How to be compliant and prevent cybercrime at the same time?
In the domain registration industry, balancing regulatory compliance with robust security measures is essential. As an ICANN accredited registrar, Realtime Register has implemented a system that meets the ICANN RAA 2013 requirements for verification of registrant data and strengthens defences against cybercrime as required by the NIS-2 at the same time.
ICANN 2013 RAA Email Validation Requirement
The Internet Corporation for Assigned Names and Numbers (ICANN) introduced the 2013 Registrar Accreditation Agreement (RAA), which mandates registrars to validate and verify specific WHOIS data fields, including email addresses. This process ensures that the contact information registrants provide is accurate and up to date.
After a domain is registered, the ICANN registrar is obliged to send an email to the registrant to verify the registrant's contact details. If the registrant does not confirm the accuracy of the data within 15 days by clicking on a link in the email sent, the registrar must suspend the domain.
Why is this standard verification procedure a problem?
Under the standard procedure, a domain that has not been verified within 15 days is suspended: any associated website becomes inaccessible and any connected email services are disrupted. These services can only be reactivated once the registrant's data is verified. This often results in numerous complaints from registrants, overwhelming the service provider's support team with emails and phone calls, leading to significant costs and frustration.
But there is another negative side effect. Registrants with bad intentions, such as phishing, selling counterfeit products, and other scams, can eat their hearts out for 15 days before the service is taken down. Believe me when I say those guys can make a lot of money and do a lot of bad stuff in 15 days!
How do we handle these verifications at Realtime Register?
The verification and validation processes from ICANN RAA are familiar to our partners, but we execute the requirements differently. This provides security and customer satisfaction benefits.
Our approach involves verifying the email before allowing the registrant to use the domain name. This proactive measure prevents the common issue of domains being suspended after 15 days of use due to unverified email addresses, often leading to complaints from registrants. Imagine a company running a promotion on TV or radio using a new domain name. On day 15, the domain name goes offline right in the middle of the promotion. Our verification process counters such issues because we verify the email address first. Only after verification, the domain will resolve and can be used for the services intended.
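The two flows described above, modelled as an added example (not Realtime Register's own code). It assumes a constructed registrar-side secret, a signed verification link token with the 15-day window from the RAA, and a `resolves()` check that compares the standard suspend-after-15-days flow with the verify-first flow by counting the days an unverified domain stays live:

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed registrar-side secret for the demo; a real deployment loads it from a secret store.
SECRET_KEY = b"constructed-demo-secret"
DAY = 86400
VERIFY_WINDOW = 15 * DAY          # ICANN RAA 2013: registrant has 15 days to confirm

def make_token(domain: str, email: str, issued_at: int) -> str:
    """HMAC over the verification facts; this is the value carried in the emailed link."""
    msg = f"{domain}|{email}|{issued_at}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

def token_valid(domain: str, email: str, issued_at: int, token: str, now: int) -> bool:
    """Reject expired or tampered links; constant-time compare avoids timing leaks."""
    if now - issued_at > VERIFY_WINDOW:
        return False
    return hmac.compare_digest(make_token(domain, email, issued_at), token)

@dataclass
class Registration:
    domain: str
    email: str
    registered_at: int
    verified_at: Optional[int] = None

def resolves(reg: Registration, now: int, policy: str) -> bool:
    """Does the domain resolve at time `now`?
    'suspend_after_15d': standard RAA flow, live at once, suspended when the window lapses.
    'verify_first':      verify-before-use flow, not live until the email is verified."""
    if reg.verified_at is not None:
        return True
    if policy == "verify_first":
        return False
    return now - reg.registered_at <= VERIFY_WINDOW

def exposure_days(reg: Registration, policy: str, horizon_days: int = 30) -> int:
    """Days within the horizon on which an unverified domain resolves (the abuse window)."""
    return sum(resolves(reg, reg.registered_at + d * DAY, policy)
               for d in range(1, horizon_days + 1))

if __name__ == "__main__":
    reg = Registration("example-shop.test", "owner@example.test", registered_at=0)
    print("standard flow exposure days:", exposure_days(reg, "suspend_after_15d"))  # 15
    print("verify-first exposure days:", exposure_days(reg, "verify_first"))        # 0
```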
Deterrence of Cybercriminals
Cybercriminals typically refrain from verifying their email addresses because they are wary of the tracking and logging mechanisms that may be in place. They do not know which specific methods we have deployed, such as device fingerprinting, which adds an additional layer of detection. This uncertainty acts as a deterrent, reducing the likelihood of dodgy domain names being verified and used for malicious activities.
Which TLDs need verification?
It's crucial to note that all TLDs, including ccTLDs, will require verification. The good news is that gTLDs have been following this process for many years, underscoring its importance.
Currently, we provide email verification for over 16 ccTLDs.
We expect to hear more from ccTLD registries such as SIDN and DENIC soon. The Dutch government still needs to incorporate the NIS-2 directive into national law. This is expected to happen in the second or third quarter of 2025. We will closely follow up when compliance is required and turn on email verification for other countries that require it.
Different EU countries, different Article 28 NIS-2 requirements.
The response to the Article 28 requirements varies across EU member states, creating complexity in implementation. For instance, some EU countries will mandate verification of both the registrant's email address and telephone number, repeated every 12 months for all registered domain names, including those registered before NIS-2 took effect. In contrast, other member states may only require verification of the email address or the telephone number, but not both.
Registrars outside the EU, who must comply with NIS-2 and need to have a European base, are likely to choose a country with the least stringent requirements under Article 28. This practice could significantly impact market dynamics, potentially creating an uneven playing field.
If you provide domain name registration services, it is crucial to thoroughly understand and comply with the specific requirements of the country you operate in. Differing requirements and processes might affect consumer trust.
Compliance with NIS-2 Directive. We will help you!
The NIS-2 Directive, which aims to enhance cybersecurity across the EU, requires organizations to implement measures that minimize cyber risks. Our email verification process and other countermeasures align with these requirements. Currently, we are developing a verification engine that will ensure a smoother verification process for all of our resellers. We will provide more details about this verification engine soon when we near the completion of the project.
By maintaining these practices, we continue to uphold high security and compliance standards, ensuring a safer digital landscape for all users.