Thanks Greg.  I'm only mentioning this because it could come up in the form of a question from the GAC.  I know Council previously asked Org for more information on the possible impact of NIS2.  I don't recall staff's response at the moment but I also don't recall anyone mentioning timelines for urgent requests in that response.  

I assume that if the GAC asks a question about this, Thomas is the most likely person to answer.  I do recall Thomas pointing out that there are jurisdictional issues at play here in relation to Urgent Requests.  However, I should think that EU-based registrars would be interested in a clarification.

Anne

Anne Aikman-Scalese
GNSO Councilor
NomCom Non-Voting 2022-2026
anneicanngnso@gmail.com


On Thu, Jun 5, 2025 at 11:13 AM DiBiase, Gregory <dibiase@amazon.com> wrote:

Hi All,

 

Quick clarification: our update to GAC will concern what the IRT is currently discussing. I don’t believe the applicability of NIS2 is currently a discussion topic (although we can confirm with our liaison Thomas).

 

Councilors are free to raise the questions below in the IRT, but I want to be sure that our update to GAC accurately reflects IRT discussions to date. Happy to discuss further in Prague.

 

Greg

 

From: Anne ICANN <anneicanngnso@gmail.com>
Sent: Thursday, June 5, 2025 8:31 AM
To: Nacho Amadoz <nacho@amadoz.cat>
Cc: farzaneh badii <farzaneh.badii@gmail.com>; Lawrence O. Olawale-Roberts <lawrence@microboss.org>; DiBiase, Gregory <dibiase@amazon.com>; Tomslin Samme-Nlar <mesumbeslin@gmail.com>; Sebastien Ducos <Sebastien@registry.godaddy>; Steve Chan <steve.chan@icann.org>; Terri Agnew <terri.agnew@icann.org>; Council@icann.org
Subject: RE: [EXTERNAL] Talking Points for GAC - GNSO Council Meeting

 

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.

 

Thank you, Nacho.  I am copying Council on this email and the exchanges below since my first reply to the Talking Points on Urgent Requests did not go through because I mistakenly replied to the NTFY email.    The thread below concerns Urgent Requests from Law Enforcement and our upcoming Monday discussion with the GAC re same.

 

I think the Cybercrime reporting requirement of NIS2 may involve a different issue from the NIS2 Urgent Requests timelines.  Is that correct?

 

 It appears the current RAA requires registrars to REVIEW  urgent requests in a certain time frame but I think the IRT is working on developing realistic timelines for RESPONSE to Urgent Requests.  Contracted Parties have noted that authentication of law enforcement takes time.  So I am asking whether 

(1) NIS2 and its timelines as implemented by member states has any authentication provisions applicable to the timelines in the Directive and 

(2) whether NIS2 implementation has force or effect on contracted parties (depending on their jurisdiction and the reach of the implementing rules from each EU nation.)  

In this regard, I look forward to further updates from the IRT.  Farzaneh points out that legal clarity is needed.  

 

As to the parallel effort of the PSWG Urgent Requests Authentication group, we have some concerns about how the email lists being provided to ICANN are developed, vetted, and purged.  In addition, Lawrence has expressed in that group that Law Enforcement agencies in countries which do not participate in Europol or Interpol may be left out of the development of an authentication process.    How to address that issue?  (Please note the Authentication group meeting for May 29 was cancelled and we are not meeting in Prague which is unfortunate.)

 

Please see thread below for more comments/questions on this topic.

 

Looking forward to seeing those who can attend in person in Prague and the rest of you on Zoom!

Anne

 

Anne Aikman-Scalese

GNSO Councilor

NomCom Non-Voting 2022-2026

 

 

On Thu, Jun 5, 2025 at 1:23 AM Nacho Amadoz <nacho@amadoz.cat> wrote:

Good morning, 



El 5 juny 2025, a les 9:50, farzaneh badii <farzaneh.badii@gmail.com> va escriure:

 

Whether NIS2 is a legal requirement with a global reach, and what those requirements are and how IRT should consider it is yet to be seen. We have been saying this all along, NIS2 is a directive, it is not a regulation, it is not similar to GDPR. We need to get legal clarity before we discuss NIS2.

 

It is a directive with a minimum harmonisation remit. This means that States in the EU are not precluded from adopting measures ensuring a higher level of cybersecurity than the ones set by the Directive, but this should not be the ground to regulate beyond the framework set by the Directive. And, therefore, national laws transposing the Directive should not be expected to regulate on Law Enforcement Authentication, as this is not an aspect considered in the Directive, and the issue has a wider framework. 

 

As an example, Whereas 107 indicates the following: 

 

Where it is suspected that an incident is related to serious criminal activities under Union or national law, Member States should encourage essential and important entities, on the basis of applicable criminal proceedings rules in accordance with Union law, to report incidents of a suspected serious criminal nature to the relevant law enforcement authorities. Where appropriate, and without prejudice to the personal data protection rules applying to Europol, it is desirable that coordination between the competent authorities and the law enforcement authorities of different Member States be facilitated by the European Cybercrime Centre (EC3) and ENISA.