Allow me to add my thoughts on this, from the point of view of the EU - In the Network and Information Security Directive 2 (NIS2 Directive), the Internet is considered an essential part of critical infrastructure within the European Union. NIS2—the Second Directive on Security of Network and Information Systems—broadens the scope of what is recognized as critical infrastructure, extending beyond traditional sectors to explicitly cover digital service providers such as internet and telecommunications operators, digital platforms, and essential service providers linked to digital communications and internet operations.

The directive recognizes that dependence on digital infrastructures, including the Internet, is vital for modern society and that any significant disruption can have cross-sector consequences for both economic and social stability. Therefore, entities delivering essential digital communications infrastructure—including network and internet service operators—are now classified as critical entities and are subject to rigorous cybersecurity, incident reporting, and continuity of operations requirements.

In this way, under NIS2, the Internet and its key service providers hold a central role in the resilience and protection of European critical infrastructure.

https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
What is NIS2? - The NIS2 Directive https://nis2directive.eu/what-is-nis2/
Cybersecurity of Critical Sectors - ENISA - European Union https://www.enisa.europa.eu/topics/cybersecurity-of-critical-sectors
EU NIS 2 and RCE Directives for EU Critical Infrastructures https://www.openkritis.de/eu/eu-nis-2-rce-directive.html

Moreover, the NIS2 Directive explicitly includes the DNS and its providers as essential components of that infrastructure. The directive requires DNS service providers, top-level domain registries, and entities registering domain names to implement strict cybersecurity and risk management measures, guaranteeing the availability, integrity, and reliability of their services.

Under NIS2, safeguarding DNS is central to maintaining the overall resilience and security of the Internet, as a disruption or attack on DNS can impact the stability and continuity of countless other critical sectors that depend on digital infrastructure. Entities involved must report incidents, maintain accurate registration data, and cooperate with authorities to ensure a secure and trustworthy domain environment. In doing so, NIS2 strengthens the capacity of the Internet—through its DNS backbone—to serve effectively as a critical infrastructure underpinning European digital society and economy.

Best,
Ana


Enviado do meu iPad

No dia 15/11/2025, às 21:35, Ashton-Hart, Nick via wsis20 <wsis20@icann.org> escreveu:


Thanks Fiona, we’re going to have to agree to disagree here. In particular on the assertion that WSIS is not a creature of NY processes generally speaking given the opposite is true. WSIS was adopted in NY, it is reviewed in NY - not just every 10 years, but annually - and its concepts have been mainstreamed in the work coming out of NY since it was adopted by UNGA in the first instance. 

The technical follow up has traditionally largely taken place at an operational level particularly in Geneva, but nobody should be in any doubt that there is no WSIS without the UN in New York. The issues that were once siloed in WSIS have not been for many years as the resolutions I reference are only two of many, many examples.

As to your point about the public core to my way of thinking that’s neither here nor there: the discussion has been about whether the existing and recognized term, since 2004, of “critical information infrastructure” should be referenced by WSIS. 

Best, Nick

-- 
Nick Ashton-Hart
APCO
(m) +1 202 779 1072
nashtonhart@apcoworldwide.com

From: Fiona Alexander <fionaa@american.edu>
Date: Saturday, November 15, 2025 at 1:09 PM
To: Wolfgang Kleinwächter <wolfgang@kleinwaechter.info>, Ashton-Hart, Nick <nashtonhart@apcoworldwide.com>, Ashton-Hart, Nick via wsis20 <wsis20@icann.org>, Mona Gaballa <gaballa@isoc.org>
Subject: Re: [wsis20] Re: Internet Society's intervention during the WSIS+20 virtual stakeholder consultation

Thank you Wolfgang for all the helpful background and Nick for your perspectives.  I think though it helps reinforce my point.  These terms have a long fought history in the NY based cybersecurity silo, but they are not broadly used, agreed or even perhaps understood outside of that, even in the expert technical UN agencies in places like Geneva.

WSIS and all that goes with it are not creatures of the NY processes generally speaking and it is why the heading of this section is “building confidence and security in the use of ICTs” - the 2000 language which predates OEWG and I believe even the GGE cyber norms work.  Also to point out the GCSC public core norm wasn’t accepted in GGE, at least that is my recollection.

i am not sure this resolution and associated modalities provide the space to bring about a shared and agreed understanding of a what can be a loaded term.

Fiona
From: Wolfgang Kleinwächter <wolfgang@kleinwaechter.info>
Sent: Saturday, November 15, 2025 11:24 AM
To: Ashton-Hart, Nick <nashtonhart@apcoworldwide.com>; Ashton-Hart, Nick via wsis20 <wsis20@icann.org>; Fiona Alexander <fionaa@american.edu>; Mona Gaballa <gaballa@isoc.org>
Subject: Re: [wsis20] Re: Internet Society's intervention during the WSIS+20 virtual stakeholder consultation
 

External Email: Use caution with links and attachments.

Hi,
 
the term "Criticial information infrastructure" is established language in the multilateral cybersecurity negotiations under the 1st UNGA Committee and within the OEWG (now the new "Global Mechanism") since years. It has even an own acronym: "CII". This isa differentz von "critical infrastructure" (CI), that is energy, water etc.  
 
It is rooted in one of the eleven GGE norms from 2015: "States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions;".
 
