NIS2 Cooperation Group guidance - a risk-based approach to domain name verification

By Emily Taylor, Kieren McCarthy
Guidance from the NIS2 Cooperation Group - practical advice on compliance
Each EU Member State was due to have passed domestic laws to implement the NIS2 Directive by October 2024. Most states failed to meet that deadline, but as the transposition process progresses, it is already clear that there are divergent approaches at EU member state level.
So, in an effort to avoid a patchwork of different and potentially conflicting laws, the European Commission has established a NIS Cooperation Group to “ensure cooperation and information exchange among Member States.” Members of the group comprise national experts and member state representatives.
The Cooperation Group has produced recommendations for the domain name industry, including on verification of registration data. It is important to note that the recommendations “are not legally binding; they serve as an advisory guideline”.
However, the NIS Cooperation Group document notes that “recommendations are to be considered as minimum requirements that the Member States are recommended to include in their transposition laws to fulfil the objectives of Article 28”. Regardless of the strict legal status, it is anticipated that the NIS Cooperation Group’s guidance will help to drive common approaches. The group has recommended that:
- A registrant’s contact email address and telephone number be syntactically validated and operationally verified. This means that the data should be properly formatted and consistent across fields, and that the email address actually works and the phone number is operational.
- A risk-based approach is used to verify the name of the registrant at registration and renewal, to check that ‘the registrant is who they say they are’, and that the preference should be for electronic verification. Importantly, the group is not recommending that all new and renewing domains are subject to identity checks, only where they are flagged for medium or high risk.
- For the most part, the guidance only applies to “all new registrations ...and for the subsequent renewals of such registrations” (emphasis added). However, it is recommended that periodic checks are undertaken for medium- to high-risk domains, as well as at specific points in the domain name lifecycle.
- When deciding whether or not to verify registrant identities, the risk-based approach should be “based on best practices used within the industry…[and] take account of the state of the art of predictive algorithms techniques.”
- The guidance provides a list of national authorities (including law enforcement, CERTs and CSIRTs) that are “designated as legitimate access seekers”. In a move that will be welcomed by the intellectual property community, the group also suggests that member states may optionally designate private entities, including those enforcing intellectual property rights.
- Any negative replies to requests for non-public domain name registration data should include a statement of reasons. The guidance also suggests that Member States could establish a procedure for urgent requests (for example, in circumstances that pose an imminent threat to life, serious injury, threat to government institutions, critical infrastructure, etc) under which the data requested from legitimate access seekers could be provided within 24 hours, rather than the 72 hours stipulated under Article 28(5).
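The following is an added illustration, not code from the article or from the Cooperation Group, of how the first three recommendations above fit together: syntactic validation of email and phone (including a cross-field consistency check), operational verification by a one-time token, and a gate that only triggers identity verification for medium- or high-risk registrants. The risk tier is assumed to come from an external risk model, the country-to-dialling-code table and the lifecycle event names are constructed for the example, and the rule that identity checks fire on every lifecycle event for medium/high risk is a simplifying assumption.

```python
import re
import secrets
from dataclasses import dataclass

# Constructed table (not from the guidance): ISO 3166-1 alpha-2 country -> E.164 country code.
DIAL_CODES = {"DE": "+49", "FR": "+33", "NL": "+31", "IE": "+353"}
EMAIL_RE = re.compile(r"^[^@\s]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
E164_RE = re.compile(r"^\+[1-9]\d{6,14}$")
# Lifecycle events at which registration data may be checked (names are assumptions).
ALL_EVENTS = {"registration", "renewal", "transfer", "key_field_update", "complaint", "periodic"}

@dataclass
class Registrant:
    email: str
    phone: str
    country: str            # ISO 3166-1 alpha-2, as declared by the registrant
    risk_tier: str = "low"  # "low" | "medium" | "high", supplied by an external risk model (assumed)

def syntactic_check(r: Registrant) -> list[str]:
    """Syntactic validation: well-formed fields that are consistent with each other."""
    problems = []
    if not EMAIL_RE.match(r.email):
        problems.append("email malformed")
    if not E164_RE.match(r.phone):
        problems.append("phone not in E.164 form")
    elif r.country in DIAL_CODES and not r.phone.startswith(DIAL_CODES[r.country]):
        problems.append("phone country code inconsistent with declared country")
    return problems

class OperationalVerifier:
    """Operational verification: prove the mailbox or number is live with a single-use token."""
    def __init__(self):
        self._pending = {}
    def issue(self, channel: str, address: str) -> str:
        token = secrets.token_hex(4)
        self._pending[(channel, address)] = token
        return token  # in production the token is sent over the channel, not handed back to the caller
    def confirm(self, channel: str, address: str, token: str) -> bool:
        expected = self._pending.pop((channel, address), None)  # pop makes the token single-use
        return expected is not None and secrets.compare_digest(expected, token)

def checks_for_event(r: Registrant, event: str) -> set[str]:
    """Which checks a lifecycle event triggers under the risk-based approach."""
    if event not in ALL_EVENTS:
        raise ValueError(f"unknown lifecycle event: {event}")
    checks = set()
    if event in {"registration", "renewal"}:
        checks |= {"syntactic", "operational"}  # every new and renewing domain, regardless of risk
    if r.risk_tier in {"medium", "high"}:
        checks |= {"syntactic", "operational", "identity"}  # identity verification, incl. periodic checks
    return checks
```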
Reactions to the Cooperation Group’s guidance
The NIS2 Cooperation Group’s guidance demonstrates that its members have a clear understanding of the domain name lifecycle, and the different points at which registration data could or should be checked: on renewal, transfer of registrar, update to certain key fields, in response to written motivated complaints.
Industry group CENTR has welcomed the application of a risk-based approach and the lack of retroactive application (meaning that only new registrations, rather than all existing registrations, should be caught by the new rules). CENTR is critical of the lack of guidance in relation to GDPR, and of the inclusion of private sector intellectual property enforcers within the ambit of ‘legitimate access seekers’. The latter may be surprising to those outside the ICANN community, which is characterised by polarisation between the groups representing intellectual property interests and the community of registrars and registries (see, for example, the comment thread on this article about Article 28). However, our research on the way consumer focus groups react to the presence of brands in scam links highlights the overlap between brand abuse and criminal activity. Moreover, the GDPR at articles 23 and 49 recognises certain restrictions to the protection of fundamental rights in the enforcement of civil law claims, and provides for derogations in specific situations such as the establishment, exercise or defence of legal claims.
The Cooperation Group’s guidance provides clear, practical operational steps for those in the domain community, both within and outside of the EU, on how to implement the new obligations relating to registration data at specific points in the domain name lifecycle. This is to be welcomed, given the vague language of the Directive’s provisions. The guidance also differentiates between syntactic and operational checks, which are recommended for every new and renewing domain, and a risk-based approach (both at registration and periodically throughout the domain name lifecycle) for medium- or high-risk domains.
The guidance on legitimate access seekers attempts to provide a compromise between the two polarised positions of the domain industry and IP rights enforcers. By both including private sector intellectual property defenders and making those provisions optional, the guidance misses an opportunity to create much-needed clarity, no doubt ensuring that the polarised positioning and lobbying will continue into the future.
The Cooperation Group’s guidance does not exist in a vacuum. Recital 112 of NIS2 calls on the European Commission to provide guidelines to promote harmonized practices across the EU. In time we expect to see EU Member States undertaking additional measures to incorporate the guidelines into their law.