have ‘verification procedures’ to ensure accurate and complete registration data, as follows (emphasis added):
Member States shall require the TLD name registries and the entities providing domain name registration services to have policies and procedures, including verification procedures, in place to ensure that the databases referred to in paragraph 1 include accurate and complete information. Member States shall require such policies and procedures to be made publicly available.
Article 28(4) requires TLD registries and entities providing domain name registration services to make registration data that are not personal data publicly available, without undue delay after registration. Article 28(5) requires them to provide access to specific registration data upon lawful and duly substantiated requests by legitimate access seekers, in accordance with Union data protection law, without undue delay and in any event within 72 hours of receipt of a request.
Article 28(6) provides that compliance with the obligations set out in Article 28 ‘shall not result in a duplication of collecting domain name registration data. To that end, Member States shall require TLD name registries and entities providing domain name registration services to cooperate with each other.’ This provision may be intended to recognise the .com registry’s ‘thin’ WHOIS model as potentially compliant. Since the adoption of NIS2, other major gTLD registry operators, the Public Interest Registry [1], Google Domains and Identity Digital [2], have adopted a ‘thin’ WHOIS model, ceasing to collect and maintain registrant contact data at the registry level. While some have praised the move as enhancing individuals’ privacy protections, one impact of the change is to shift the collection, verification and disclosure obligations, and therefore the compliance costs, onto downstream providers such as registrars, resellers and proxy providers.
NIS2 imposes a new requirement on TLD registries (including EU ccTLDs) and on entities providing domain name registration services to have data ‘verification procedures’. No definition of ‘verification procedures’ is given in the Directive, but some guidance is contained in recital 111 (emphasis added):
Those procedures should reflect the best practices used within the industry and, to the extent possible, the progress made in the field of electronic identification. Examples of verification procedures may include ex ante controls carried out at the time of the registration and ex post controls carried out after the registration. The TLD name registries and the entities providing domain name registration services should, in particular, verify at least one means of contact of the registrant.
The recital seems to envision some kind of know-your-customer process, drawing where possible on electronic identification (eID) schemes, with a minimum floor of verifying at least one means of contacting the registrant (for example, the email address or telephone number collected under Article 28(2)). The text also leaves room for different compliance approaches: checks at the point of registration (ex ante), or afterwards (ex post).
NIS2: long-arm jurisdiction
The NIS2 Directive carries implications for EU-based TLD registries and registrars and for the global industry, thanks to its extra-territorial effect. Under Article 26(3), a TLD registry or entity providing domain name registration services that is not established in the Union but offers services within it must designate a representative in a Member State where its services are offered; in the absence of such a representative, any Member State in which the entity provides services may take legal action against it for infringement of the Directive.
For gTLD registries, registrars, resellers and proxy providers that provide services within the EU, this means that the NIS2 obligations relating to registration data will apply, no matter where in the world the organisation is based.
Summary: regulatory changes for the domain name industry
Article 28 and the associated provisions form a small part of the overall NIS2 Directive, but have drawn a great deal of attention from the domain name community. The Directive provides some detail, for example the key data fields, and makes clear that the obligations are intended to cover not just domain registries and registrars but also resellers and proxy providers. However, there remains a lack of clarity on what would be acceptable as compliance steps. A group of government experts, the NIS2 Cooperation Group, has provided some helpful guidance, which is explored in this blog series.
Moreover, it is already clear that EU member states are taking variable approaches in their transposition of the NIS2 Directive. This may lead to an uneven approach across the European Union and, given the Directive’s long-arm jurisdiction, internationally. Over the next year, through this blog series, the DNSRF will continue to track implementation of the Directive and to highlight approaches to data verification and know your customer across the domain industry and comparator sectors.
____________________________
[1] The second Directive on Network and Information Security, NIS2.
[2] See Michele Neylon, Blacknight, LinkedIn update, May 2024, https://www.linkedin.com/posts/mneylon_public-interest-registry-pir-who-run-the-activity-7204139659260522496-_kUn?utm_source=combined_share_message&utm_medium=member_ios