Hi Alan,
Thank you for your question regarding NIS2 at last month’s General Assembly. As promised, here is a detailed response (below my signature), provided by our Government Engagement colleagues. If you have any further questions, please do not hesitate to reach out. I am copying the NARALO list so they can be informed of the response as well.
Best,
Joe
---
The NIS2 Directive will soon become law. A political agreement between the so-called co-legislators, the European Parliament and the Council (the EU institution bringing together the 27 member states), was reached this summer (see the text here) and the entire process should be concluded by the end of the year (expectedly in November).
The law should be then effective around Q3-Q4 2024, as a Directive is not directly applicable and member states will have to implement it nationally.
The NIS2 imposes cybersecurity measures and cyber incident-related reporting obligations on operators of essential and important entities and applies to all providers of DNS services, with the exception of root servers.
The main responsibilities for DNS operators, as operators of essential services under NIS2, are: (a) implementation of appropriate and proportionate technical and organizational measures, (b) reporting obligations to the competent authorities or the established computer security incident response teams (CSIRT) of any incident having a significant impact on the provision of their services, (c) provide contact details for the registry of essential entities to ENISA, (d) if a DNS service provider is not established in the EU and offers services in the EU, it should designate a representative.
The NIS2 also includes provisions on collection and access to registration data, in Article 23, that will require the contracted parties to take steps (both on public access and responding to requests for non-public data). The text, as agreed, leaves leeway to member states to possibly introduce different requirements in the implementation of Article 23, and there is the risk that member states would mandate different requirements. There could also be differences with ICANN’s policies.
Recital 62 provides that “the Commission may adopt guidelines” with regard to access to registration data.
As regards data collection and maintenance policies that TLD registries and the entities providing domain name registration services for the TLD should establish under NIS2, Recital 61 provides that “policies and procedures should take into account to the extent possible the standards developed by the multi-stakeholder governance structures at international level”. The same wording is included in Recital 62 with regard to policies and procedures for the publication and disclosure of registration data.
--
Joe Catapano
Stakeholder Engagement Senior Manager
Internet Corporation for Assigned Names and Numbers
Direct: +1.202.249.7544
Mobile: +1.202.550.6018
Twitter: @JosephCatapano