The NIS Cooperation Group has released critical guidance for the implementation of Article 28 under the NIS 2 Directive, focusing on registration data accuracy obligations for top-level domain (TLD) registries, registrars, and related services in the EU. The guidance, issued on September 18, emphasizes the need for accurate data collection, verification, and publication of non-personal data to enhance cybersecurity across the European Union’s internet infrastructure.
CENTR’s mixed response: The recommendations have been welcomed by CENTR, an association representing European country-code TLDs (ccTLDs), which applauded the guidance for incorporating the concerns of European ccTLD operators. However, CENTR also expressed disappointment that the relationship between Article 28 and data protection regulations, particularly the General Data Protection Regulation (GDPR), remains inadequately addressed. This is especially concerning given the extraterritorial reach of the directive, which applies to both EU and non-EU domains, such as .com and .info.
Data accuracy obligations: Article 28 introduces stringent data accuracy obligations for TLD registries, requiring verification of domain holders’ data and permitting access to personal information by legitimate authorities. While the guidance offers flexibility, such as not applying obligations retroactively to existing domains, concerns persist over how to reconcile these demands with global privacy standards and avoid excessive data collection.
As EU Member States approach the October 17 deadline to transpose the directive into national law, questions around data protection, cooperation with global entities, and the extraterritorial enforcement of these obligations remain unresolved.
Looking forward to ICANN implementing the NIS2 Article 28’s stringent data accuracy obligations for TLD REGISTRIES, requiring verification of domain holders’ data and permitting access to personal information by legitimate authorities. The RDRS is not in compliance.