The European Union’s Network and Information Security Directive (NIS1), introduced in 2016, aimed to strengthen cybersecurity among Member States. However, market fragmentation and growing digital threats led to the enactment of the NIS2 Directive. Effective from January 2023, NIS2 broadens NIS1’s scope, introducing cybersecurity frameworks, national strategies, incident response teams, and risk management protocols. Member States have until October 2024 to incorporate NIS2 into national law.

DNS Industry impacts: Article 28 of NIS2 significantly impacts the domain name ecosystem, involving stakeholders like domain name registrars and DNS service providers. It mandates accurate collection and maintenance of domain name data, public disclosure of non-personal registration data, and strict adherence to EU data protection law. The industry faces challenges, including compliance with swift incident responses and public data disclosure policies and ensuring collaboration to prevent data duplication.

Compliance challenges: The DNS industry is navigating challenges in aligning with Article 28 of NIS2. These include varying verification procedures across EU Member States and adjustments needed for businesses to meet NIS2 guidelines. Uncertainties remain regarding the Directive’s coverage, jurisdiction issues, and requirements for non-EU entities providing services in the EU.

The industry collaboration and response: In anticipation of the ICANN78 meeting, eco—Association of the Internet Industry organized a workshop to address Article 28’s implications for the DNS industry. The event gathered stakeholders, the European Commission, national governments, and the ICANN community to discuss challenges and develop unified responses to NIS2’s regulatory impact. Thomas Rickert of the eco Association emphasized the industry’s collective responsibility in adapting to these changes.