News

CENTR has published a comment on the proposal for the revised EU Cybersecurity Act 2 (CSA2), which was put forward by the European Commission in January 2026. The proposal aims to strengthen the EU's cybersecurity governance and introduces a new "trusted ICT supply chain framework" that would apply to essential and important entities under the NIS 2 Directive, including ccTLD registries.

In a nutshell: The European Commission published the EU Tech Sovereignty Strategy, including the Open Source Strategy and the proposal for the Cloud and AI Development Act. The European Commission is also seeking views on the Copyright Directive and the application of the MiCA Regulation. The co-legislators finalised the work on the AI Omnibus. ENISA published its NIS360 report. The NIS Cooperation Group adopted common templates for incident reporting. European political groups published their position papers on EU Tech Sovereignty.

A letter arrived in my letterbox recently. Green branding, an Australian Company Number prominently displayed, a central Sydney address, a reference number, a QR code, and a "renewal fee" of $99 for one year or $171 for three. The sender was "Registration", trading through reg.com.au. My business name, the letter warned, was due for renewal on 2 July 2026.

Everything about the letter was designed to look official apart from one giveaway at the bottom in smaller font: "Registration is a third-party business name renewal service provider. We are independent of ASIC [Australia's corporate regulator]. This is not a bill." ASIC's own fee for the same three-year renewal is $102. Registration Pty Ltd pockets the difference for acting as a registered agent. This is a service I neither requested nor needed. While the operation is legal, consumer forums and small business groups consider it misleading and deceptive.

What I want to note here is not the ethics of the operator, but what the open .au namespace makes possible, and what .gov.au prevents.

In a nutshell: The European Commission presented a plan for better enforcement of EU rules, awarded a tender for a sovereign cloud, published the final reports of the Virtual Worlds Observatory and the Interactive Data Explorer, and partnered with EUIPO on DSA enforcement. The Cypriot presidency published a non-paper on FiDA negotiations. The Council of the EU published a compromise position on the Payment Services Regulation. EU institutions agreed on a roadmap to strengthen the EU Single Market, and are finalising the AI Omnibus negotiations. BEREC published an early assessment of the Digital Networks Act. The European Economic and Social Committee published an opinion on the Cybersecurity Act 2.0. Europol published the IOCTA 2026 report. The EDPB published a Data Protection Impact Assessment template. The Council of Europe issued a recommendation on online safety and empowerment of users and content creators.

In a nutshell: The European Commission published the 28^th regime proposal and opened feedback for the Cyber Resilience Act guidance. The European Council adopted conclusions on competitiveness and the single market. The Council of the EU adopted conclusions on the EU’s capacity to counter hybrid threats. The EDPB and EDPS published a joint opinion on the Cybersecurity Act 2.0 and NIS 2 amendments. The European Economic and Social Committee published an opinion on the Digital Omnibus. CJEU Advocate General delivered an opinion on high-risk suppliers.

Insights from 40 million domains in 10 ccTLDs reveal patterns behind domain renewals

Over the past few years, many CENTR members have observed changes in domain renewal behaviour. Many members saw a decline in the proportion of domains renewing during 2023-24. Even a small drop in renewal rates can have a significant financial impact, as a substantial share of registry revenue typically comes from renewals rather than new registrations. Additionally, stable and predictable renewal rates support more accurate financial planning.

Updates on abuse mitigation efforts

In January 2026, the gNSO adopted the PDP Charter for Associated Domain Check, which effectively initiated policy development work on DNS abuse. This PDP is expected to introduce new requirements for registrars to proactively check domains associated with malicious activity. The PDP will define the associated domain check’s triggers, scope, timeline, reasonableness, safeguards, documentation, and compliance metrics.

In a nutshell: The European Commission published a Submarine Cable Security Toolbox and Cable Projects of European Interest, 2026 Annual Single Market and Competitiveness Report, an IPRED study, and a counter terrorism strategy. The European Parliament held a hearing on CPC Regulation reform. The Council of the EU adopted a position on the 2030 Consumer Agenda. EDPB adopted a report on the right to be forgotten. EDPB, jointly with EDPS, adopted an opinion on the Digital Omnibus proposal. NIS Cooperation Group adopted an ICT supply chain toolbox. EU Member States published non-papers on competitiveness.

The 2026 CENTR Jamboree will take place in Berlin from the 6 to the 8 May 2026.

We will repeat last year’s process with contributions from participants to shape our agenda. Both members and non-members are therefore invited to submit proposals for sessions. We are excited to announce the Call for Proposals, and we invite you to be an active contributor to this event that brings the whole community together. 

CENTR issues Board statement on the EU action plan on fighting online fraud