Home / Blogs

New EU WHOIS Verification Recommendations Take Center Stage

The EU has once again turned its attention to domain name registration data (WHOIS)—this time reinforcing requirements to collect, maintain, verify, and disclose WHOIS for IP enforcement purposes through its “Commission Recommendation” on measures to combat counterfeiting and enhance the enforcement of IP Rights. Published last month, this regulatory action demonstrates the EU’s commitment to restore WHOIS despite the reluctance of ICANN and the domain name industry to update their policies and practices in response to recent developments. It’s welcome progress after years of growth in online abuse via the domain name system (DNS) with virtually no tools made available for identifying offenders.

A Toolbox for Enforcement

The document, known also as a “toolbox,” focuses on intellectual property rights and describes the varied tools and laws that enable the protection and enforcement of those rights. Significantly, the toolbox demonstrates how existing laws, such as the EU Directive on Network and Information Security (NIS2) and the EU Directive 2004/48/EC14 on the Enforcement of Intellectual Property Rights, support the legitimate interests of IP rights holders to receive WHOIS data for enforcement purposes. The Commission even calls out the unique role that domain name providers (registrars and registries) play in “ensuring the protection of IP rights in the domain name system.” This clarification should remove any doubt that domain name registrars and registries are required to disclose WHOIS for IP enforcements. WHOIS remains an important tool in the box, and one the EU seeks to see responsibly employed.

Best Practices for Verification

What particularly stands out in this document is the recommendation that WHOIS data be verified. This is the second time we’ve seen EU authorities underline the need for verified data—such a provision is a key element of the NIS2, a directive currently under transposition into binding law by EU member states.

Recital 14 of the toolbox recommendation enumerates EU expectations on the part of domain name registries and registrars as it relates to verification:

“Directive (EU) 2022/2555 obliges Member States to require top-level-domain (‘TLD’) name registries and entities that provide domain name registration services to collect and maintain accurate and complete domain name registration data...”(emphasis added)

Registries and registrars are then encouraged:

“...to provide for verification procedures for domain name registration data, by using, e.g., electronic identification solutions and/or publicly accessible registers such as civil and commercial registers to verify the identity of the registrant in full compliance with the right to data protection.” (emphasis added)


“...to take voluntary measures to detect incorrect registration data for existing domain names, and to give registrants a reasonable time period to correct or complete such data, after which a notice of suspension of the delegation of their domain name may be given.” (emphasis added)

Starved for WHOIS data for six years now, and confronted with often wildly inaccurate data in the rare instances legitimate disclosure requests are granted, perhaps we have at least a slight break in the logjam thanks to responsible policymakers interested in doing the right thing.

As I wrote in December, EU representatives reminded registries and registrars during the ICANN78 meeting in Hamburg that the requirement for complete, accurate and verified WHOIS is well on the way, and some operational retrofitting is likely necessary.

Warning of Future Regulation

And the authorities, further now with publication of this toolbox, will be watching. According to the recommendation, the European Commission and EUIPO:

“...will closely monitor the effects and implementation of this recommendation. On this basis, the Commission will assess the effects of the Recommendation within three years from adoption. The Commission will then decide whether additional measures are needed at the EU level.”

It seems obvious that verification as a step in the collection and maintenance of WHOIS data is imminent. This is a welcome development to those not only interested in combating online counterfeiting and IP infringement, but more broadly in the reduction of harms now so prevalent in the DNS.

By Mason Cole, Internet Governance Advisor at Perkins Coie

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Threat Intelligence

Sponsored byWhoisXML API

IPv4 Markets

Sponsored byIPv4.Global


Sponsored byDNIB.com

New TLDs

Sponsored byRadix

Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign


Sponsored byVerisign