On June 3, 2020, EURid, the registry for .EU domains, published its timeline and action plan to withdraw and delete .EU domains registered to entities and individuals located in the U.K.

Background and Brexit

Following the .EU regulations that were published on March 29, 2019, registrations of .EU domain names may be held by EU citizens, citizens of Iceland, Liechtenstein, and Norway, independent of their place of residence—as well as organizations that are established in the EU.

Due to these regulations and subsequently Brexit Day, the day the U.K. formally left the EU, organizations that registered their .EU domains with their U.K. establishments will become non-compliant after the end of the transition period, which is from now until December 31, 2020.

Timeline and action plan

Check that your .EU domain names are registered with entities established in the EU. If any of them are not, modify the registration information in these .EU domain names to those of a legally established entity from one of the eligible EU member states, or be sure to register .UK domain names as alternatives. You must complete any changes by December 31, 2020 because you will not be able to modify any aspect of your .EU domain registrations after January 1, 2021.

What are the risks?

Unless you’re not planning on renewing certain .EU domain names after January 1, 2021, there are three immediate risks that you must take note of with regards to this notification:

1. Disruption to VPN, VoIP, website, services, dependencies, servers, networks, or email

If any of the .EU domain names in your portfolio are being used for your organization, the domain names should be updated to full compliance so they continue to work and outlast Brexit’s transition period.

Use includes:

• Virtual private network (VPN) network
• Voice over IP (VoIP) services
• A content website
• As part of the server infrastructure or network of servers within your organization
• A dependent service, like email, web traffic, or any other way you may not be privy to

2. Loss of control and ownership

Non-compliant .EU domains will cease to work after January 1, 2021 and you will lose control of these domains. At that point, you won’t be able to modify the domain registration information to make them work. The registry will round them up and make them available for general registration after January 1, 2022, and you’ll only be able to make attempts at registering them if you fulfill the .EU registration criteria.

3. Hijacked activity trail from abandoned domain names

We reiterate the core message in our article that an abandoned domain name could hurt you. An abandoned corporate domain name often carries a footprint of activity that can be leveraged as an attack vector by cyber criminals. If any of your .EU domain names were receiving email before, they could continue receiving email correspondence from unsuspecting entities that don’t know you abandoned the domains.

A re-registered domain name gives the new registrant access not only to emails—but also the ability to reset passwords to accounts, like management or financial portals, databases, and social media—giving criminals the opportunity to compromise your business through phishing attacks, data leaks, social engineering, and more.

In addition, if any of your .EU domain names get a certain level of web traffic, you should continue renewing them. KrebsOnSecurity further wrote that such domain names, if not renewed, could pose as a huge security risk to the organization. Reason being, the domain names could then be scooped up by crooks who could use them to set up fake eCommerce sites that steal credit card details from unwary shoppers. These sites capitalize on the visitor traffic that goes towards these sites even after the domain names expire.

Reducing these risks is the rationale behind why EURid will only purge non-compliant .EU domain names after withdrawing them from the active zone for a full year. Although one year may be a long enough period for significant levels of visitor traffic to die down, the other risks are not completely diminished.

Resourceful bad actors could still potentially register and restore expired domain names, and leverage them in the aforementioned ways.

What you can do right now

Review your .EU domain portfolio for non-compliance issues that will arise after the end of the Brexit transition period and modify their registration information where possible, and use tools that can help narrow down your vital domains.