In preparation for NIS/2, the French and German domain registries, AFNIC (.fr) and DENIC (.de), have announced new measures for extra verification of registrant data.
Short notice by AFNIC
AFNIC, the registry responsible for .fr domains, has surprised stakeholders with the abrupt rollout of their new validation guidelines. These guidelines will be effective from January 1st, 2024. However, AFNIC has opted for a phased approach, initially working collaboratively with registrars to ensure the guidelines are practical and effective before full enforcement.
DENIC’s Timely Preparation
On the other hand, DENIC, the German counterpart, has taken a more measured approach. Their announcement, made well in advance, states that their verification requirements will align with the actual enforcement of NIS/2, expected towards the end of 2024. This gives stakeholders ample time to prepare and adapt to the upcoming changes.
Government Collaboration
Both AFNIC and DENIC have developed their guidelines in close cooperation with their respective national governments, France and Germany. Although the official laws implementing NIS/2 in these countries are yet to be finalized, it is anticipated that the rules established by these registries will be in full compliance with national legislations.
Similar Verification Procedures
Interestingly, the verification procedures outlined by both AFNIC and DENIC bear striking similarities. They share a common interpretation of the NIS/2 directive’s requirement for “accurate” owner information. For instance, both registries will require address information to be verified against public databases. However, there’s no mandate to prove the direct association of the address with the individual or entity registering the domain name.
Additionally, the reachability of the registrant must be confirmed via email, a practice already in place for gTLDs (generic top-level domains). Notably, DENIC will also require verification of the registrant’s name, which may also be authenticated using public databases if possible.
Contrast with .dk and .be Procedures
These new procedures mark a departure from the more stringent verification processes implemented by the .dk (Denmark) and .be (Belgium) registries well before any detail about NIS/2 were known. The Danish and Belgian approaches demand comprehensive proof linking the registrant’s details to the individual requesting the domain. Actually linking that information can be very complex and is almost impossable to automate.