Over the past twenty years of my engagement in the ICANN multistakeholder process, one topic that has always been near and dear to me has been improving the accuracy and access to domain name registration data in a way that respects the legal rights of both registrants and requestors of registration data. Sadly, the glacial pace at which ICANN develops and implements policy has prevented a holistic solution to the problem. I believe, however, that the European Union’s NIS 2.0 directive provides a framework for this holistic solution to become a reality.

My paper title, ”Suggestions for NIS 2.0 Implementation Guidance to Achieve the Goals of the European Union Regarding TLD Name Registries and Entities Providing Domain Name Registration Services under Articles 21 and 28” was inspired by the thought leadership that European ccTLDs have undertaken to enhance the accuracy and access to registrant registration data. Below are a series of recommendations that hopefully inform the work of Member States and the Cooperation Group.

• All domain names registered by a TLD name registry and entities providing domain name registration services shall publicly identify the registrant as either a natural or legal person.
• If the TLD name registry or entity providing domain name registration services permits privacy/proxy registration services, it shall identify the beneficial user/customer as the contact administering the domain name and their status as either a natural or legal person.
• TLD name registries and entities providing domain name registration services shall establish and abide by administrative processes to permit third parties to contest various aspects of domain names registered within that TLD, e.g. accuracy of all registrant data fields outlined in Article 28, access to non-public domain name registration data in the case of illegal/abusive activities, the registration and use of the domain name by an alleged natural person, etc. These administrative processes need to be publicly posted on the website of each TLD name registry and entity providing domain name registration services.
• TLD name registries and entities providing domain name registration services must provide differentiated[1] public access to the required data fields listed in Article 28 corresponding to the registrant type (e.g., natural/legal person).
• TLD name registries shall maintain a complete set of registration data (as required by NIS 2) in a dedicated database for that TLD.
• TLD name registries and entities providing domain name registration services shall take affirmative steps to identify any suspect registrations (e.g. inaccurate registration data or potential abuse) to flag for subsequent investigation/verification. Any registration flagged by a TLD Name Registry or entity providing domain name registration services shall undergo enhanced verification, e.g. eIDAS level “substantial.”

The full text of the white paper, available here, provides a detailed analysis of the basis for these and other recommendations.