NIS 2: pay attention or pay the costs

Blog 18-10-2021

At the end of 2020, the European Commission came up with a proposal to revise EU cybersecurity legislation, citing allegedly increased cyberthreats during the COVID-19 pandemic. The NIS 2 Directive proposal aims to improve the resilience and incident response capacities of public and private entities deemed to be critical infrastructure. These entities also include domain name registries, registrars, DNS service providers and root server operators.

While the NIS 2 Directive proposal is essentially built on its currently valid predecessor, the NIS Directive, it also introduces several changes that could have a profound effect on the global internet infrastructure. Although the intentions of the NIS 2 proposal are noble, the discussions on the final legislative text within the EU are introducing additional obligations on internet infrastructure operators that, if adopted, will be very difficult to comply with.

As a result, NIS 2 will hamper the competitiveness of the EU domain name industry and essentially create more paperwork. What is worse, these additional burdens on EU operators will not achieve any greater cybersecurity. 

What is NIS 2?

The Proposal for a Directive on measures for a high common level of cybersecurity across the Union (‘NIS 2’) is the revision of the first EU-wide legislation on cybersecurity - the Directive (EU) 2016/1148 on security of network and information systems (NIS Directive) from 2016. The NIS Directive confirmed the criticality of several sectors for the functioning of society, including the Domain Name System (DNS). As a result, “operators of essential services” in these critical sectors, together with “digital service providers” were obliged to put in place cybersecurity requirements and report incidents.

Four years later, and in light of increased cyberattacks on critical infrastructure during the COVID-19 pandemic, the EU chose to respond with an update of its cybersecurity legislation. The proposal for the NIS 2 law saw the light of day at the end of 2020. Its scope has been expanded to include more “essential” and “important” sectors, it adds more responsibilities to ENISA, the European Union Agency for Cybersecurity, and it strengthens the supervisory regime run by national competent authorities. It also defines sanctions for service providers who do not comply with their obligations under NIS 2 (up to 2% of total annual turnover), including the possibility of holding their management bodies accountable. 

Cybersecurity is the new buzzword, and NIS 2 has teeth to make sure we all get the memo. 

How are registries and registrars affected?

Under the NIS Directive, top-level domain (TLD) registries, together with DNS service providers, are considered to be operators of essential services. They have therefore been complying with obligations under NIS for some time, investing in the security of their network and information systems and providing a stable and resilient service for the benefit of the information society. Not only in Europe, but all over the world. The internet is global, after all. 

Yet, according to EU legislators, these obligations are not sufficient. The NIS 2 proposal recognises that the DNS is a “key factor in maintaining the integrity of the Internet” and goes further by stating that: 

“Maintaining accurate and complete databases of domain names and registration data (so called ‘WHOIS data’) and providing lawful access to such data is essential to ensure the security, stability and resilience of the DNS.”

To this end, the NIS 2 proposal introduces a new “security”-related obligation on both TLD registries and registrars. Article 23 requires registries and registrars to collect and maintain accurate and complete domain name registration data, to publish all registration data relating to legal entities, and to provide efficient access to non-public personal data to all legitimate access seekers. 

What about data protection and privacy?

Does this actually mean collecting, publishing and disclosing more personal information on the internet in the name of increased cybersecurity? In the era of the GDPR? Yes, that’s right. Moreover, the NIS 2 proposal still claims to be “in full respect of Union data protection rules”, including the GDPR. 

Data protection experts seem to have a different opinion, as is evident from the Opinion of the European Data Protection Supervisor, who called on legislators to align the NIS 2 requirements with the EU data protection framework and also reminded them that data concerning legal entities (for example the name or contact details of a sole trader or a company’s representative) can still be personal data in certain cases. 

Hence, no blanket data publication requirement for legal entities can be consistent with the GDPR. The law must specify what type of information should be published, while still respecting the rules under the GDPR, and provide a clear legal framework for any interference with the right to privacy and data protection in case personal information is disclosed to “legitimate access seekers”.

Is Article 23 going to be clarified?

The co-legislators in the European Parliament and the Council of the EU are currently finalising their respective positions on NIS 2 before entering into trilogue negotiations with the European Commission to hone the final text of the law.

The prospect of aligning NIS 2 with data protection rules is slim. The European Parliament’s position advocates the collection and processing of even more personal information, without any effective safeguards. In addition to being ‘accurate’ and ‘complete’, which are already pretty vague concepts under the proposal, registration data will also need to be ‘verified’, according to the direction taken by the European Parliament. 

Why is data verification under NIS 2 problematic for registries and registrars?

Instead of moving towards limiting the excessive collection and processing of domain name holders’ data, the EU seems to be moving towards making more end-users’ personal data available for commercial purposes and third-party use, all in the name of their increased protection. Furthermore, this data collection effort is organised at the expense of the European domain name industry. 

On the internet, everyone already knows you’re a dog but now you will also have to prove it.

For some industries it makes perfect sense: we accept going through additional hoops to open a bank account, and we want our bank to notify us when there is an issue. But in order to have access to the basic internet infrastructure and be able to build an online identity, do we really need a bank-level identification and verification process, including providing copies of our passports, verifying our postal address by sending in utility bills and providing a working phone number, all just to be able to have a domain name? 

