The European Union (EU) has set a high bar by tackling domain name system (DNS) abuse head on via government regulation and seems to have successfully resisted attempts to water down DNS stewardship obligations. Recent guidance from a key European Commission cooperation group (the NIS Cooperation Group) handling sections of the Network and Information Security Directive (NIS2) intends for a robust implementation of Article 28, which will go a long way toward helping to mitigate some of the longstanding problems that persist in the DNS.¹

Article 28 transposition guidance

The cooperation group advising EU member states on transposition of Article 28—the NIS2 article critical to those in the domain name industry—clarifies the treatment of domain name registration data (“WHOIS”) under the General Protection Data Regulation (GDPR) and establishes specific duties for all parties along the domain name supply chain to fulfill:

• Syntactical and operational accuracy of registration records;
• A “risk-based” approach to registrant identity verification for suspicious registrations;
• Suspension or cancellation of domain names that fail verification;
• Establishment as legitimate access seekers with a legal basis for data access those that have a stake in the prevention or mitigation of online crimes, including those against intellectual property rights holders;
• Fulfillment of legitimate data requests within 72 hours;
• A constructive, helpful statement of reasons for data access denial, in the event the data cannot be provided; and
• A 24-hour turnaround for data disclosure resulting from urgent requests.

While these measures certainly do not go as far as they could in terms of the strength of available anti-abuse tools, they’re a significant improvement over the status quo, which offers very little to parties seeking to protect end users, businesses, rights holders, and others suffering from online criminal behavior. European regulators understand that while cybercrime is seemingly always on the increase, they would be negligent to not equip responsible authorities with the tools they need.

Detractors will no doubt say these steps are too burdensome for them to put in place, that they’ll unreasonably drive-up registration costs, that the criminals are too smart or too evasive to get caught in this intensified net, or come up with some other excuses for not acting. However, the time for arguing is over—the good guys need backup against the bad guys, and right now the bad guys have the upper hand thanks to lax registration requirements and the lack of access to accurate WHOIS data. A fresh set of tools will undoubtedly help. There’s no excuse for not trying.

Belgium is setting the example

Belgian authorities have advanced helpful requirements via their full transposition of Article 28 into their national law, including:

• Accurate and complete registration data, maintained by both registries and registrars;
• Verification procedures to ensure accuracy;
• Immediate publication of non-personal data following registration;
• A 72-hour maximum window for registration data publication following legitimate requests, and immediate publication for urgent requests;
• Requirements that both top-level domain name registries and entities providing domain name registration services immediately block the operation of a domain name and prevent it from being transferred if the registration/WHOIS data are incorrect, inaccurate, or incomplete.

This reads like the consumer protection law that it is shaping up to be and is very much needed. This is a strong development—consumers and businesses need to know about unscrupulous businesses online.

Legitimate Access Seekers

Industry authorities continue to weigh in as well on the practicalities of NIS2’s requirements. For example, refer to Recital 110 of NIS2, which defines “legitimate access seeker(s)” of domain name registration data (commonly known as WHOIS) as “any natural or legal person making a request pursuant to Union or national law.”

As expressed in a letter dated May 2024, Amy Cadagin, Executive Director of the Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG) stated:

“It is the experience of M3AAWG members that law enforcement agencies often collaborate with and rely upon independent researchers and non-governmental organizations to track and combat illegal online activity.”² Cadagin added that that “This is consistent with the approach taken by the European Cybercrime Centre, which aims to engage public and private sector stakeholders whose skills, resources, and reach are needed alongside law enforcement efforts to create a safer digital environment.”³

Conclusion

Members of our coalition, plus the countless others that have been desperate for help for many years, are grateful for the European Commission coordination group’s and Belgium’s robust national law implementation as well as the authoritative voices of those on the front lines of abuse. We hope that other EU Member States will follow the excellent example that Belgium has set and will continue to heed good advice when offered. We look forward to continuing the battle against DNS abuse, both within the ICANN sphere and with governmental partners in the months to come.