The NIS2 Directive and Its Impact on Domain Name Ecosystem

The NIS2 Directive is a new European Union law on cybersecurity that aims to harmonize cybersecurity preparedness levels in critical sectors, including the digital infrastructure. This directive applies to TLD registries and DNS service providers, making them essential entities that must adopt minimum cybersecurity risk management measures and report security incidents to authorities. Non-compliance with these measures could result in penalties of up to 2% of the total worldwide annual turnover. Additionally, the directive introduces a data accuracy obligation, requiring TLD registries and entities providing registration services to collect and maintain accurate registration data, respond to legitimate access seekers within 72 hours, and cooperate to prevent duplication of data collection. The penalties for non-compliance with data accuracy obligations are left to member states to decide. Registrants should be aware that additional verification steps for identity information may be introduced in the future, potentially leading to more costly and delayed domain registrations. Member states implementing the directive should carefully consider existing instruments, such as GDPR, and exercise caution when introducing verification procedures at the national level to avoid unnecessary obstacles for end users and allow flexibility for operators to conduct checks based on identified risks.