The Directive on measures for a high common level of cybersecurity across the European Union – NIS 2 – is currently being transposed into national legislation. DENIC, as part of Germany's critical infrastructure, wants to create an adequate and sustainably practicable solution for domain managers in Germany for implementing the requirements of the Directive.
When the NIS 2 Directive enters into force in October 2024, enhanced cyber security requirements will apply to many companies and organisations in 18 critical sectors, in order to harmonise the security level across the EU member states. This involves reporting obligations for security incidents and penalties in case of violations. Compared to the NIS Directive of 2016, the group of companies concerned as well as the obligations and the official supervision defined in the revised Directive are significantly extended.
For DENIC and its members, Article 28 of the Directive is of particular importance: It obliges registries and registrars "to collect and maintain accurate and complete domain name registration data in a dedicated database with due diligence in accordance with Union data protection law as regards data which are personal data".
DENIC's central aim is to find, together with its members, a good solution for meeting the strict requirements of NIS 2 in an appropriate and sensible way. To this end, DENIC already discussed the new Directive in a NIS 2 Article 28 Working Group last year. DENIC members of different sizes and with different business models, as well as DENIC representatives of the Executive Board, the Legal Department, Policy, Member Relations and Product Management, participated in this group. In the current year, further details will be worked out in two new working groups.
But let us first take a look at the results of the first working group and the suggested changes.
Subject Matter and Changes
The DENIC NIS 2 WG 2023 dealt with the future requirements for collecting and maintaining registration data, their verification and risk assessment, as well as with the question of which data of a domain shall be published via the DENIC information services in the future.
Article 28 of NIS 2 requires registrars, which includes our members, to verify the name, address and e-mail address of the domain holder in the future. DENIC supports its members in this endeavour with a comprehensive range of options for storing verification information for the domain holder with DENIC.
A new requirement will be the mandatory recording of a telephone number for the domain holder in the DENIC database.
Another key issue is the verification of the domain holder data. DENIC is pursuing a risk-based approach here. According to the plan drawn up last year, DENIC will carry out a risk assessment for new and updated domains as well as for domains that have been transferred to a new provider. If the domain is assessed as "suspicious", the DENIC member administering the domain must verify the domain holder data; if the risk is categorised as "high", the domain is placed in quarantine. The NIS 2 WG 2023 has defined model processes for the detailed verification and quarantine procedures.
As regards the publication of holder data via the DENIC information services, it is planned to publish the name, address, e-mail address, telephone number, the last registration date of the domain and the administering DENIC member for legal entities in the future. For natural persons, the last registration date and the administering DENIC member will be published.
The draft concept stipulates that a registrar must inform all domain holders once a year about the holder data stored about them and the possible publication of that data in the information services.
The New Working Groups
The two working groups, which were set up at the beginning of this year, deal with the policy aspects and with the technical implementation in the registration system of the proposals developed last year. As in the NIS 2 Article 28 Working Group, our members are part of the groups and are thus involved in determining the further development.
In addition to working out the technical implementation details of the NIS 2 (Article 28) requirements in the registration system, the technical working group will also draw up a roadmap and coordinate the implementation details. Participants will have the opportunity to help shape the specific design of the interface through their feedback. We will also offer our members the opportunity to test the new features during the development phase.
The Policy Working Group discusses the current draft bills of the NIS 2 Implementation Act and adapts the relevant DENIC terms and policies on the basis of the provisions contained therein. This involves coordination with the technical working group. The next meeting of the group will take place when the national law has actually been adopted.
Why Does NIS 2 Concern Us All?
The scope of NIS 2 is very broad. The Directive targets numerous aspects of cyber security and affects a whole range of important entities such as DNS service providers, TLD name registries, domain name registration services, providers of cloud computing or data center services, online marketplaces, online search engines or platforms for social network services and many more. It also applies to operators of content delivery networks. Thus, it is not only the registries that are responsible for complying with the new strict regulations. The Directive extends far into the complex network of internet-related services. This means that everyone who has anything to do with this network also has to deal with the NIS 2 Directive. In line with our mission statement "for a responsible internet", we want to make our contribution to a high level of security in European cyberspace also in this context.