
Member States guidance on NIS 2 Article 28: implementation around the corner, but at what cost?

Blog 26-09-2024

On 18 September, the NIS Cooperation Group, consisting of EU Member States’ representatives, issued its long-awaited recommendations on Article 28 of the NIS 2 Directive, targeted at national competent authorities and at the entities in scope of the NIS 2 Directive's registration data accuracy obligations, which include TLD registries, registrars, resellers, and privacy/proxy services. At CENTR, we have been following closely both the NIS 2 Directive negotiations and its transposition period. We have also issued our own recommendations for national authorities to take into account when transposing Article 28 into national legal frameworks.


We applaud the NIS Cooperation Group's efforts in offering guidance on the challenges of ensuring registration data accuracy across all available TLDs in the EU. We are happy to see that European ccTLDs’ concerns are taken on board and reflected in the guidelines. As entities based and rooted in European values, CENTR members commit to the continuous delivery of safe and secure TLD zones for all users, irrespective of their location. Thanks to EU policymakers, domain registration data accuracy is part of the cybersecurity toolbox, and part of mandatory regulatory compliance of all TLDs available in Europe. However, we wished for more attention and guidance from Member States’ representatives on the relationship of Article 28 with data protection, especially considering its extraterritorial reach and impact on global internet users.

What is in Article 28 of the NIS 2 Directive?

Article 28 of the NIS 2 Directive introduces an unprecedented registration data accuracy obligation for all TLD registries, registrars, resellers, and privacy/proxy services active in Europe. 

The data accuracy obligation is part of the EU cybersecurity legislation, the NIS 2 Directive, which also deals with reporting significant cybersecurity incidents and obliges all “essential” and “important” entities to follow minimum cybersecurity risk management measures. Internet infrastructure actors, such as TLD registries, DNS service providers, and IXPs, are recognised as essential digital infrastructure actors (together with cloud and data centre service providers).

On top of these critical cybersecurity obligations, TLD registries are obliged to collect and maintain accurate domain registration data, verify its accuracy, and publish non-personal data (hereinafter, ‘WHOIS data’). TLD registries are also obliged to give out personal information of domain name holders to all “legitimate access seekers”. 

Impact of NIS 2 Directive on global DNS

The NIS 2 Directive is applicable to all TLDs available for registration in the EU, meaning it applies equally to EU ccTLDs, such as .it and .nl, and to non-EU gTLDs like .com and .info. The extraterritorial reach of the accuracy obligations creates tensions with the multistakeholder policy setting at the global level, i.e., within ICANN, which sets global domain registration policy for all gTLDs and their accredited registrars. It is not easy to harmonise domain name registration processes at the global level, with many countries’ and stakeholders’ interests at stake. As a result, negotiations at the global level take time and follow a consensus approach, which may not always lead to the desired outcome for all interested parties.

Registration data accuracy continues to be a contentious issue, even at EU level, where regulation does not always catch up with, or create the needed conditions for, technological developments. This is particularly evident in the state of electronic identification (eID) use across EU Member States. In 2024, after almost a decade of the eIDAS Regulation being in force, the EU does not have uniform and user-friendly availability of eIDs in all Member States, despite well-meaning legislation and the political will of the EU institutions. As a result, EU ccTLDs have a variety of data accuracy practices in place that offer flexibility to both local and foreign users, with or without the use of eIDs. After all, registration data accuracy within EU TLD zones has been cited as one of the factors contributing to low levels of abuse across EU TLDs. The NIS 2 Directive does not oblige domain name holders to register domain names with an eID, but TLD registries and registrars are encouraged to verify domain name holder data with eIDs.

What about data protection?

The EU has been the champion in setting a global standard for data protection in its groundbreaking EU General Data Protection Regulation (GDPR). However, when it comes to domain name holder data collection and processing in the EU, the principles of data protection remain secondary. 

Domain registration data is not necessary for the technical function (or security) of the DNS. There are TLD registries that require no collection of personal data when registering a domain name, and in light of the increased regulatory attention, we will see more (mostly non-EU) actors moving towards abandoning ‘WHOIS data’ altogether.

Furthermore, as part of the EU GDPR compliance efforts, EU ccTLD registries have further minimised data collection from domain name holders. Yet, the NIS 2 Directive requires the collection of certain datasets that are no longer part of some registries’ WHOIS data. In addition, the NIS 2 Directive requires collection of more personal data in order to verify the collected mandatory dataset. 

