Trends in the Transposition Journey of Art 28 of NIS2

By Harriet Moynihan
Editor’s introduction
In this guest blog, Harriet Moynihan examines the transposition journey of NIS2’s article 28 from her perspective as a scholar of international law. Harriet used the DNS Research Federation’s NIS2 tracker, with the assistance of Joanna Grant, during her preparation of this blog.
The blog is written as at December 2024, and its key findings are:
- Of the 27 EU Member States, only four had transposed the Directive in time. The European Commission is taking legal proceedings against the remaining 23 Member States.
- With regard to Article 28, there is already a clear variation in approach at the Member State level. Some are transposing the Directive’s text as originally drafted, including Austria, Italy and the Netherlands. Others, such as Belgium and the Czech Republic, go beyond the terms of the Directive, while others again have not fully adhered to its provisions in their transposition.
- Article 28(6), designed to reduce the burden of duplication of data within the DNS industry, remains a key area for debate - with implications and costs yet to become clear.
- Looking ahead, Harriet notes that uneven transposition, implementation and application of the rules will carry the risk of forum shopping in the future. Given the extraterritorial effect of NIS2, this will impact providers both within and outside the European Union.
The DNS Research Federation continues to update the NIS2 Tracker on a regular basis. Readers are encouraged to consult the tracker for up to date information.
1. Introduction
The DNS Research Federation has been following the transposition and implementation of the EU’s Network and Information Security Directive (Directive (EU) 2022/2555, ‘NIS2’) across all 27 EU Member States.
Article 28 of NIS2 imposes an obligation on domain name registries and other entities in the domain supply chain to verify and publish registration data (while complying with the General Data Protection Regulation (GDPR)) and to make certain data available upon request to legitimate access seekers.
This blog examines the extent to which EU Member States have implemented NIS2, and the ways in which they are doing so, drawing on the DNSRF’s Tracker created in April 2024 and updated weekly based on desk research (see here for the methodology).
This blog also considers the implications of the implementation of Article 28 for the different stakeholders with an interest in this process.
2. Background
Until 2018, anyone could look up the name and contact details for the owner of a domain name through a registration directory service called ‘WHOIS’.
It was a useful tool: law enforcement used it to investigate and combat online crime and abuse; intelligence agencies used the data to look for patterns or identify lines of inquiry; consumer brands used the information to enforce their IP rights. Research shows a clear link between criminal activity and the increased use of privacy/proxy services and redaction in domain name registration data. There are therefore good policy reasons for accurate domain name information to be made publicly available.
At the same time, privacy advocates and regulators regularly raised concerns about the mandatory publication of every domain name holder’s name and contact details. As EU data protection laws started to emerge in the 2000s, European registries changed their approach (resulting in lower abuse rates than elsewhere), and when the EU’s GDPR came into force in May 2018, uncertainty over how to apply this complex piece of legislation, combined with GDPR’s extraterritorial reach, led to all personal data simply being removed from the global WHOIS database.
Law enforcement and consumer brands (especially those based in the US) have been unhappy with this decision, and have lobbied EU Member States hard to try to change it.
3. The Network and Information Security Directive 2
In 2022, the EU stepped in with a regulatory solution, in the form of NIS2, which came into force in January 2023. For more information see our backgrounder.
Article 28
Under Article 28 of NIS2, registries and registrars are required to maintain their own independent databases of “accurate and complete domain name registration data.”
Under Article 28(5), those same organisations will need to provide access to specific domain name registration data (including personal data) ‘upon lawful and duly substantiated requests by legitimate access seekers, in accordance with Union data protection law’ and within 72 hours.
As NIS2 is a directive rather than a regulation, under EU law it does not automatically become part of the domestic law of the 27 EU Member States. Rather, Member States are required to ‘transpose’ the provisions of the directive into their national law in an accurate and timely way.
The deadline for implementation of NIS2 into national law was 16 October 2024.
4. Transposition Trends
Member States are adopting broadly similar procedures to transpose NIS2 into their domestic law. For most Member States, this involves the executive drafting a new law that includes the provisions of NIS2; holding public consultations on that draft law; revising the draft to factor in responses to the consultation; laying the draft law before parliament for approval; and then adopting the new law. However, as our Tracker shows, EU Member States differ significantly when it comes to the timeliness of their transposition.
Timeliness
Only four Member States – Belgium, Croatia, Italy and Lithuania – had transposed the provisions of Article 28 in time for the deadline of 16 October 2024.
On 28 November 2024, the European Commission brought infraction proceedings against the remaining 23 Member States (i.e., Bulgaria, Czechia, Denmark, Germany, Estonia, Ireland, Greece, Spain, France, Cyprus, Latvia, Luxembourg, Hungary, Malta, Netherlands, Austria, Poland, Portugal, Romania, Slovenia, Slovakia, Finland and Sweden) for failure to transpose NIS2.
