Uniform implementation of NIS2 Article 28 remains a long way off
Solution may be to apply the registry's national rules
As I've flagged up in earlier blog posts, Article 28 of the new Network and Information Security Directive ('NIS2'), published last December, may have significant implications for the domain name industry. Corresponding to Article 23 of the draft directive, the new Article 28 focuses very specifically on the quality of the registrant data linked to a registration, and on what must be done to ensure that the data is correct.
However, Article 28 does not specify who is responsible for verifying registration data when a domain name is registered, what information they must verify, or how. Individual EU member states will therefore have to interpret the directive's provisions when transposing them into national law. That is liable to result in different rules applying in different countries – an undesirable state of affairs for an inherently international industry.
At the moment, there is considerable diversity within Europe's domain name industry in terms of what is done to make sure that registration data is correct. There are differences not only in what is checked, but also in who does the checking: the registry, the registrar or, where relevant, the reseller.
Within the .nl domain, for example, the registrant has primary responsibility for the accuracy of their registration data. As the registry, SIDN verifies the data only after registration, and only if there is reason to do so. So, for instance, SIDN investigates the reliability of the data if there is a suspicion that a domain name is being used for a criminal purpose, such as malware distribution. By contrast, the registry for Denmark's .dk domain requires every Danish registrant to confirm their identity using their national eID. Various alternative verification requirements apply to non-Danish registrants. Meanwhile, the procedure for registering a domain name under a gTLD such as .com or .org involves the registrar sending the registration data to the registrant by e-mail for confirmation.
Because domain name registrations may involve people and organisations in various countries, it's desirable that the rules on registration data verification are the same (or, at least, reasonably similar) everywhere. For that reason, we're pleased to see European countries actively seeking to coordinate the implementation of Article 28. However, the existing diversity will make it difficult to achieve regulatory uniformity. Not least because major differences exist amongst member states in the adoption and use of eIDs. In the Netherlands, for instance, our existing national eID, DigiD, can be used only for transactions with government entities. A Dutch person can't therefore use their DigiD to register a domain name with a private organisation, such as a registrar or a registry. And, in some other countries, there is no eID system for use by companies, societies, government bodies and other organisations. A further complication is that European cooperation hasn't yet reached the point where an organisation in one country can easily check the eID of a person from another country. And there are very few, if any, eID systems for checking the identity of non-European registrants.
As an illustration of the problems that divergent national interpretations of NIS2 might give rise to, consider the following scenario. A registrar based in Belgium registers a .nl domain name for a French person living in Spain. Should the registrar follow the rules that apply in their own country, or the country where the registrant lives? Or maybe the rules of the country whose nationality the registrant holds? Or does the fact that it's a .nl domain name mean that the Dutch rules apply? If the rules are the same everywhere, it doesn't matter much whose rules apply, of course. However, if the registrar's legal responsibilities differ from country to country, it matters a lot. And the confusion could have a negative impact on competition within Europe.
Suppose that, in the scenario sketched above, it's the Belgian rules that apply. What if those rules are stricter than the Dutch rules? The mere fact of being based in Belgium will mean that the registrar incurs higher costs when registering a .nl domain name than a Dutch registrar. So the Belgian registrar's prices will be higher than their Dutch counterpart's. That'll inevitably mean that registrants take their business to registrars in low-cost, high-convenience countries. And, as well as gaining extra revenue, those countries will attract extra trouble, because low prices are particularly important to registrants with dubious motives. The migration of registrants to low-cost, high-convenience countries will inevitably drive a similar migration of registrars. Especially given that domain name registration has become so straightforward in most cases, and such an international, low-margin business.
It seems, therefore, that there is no ideal solution suitable for short-term implementation throughout the EU. In my view, the next best thing would be to start by identifying a set of minimum requirements and agreeing to adopt them as a starting point for further development, with the goal of progressing towards eID-based registration data verification in step with developments in the realm of eIDs.
Given the current diversity, it's possible that individual countries will want to use their own minimum requirements, reflecting what's possible in that country, preferably in consultation with the local domain name industry. However, that will inevitably mean regulatory divergence for several years at least.
In order to keep the situation workable for the industry and to avoid migration to the most lenient regulatory regime, each member state should accept that its own NIS2-based rules apply only to registrations made with registries based in its territory. So, for example, the hypothetical Belgian registrar referred to above would have to follow Dutch law when registering a .nl domain name for a French person resident in Spain, not Belgian, French or Spanish law. The registrar would therefore still be able to compete on equal terms with other registrars that sell .nl domain names. Another advantage of that approach is that it aligns well with current practice in Europe, where registrars are used to applying different rules to registrations under different ccTLDs. It would also allow registries and registrars to reach agreements with their local regulators about who is responsible for verifying the data.
It will also be vital that registries based outside Europe, especially the big registries responsible for gTLDs such as .com, .org and .net, nominate European representatives, as NIS2 requires of entities that are not established in the EU but offer services there. Each of them will then be subject to the rules of the country where their representative is based, and registrations made under those gTLDs, at least those with European registrants, will be governed by the NIS2 rules of the EU country in question. Otherwise, there is a real risk that more and more Europeans will register domain names outside Europe, for reasons of price and convenience.
The scope for registrant data verification currently varies so much from one EU member state to the next that there is little prospect of implementing a uniformly strict verification regime in the near future.
It would therefore be best to agree a set of minimum requirements as a starting point for the development of a uniform regime in consultation with the sector.
Regulatory diversity would have serious adverse implications for an inherently international industry, and would also impact the competitiveness of market players in Europe and beyond.
In order to mitigate such consequences:
it should be agreed that each country's rules will apply only to registrations made with registries based in that country; and
a non-European registry for a TLD that is widely used within Europe should be required to nominate a representative based in an EU member state, so that all registrations made with that TLD are also governed by the relevant state's rules.