ICANN must act now to harmonize its domain name registration data (commonly known as WHOIS) policies with Article 28 of the European Union’s Network and Information Security (NIS2) directive, first to adhere to applicable laws as it fulfills its oversight responsibilities and, second, to keep its word to the community to preserve WHOIS to the fullest extent possible under law.
Despite recent developments, ICANN continues to maintain an out-of-date policy driven by registries and registrars—the very parties ICANN is meant to oversee—adopted as a result of the uncertainty created by GDPR in 2018. In fact, ICANN’s failure to update its WHOIS policy in response to the legal clarity provided by NIS2’s Article 28 will only lead to more NIS2-like legislation targeting TLD name registries and entities providing domain name registration services, and possibly even ICANN itself, all on the eve of worldwide governmental deliberations on the fate of DNS governance.
In 2019, five years ago, I posted an article warning that if ICANN didn’t “step up to the plate and establish workable registration data access requirements” discontented governments would take pen to paper and force the issue. I later noted that “ICANN’s failed effort to achieve its goal of preserving the WHOIS domain name registration directory to the fullest extent possible” would mean that “governments would take up the legislative pen in order to fulfill the long-ignored needs of those combating domain name system harms.”
This was all prior to NIS2 and, at the time, my articles on this subject received plenty of comment (mostly negative). But now we’re staring down a fast-approaching October 18 deadline to comply with NIS2 Article 28 requirements on WHOIS laid down by governments who took pen to paper when ICANN dragged its heels.
More specifically, on October 18, the provisions of Article 28 of NIS2 will come into force in most EU member state jurisdictions and, with only weeks left before that date, somehow there remains debate about what Article 28 language actually requires of TLD name registries and entities providing domain name registration services. To date, ICANN has not served as a responsible oversight authority to update its global policy to benefit all stakeholders affected by WHOIS.
WHOIS remains important to anyone impacted by or involved with attempts to thwart the still-growing problem of fraud and abuse perpetrated through the domain name system (DNS). To effectively stop and prevent these types of fraud and abuse, one first needs to know who is behind the domain name registration.
Article 28 addresses this very issue by requiring the “collect[ion] and maintain[ance] [of] accurate and complete domain name registration data” and requiring “TLD name registries and entities providing domain name registration services to provide access to specific domain name registration data upon lawful and duly substantiated requests by legitimate access seekers”. This is no longer a question of whether collection is permitted—it is a legal requirement to ensure WHOIS data contains the necessary and accurate information to identify domain name registrants. NIS2 relies on GDPR Art. 6(1)(c) as the legal basis for processing registration data. This is very different from ICANN’s current compliance posture, which defers entirely to registries and registrars to decide (especially when it comes to data that is not personal data or that concerns legal persons) whether to disclose WHOIS in response to legitimate access seekers.
NIS2’s Article 28 obligations are clear, requiring that “for the purpose of contributing to the security, stability and resilience of the DNS” (the very mission of ICANN) TLD name registries and entities providing domain name registration services must:
Yet ICANN Org’s response to date continues to be something akin to: “Hey, it’s up to our contracted parties (the very TLD name registries and entities providing domain name registration services named in Article 28) to decide whether to disclose.” This is consistent with its operation of the Registration Data Request System (RDRS), which creates no obligation to participate, let alone disclose. It’s no wonder that the RDRS is experiencing minimal participation by the requester community, who are deterred by the low rates of registrar participation, compliance, and meaningful disclosures.
As the saying goes, the rubber is about to meet the road. When October 18 arrives, so will the Article 28 requirements for ICANN’s contracted parties to collect, maintain, verify, create and publish policies around—and disclose to legitimate access seekers records from—a database of accurate domain name registration data. This will help combat cybercrime that in turn will help everyday consumers targeted by criminals who abuse the DNS to perpetrate their crimes.
Now is the time to address Article 28 implementation with the same fervor that ICANN put into GDPR-WHOIS policy harmonization in 2018, when ICANN interpreted that pending regulation to mean WHOIS access should be fully redacted, immediately suspended all its contract obligations around WHOIS, and replaced those obligations with a temporary specification that all but eviscerated access to specific domain name registration data upon lawful and duly substantiated requests by legitimate access seekers. For ICANN to now treat harmonization of its WHOIS policies with NIS2 Article 28 any differently is for ICANN to ignore its DNS oversight mission and responsibilities.
Let’s assume that registrars will publish non-personal data and make that available through WHOIS/RDAP.
Now the good guys can do good things again. At least that is the assumption.
Now, from all my years doing cybercrime research, and as a registrar having access to the full registrant data, the reality is that there will be little data available for the good guys.
But let us ignore the above reality I pointed out. The moment non-personal data is published, the criminals will switch. It is not 2009 anymore.
https://www.infoblox.com/company/news-events/press-releases/infoblox-exposes-chinese-cybercrime-syndicate-linking-european-football-sponsors-human-trafficking-and-a-trillion-dollar-illegal-gambling-economy/
When you are dealing with criminal groups with that kind of money, you can be sure their OPSEC is tight, and they will be watching anything and everything when it comes to new policies, regulations, and laws, because they have a ton of money to spend.
But good luck.