Thank you, Nacho.  I am copying Council on this email and the exchanges below since my first reply to the Talking Points on Urgent Requests did not go through because I mistakenly replied to the NTFY email.    The thread below concerns Urgent Requests from Law Enforcement and our upcoming Monday discussion with the GAC re same.

I think the Cybercrime reporting requirement of NIS2 may involve a different issue from the NIS2 Urgent Requests timelines.  Is that correct?

 It appears the current RAA requires registrars to REVIEW  urgent requests in a certain time frame but I think the IRT is working on developing realistic timelines for RESPONSE to Urgent Requests.  Contracted Parties have noted that authentication of law enforcement takes time.  So I am asking whether 
(1) NIS2 and its timelines as implemented by member states has any authentication provisions applicable to the timelines in the Directive and 
(2) whether NIS2 implementation has force or effect on contracted parties (depending on their jurisdiction and the reach of the implementing rules from each EU nation.)  
In this regard, I look forward to further updates from the IRT.  Farzaneh points out that legal clarity is needed.  

As to the parallel effort of the PSWG Urgent Requests Authentication group, we have some concerns about how the email lists being provided to ICANN are developed, vetted, and purged.  In addition, Lawrence has expressed in that group that Law Enforcement agencies in countries which do not participate in Europol or Interpol may be left out of the development of an authentication process.    How to address that issue?  (Please note the Authentication group meeting for May 29 was cancelled and we are not meeting in Prague which is unfortunate.)

Please see thread below for more comments/questions on this topic.

Looking forward to seeing those who can attend in person in Prague and the rest of you on Zoom!
Anne

Anne Aikman-Scalese
GNSO Councilor
NomCom Non-Voting 2022-2026
anneicanngnso@gmail.com


On Thu, Jun 5, 2025 at 1:23 AM Nacho Amadoz <nacho@amadoz.cat> wrote:
Good morning, 

El 5 juny 2025, a les 9:50, farzaneh badii <farzaneh.badii@gmail.com> va escriure:

Whether NIS2 is a legal requirement with a global reach, and what those requirements are and how IRT should consider it is yet to be seen. We have been saying this all along, NIS2 is a directive, it is not a regulation, it is not similar to GDPR. We need to get legal clarity before we discuss NIS2.

It is a directive with a minimum harmonisation remit. This means that States in the EU are not precluded from adopting measures ensuring a higher level of cybersecurity than the ones set by the Directive, but this should not be the ground to regulate beyond the framework set by the Directive. And, therefore, national laws transposing the Directive should not be expected to regulate on Law Enforcement Authentication, as this is not an aspect considered in the Directive, and the issue has a wider framework. 

As an example, Whereas 107 indicates the following: 

Where it is suspected that an incident is related to serious criminal activities under Union or national law, Member States should encourage essential and important entities, on the basis of applicable criminal proceedings rules in accordance with Union law, to report incidents of a suspected serious criminal nature to the relevant law enforcement authorities. Where appropriate, and without prejudice to the personal data protection rules applying to Europol, it is desirable that coordination between the competent authorities and the law enforcement authorities of different Member States be facilitated by the European Cybercrime Centre (EC3) and ENISA.