The issue of any data verification obligation before using a digital service starts with the obvious: the lack of consistent use and availability of electronic identification in the EU. 

Surely, there could be an easy way to verify identity in a few clicks through a governmental or a private service of electronic identification. If only we lived in a world full of “Digital Tigers”, like Estonia and Denmark, who have highly developed electronic ID schemes allowing their citizens to vote, travel, check medical records and more. But the reality is that, out of 27 EU Member States only 14 have functional eID schemes, and these are not always compatible cross-border. Even if an eID is a good solution for a Danish or Estonian resident, what about non-EU residents who register domain names? How do we make their national eIDs functional and recognised in the EU?

In practice, any blanket verification requirement that does not take into account national specificities and rules will put the burden on registries and registrars to come up with their own ways of verifying domain name holders without eIDs. In essence this means circulating copies of passports and other identity documents, which increases personal data processing and goes against the principle of data minimisation.

Furthermore, even if a technical operator receives a copy of a passport, it cannot actually verify that the document is genuine and still valid, nor that the person behind the screen is the one they claim to be. A scanned image proves neither the authenticity of the document nor its link to the person submitting it. 

Consequently, this will drive up the cost of domain names. Naturally, with every additional hoop that a registry or registrar needs to jump through to verify identity, store the growing amount of data and put in place additional security measures to protect all that personal information, the price of a domain name will have to go up. 

The real problem is that the end-user would rather choose a more convenient option than a European domain name. Other options (such as a non-European domain name or a social media page) will allow the user to establish an online presence much faster and at much less cost.

Competition and market consolidation

Most European ccTLDs are already considered critical digital infrastructures, under their national cybersecurity legislation, following the NIS Directive implementation. Non-European gTLDs (e.g. .com, .org, .info) would fall under NIS 2 obligations if their services were actively offered on the European market, as NIS 2 includes an extraterritoriality clause. 

According to the CENTR Global TLD Report for Q2 2021, for most European countries, the local country code (ccTLD) remains a popular choice (e.g. .fr for France and .si for Slovenia). This might not be the case when NIS 2 is in place.

Additional obligations and compliance activities will result in more market consolidation and provision of services by a few larger companies, as smaller actors would not be able to keep up. 

According to the CENTR Global TLD Report, at the end of 2020, the global market was estimated at 354 million domains split between ccTLDs (38%) and gTLDs (62%). Within that 62% of estimated global market share, 44% is held by only one actor (.com).

When it comes to regulation, it does make sense to treat all actors equally, irrespective of their place of establishment. Yet it is important to make sure that smaller local actors are not disproportionately disadvantaged by onerous obligations that only big and powerful players can afford to implement. 

Domain names are offered to consumers via registrars, and, like domain registries, registrars are also within the scope of the data accuracy obligation in Article 23. We have recently observed an ongoing consolidation of the registrar market, and this trend will very likely continue with the increased burden on registrars and the additional verification obligation.

Will it all be worth it for more cybersecurity?

Obviously, registration data checks will have some indirect effect on safety online, purely because they will make it more difficult for some people to commit fraud. 

However, the assumption that COVID-19 affected all of the sectors deemed critical under the NIS 2 Directive is simply not correct. The COVID-19 pandemic did not lead to any significant increase in “DNS abuse” online, as evidenced by our research at the beginning of the pandemic in 2020, where the number of actually confirmed abusive cases amongst European ccTLDs was low. 

Hence, there is no fact-based justification for imposing additional data accuracy obligations on registries and pinning it on COVID-19. The evidence of increased “DNS abuse” is so insignificant that the Impact Assessment accompanying the European Commission’s NIS 2 proposal is completely silent on why such a data accuracy obligation should be mandated by law.

Furthermore, cybersecurity experts have also argued that the accuracy of domain name registration databases has nothing to do with the stability of the DNS.

For once, do not strive for full harmonisation

Cybersecurity can be tricky. In the same way that it is impossible to develop 100% “secure” and bug-free software (and if anybody promises otherwise, it’s probably spam), there is also no effective way to achieve 100% accuracy in domain name registration databases. But most importantly, for European country code top-level domains there is no problem to fix.

European ccTLDs work hard to keep rogue actors out, to keep their registration databases up to date, and to verify identities when suspicious activity is flagged by competent authorities, including cybersecurity experts. They have been considered the champions of the industry for years. Their key to success? Diversity of approaches, each based on its unique national environment. That diversity also makes it hard to find a single point of failure, and hard for fraudsters to adapt one modus operandi to 27 or more different approaches. 

Data accuracy within domain name databases is important but there is no reason to increase the bureaucracy, when it can seriously hamper access to the basic digital infrastructure, create conflicting obligations with the GDPR, and weaken the competitiveness of the European market - without any evident need or purpose. 

For once, a full harmonisation in regulating the internet is probably not the best idea.

Published By Polina Malaja
Polina Malaja is the Policy Director at CENTR, leading its policy work and liaising with governments, institutions and other organisations in the internet ecosystem.