European Commission proposal on accuracy of registration data raises numerous questions

Proposed new EU directive on the security of network and information systems is unclear in many respects

Waving flag of the European Union in front of the European Parliament building in Brussels, Belgium

On 16 December 2020, the European Commission published a draft of its proposal for a revised Directive on Security of Network and Information Systems. Known as NIS2, the proposed directive would replace the existing NIS Directive, introduced in 2016. Although the proposal is expected to undergo substantial amendment before becoming law, the directive seems likely to have significant implications for SIDN as operator of the .nl domain, and for the providers of .nl domain name registration services, our registrars. It is therefore well worth taking a closer look.

Implemented in the Netherlands by the Wbni

The proposed directive has numerous noteworthy aspects. The current NIS Directive was incorporated into Dutch law in 2018 by the Networks and Information Systems (Security) Act, abbreviated in Dutch to Wbni. The Wbni provides the legal basis for SIDN's designation as an 'operator of essential services' in relation to our .nl activities, and thus for supervision by the Radiocommunications Agency (nowadays the 'Dutch Authority for Digital Infrastructure'). In that particular respect, however, the wording of the proposal would leave the situation essentially unchanged.

Registrant data

On the other hand, the proposal includes new requirements regarding the registrant data that registries and registrars must hold, and regarding third-party access to such data. The requirements in question are contained in Article 23 (now Article 28) of the proposal. In a nutshell, European member states would be required to ensure that registries and registrars:

  1. 'collect and maintain accurate and complete domain name registration data';

  2. ensure that such data is sufficient for the registrant to be identified and contacted;

  3. have in place and publish policies and procedures to ensure that the data is 'accurate and complete';

  4. publish any such data that is not personal data as soon as possible following registration;

  5. 'provide access to specific domain name registration data upon lawful and duly justified requests of legitimate access seekers, in compliance with Union data protection law', 'without undue delay' and in accordance with their published policies and procedures.

The actual wording of the considerations underpinning this part of the proposal is provided at the end of this blog. I recommend taking the time to read it carefully.

Many unclear aspects

The proposal raises significant questions. Not least because many of the terms used are not clearly defined. What, exactly, do 'accurate' and 'complete' mean? And what is implied by 'lawful and duly justified requests of legitimate access seekers'?

What problem is the Commission looking to resolve?

However, before considering those questions, it is pertinent to ask what problem the European Commission is seeking to address, whether the proposed requirements are actually helpful in that regard, and whether the public interest served by resolving that problem is sufficient to justify the compliance effort required of the domain name industry. Unfortunately, the proposal is largely silent on those matters.

Identification requirement

Let us therefore consider the meaning of 'accurate and complete'. The proposal's current wording could be interpreted as meaning that a registrant's identity must be confirmed when a domain name is registered, and that the registration data must subsequently be re-verified periodically to ensure it remains correct. If so, the requirements may be characterised as onerous in relation to registrations that cost only a few euros a year. However, it is unclear whether that interpretation is correct, or whether much less onerous checks will suffice.

Data publication

The proposal also implies the provision of a 'Whois-style' service for the publication of registration data. However, given that the published data should not include any personal data, it is unclear what data the Commission does want published. At present, each ccTLD registry decides what data to publish, and there are considerable differences across the industry.

Access to data

Then there is the topic of giving certain parties access to registration data, presumably the unpublished data, namely the personal registration data. The proposal is that access to such data (or, depending on who is seeking access, a portion of it) must be granted in response to 'lawful and duly justified requests of legitimate access seekers'. It would appear that 'requests of legitimate access seekers' means not only court orders, but also requests from parties other than those with a legal right to demand access. This aspect of the proposal seems to tie in with the e-evidence proposals. (1) However, the Commission has also taken note of the SSAD system developed within ICANN for the gTLDs (which doesn't apply to country-code domains). The explanatory information accompanying the proposal gives a number of examples of 'legitimate access seekers', but the examples fall well short of defining clear parameters.