The text of the NIS 2 Directive does attempt to bring in some data protection limitations for Article 28 obligations. This is especially evident in its careful attention towards (not) publishing email addresses containing personal data, and recommending verification of only one contact means of a domain name holder. Unfortunately, this helpful guidance is only in recitals, and not in the binding part of the Directive. 

NIS Cooperation Guidelines 

The text of NIS 2 Directive offers flexibility. It is drafted in an almost technologically neutral way (minus eIDs) and it references practices that can be found in the diverse EU ccTLD landscape. 

Although it is a directive that establishes minimum requirements, a lot of thought has been put into substantiating Article 28’s accuracy requirements in the explanatory part of the legislative text (the recitals). We hope the recitals of the Directive will continue offering the needed guidance to the Member States, which have less than a month to transpose the Directive into their national frameworks before the transposition deadline runs out on 17 October.

The NIS Cooperation Group, consisting of national experts and Member States’ representatives, is set to give further guidance to substantiate Article 28 requirements beyond the legislative text, for the purposes of “a high common level of security for network and information systems”. Albeit non-binding, these are valuable guidelines that can inspire both national regulators and technical operators.

The NIS Cooperation Group’s guidelines offer some important direction. We especially welcome the recognition of a risk-based approach when it comes to identity verification. This is in line with the practices adopted across EU ccTLDs, where a careful balance between accessibility of domain names and weeding out rogue actors must be maintained. The majority of domain name holders should not be punished for a few malicious actors wanting to abuse the registration system, and they should not be treated as criminals either. We are also pleased to see no retroactive and automatic application of the accuracy obligation to existing domain registrations, and a gradual approach towards applying accuracy checks to existing registrations. We welcome the suggestion that domain name holders should be offered a possibility to react and rectify their information, before their domain name registrations get suspended. These are in line with our recommendations and suggestions for Member States to follow when transposing the law.

We thank the NIS Cooperation Group for their attention and care towards EU ccTLD accuracy practices and policies. Despite the NIS 2 Directive’s intentions to regulate global actors, EU ccTLDs will be at the forefront of compliance (and regulatory oversight), due to their local roots and national relevance.

We recognise the difficulties that come with this task, considering how many challenges still remain with Article 28, and the fact that the NIS Cooperation Group can only give guidance on issues that are within the remit of cybersecurity. However, we are still missing a mechanism for closer cooperation with data protection authorities, considering the significant data protection dimension of Article 28. We hoped the NIS Cooperation Group would consider the recitals that took data protection into account, such as the need to avoid verification of all contact means. Operational verification of both the email address and the phone number at all times seems to go against the guidance in the Directive itself. The guidelines lack justification on why it is necessary or proportionate to verify both contact means for all new registrations.

We are pleased to see the recognition of CSIRTs and law enforcement authorities as legitimate access seekers for the purposes of the NIS 2 Directive. Both groups are at the forefront of cybersecurity enforcement. However, we must raise the point that the NIS 2 Directive does not provide a legal basis for access requests for personal data of legitimate access seekers, so we still expect the clarification of “lawful and duly substantiated” access requests at national level, stemming from other EU legal instruments that provide for such clear legal basis. This includes the EU e-Evidence Regulation for law enforcement access, or incident reporting and supervisory power for CSIRTs under the NIS 2 Directive. 

As for the recommendation to optionally extend the list of legitimate access seekers to private interest groups (such as IPR protection), we would like to stress that this requires a legal basis that goes beyond the aims of the NIS 2 Directive, i.e., the security of network and information systems. We therefore ask Member States to exercise caution when considering this part of the recommendation, as the aim of the NIS 2 Directive is not IPR protection, and there are other existing instruments at both EU and national level that deal with it much more efficiently. As a minimum, the national NIS 2 transposition law must reference the need for all legitimate access seekers to showcase and substantiate their access requests with a valid legal basis. For private interest groups, more thorough scrutiny is needed.

Still, some tough questions remain open, primarily due to the Directive’s extraterritorial reach. How to verify beyond eIDs? How to verify foreign registrations and legal entities? How to reconcile data protection and the need to collect more data than necessary for the provision of a technical service? How to cooperate with registrars/resellers/privacy & proxy services to avoid duplication of data collection? How to assess if their requests are “lawful and duly substantiated”? Most importantly, even if EU ccTLDs have their answers already, will it be enough to comply with the regulatory obligations?

In conclusion, we believe the guidance from the NIS Cooperation Group is a meaningful step towards an effective implementation of the NIS 2 Directive - it does, however, leave some crucial questions for the Member States to answer.

Published By Polina Malaja
Polina Malaja is the Policy Director at CENTR, leading its policy work and liaising with governments, institutions and other organisations in the internet ecosystem.