If Member States do not respond and complete their transposition within two months, the Commission may decide to issue an opinion, and ultimately could bring the case before the EU’s Court of Justice, which may impose financial penalties. If, however, Member States respond promptly, the proceedings can be dropped.
Greece has since transposed NIS2 through the enactment of a new law on 26 November 2024. Provided the Commission is content that the new law accurately transposes NIS2, the Commission is likely to drop proceedings against Greece.
Also in the pipeline: Slovakia expects to have its law in place before the end of 2024; and Sweden in January 2025.
Hungary and Latvia have both adopted new laws on cybersecurity that seek to transpose elements of NIS2, but not the provisions of Article 28. Both States have been included in the Commission’s infraction proceedings.
This appears to be something of a trend for Hungary – the Commission’s scoreboard notes that while Hungary has the second lowest transposition deficit (i.e. nearly the highest number of completed directives), it also has the highest number of incorrectly transposed directives. Hungary has now decided to draft a completely new Cybersecurity Act which aims to implement both NIS2 and the Critical Entities Resilience Directive. On 29 October, this draft law was submitted to Parliament. Latvia’s new Cybersecurity Law does not cover Article 28, which is to be addressed in secondary legislation, also causing delays.
While most States have missed the deadline for transposition, the majority at least have the process well under way. So far, 21 Member States have held public consultations on a draft law to transpose NIS2 (Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Finland, France, Germany, Greece, Hungary, Latvia, Lithuania, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, and Sweden).
Reasons for delay
Various factors may account for the delays in transposition by Member States. Firstly, the democratic process for adopting a new law involves multiple stages, including actions by the executive, the legislature and the public (where public consultations are held), which all takes time. NIS2 also covers many sectors beyond ICT services such as domain names - including energy, financial markets, food and chemicals.
Many States have chosen to transpose the entirety of NIS2 into a new law, rather than just Article 28, which requires careful consideration of how the new law fits with existing legislation across this range of sectors.
In some cases, there may be challenges in aligning existing provisions on registration and verification systems with what is required under NIS2. Language can also create legislative hurdles: the Directive must be translated accurately into each Member State’s language, and its specific terminology reflected in national legal texts in accordance with regulatory requirements.
Denmark has decided to implement NIS2 through three new laws, relating to the financial, energy and telecoms sectors respectively, rather than a single law, which adds a further layer of complexity to the process. Some Member States, such as France and Germany, have drafted a new law designed to transpose not only NIS2 but also other directives at the same time, necessitating more complex consultations and review.
In Austria, the National Council voted against the draft law designed to transpose NIS2 in July 2024, and in October 2024, Luxembourg’s Council of State formally objected to its draft law, causing delays in both cases. Events such as elections, which many EU Member States held in 2024, have added to delays to the transposition process because parliament has to be dissolved.
Delays in transposition of EU Directives are not unusual. To put the transposition of NIS2 in context, according to the European Commission’s Single Market Scoreboard on Transposition, in 2023 the average delay for transposition of EU Directives by Member States was 18.3 months, an all-time high. While it is disappointing that so many Member States have missed the transposition deadline in this case, it is likely that within a year of the deadline (i.e. by 16 October 2025) the majority of Member States will have transposed NIS2, or nearly done so, with the Commission’s infraction proceedings keeping the pressure on.
However, a few States are significantly lagging behind, with Portugal having only recently published a draft law for consultation (on 22 November 2024, i.e. over a month after the deadline for transposition) and Spain holding consultations in September 2024 but without having yet published a draft law. Somewhat surprisingly, given its reputation as a leader in the field of cybersecurity governance, at the time of writing, Estonia has yet to publish a draft law either.
Adherence to the provisions of Article 28
As important as timeliness of transposition is accuracy of transposition. It is encouraging to see that many Member States (Austria, Bulgaria, Ireland, Italy, Luxembourg, Malta, Netherlands, Slovakia and Greece) have drafted new laws that adhere faithfully to the provisions of Article 28.
Some States (Belgium, Croatia, Czech Republic, Lithuania, Poland, Romania and Sweden) have drafted laws that go beyond the terms of Article 28, by providing additional guidance or including provisions that seek to facilitate compliance with the Article. For example, under Croatia’s law that transposes Article 28, if applicants for domain registration and domain users do not comply with the law, domain registration can be denied and the domain deleted (Article 47(1)); registries and registrars are also required to keep data for 25 years after a user’s right to use the domain ends (Article 48(1)). The Czech Republic goes further, by creating criminal offences for breaches of the transposed Article 28, imposing a fine of CZK 50m (equivalent to $2m) per offence (Article 60(3), (4) and (7)(c)).
A few States have not fully adhered to the provisions of Article 28 in their transposition, particularly in relation to Article 28(6), likely as a result of intensive lobbying within European capitals.