The norm was more specified later, inter alia by the recommendations of the Global Commission on Stability in Cyberspace (GCSC) in 2019 which added the need "to protect the public core of the Internet".   The GCSC Final Report from 2019 proposed as an additional norm "State and non-state actors should neither conduct nor knowingly allow activity that intentionally and substantially damages the general availability or integrity of the public core of the Internet, and therefore the stability of cyberspace.".
 
The GCSC understanding of the public Internet core included both the "critical Internet ressources" (CIR) as domain names, Internet protocols, IP adresses, as discussed in the WSIS/IGF/ICANN context, as well as the whole underlying infrastructure of servers, (undersea) cables and satellites, as discussed in the various GGEs.
 
A new element in the proposed GCSC norm was, that it  calls on "state and non-state actors", that is, it went beyond the "narrow approach" of the GGEs/OEWG, which included only state actors, and supports the inclusion of non-govcernmental stakeholderrs in cybersecurity negotiations, an issue which is still unsettled in the new "Global Mechanism". 
 
Insofar it would make sense
a. to avoid new language as "critical Internet infrastructure" and to go back to "critical information infrastrutcure" (CII) and 
b. to have stronger references to the UN cybersecurity negotiations  and to call for the inclusion of non-governmental stakeholders in the new "Global Mechanism" . 
 
Wolfgang
 
  
 
Ashton-Hart, Nick via wsis20 <wsis20@icann.org> hat am 15.11.2025 15:33 CET geschrieben:
 
 
Dear Fiona,
 
I take your point but in a paragraph about international cybersecurity I don’t see that it matters whether it has been used in WSIS or not. The agreement on what constitutes critical information infrastructure in the UN context postdates WSIS, as does AI and many other things that the review is referencing.  It is also easy enough to make clear where this comes from in the text, though candidly anyone working in international cybersecurity policy in multilateral institutions will know what it means, which is the point. 
 
Best, Nick
 
-- 
Nick Ashton-Hart
APCO
(m) +1 202 779 1072
nashtonhart@apcoworldwide.com
 
 
From: Fiona Alexander <fionaa@american.edu>
Date: Friday, November 14, 2025 at 7:48 PM
To: Mona Gaballa <gaballa@isoc.org>, jen--- via wsis20 <wsis20@icann.org>, Ashton-Hart, Nick <nashtonhart@apcoworldwide.com>
Subject: Re: [wsis20] Re: Internet Society's intervention during the WSIS+20 virtual stakeholder consultation

Hi Nick
 
I would actually agree with Mona in the context of WSIS +20.  Neither the wording critical Internet infrastcture nor critical information infrastructure are commonly used phrasing in the context of WSIS.  Perhaps it might be more common in the various New York based cybersecurity workstreams.  
 
Designating something as “critical” irrespective of the additional words can carry a variety of domestic regulatory obligations depending on the national jurisdiction.  At the international level it’s not something I’ve seen used in regards to the Internet in this cluster, so as Mona’s comment highlights it doesn’t have an agreed definition, scope or shared understanding.
 
Fiona
From: Ashton-Hart, Nick via wsis20 <wsis20@icann.org>
Sent: Friday, November 14, 2025 6:07 PM
To: Mona Gaballa <gaballa@isoc.org>; jen--- via wsis20 <wsis20@icann.org>
Subject: [wsis20] Re: Internet Society's intervention during the WSIS+20 virtual stakeholder consultation
 

External Email: Use caution with links and attachments.

Thanks Mona, for sending this around, I have one concern about and otherwise excellent statement.
 
I question deletion of the reference to “critical internet infrastructure” - while the correct term is “critical information infrastructure,” protecting that as a form of critical infrastructure should be something we can all support. Critical infrastructure protection is a different order of magnitude than simply protecting infrastructure is, as critical infrastructure includes those forms of infrastructure which are necessary to life and health. 
 
I think we would all agree that the Internet is fundamental to health and welfare in the modern world. 
 
I would request that instead of deleting this phrase we simply call for the term to be corrected.
 
I am of course always open to thoughts.
 
-- 
Nick Ashton-Hart
APCO
(m) +1 202 779 1072
nashtonhart@apcoworldwide.com
 
From: Mona Gaballa via wsis20 <wsis20@icann.org>
Date: Friday, November 14, 2025 at 2:45 PM
To: jen--- via wsis20 <wsis20@icann.org>
Subject: [wsis20] Internet Society's intervention during the WSIS+20 virtual stakeholder consultation

Hi everyone,
 
Please find the Internet Society's intervention during the WSIS+20 Virtual Stakeholder Consultation on Rev1 earlier today.
Warm regards,
Mona Gaballa, Senior Advisor,  Institutional Relations
gaballa@isoc.org | +19082799933
Outlook-4s5kixou.png
internetsociety.org | @internetsociety
 

DATA HANDLING

 

For data handling questions, please view our Privacy Policy or contact us at privacy@apcoworldwide.com with any inquiries.


CONFIDENTIALITY

This email may contain material that is confidential, privileged and/or work product for the sole use of the intended recipient. Any review, reliance or distribution by others or forwarding without express permission is strictly prohibited. If you are not the intended recipient, please contact the sender and delete all copies.

_______________________________________________ Learn more about the WSIS+20 Outreach Network and review relevant resources: https://go.icann.org/wsis20 Read the public archives for this mailing list: https://mm.icann.org/pipermail/wsis20/ _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
_______________________________________________


Learn more about the WSIS+20 Outreach Network and review relevant resources: https://go.icann.org/wsis20

Read the public archives for this mailing list: https://mm.icann.org/pipermail/wsis20/

_______________________________________________
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.