|
This article provides an overview of the obligations under Art. 28 NIS2, its applicability and discusses the issue of duplication.
On December 14, 2022, the European Parliament adopted the Directive on measures for a high common level of cybersecurity across the Union (Directive (EU) 2022/2555) hereinafter referred to as “NIS2”), which was published in the official journal on December 27, 2022. Being a directive, NIS2 requires transposition into national law.
According to Art. 41 of NIS2, the transposition into national law must take place by October 17, 2024 and the measures must be applied as of October 18, 2024.
One of the concerns expressed by many stakeholders was that EU Member State legislators would impose different or even conflicting requirements when transposing the directive into national law.
Fortunately, with the first (draft) laws becoming publicly available, there seems to be a trend that Art. 28 NIS2 is being more or less translated into national languages with little or no changes of the substance. While this is good news as far as the risk of fragmentation is concerned, there is little to no guidance as to how the language of Art. 28 NIS2 should be understood and implemented.
There are a lot of questions and issues that have been discussed over the last months, and it seems unlikely that there will be alignment on how to operationalize the requirements. An overview of the issues can be found in the report of a workshop held by the eco Association on day zero of the ICANN meeting in Hamburg. This article aims to answer the question of who needs to do what.
Some interventions made during discussion of NIS2 suggest that NIS2 must be observed by all companies involved in domain name registrations. This is not true, but sometimes, it will be difficult to determine if and to what extent NIS2 is applicable.
“TLD name registries” and DNS service providers are considered essential infrastructure (Art. 3 (1) (b) NIS2) and need to observe a range of duties. It is worth noting that TLD name registries are excluded in “situations where TLD names are used by a registry only for its own use” (Art. 6 (21) NIS2), so dotBrands could be off the hook.
And then there is Art. 28 of NIS2, which addresses TLD name registries and “entities offering domain name registration services”, i.e., a registrar or an agent acting on behalf of a registrar, such as a privacy or proxy registration service provider or reseller (Art. 6 (21) NIS2).
In summary, TLD name registries and entities offering domain name registration services must comply with Art. 28 NIS2, but TLD name registries and DNS service providers need to do more.
However, there may be more to consider, so companies should assess the applicability of NIS2 to them, which may also arise from other roles they might play, for example in the context of a supply chain, cloud or hosting services.
If a TLD name registry or an entity offering domain name registration services is not established in the EU but offers services within the EU, it may fall under the scope of NIS2, and it must designate a representative in the EU according to Art. 26 (3) in conjunction with Art. 26 (1) (b) NIS2 (see also Recital 116 of NIS2).
In doing so, NIS2, like other EU laws such as the General Data Protection Regulation (GDPR), applies the Market Location Principle and extends its applicability to entities outside the EU if they provide services to the EU. The European Court of Justice (CJEU) has upheld the extraterritorial reach of EU laws in cases such as Google Spain (C-131/12) and Weltimmo (C-230/14), establishing that entities offering goods or services to EU data subjects are subject to EU regulations. This principle is consistent with the prohibition of extraterritoriality in international law, which limits the ability of a state to enforce its laws beyond its borders without a sufficient connection to the territory.
In operational terms, the question is when there is a sufficiently strong link to the EU is given. Clearly, this will be the case for EU-based TLD name registries working with EU-based registrars. If a TLD name registry outside the EU that does not fall under NIS2 works with a registrar that is not covered by NIS2, Art. 28 NIS2 should not apply to the domain name registrations in that business. For everything in between, careful assessment is warranted.
Art. 28 NIS2 sets out four tasks for TLD name registries and entities providing domain name registration services, namely:
“1. For the purpose of contributing to the security, stability and resilience of the DNS, Member States shall require TLD name registries and entities providing domain name registration services to collect and maintain accurate and complete domain name registration data in a dedicated database with due diligence in accordance with Union data protection law as regards data which are personal data.
2. For the purposes of paragraph 1, Member States shall require the database of domain name registration data to contain the necessary information to identify and contact the holders of the domain names and the points of contact administering the domain names under the TLDs. Such information shall include:
(a) the domain name;
(b) the date of registration;
(c) the registrant’s name, contact email address and telephone number;
(d) the contact email address and telephone number of the point of contact administering the domain name in the event that they are different from those of the registrant.
3. Member States shall require the TLD name registries and the entities providing domain name registration services to have policies and procedures, including verification procedures, in place to ensure that the databases referred to in paragraph 1 include accurate and complete information. Member States shall require such policies and procedures to be made publicly available.
4. Member States shall require the TLD name registries and the entities providing domain name registration services to make publicly available, without undue delay after the registration of a domain name, the domain name registration data, which are not personal data.
5. Member States shall require the TLD name registries and the entities providing domain name registration services to provide access to specific domain name registration data upon lawful and duly substantiated requests by legitimate access seekers, in accordance with Union data protection law. Member States shall require the TLD name registries and the entities providing domain name registration services to reply without undue delay and, in any event, within 72 hours of receipt of any requests for access. Member States shall require policies and procedures with regard to the disclosure of such data to be made publicly available.”
It is noteworthy that Art. 28 (1) to (5) NIS2 contains the following language for all of these four tasks: “Member States shall require the TLD name registries and the entities providing domain name registration services….”, which may suggest that all of these entities must perform all of these obligations.
And then there is Art. 28 (6) NIS2, which reads:
“6. Compliance with the obligations laid down in paragraphs 1 to 5 shall not result in a duplication of collecting domain name registration data. To that end, Member States shall require TLD name registries and entities providing domain name registration services to cooperate with each other.”
