NIS/2: actions to take

The NIS Cooperation Group, which includes regulatory bodies from various EU countries, recently released its recommendations for the implementation of NIS2 Directive Article 28. While these guidelines are not legally binding, they serve as an essential reference for anyone involved in domain name registrations. Following these recommendations is crucial for ensuring compliance and improving data accuracy.

In this post, we’ll highlight some of the more notable aspects of the document, focusing on the simpler, more achievable procedures that can help you stay on the path to compliance. While compliance is not yet mandatory, the Belgian regulator, like many others across Europe, expects steps to be taken toward improving data quality.


Why Compliance Isn’t Mandatory (Yet)

Thanks to pressure from organizations like ours and other like-minded entities, mandatory compliance isn’t currently enforced. However, the Belgian regulator does expect action towards compliance, particularly around improving the quality of domain registration data.

One challenge many industry players face is the absence of specific, mandated procedures. This lack of concrete guidance makes it difficult to know if your compliance efforts are sufficient. However, this freedom also allows companies to choose methods that best suit their operations, embracing flexibility in how they approach these recommendations.


Key Takeaways from the Document

Database Verification for Accuracy
The NIS2 Directive emphasizes ensuring that registrant information, such as name, email, and phone number, is complete and accurate. While ideas like requiring ID checks have been discussed, this could be burdensome for many registrars. Similarly, phone verification is technically challenging and expensive.

Email and Phone Verification
The recommendation encourages email and phone number verification. Phone verification, however, is currently not an industry standard practice and would be difficult and costly to carry out for most registrars.

Re-verification on a Regular Basis
One particularly difficult recommendation suggests that email and phone numbers be re-verified periodically. This could prove complex, especially if a high-value or critical domain name’s verification fails and is not corrected within the proposed 30-day window. Suspending such domain names could lead to disproportionate consequences.

Operational Verification
Fortunately, the recommendations allow for a more feasible option called “operational verification.” This means ensuring that an email address is functional (e.g., by confirming that an email doesn’t bounce) or verifying that a phone number is operational (e.g., the phone rings). This sets a lower bar compared to ICANN’s more stringent requirements, which demand the exchange of a unique code for email or phone verification.

Risk-Based ID Verification
Full-blown ID verification is not deemed workable and is only required on a risk-based approach. This is a relief for many, as it limits the scope of ID checks to higher-risk scenarios.

What Happens if Verification Fails?
For newly registered domain names, the recommendation advises that domain names should only be activated once verification is completed. For existing domains, registrants have up to one month to correct inaccurate information, with quicker action if the domain is used for malicious purposes.


Actions You Should Take

  1. Implement and Publish Procedures
    Ensure you have documented procedures for verifying registrant name, email, and phone numbers. While these procedures don’t need to be applied to every domain name, they should be available on your website. Compliance with this requirement is crucial under NIS2.
  2. Register with SafeonWeb
    All Belgian entities offering domain name registration services must register with SafeonWeb. You can do this by visiting SafeonWeb and logging in with itsme or your eID card. If you also offer DNS services, select “DNS service providers” under “Digital.” If not, select “none of the above”. In both cases, indicate you offer domain name registration services in the next step.


Actions to Consider

While full-blown verification may be overkill for many registrars, there are steps you can take to enhance data accuracy and streamline operations:

  1. Data Validation
    Improving the validation of new data is a relatively simple first step. While gathering all the necessary validation information can be tedious, DNS Belgium has done much of the groundwork. You can access their input validation guidelines at DNS Belgium’s technical information.
  2. Operational Verification
    Operational verification of email addresses can be done without much hassle. For instance, you can send an email and follow up on any bounces. There are also technical ways to verify whether an email address is operational without bothering the recipient with an additional email.
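An operational email check of the kind described above, as an added example (not code from the original post or from DNS Belgium): the address must be well formed, its domain must publish a usable mail exchanger, and no earlier hard bounce may be on record for it, with no confirmation code exchanged. The DNS resolver is injected; the sample MX table and bounce list below are constructed for illustration, and a real deployment would pass a function wrapping an MX query (for example around dnspython’s `dns.resolver.resolve(domain, "MX")`).

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# Deliberately simple syntax check: local part, "@", dotted domain with a TLD.
_ADDR_RE = re.compile(r"^[^@\s]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")
# Resolver signature: domain -> MX hostnames; raises LookupError for a missing domain.
MxLookup = Callable[[str], List[str]]

@dataclass
class VerificationResult:
    address: str
    operational: bool
    reason: str

def verify_email_operational(address: str, lookup_mx: MxLookup,
                             bounced: Set[str]) -> VerificationResult:
    """Operational verification: the address is well formed, its domain can
    receive mail, and no hard bounce is on record. No code is exchanged."""
    addr = address.strip().lower()
    if not _ADDR_RE.match(addr):
        return VerificationResult(addr, False, "malformed address")
    domain = addr.rsplit("@", 1)[1]
    try:
        mx_hosts = lookup_mx(domain)
    except LookupError:
        return VerificationResult(addr, False, "domain does not resolve")
    # RFC 7505 "null MX" (single "." target) means the domain refuses all mail; the
    # resolver should apply the RFC 5321 A-record fallback, so [] also means no mail.
    if not mx_hosts or mx_hosts == ["."]:
        return VerificationResult(addr, False, "domain accepts no mail")
    if addr in bounced:
        return VerificationResult(addr, False, "earlier message hard-bounced")
    return VerificationResult(addr, True, "mail exchanger found, no bounce on record")

# Constructed sample data standing in for a live DNS resolver and a bounce log.
SAMPLE_MX: Dict[str, List[str]] = {
    "example.com": ["mail.example.com"],
    "nomail.example": ["."],
}
SAMPLE_BOUNCES: Set[str] = {"gone@example.com"}

def sample_lookup(domain: str) -> List[str]:
    if domain not in SAMPLE_MX:
        raise LookupError(domain)
    return SAMPLE_MX[domain]

def verify_registrants(addresses: List[str]) -> Dict[str, VerificationResult]:
    return {a: verify_email_operational(a, sample_lookup, SAMPLE_BOUNCES)
            for a in addresses}
```

Only a hard bounce (5xx) recorded by your mail system should land in the bounce set; a temporary failure says nothing about whether the mailbox exists.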


In Conclusion

While the NIS2 directive and the Belgian regulator currently offer flexibility, taking no action from within the industry risks having procedures imposed on us that turn out to be unworkable. By implementing best practices like email verification, and by limiting heavier checks to risk-based cases, we can demonstrate that more onerous procedures aren’t required to create a safer internet.
