The directive on measures for a high common level of cybersecurity across the Union, known as “NIS2”, which is at the stage of a proposal (eur-lex.europa.eu), includes obligations for all top-level domain (TLD) registries and registrars (Art. 2.2.a.iii). Para. 15 sets out an objective: “Upholding and preserving a reliable, resilient and secure domain name system (DNS)”, the purpose being to ensure trust in the digital economy.
To this end, the directive will impose on registries and registrars, considered as “essential entities”, a number of obligations:
- maintain accurate and complete WhoIs data (Para. 61 and Art. 23);
- ensure the integrity of WhoIs data;
- make the data available, in accordance with the General Data Protection Regulation (GDPR) (Para. 59), “without undue delay” (Para. 62).
Emphasis should be placed on one particular obligation. Indeed, in accordance with Para. 60 and Article 23.3, “Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD have policies and procedures in place to ensure that the databases include accurate and complete information. Member States shall ensure that such policies and procedures are made publicly available”. Such an obligation could result, for example, in the systematic checking/documenting of the identity of the person registering the domain name or in the prohibition of the use of prepaid bank cards. In short, since the GDPR protects personal data, anonymity should no longer be allowed.
As for penalties, Article 29.6 provides for the possibility of engaging the liability of natural persons who have failed in their duty to ensure compliance with the obligations set out in this directive.