NIS2 Directive (proposal): obligations of registries and registrars of domain names
The Directive on measures for a high common level of cybersecurity across the Union, known as ‘NIS2’, which is currently at the proposal stage (eur-lex.europa.eu), includes obligations for all top-level domain (TLD) registries and registrars (art. 2.2.a.iii). Para. 15 sets an objective: “To maintain and preserve a reliable, resilient and secure Domain Name System (DNS)”, with the aim of ensuring confidence in the digital economy.
To this end, the directive will impose a number of obligations on registries and registrars, which are considered “essential entities”:
- maintain accurate and complete WhoIs data (paragraph 61 and art. 23);
- ensure the integrity of WhoIs data;
- make them available, in accordance with the General Data Protection Regulation (GDPR) (paragraph 59), “without undue delay” (paragraph 62).
One obligation deserves particular emphasis. In accordance with para. 60 and article 23.3, “Member States shall ensure that TLD registries and entities providing domain name registration services for the TLD have policies and procedures in place to ensure that databases contain accurate and complete information. Member States shall ensure that these policies and procedures are made public”. Such an obligation could result, for example, in the systematic verification / documentation of the identity of the person registering the domain name or in the prohibition of the use of prepaid bank cards. In short, since the GDPR protects personal data, anonymity should no longer be allowed.
As for sanctions, article 29.6 provides for the possibility of engaging the liability of natural persons who have failed in their duty to ensure that the obligations set out in this directive are complied with.