
NIS2 Article 28 Guidance: A Positive Step Toward Reducing DNS Abuse Across Europe

The European Union (EU) has set a high bar by tackling domain name system (DNS) abuse head on via government regulation and seems to have successfully resisted attempts to water down DNS stewardship obligations. Recent guidance from a key European Commission cooperation group (the NIS Cooperation Group) handling sections of the Network and Information Security Directive (NIS2) intends for a robust implementation of Article 28, which will go a long way toward helping to mitigate some of the longstanding problems that persist in the DNS.[1]

Article 28 transposition guidance

The cooperation group advising EU member states on transposition of Article 28—the NIS2 article critical to those in the domain name industry—clarifies the treatment of domain name registration data (“WHOIS”) under the General Data Protection Regulation (GDPR) and establishes specific duties for all parties along the domain name supply chain to fulfill:

  • Syntactical and operational accuracy of registration records;
  • A “risk-based” approach to registrant identity verification for suspicious registrations;
  • Suspension or cancellation of domain names that fail verification;
  • Recognition of those with a stake in the prevention or mitigation of online crimes, including intellectual property rights holders, as legitimate access seekers with a legal basis for data access;
  • Fulfillment of legitimate data requests within 72 hours;
  • A constructive, helpful statement of reasons for data access denial, in the event the data cannot be provided; and
  • A 24-hour turnaround for data disclosure resulting from urgent requests.

While these measures certainly do not go as far as they could in terms of the strength of available anti-abuse tools, they’re a significant improvement over the status quo, which offers very little to parties seeking to protect end users, businesses, rights holders, and others suffering from online criminal behavior. European regulators understand that while cybercrime is seemingly always on the increase, they would be negligent not to equip responsible authorities with the tools they need.

Detractors will no doubt say these steps are too burdensome for them to put in place, that they’ll unreasonably drive up registration costs, that the criminals are too smart or too evasive to get caught in this intensified net, or come up with some other excuses for not acting. However, the time for arguing is over—the good guys need backup against the bad guys, and right now the bad guys have the upper hand thanks to lax registration requirements and the lack of access to accurate WHOIS data. A fresh set of tools will undoubtedly help. There’s no excuse for not trying.

Belgium is setting the example

Belgian authorities have advanced helpful requirements via their full transposition of Article 28 into their national law, including:

  • Accurate and complete registration data, maintained by both registries and registrars;
  • Verification procedures to ensure accuracy;
  • Immediate publication of non-personal data following registration;
  • A 72-hour maximum window for registration data publication following legitimate requests, and immediate publication for urgent requests;
  • Requirements that both top-level domain name registries and entities providing domain name registration services immediately block the operation of a domain name and prevent it from being transferred if the registration/WHOIS data are incorrect, inaccurate, or incomplete.

This reads like the consumer protection law that it is shaping up to be and is very much needed. This is a strong development—consumers and businesses need to know about unscrupulous businesses online.

Legitimate Access Seekers

Industry authorities continue to weigh in as well on the practicalities of NIS2’s requirements. For example, refer to Recital 110 of NIS2, which defines “legitimate access seeker(s)” of domain name registration data (commonly known as WHOIS) as “any natural or legal person making a request pursuant to Union or national law.”

As expressed in a letter dated May 2024, Amy Cadagin, Executive Director of the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG), stated:

“It is the experience of M3AAWG members that law enforcement agencies often collaborate with and rely upon independent researchers and non-governmental organizations to track and combat illegal online activity.”[2] Cadagin added that “This is consistent with the approach taken by the European Cybercrime Centre, which aims to engage public and private sector stakeholders whose skills, resources, and reach are needed alongside law enforcement efforts to create a safer digital environment.”[3]

Conclusion

Members of our coalition, plus the countless others that have been desperate for help for many years, are grateful for the European Commission coordination group’s and Belgium’s robust national law implementation as well as the authoritative voices of those on the front lines of abuse. We hope that other EU Member States will follow the excellent example that Belgium has set and will continue to heed good advice when offered. We look forward to continuing the battle against DNS abuse, both within the ICANN sphere and with governmental partners in the months to come.

By David Hughes, Executive Director at Coalition for Online Accountability

Comments

Putting your money where your mouth is Rubens Kuhl  –  Oct 31, 2024 7:30 AM

I guess onlineaccountability.net could use SSL/TLS so we could know whether we are looking at the real website or at a forgery ?

Also, it’s curious that it seems WHOIS data is for a different organization:
Registrant:
Name: PERFECT PRIVACY, LLC
Email: (not displayed)
Whois Server: whois.register.com
Phone: +1.5707088622
Mailing Address: 5335 Gate Parkway care of REGISTER.COM, Jacksonville, FL, 32256, US

Onlineaccountability.net has been unmasked David Hughes  –  Oct 31, 2024 5:31 PM

Rubens,
Thank you for pointing this out.
The information on onlineaccountability.net has now been unmasked, and we will add an SSL certificate as well.