The language of Art. 28 (6) NIS2 is ambiguous as it only mentions the processing activity of collection that shall not be duplicated.
There seem to be two ways in which Art. 28 NIS2 is understood, namely:
The first alternative would only prevent a duplication of the interaction with the registrant, but still require maintaining multiple databases, dealing with the verification of registration data, making non-personal registration data publicly available, and providing access to non-personal registration data.
Was it really the legislator’s intention to require such an approach which would not only require the duplication, but the multiplication of all but one of the obligations laid down in Art. 28 (1) to (5) NIS2?
There is some evidence in and around NIS2 that supports the view that this was not the case and that alternative 2 above is the right answer:
If the relevant parties cooperate, none of the tasks need be duplicated. However, if there is no cooperation, each party must fulfill the obligations.
As a consequence, it is possible for gTLD name registries to move to the minimum data set according to the new Registration Data Policy. Also, it is possible for TLD name registries (most likely many ccTLD name registries will use this option) to collect the registration data and share the responsibilities with registrars, resellers, and privacy and proxy service providers differently. It all depends on the operating model and the appropriate agreements. Fortunately, the national laws transposing NIS2 that have been published so far leave room for such diversity.
Sponsored byCSC
Sponsored byRadix
Sponsored byVerisign
Sponsored byDNIB.com
Sponsored byWhoisXML API
Sponsored byIPv4.Global
Sponsored byVerisign
Kudos Thomas on a well-researched and written article. We agree there are two potential interpretations for the “collection” requirement outlined in Art. 28 (6). However, allow me to explain why I believe your first definition/option is the more likely interpretation based upon existing European ccTLD best practices, as well as some additional data points that were omitted from your initial analysis.
DENIC (.DE)
DENIC has taken a very thoughtful and measured response in collaboration with its registrar members toward its NIS 2.0 obligations. While DENIC is deferring to its Registrars to collect and verify the Registrant data, DENIC is still maintaining a copy of that data from its registrars for several reasons. First, DENIC has a direct contractual relationship with the domain name registrant, therefore it makes no sense for them not to have a copy of this data. Second, DENIC is running a series of algorithms to determine high-risk and very high-risk domain names. Having access to this underlying registration data is likely critical to making these determinations, although DENIC has not made public their specific algorithm data points.
Punktum (.DK)
Punktum is in the final consultative process with its registrar network regarding its NIS 2.0 obligations, and its approach also appears to be consistent with your first option/definition. Punktum has traditionally taken the point in verifying registrants, using MitID for Danish registrants, and an out-of-band process for non-Danish registrants. Under the newly proposed procedures under consideration, Punktum would permit Registrars to do registrant verification but they would be required to provide the registration data to Punktum. Punktum would also reserve the right to audit the verification process undertaken by the Registrar.
I could continue with several additional European ccTLD best practices but that is the subject of another paper I am currently working on, so you will have to wait for that further analysis.
There are several additional data points that I think are missing from your initial analysis which should factor into any final determination by the Cooperation Group in interpretating Art. 28 (6):
- Your statement that “gTLD registries never collect data from the data subject” is just not correct. While the vast majority of gTLD Registries do not collect data from the data subject, there are some gTLDs that do, e.g. .BANK, .PHARMACY, as well as most/all Spec 13 Registries.
- The vast majority of ccTLD Managers have historically distinguished between natural and legal registrants. Unfortunately, most gTLD Registries do not. This feature alone could greatly minimize the potential duplication of PII.
- It is possible for a Registry Operator to process Registrant verification data without processing PII. I again would like to applaud the work that Verisign has done in various RSEP filings to comply with regulatory requirements imposed by the People’s Republic of China. See RSEPs 2023055, 2022044, and 2016030
- In addition to Verisign, multiple other ICANN registry operators have demonstrated how it is possible to comply with national registrant verification requirements.
- I believe the following excerpt for recital 111 will also play an important role in interpreting the text of Art. 28 (6), “TLD name registries and the entities providing domain name registration services should adopt and implement proportionate procedures to verify domain name registration data. Those procedures should reflect the best practices used within the industry and, to the extent possible, the progress made in the field of electronic identification.” I spent last week in Berlin attending the European Identity Cloud (EIC) conference where I saw several presentations on the European Digital Identity Wallet Architecture and Reference Framework. There are already several European ccTLDs that have integrated national digital IDs into their registration process and eIDAS 2.0 will likely expand this use. In fact, one of the eIDAS 2.0 Large Scale Pilots has already proposed using a wallet in connection with the registration and maintenance of domain names.
While I respect that we may not see eye to eye on this definitional issue, I would like to leave CircleID readers with the following reference point to determine which option/definition was most likely the intent of the legislators.
Occam’s razor states that all things being equal, simpler explanations are generally better than more complex ones.
- The purpose of NIS 2.0 was to “achieve a high common level of cybersecurity across the Union”
- It is widely acknowledged that European ccTLD have some of the lowest fraud/abuse rates of any TLD.
- Option/Definition 1 is consistent with the current and proposed business practices of DENIC and Punktum, but also many other European ccTLDs.
- Option/Definition 1 provides a framework for the European Union to advance other legislative initiatives such as eIDAS 2.0
- Option/Definition 2 has the potential to impede or break existing European ccTLD best practices that have resulted in the lowest fraud/abuse rates.
- Option/Definition 2 only appears to primarily benefit large non-European domain name registration authorities (registries and registrars) advancing their business interests.