Back in January, we published a comprehensive preview[1] of the types of changes that domain managers could expect, as European country-code registries began to adapt their policies to conform with the NIS2 Directive[2].
This is the first, but likely not the last, update to that initial piece to provide more concrete information about what’s changing with each European domain name extension. This installment will focus on Denmark (.dk), Germany (.de) and Poland (.pl).
If there’s one phrase that domain managers need to add to their vocabulary, it’s “risk-based approach.” In lieu of policy changes that will affect 100% of domain owners, the registries discussed today are sending signs that they’re using automated tools to review domain owner data and requiring action only in cases where a high-risk level is assigned.
Now onto the specific changes that about which we’ve gained more information since January:
Denmark
Signing into a registry with a Digital ID is a logical and effective means to ensure that valid registrant data is used. Denmark’s MitID is used for this purpose is mandatory for domain registrants that specify an address in the country.[3]
Like many European country-code registries, Punktum lets foreign companies register .dk domains without necessarily having a branch office or representative in Denmark. The task for Punktum, the .dk registry, was therefore to develop a verification method for foreign registrants that don’t have MitID.
To approximate the rigor applied to local registrants, Punktum has partnered with an outside firm to conduct registrant data review.[4] A risk assessment is run on the data provided and if a registrant is flagged, they are asked to provide documents.
The document requirement for foreign companies is heavy: Proof of company registration from two different government sources and a utility bill to prove address.
In practice, IP Twins has observed legitimate registrant data “flagged” without containing usual and obvious signs of falsehood (ex. instances of “N/A,” sequential numbers such as 00000, 12345, or anonymized name or organization) Especially when it comes to a client that has never before registered a .dk domain, portfolio managers must be prepared to meet this threshold to ensure that a .dk name will remain active.
Germany
Compared to its counterparts, Germany’s DENIC has tended to request less data from its registrants and display very little on its public domain search. The changes underway in the context of NIS2 are moving things in the opposite direction.
Starting this month, new registration requests will need to include a phone number for the domain owner. It has not been announced if phone numbers collected will have any role in the verification of data, for example by requiring the holder to input a code sent by SMS.
In addition to the phone number becoming mandatory, DENIC has also announced a more general plan to request additional registrant verification. Like Punktum, these prompts will be based on the “risk-based assessment.” Unlike Punktum, two different risk levels are identified[5]:
– Risk Level “Suspicious”: The domain stays active, while additional information (and perhaps documentation) is requested of the sponsoring domain registrar
– Risk Level “High”: The domain is placed in quarantine.
As referenced above, the public domain query on the DENIC website (or query to its WHOIS service) returns the minimum amount of data: A status of “registered” or “available” and in the former case, the nameservers set for the domain. In June 2025[6], this display is expected to include the organization name, sponsoring registrar and registration date.
Poland
NASK, the registry for Poland’s .pl domains, is involving its registrars in data verification procedures to a greater extent than other registries. With some registrars going as far as to suggest that they might not continue to support new registrations for .pl during a transition period, there was an expectation that changes at the Polish registrar NASK might enact “codebreaking” changes to registration procedures. So far, that has not occurred, and the only new information is an outline of the reporting procedures for abusive domains and related penalties.
Unique to NASK (so far) is the move to impose fines on registrars, as opposed to establishing only domain suspension or deletion as the penalty for inaccurate registrant data.
NASK will notify registrars of instances of potentially inaccurate registrant data, which in turn will be reported to the domain owner. A short deadline is given to address the inaccurate data, which is done by providing documents.
Separate fines can be charged to the registrar: A specific fine for instances in which inaccurate data was supplied in the first place AND a daily fine if data takes longer than the deadline for data to be corrected.
Like DENIC there is a change to domain query results, albeit a more minor one: .pl domains with BLOCKED status will continue to display registrant details, as opposed to previously when a “domain name’s billing period had finished” message was displayed.
Conclusion
Except for providing a phone number for .de registrations (which IP Twins had been requesting anyway), new documents or data are still not required at the moment of registration. The change for .dk / .de / .pl is instead that domain managers must be increasingly aware that the data they provide undergoes a “risk assessment” and they must be prepared to collect significant documentation in case the data provided is flagged.
Additional posts will follow as policies for other countries are communicated, so watch this space!
Footnotes
[1] S. Penchansky, “NIS2 directive for domain managers: how best to prepare?”, iptwins.com, 2025-01-21.
[2] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (NIS 2 Directive).
[3] Procedure new dk registrant | Punktum dk
[4] ID check at Punktum dk | Punktum dk
[5] NIS 2 – A Law that Concerns All of Us! The NIS 2 Working Groups at DENIC
[6] .DE NIS 2 Domain Registration Requirements: Enom Customer Support
