NIS2 directive for domain managers: how best to prepare?

The NIS2 Directive is reshaping the landscape for domain name registries and registrars across the European Union. As new compliance measures are introduced to ensure accurate registration data and enhanced verification processes, domain name owners and managers must prepare for significant changes in 2025. This article explores the key obligations under NIS2, the evolving policies of registries and registrars, and practical steps to stay ahead of upcoming requirements.

Our colleague Tristan Verna wrote an overview in October of the NIS2 Directive and its transposition into French law. In response to a wave of announcements from domain name registries and registrars about new measures undertaken to comply with NIS2, we wanted to pick up this conversation and prepare IP Twins’ domain name clients for changes in registry and registrar policies in the coming year.

This article will focus on the application of Article 28 of NIS2, which can be found here in its entirety and bears the title “Database of domain name registration data.” In broad strokes, the directive is to ensure the availability of accurate data on domain names and their owners, to be supplied on demand to “legitimate access seekers.”

IP Twins is actively reviewing announcements, contractual revisions and other forums in which domain policy changes are being discussed in the context of NIS2.  For the most part, the information available on rule changes and their timeline for implementation is preliminary in nature, so this article will be light on those details. 

However, as the saying goes, “where there’s smoke, there’s fire.”  The number of domain name registries that have gone public with the message that change is on the horizon lends itself to the conclusion that these changes may come soon and may be significant.

Which domain name suppliers are covered under the directive?

The obligations are directed to “registries and the entities providing domain name registration services,” which would encompass both the registries for country code domains in the EU (ex. DENIC for Germany’s .de domain) and domain name registrars, entities that hold contracts with registries and resell domain services to their clients.  Both are relevant to IP Twins customers, as our supply network involves registries and registrars.

The directive applies to the European Union, but whether an entity is affected goes beyond its place of establishment.  Entities based outside the EU that carry out their activities within the member states are also covered.  The languages and currencies supported by the organization’s website are factors that can determine if it provides services in the EU.

Notwithstanding additional obligations that certain IP Twins clients may face, this article will focus on rule changes for managing domain names, independent of where the client is located and the nature of their business.

What changes are already being implemented?

Upon reviewing all communications received from registries and registrars in reference to the application of NIS2 requirements, roughly half made no reference at all to concrete measures. Most announcements of this nature referenced the need for additional clarity on obligations before changes to their registration system would be implemented. These messages tend to recommend that domain managers and owners verify that their data is in order and make any necessary changes in advance of enhanced scrutiny in the future.

The desire for additional clarity was a common refrain amongst registries and registrars, especially those from countries where the directive has not yet been transposed into national law.  However, not all organizations are taking a “wait and see” approach and several of IP Twins’ partners have already announced concrete actions.  These tended to fall into the following three categories:

    1. Audits: these were all from European ccTLD registries, which indicated that they had implemented automated tools to parse domain data and detect inaccuracies, which if left uncorrected could lead to domain suspension.

Examples: READS application from Registro.it (.it) [1], EURidity from EURid (.eu) [2]

    2. Contact Verification Emails: registrars announced that certain domain actions would now trigger an email notice requiring action from the recipient (ex. click to verify) to confirm that the data owner knows that a domain was registered using their email and that they have reviewed and confirm the accuracy of the domain data provided at registration.

Examples: Team Internet (registrar) [3] and DNS Belgium (registry) [4]

    3. New Data/Syntax Requirements: both registries and registrars announced the introduction of new mandatory fields within domain data and/or that certain fields would need to follow a standardized format going forward.

Examples: DENIC (phone number) [5], Openprovider (various) [6]

These types of measures will require only a moderate increase in the administrative burden for IP Twins’ domain name customers. For example, an IP Twins account manager may respond to a registration request by asking for an additional piece of data that was previously not required. For TLDs where our team knows that an email will be sent to the registrant, we will make note of this fact and ask that the instruction to “click to verify” be passed along to whoever reviews the email address in question.

What is perhaps a larger change is the level of attention that needs to be paid to email addresses used for domain data.  In the above example of a new registration, it will be possible for IP Twins to predict the need to locate and react to a verification email.  That will not necessarily be the case when it comes to domains flagged by registries in routine audits.

Are any stricter rules in the pipeline?

We observed no announcements or concrete steps being taken which went much farther than the above, so this section is speculative in nature.  Its aim is to mention how a literal application of the directive could theoretically manifest itself in practice.

The element of identity verification has invited differing interpretations, some of which go well beyond what is normally requested in the domain registration process at IP Twins.

The consideration of two passages together forms the basis of these interpretations:

1. Article 28, on the requirement of verification:

“Member States shall require the TLD name registries and the entities providing domain name registration services to have policies and procedures, including verification procedures, in place to ensure that the databases referred to in paragraph 1 include accurate and complete information.”

2. Preamble 111-120, on the nature of verification:

“Those procedures should reflect the best practices used within the industry and, to the extent possible, the progress made in the field of electronic identification. Examples of verification procedures may include ex ante controls carried out at the time of the registration and ex post controls carried out after the registration.”

On the far end of the spectrum, one interpretation of the above passages is that they call for “biometric verification and digital ID verification services.” [7] This is based on the reference to electronic identification. Of any interpretations put forward in print, this ranks as the change that would have the most dramatic effect on domain management policies at a registry or registrar.

What should be done today?

We can safely say that many more concrete policy changes will be introduced in 2025 than have already been implemented to date. In some cases, this means a change has been announced and later postponed, but more frequently it’s because the exact nature of changes is still in the planning stages at registries and registrars.

Based on what we know now and chatter in the industry, a reasonable course of action for an IP Twins domain client to take in late 2024 consists of the following:

1. Get a report of the contact information used for your domains

This can be generated on our online management platform, or you can request an Excel file from your account manager.  Especially with larger portfolios, it wouldn’t be uncommon to see some combination of data that is out-of-date, or which belongs to companies or individuals that no longer have any connection to the domain.  If you see anything like this, just send the request to update to our team.

2. Reevaluate the protocol (if any) used previously to assign contact emails

It’s a given that emails that are no longer in use should be replaced with active ones, but there are some pitfalls to avoid even if domain contacts do use valid emails:

  • Mailbox is too overloaded for there to be a reasonable expectation to review every message. For example, if it’s a large company using info@ or contact@, with their main domain name, this mailbox is likely receiving a lot of spam with nothing to do with domain names.  A better option could be a dedicated email for domain contacts.
  • There are multiple emails used for the same portfolio. It’s common for domain management responsibilities to have moved between departments over the years.  If the company has not been actively updating contacts, this can manifest itself as different emails in domain contacts depending on when the domain was registered, for example: first.last@ to it-team@ to domains@ to ip-assets@.  If such a situation is detected, it can be a good idea to centralize domain contacts now.
  • The client’s own email(s) are used, but you know that they’re going to prefer that their service provider take the lead on validation procedures. If you anticipate that the customer is going to have this preference, it could be smart to propose replacing their contact email now.

3. Start a dialogue with your customers

Skip this if you’re only managing your company’s own domains.  If you’re managing domains for other clients, it’s a good time to start letting them know about new verification features arising from NIS2.  The previous point about emails can be a good conversation starter:

“We’ve been following the NIS2 Directive and there are some domain data verification procedures that will be informed over email.  For most of the domains you manage with us, the email used is domains@company.tld.  Could I just confirm with you that this email is reviewed regularly and you’d be able to react to any requests to validate your data?”

Clients will naturally prefer advance warning to any situation where they receive an email they do not understand, or even worse, see a domain suspended because they didn’t react to a prompt to verify/amend data.  Even beyond practical matters, demonstrating an awareness of initiatives affecting the domain name industry will show the client that their domains are in good hands.  Of course, if the client comes back with a question you’re not prepared to answer, feel free to forward it over to your IP Twins account manager for feedback.
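The contact review in steps 1 and 2 can be scripted against a portfolio export. The following Python script is an added example, not IP Twins tooling: the CSV column names (`domain`, `registrant_email`) and the sample rows are constructed assumptions, and the generic-mailbox list holds only the two prefixes named above.

```python
import csv
import io
from collections import defaultdict

# Local parts the article names as overloaded shared mailboxes.
GENERIC_LOCAL_PARTS = {"info", "contact"}

# Constructed sample export; the column names are assumptions.
SAMPLE_EXPORT = """domain,registrant_email
example.com,domains@example.com
example.fr,domains@example.com
example.de,it-team@example.com
example.it,first.last@example.com
example.be,info@example.com
example.eu,
"""


def audit_contacts(csv_text):
    """Return sorted (domain, issue, email) findings for a contact export."""
    findings = []
    by_email = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        domain = (row.get("domain") or "").strip().lower()
        email = (row.get("registrant_email") or "").strip().lower()
        local, at, host = email.partition("@")
        if not (local and at and "." in host):
            findings.append((domain, "missing-or-malformed", email))
            continue
        by_email[email].append(domain)
        if local in GENERIC_LOCAL_PARTS:
            findings.append((domain, "generic-mailbox", email))
    if len(by_email) > 1:
        # Treat the most used address as the portfolio's central contact and
        # flag every domain that still points somewhere else.
        primary = max(by_email, key=lambda e: len(by_email[e]))
        for email, domains in by_email.items():
            if email != primary:
                findings.extend((d, "differs-from-primary", email) for d in domains)
    return sorted(findings)


if __name__ == "__main__":
    for domain, issue, email in audit_contacts(SAMPLE_EXPORT):
        print(f"{domain:12} {issue:22} {email or '(empty)'}")
```

Whether a flagged address is actually monitored, or belongs to someone no longer connected to the domain, still has to be confirmed by a person.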

Conclusion

No definitive overview of the practical implications of the NIS2 Directive on domain registries and registrars can be provided at this time, but an observation of what has happened so far gives us a fair picture of what is likely to come.

Domain customers can expect their domain data to be reviewed more stringently than ever before, to be asked for types of data upon registration that hadn’t been requested in years prior and to receive more email prompts requiring a mandatory response.

It remains possible that some European country code domains will introduce measures such as electronic identity verification that go far beyond the above, but it’s premature to start preparing for this while it’s only theoretical.

The recommendation for now is that a moderate effort be made towards updating registrant data and establishing a protocol that ensures that all email accounts used for domain contacts are reviewed by appropriate personnel.

IP Twins is actively monitoring changes and will guide clients through the compliance process, minimizing/avoiding disruptions to operations.

Notes

[1] Registro.it, Data accuracy: a key element for the development of the digital economy, June 2024

[2] EURid enhances Data Quality with new EURidity system – More news – EURid

[3] Preparing for NIS2 Compliance – CentralNic Reseller

[4] Update .be registrar agreement | DNS Belgium

[5] NIS 2 – A Law that Concerns All of Us! The NIS 2 Working Groups at DENIC

[6] How the NIS2 Directive Impacts EU Domain Management

[7] NIS2 directive: transforming domain registrar dynamics