European Commission's frustrations

In its current form, the proposal is too unclear for practical implementation and is therefore unworkable. It seems in part to reflect the European Commission's frustrations concerning the policy discussions taking place within ICANN in connection with the restrictions placed on the Whois by the GDPR. That would explain why the proposal states explicitly that the domain name requirements will apply to non-EU-based entities that provide services to EU residents.

Deterrent fines

Finally, I should mention that the proposal makes provision for fines for those who fail to follow the rules. Although the size of those fines is to be left up to individual member states, the draft directive does require them to be sufficient to serve as a deterrent.

Impact on the domain name industry

It will probably be quite a while before the wording of the NIS2 Directive is finalised. In the meantime, we can expect it to be improved, hopefully significantly. Nevertheless, it seems unlikely that the registration data requirements will be removed altogether. Consequently, the definitive version is bound to have implications for the domain name industry.

Wording of Article 23 of the proposed directive

(Article 23 later became Article 28)

Databases of domain names and registration data

  1. For the purpose of contributing to the security, stability and resilience of the DNS, Member States shall ensure that TLD registries and the entities providing domain name registration services for the TLD shall collect and maintain accurate and complete domain name registration data in a dedicated database facility with due diligence subject to Union data protection law as regards data which are personal data.

  2. Member States shall ensure that the databases of domain name registration data referred to in paragraph 1 contain relevant information to identify and contact the holders of the domain names and the points of contact administering the domain names under the TLDs.

  3. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD have policies and procedures in place to ensure that the databases include accurate and complete information. Member States shall ensure that such policies and procedures are made publicly available.

  4. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD publish, without undue delay after the registration of a domain name, domain registration data which are not personal data.

  5. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD provide access to specific domain name registration data upon lawful and duly justified requests of legitimate access seekers, in compliance with Union data protection law. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD reply without undue delay to all requests for access. Member States shall ensure that policies and procedures to disclose such data are made publicly available.

Relevant considerations from the proposal

  • (59) Maintaining accurate and complete databases of domain names and registration data (so called ‘WHOIS data’) and providing lawful access to such data is essential to ensure the security, stability and resilience of the DNS, which in turn contributes to a high common level of cybersecurity within the Union. Where processing includes personal data such processing shall comply with Union data protection law.

  • (60) The availability and timely accessibility of these data to public authorities, including competent authorities under Union or national law for the prevention, investigation or prosecution of criminal offences, CERTs, CSIRTs, and as regards the data of their clients to providers of electronic communications networks and services and providers of cybersecurity technologies and services acting on behalf of those clients, is essential to prevent and combat Domain Name System abuse, in particular to prevent, detect and respond to cybersecurity incidents. Such access should comply with Union data protection law insofar as it is related to personal data.

  • (61) In order to ensure the availability of accurate and complete domain name registration data, TLD registries and the entities providing domain name registration services for the TLD (so-called registrars) should collect and guarantee the integrity and availability of domain names registration data. In particular, TLD registries and the entities providing domain name registration services for the TLD should establish policies and procedures to collect and maintain accurate and complete registration data, as well as to prevent and correct inaccurate registration data in accordance with Union data protection rules.

  • (62) TLD registries and the entities providing domain name registration services for them should make publicly available domain name registration data that fall outside the scope of Union data protection rules, such as data that concern legal persons. TLD registries and the entities providing domain name registration services for the TLD should also enable lawful access to specific domain name registration data concerning natural persons to legitimate access seekers, in accordance with Union data protection law. Member States should ensure that TLD registries and the entities providing domain name registration services for them should respond without undue delay to requests from legitimate access seekers for the disclosure of domain name registration data. TLD registries and the entities providing domain name registration services for them should establish policies and procedures for the publication and disclosure of registration data, including service level agreements to deal with requests for access from legitimate access seekers. The access procedure may also include the use of an interface, portal or other technical tool to provide an efficient system for requesting and accessing registration data. With a view to promoting harmonised practices across the internal market, the Commission may adopt guidelines on such procedures without prejudice to the competences of the European Data Protection Board.

(1) See, for example, the ongoing EPDP2 consultation: https://www.icann.org/public-comments/epdp-2-policy-recs-board-2021-02-08-en