Article 28(6) states that the new legal obligations should not result “in a duplication of collecting domain name registration data”, wording inserted to reflect the nature of the “thin WHOIS” model used by the .com registry among others, where most domain name data is held by the registrar (the domain seller) and not the registry (the operator). The omission of Article 28(6) in some Member States leaves a potential avenue to reopen the issue of migration to “thick WHOIS”, which was adopted as an ICANN consensus policy in 2014. In 2019, after the coming into force of GDPR had resulted in the redaction of the majority of WHOIS registration data, the ICANN Board of Directors decided to defer enforcement of the policy.
The draft laws of Finland and Croatia do not include an equivalent of Article 28(6). France’s draft law simply refers to the need to keep databases up to date, maintaining accurate and complete data, ‘without redundant collection’, which is not quite reflective of Article 28(6). Portugal’s draft law does not include the final part of Article 28(5), which provides that, ‘Member States shall require policies and procedures with regard to the disclosure of registration data to be publicly available’. (See below for more on interpretation of this clause.)
5. Application of Article 28 Domestically
Once the provisions of Article 28 have been incorporated into national law, Member States need to apply and enforce them in practice. This may include the enactment of secondary legislation that provides for the administration of the new provisions, including verification procedures and sanctions for non-compliance. The Commission has put various strategies in place to assist Member States in implementation, including guidance documents, expert working groups and websites, described below.
The Commission set up a Network and Information Systems Cooperation Group (the ‘NIS Group’) to ensure cooperation and information exchange among Member States, which looks at implementation, among other issues. It is composed of representatives of Member States, the Commission and ENISA.
On 18 September 2024, the NIS Group published clear and practical recommendations on the implementation of Article 28, which we have analysed for this blog series.
The Council of European National Top-Level Domain Registries (CENTR), an industry group for European country code TLDs, has issued its own recommendations to national authorities (Recommendations to the national implementation of data accuracy provisions in Article 28 of Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS2), 10 November 2023). CENTR’s recommendations highlight the low levels of abuse among the European ccTLDs, and advocate for an approach that is aligned with data protection principles such as data minimisation and accuracy.
On 17 October 2024 (i.e., the day after the deadline for implementation), the EU published an Implementing Regulation which lays down rules for the application of NIS2, in particular the technical and methodological requirements of the cybersecurity risk management measures and incident reporting.
Finally, the European Union Agency for Cybersecurity (ENISA) has the role of managing a registry of entities (as provided for under Article 27 of NIS2) and collecting relevant information for competent authorities of Member States, such as entity details, addresses and the services they provide. ENISA conducted a public consultation on its draft guidance on the technical and methodological requirements of the Commission’s Implementing Regulation, which closed on 9 December 2024. It is anticipated that ENISA will publish its guidance in 2025.
6. Implications for Stakeholders
The new framework strikes a balance between protecting data and enabling access to data in specific circumstances. As such, it is likely to provide a better framework than the current one for consumer brands, law enforcement and intelligence services, all of whom may want to request the data for necessary and legitimate purposes, such as the identification of bad actors.
The GDPR itself makes clear, in its preamble, that the right to protection of personal data is not an absolute right. The right must be ‘considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality’ (recital 4). The GDPR also recognises certain restrictions to the protection of fundamental rights in the enforcement of civil law claims (Article 23) and provides for derogations in specific situations such as the establishment, exercise or defence of legal claims (Article 49). A recent advisory by the UK’s data protection agency confirms that “Data protection law does not prevent organisations from sharing personal information, if they do so in a responsible, fair and proportionate way”.
However, for stakeholders, the devil will be in the detail when it comes to whether transposition of Article 28 benefits them in practice or not.
While most Member States will likely have the provisions of Article 28 on their statute books by the end of 2025, it is important to distinguish transposition – which is likely to be relatively harmonised and over which the Commission has some levers – from application and enforcement on the ground, over which the Commission has fewer powers.
The IP lobby, consumer brands and law enforcement all want to see stringent application of Article 28 and more, including fines for transgression. By contrast, the domain name industry will want a looser application of these new provisions. Both are lobbying Member States hard on either side.
Will Member States strictly enforce the 72-hour deadline for lawful requests? How will Member States interpret whether a request for registration data is ‘lawful and duly substantiated’? In some cases, applicants will be able to draw on provisions in EU data protection law to support their data access requests, including (for requests by law enforcement authorities) the EU’s e-Evidence Regulation for law enforcement access, or the powers of CSIRTs under NIS2. In other cases, the application and interpretation of the provisions may be more challenging.
Interpretation of Article 28(6)
There has been some debate about the interpretation of Article 28(6) – the provision designed to reduce the burden of duplication of data on registrars/resellers/privacy and proxy services.
