There seems to be some confusion about NIS-2. Some registrars, like Openprovider, are already implementing Article 28 of the directive even though it hasn't been transposed into member state law.
What is Article 28 again?
Article 28 requires entities that offer domain name registration such as the registries, the registrar (us), and you, to verify and validate domain name registrants.
We will most likely need to confirm whether the registrant's email address is responsive, similar to the ICANN validation and verification process for gTLD domains since 2013.
Article 28 does not differentiate between ccTLDs and gTLDs.
Realtime Register is a Dutch registrar, so we will need to comply with the Dutch version of the NIS-2, which will most likely come into effect in Q3 of 2025.
At the time of writing, only Belgium and Croatia are known to have transposed NIS-2 into member state law.
What does this mean for you as a reseller of Realtime Register?
If you are a reseller within The Netherlands, you do not have to do anything regarding Article 28 for now.
If you are a reseller located in a country that has implemented NIS-2, you are required to comply with your country’s NIS-2 implementation. This may mean you need to validate your domain customers to comply with local regulations.
What are the EU-based registries doing in this regard?
Unfortunately, this is a bit of a mess. Some registries have long had all kinds of verification and validation, done on the registry side. Other registries implemented such procedures earlier this year. Some based on the actual NIS-2 implementation, some on what they expect the implementation will be for their jurisdiction.
When registries change their procedures, and inform us of doing so, we inform you accordingly through our newsletter. If there are changes the registries make that we have to implement as well, we will do so as always, in time and fully compliant with their requirements.
To be clear, this is concerning the compliance of the registries with their applicable NIS-2 member state law. This may have overlap with, but is separate from, our compliance with the Dutch NIS-2, or yours with your local requirements.
What will Realtime Register do when Article 28 transitions into Dutch law?
That is a good question, and we cannot fully answer it as we are waiting for the Dutch government's response and subsequent law.
However, we expect that we will have to ensure all new registrations are for verified registrants, for all TLDs. We plan to combine validations made by the registries, you as a reseller, and our own to prevent unnecessary duplicate validations.
Does Article 28 apply to all registrants?
Yes, the Article 28 directive does not exclude registrants from countries outside the EU.
Article 28 also does not specify where in the registration chain the validation and verification are done, as long as they are done. The EU recommends that registries and registrars collaborate to avoid duplication.
Will you take domain names offline due to Article 28 if a registrant is not validated and verified?
The short answer is no.
After the Dutch NIS-2 law goes into effect, we will validate and verify the domain name before it goes online. In other words, the registrant must go through the process first, before they can use the domain name.
There may be a requirement to suspend domains for registries and resellers in EU countries with retroactive or yearly re-validation requirements. For now, it looks like the Dutch law will not require this. Realtime Register will not suspend domains retroactively unless and until forced by Dutch law.
What about domain names registered before Article 28?
We do not know if there will be requirements for these cases in The Netherlands, so we will not speculate.
We hope the Dutch government will not have such requirements. It would be a very bad idea, disrupting critical services, and counterproductive to what the NIS-2 aims to achieve.
The current draft of the Dutch Article 28 suggests no validation and verification will be required for legacy domains. But again, we will have to wait for the final version.
What about registrars outside the EU?
The NIS-2 works the same as the GDPR in terms of applicability. So, if a registrar does any business at all with the EU, the NIS-2 applies.
Why are certain other registrars implementing Article 28, when the requirement has not yet transitioned into law?
We do not know.
However, we strongly believe it is critical to wait until it is clear what the law will require registrars or registries to do. Making assumptions about what is required at this point is rather dangerous.
Why is the EU doing this?
There is an assumption that verification and validation will lead to more accurate data and reduce cybercrime.
We, on the other hand, assume that criminals will register somewhere else, use compromised accounts with verified data, use compromised or temporary email accounts for verification, use stolen credit/debit cards as verification proof, or use other methods to evade this policy.
We believe the measures will create unnecessary friction for new customers in the domain market, especially due to the different implementations per country, Criminals will find ways to evade the policies faster than new policies can be brought into law. We consider any broad sweeping policies that threaten the availability of domains, like retroactive or yearly validation, to be harmful to the trust in the domain industry and dangerous for the wider economy. Most abusive domains are only active for a brief period after registration, so these policies will mostly affect good registrations.
Since 2021, we have made our abuse monitoring system available to all our customers. With the lessons learned from our active approach in abuse mitigation together with our suppliers, partners, and customers we are convinced that these policies only provide a false sense of security.
Stay tuned.
Since 2020, we have been monitoring the progress of NIS-2 and have provided the Dutch Government and the European Commission with regular input and guidance regarding Article 28.
The moment we have more updates, we will communicate them. It goes without saying that anything that will affect you and/or your customers will be communicated to you in a timely manner. You can check your newsletter subscription here.