NIS2 and Know Your Customer: An Overview
By Emily Taylor, Kieren McCarthy
Cybercrime is a large and growing problem [1]. Its global cost over the next five years is projected to rise from $8.3 trillion in 2023 to nearly $14 trillion by 2028 [2], equivalent to the GDP of China. Scams alone are estimated to cost up to $1 trillion a year [3].
The spiralling cost of online fraud and scams has prompted a wide range of efforts – including regulation and voluntary measures by industry. Among them are new legal obligations on registries and registrars to verify the registration details for domain names.
In the European Union, the NIS2 Directive will see all 27 Member States introduce new laws (starting October 2024) that will oblige the domain name industry to collect and maintain accurate registrant data [4]. The impact of NIS2 goes beyond Europe and will affect the industry globally, as the laws apply if the provider offers its services in the EU, regardless of where that provider is based [5].
Our DNS Knowledge Base provides an overview of the NIS2 Directive as it applies to the domain name environment, and of the recent guidance on implementation produced by a group of governmental representatives.
While Article 28 of the NIS2 Directive requires the domain industry to have ‘verification procedures’, it contains little detail to help the industry know how to comply with the new legal obligations. Recital 111 provides background to the verification procedures:
- they should ‘reflect the best practices used within the industry’, including ‘progress made in the field of electronic identification’;
- they may include ‘controls carried out at the time of the registration’ and ‘controls carried out after the registration’; and
- the affected parties should ‘verify at least one means of contact of the registrant.’
Recitals do not have legal force but are useful for interpretation.
Know Your Customer (KYC) is not mentioned in the NIS2 Directive text, yet in the industry dialogue relating to NIS2 and its implementation, it has emerged as a key topic that the affected parties believe may help compliance efforts. Other stakeholders such as those representing public safety, brands and business, have long advocated for the domain industry to implement KYC.
Data accuracy has long been a contentious issue within the domain name industry. With this new legislation however, the debate is no longer whether verification should be required but how it can be done most effectively to meet legal obligations. Compliance practices include verifying registrant details, likely through government-issued IDs, and may require suspending domains that have not been verified. A failure to meet requirements is expected to result in fines.
This blog series is intended to serve as a guide to organisations seeking to understand this new reality and the different approaches and techniques used to understand who businesses are interacting with online.
The series includes:
- A summary of key NIS2 provisions relating to domain name registration data
- Analysis of the NIS Cooperation Group’s guidance
- An explanation of what KYC is, its advantages and limitations
- Case studies on KYC implementation in comparator industries including online dating, crypto and financial services, as well as the domain name industry
- The use of AI in KYC practices
The aim is to show how KYC is used across different industries, to present case studies on how the DNS industry currently verifies the data it receives from domain name registrations and how those practices are changing, and to set out what the introduction of new practices and technologies is likely to mean for the DNS industry.
During 2025, as EU Member States complete the transposition of the NIS2 Directive into national law, it is anticipated that domain name industry actors both within and outside of the EU will adjust their practices to reflect the new legal obligations. This blog series will continue to keep track of KYC adoption throughout the domain industry, and seek to understand trends and common practices as the new laws bed in.
______________________
1 - Cybercrime statistics, The Independent, https://www.independent.co.uk/advisor/vpn/cybercrime-statistics
2 - Fleck, A., Cybercrime Expected To Skyrocket in Coming Years, Statista, February 2024, https://www.statista.com/chart/28878/expected-cost-of-cybercrime-until-2027/
3 - Global State of Scams Report, 2023, https://www.gasa.org/research
4 - NIS2 Directive (Directive (EU) 2022/2555), https://eur-lex.europa.eu/eli/dir/2022/2555
5 - See NIS2 Directive, Article 26(1)(b) and 26(3): “If an entity as referred to in paragraph 1, point (b) [including TLD name registries, and entities providing domain name registration services], is not established in the Union, but offers services within the Union, it shall designate a representative in the Union. The representative shall be established in one of those Member States where the services are offered. Such an entity shall be considered to fall under the jurisdiction of the Member State where the representative is established. In the absence of a representative in the Union designated under this paragraph, any Member State in which the entity provides services may take legal actions against the entity for the infringement of this Directive.”