Some argue that “collection” means that only one entity shall be required to obtain data from the data subject, but all entities involved in the domain name registration need to perform all obligations arising under Article 28 after an “internal” transfer of the data to all entities.
Others argue that “collection” means not only obtaining the data from the data subject but also the “internal” transfer, which means that multiple entities holding copies or being controllers or processors of registration data shall be avoided.
Whichever interpretation is adopted will carry implications and costs for the domain name industry.
Sanctions for non-compliance
Article 28 itself does not provide for penalties for non-compliance. Article 34 of NIS2 requires Member States to ensure that ‘essential entities’ which infringe Article 21 or 23 are subject to administrative fines, and that ‘important entities’ are subject to fines of a lesser level. Internet infrastructure actors, such as TLD registries, DNS service providers and IXPs, are recognised as ‘essential digital’ infrastructure actors. Article 21 of NIS2 relates to the risk management of supply chains, and explicitly mentions DNS service providers and TLD name registries in this context.
Fines, if provided for, are likely to be dealt with in secondary legislation. However, some States have provided for fines in their primary legislation. For example, the Czech Republic’s draft legislation provides for fines of up to 2% of worldwide annual turnover for essential entities, as well as including specific fines for breach of Article 28 as highlighted above. Italy’s law provides that failure to register by the deadline will incur up to 0.1% of the entity’s annual worldwide turnover, plus a requirement on entities that are essential or important to appoint a compliance officer and to provide further information. Sweden’s draft law provides for fines of 2% of worldwide turnover for essential entities and 1.4% for important entities.
Levels of enforcement
Notwithstanding the Commission’s push for even implementation across Member States, levels of enforcement are likely to vary, influenced by the Member State’s history and culture in relation to DNS issues. Some Member States may be tempted to apply NIS2 with loose validation requirements (for example, a simple email validation), especially if they want to leverage a commercial advantage through encouraging the presence of registries and other domain name providers; others may require a complete verification process involving multiple data points.
For example, Germany is known for being a ‘pro privacy’ jurisdiction in relation to DNS issues: several big registrars are based there, and regulators are culturally disposed to privacy-based arguments. The attitude of both Germany and Romania is reflected in the fact that they both lodged constitutional objections to the EU’s Data Retention Directive (2006/24/EC), which was ultimately declared invalid by the European Court of Justice on human rights grounds, particularly the right to privacy.
By contrast, Belgium traditionally attaches importance to fighting online abuse and takes proactive measures to collaborate with law enforcement. In keeping with this, Belgium has transposed the provisions in Article 28 promptly and its new law contains provisions designed to facilitate lawful access requests for data. As our Tracker notes, the Belgian cybersecurity authorities, police, judiciary, intelligence services, tax authorities and business ministry all have the right to ask for personal data. As well as the standard response deadline of 72 hours, the law provides for an additional 24-hour required response period in the case of an "emergency access request."
Forum shopping
Uneven transposition, implementation and application of the rules therefore carries the risk of forum shopping, including by entities based outside the EU. NIS2 extends to entities outside the EU if they provide services to the EU, the ultimate service in this case being the registration of domain names. Therefore Article 28 of NIS2 does apply to TLD name registries, or entities offering domain name registration services, that are not established in the EU but offer these services within the EU. Where this applies, under Article 26 of NIS2 they must designate a representative in the EU.
Many domain name registries and registrars, particularly those active in the generic Top Level Domain space, are based in North America. The careful drafting of Article 26(1), (2) and (3), which contains multiple references to domain name industry actors, suggests a legislative intent for Article 28 to cover the gTLD space as well as domestic ccTLDs.
Non-EU TLD registries that are within scope will be watching carefully how Member States decide to enforce the provisions of Article 28, in case some Member States apply the provisions less stringently. Some may even prefer to limit their services to outside the EU, in jurisdictions which do not require the collection of personal data at all, although it is difficult to see this as a feasible option, especially for existing registrations.
As well as the assessment required as to whether entities outside the EU are included within the scope of NIS2, there are also practical questions for those within scope, including how verification will work regarding foreign registration and legal entities.
There is also an intriguing prospect of forum shopping within the EU itself, with different actors seeking to leverage stricter or more relaxed interpretations of Article 28 across the Union.
7. Conclusion
Unlike the EU’s Data Retention Directive (explored above), Article 28 of NIS2 is likely to be implemented across the EU. But it remains to be seen how user-friendly Member States choose to make the process for maintaining and requesting data, and how assiduously they enforce the provisions.
It is crucial that TLD registries, or entities offering domain name registration services that offer services within the EU no matter where they are based, act quickly to ensure they are prepared for the new requirements. Our website and Tracker will be regularly updated to reflect the new laws and secondary legislation being adopted by Member States in this area during 2025, and to analyse further emerging trends.