The Impact of NIS2 on Ireland’s Domain Name Industry

by David Curtin
20 Jan 2024

The European domain name sector is finding itself having to prepare for multiple new regulatory initiatives. Regulatory pressure in this sector is not new, but it is definitely increasing. A brief glimpse at the horizon shows multiple regulations coming, such as the critical entities directive (CER); the eIDAS 2.0 Regulation, covering e-certificates for authentication and electronic seals for electronic documents; and new regulations affecting Intellectual Property Rights for everything from crafts to spirits. The one law that everyone in the domain name industry is (or should be) talking about, though, is NIS2.

What is NIS2?

NIS2 is an EU directive for a “high common level of cybersecurity across the Union.” It replaces the first “Network and Information Systems Directive” (hence the name NIS2). As an EU Directive, NIS2 sets out a goal that EU Member States must achieve. However, Member States are allowed to come up with their own national laws in order to reach that goal. The goal in NIS2 is to have a “high common level” of cyber resilience and cyber security across the Union.

In Ireland, NIS2 will be transposed into national law by October 17, 2024 through the upcoming National Cyber Security Bill. This was announced in the government’s Autumn 2023 Legislative Programme, but no further details on the contents of the bill have been released. Just like any other law, the Bill will need to go through the stages of passing a Bill in the Oireachtas.

Does NIS2 apply to me?

If your business is operating in the internet domain name space, then it probably applies to you. Article 2 of NIS2 explicitly names Top-Level Domain Registries (like the .ie registry), domain name service providers, and any “entity providing domain name registration services.” This includes Domain Name Registrars and Resellers – the companies from which users purchase the rights to a .ie domain name. Unlike other sectors and businesses affected by NIS2, there is no size cap for registrars and resellers. Any entity providing domain name registration services will be subject to NIS2, no matter how small.

So what does NIS2 say, exactly?

For the domain name sector, there are a few parts of NIS2 that are most relevant:

  • Jurisdiction (Article 26) – TLD Registries, DNS Service Providers, Registrars and Resellers will be under the jurisdiction of the Member State they’re established in – this means the country where they make cybersecurity decisions. Any entity established outside the EU but offering services within the EU will need to designate a representative in the Union.
  • Registry of Entities (Article 3(4) and Article 27) – The EU Agency for Cybersecurity (ENISA) needs to create a “Registry of Entities”, which will include entities in the domain name industry (registries, registrars, etc.). These entities will have to provide information about their entity (name, contact, address, etc.) to their Member State’s Competent Authority by 17 January 2025.
  • Database of Registration Data (Article 28) – Registries, registrars, and resellers alike will need to have a “dedicated database” of complete and accurate information on any registrant who signs up for a domain name. This database will need to include (at minimum) their name, email, phone number, and information for any administrative points of contact. This also means that registries and registrars will need to have verification processes.
  • Legitimate Access Seekers (Article 28) – Registries and registrars will also need to disclose this registration information to “legitimate access seekers” within 72 hours, if the request is “lawful” and “duly substantiated.” This means that each request has to be examined carefully to make sure that it is lawful.
  • Cyber Security Risk Management (Article 21) – Article 21 has a long list of cyber security measures that some entities have to implement. Registries like .ie will need to implement these measures as a designated “essential entity.” Registrars aren’t mentioned in Article 21, but may also be impacted because they are part of a registry’s supply chain, and one of the measures is to ensure “supply chain security.”

More specific requirements will be clarified in a separate set of laws called “Implementing Acts.” These laws come from the European Commission, and will be passed by 17 October 2024.

The Impacts and Risks of NIS2

NIS2 presents an opportunity for Ireland to improve its cybersecurity resilience. But in the domain name industry, it risks bringing severe unintended consequences, particularly for small companies, if not transposed carefully in Ireland.

The requirement to have verification processes for registration data could overburden smaller registrars, especially if the information that must be verified is comprehensive or difficult to collect. Even the requirement to provide access to “Legitimate Access Seekers” may overburden registrars if this term is defined too broadly. If the definition for “legitimate access seekers” goes beyond things like law enforcement, or government regulators, it will just make it harder and more expensive for companies to verify the access seeker’s identity.

The cybersecurity measures under Article 21 may also impact smaller entities. We don’t know yet what the required measures will be, or how they will affect smaller companies that are part of the supply chain for essential entities (like .ie). Consideration needs to be given to an entity’s exposure to risk when prescribing these requirements.

In general, the Government needs to ensure that any adverse impacts from transposing NIS2 are mitigated – and one of the best ways to do this is to give clear information about the new regulations, with ample time to prepare. Those who will be within the scope of the NIS2 regulations need to have certainty without delay.

Conclusion

At .ie we are committed to demonstrating leadership for our sector and providing good governance. This includes meeting all our regulatory requirements, including NIS2. It is not an easy task, but .ie is thankfully equipped with a multi-stakeholder Policy Advisory Committee that ensures its policies and procedures are consensus-driven and will help .ie navigate the rough regulatory waters ahead. On this matter, .ie will also continue to advocate for its stakeholders to policymakers, and collaborate with cross-border partners and government officials to mitigate any possible adverse impacts on registrars and internet users.

As the trusted national registry for over 330,000 domain names, .ie protects Ireland’s unique online identity and empowers people, communities and businesses connected with Ireland to thrive and prosper online. A positive driving force in Ireland’s digital economy, .ie serves as a profit for good organisation with a mission to elevate Ireland’s digital identity by providing the Irish online community with a trusted, resilient and accessible .ie internet domain. Working with strategic partners, .ie promotes and invests in digital adoption and advocacy initiatives – including the .ie Digital Town Blueprint and Awards for local towns, communities and SMEs. We provide data analytics and dashboards built by the .ie Xavier team to help with data-led decision-making for the public, registrars and policymakers. The organisation is designated as an Operator of Essential Services (OES) under the EU Cyber directive, and we fulfil a pivotal role in maintaining the security and reliability of part of Ireland’s digital infrastructure.
