NIS2 Is Coming: Is Your Domain Portfolio Ready?
The European Union’s Network and Information Security Directive 2 (NIS2) is reshaping how organizations manage and secure their online assets—including domain names. As enforcement progresses across member states, the standards for maintaining accurate, verifiable registration data are becoming stricter. For organizations with large domain portfolios, NIS2 is more than a compliance requirement—it’s a call to implement stronger governance and collaboration across teams.
Join CSC for an in-depth discussion on what NIS2 means for domain portfolio management and how to proactively adapt before regulations take full effect.
Webinar transcript
Christy: Hello, everyone, and welcome to today's webinar, "NIS2 Is Coming: Is Your Domain Portfolio Ready?" My name is Christy DeMaio Ziegler, and I will be your moderator.
Joining us today is Walt Fry and Ewa Zane. Walt is the senior director of technology for domains at CSC, responsible for developing the products and platforms that protect and optimize the domain portfolio of the world's largest companies. Ewa is CSC's senior service manager with 18 years of experience leading global TLD vendor operations. She oversees registry and vendor relations worldwide, ensuring clients stay ahead of new domain developments, product innovations, and evolving policy changes.
And with that, let's welcome Ewa, and I'm going to hand off to Walt.
Walt: Okay. Thank you, Christy. And thank you, everyone, for joining us today. Today we're going to talk about the Network Information and Security Directive, or NIS2. So it covers a lot of aspects. We're going to be talking about it today from the domain management perspective. Part of the inclusion of domain management in the NIS2 Directive now is the registration data, what was WHOIS data, registration data, depending on the protocols being used. We're going to talk about the importance of that and why the compliance is extra important now.
Of course, with any regulation comes alignment and process within an organization. So we're definitely going to cover getting your teams ready and also just the action that you need to take to look at your domain portfolio and make sure that that's ready and keeping that compliant. And then with this regulation, it really broadens out not just to your organization but also to your partners and your supply chain. So we will cover what to look for in partners and how to start that process.
So with that, Ewa, let's talk about what NIS2 actually is.
Ewa: Thank you, Walt. So yeah, before we dive deeper, let's just do a quick refresher on what is NIS2. And NIS2, as Walt said, it stands for Network and Information Security Directive. It is a directive that's introduced in the European Union, and it really establishes just cybersecurity requirements for EU companies that are deemed in this directive as critical infrastructure. It affects both companies located in the EU, but also all companies that provide services to the EU customers. So that's a very broad scope, as you can see.
Really the goal of the directive is to enhance the overall cybersecurity levels across all of the European Union. And it introduces obligations for all those critical infrastructure companies, as it mentions, and adds systemic cybersecurity regulations. It ensures that those companies have clear processes in place. It puts reporting obligations on these companies. And as with all the directives, it also comes with financial penalties for non-compliance. So it is quite important when it comes to making changes of how cybersecurity is viewed and acted on within the European Union.
The NIS2 Directive itself was adopted by the European Union Parliament all the way back on December 14th. It actually was in 2022. And that new directive was then published the same year in the official journal of the European Parliament, on December 27th, 2022.
Being a directive means it's a little bit different from a European Union regulation that you may be used to, like GDPR. That was a regulation and affected all the European countries at the same time. A directive is actually transposed into the individual European Union members' laws, which can take time overall, and it's not adopted by every single country in the same exact way. So that's an important difference here.
Based on the NIS2 Directive, this transposition into national law was supposed to take effect by October 17th, 2024, and the measures were supposed to be applied as of October 18th, 2024. And when you see 2024 here on this slide, that is the correct date. It was last year. It's not 2025. So the transposition and the implementation of the transposition was supposed to happen last year.
We are not there yet. The transposition has been delayed, with most of the EU countries still really not having fully transposed the laws into their legal systems. So as a result, this implementation of NIS2 Directive has been really taking a little bit longer than expected.
In practice, what it really means for you is that this is being extended over a longer period of time. So what you're seeing is the different extensions, especially in the domain space. And the TLD registries within the European Union are starting to adjust their policies and adjusting their domain regulations. And it's happening over time. It's not happening all at once. It's not a once-and-done type of process. We're seeing those changes coming in month over month, each registry introducing these changes at their own pace and at a slightly different way.
So being a directive, it is looking different in each of the nation states of the European Union. And as a result, the regulations of each domain registry will be slightly different, and they will be coming into effect at slightly different times. Those of you who work in the domain space most likely have noticed that, in the last year, year and a half, there have been quite a lot of changes in the regulation and quite a lot of audits in the domain extension space. And that's really a result of this NIS2 Directive going into effect in the different countries at all different times.
So that's kind of where we are today. Walt, I'll pass it on to you.
Walt: Yeah, thank you. So the NIS2 Directive expanded the definition of what is essential infrastructure and the companies that are included in that. So now domain registries and domain registrars and DNS providers, among others, are part of that directive. So registries and registrars are affected by something called Article 28, which Ewa will tell us about next. We have to implement, as a registrar, and all registrars do, a comprehensive process that accurately verifies the identity of the registrant. So you may say, "Well, this is something that, of course, was happening." But if you think about it, maybe for certain countries you were asked to prove it, maybe you were not when registering. And if those went out of compliance, maybe it wasn't such a big deal, right? And now that is becoming a very big deal.
So as I said before, with regulation come processes, and with these processes now registrars have to implement ways to prove that the identity of the registrant is verified. And essentially it is mitigating that risk of fraudulent and imposter domains. Obviously, we know what that can lead to. That can lead to phishing. That can lead to impersonation. It can lead to malware and things like that. So they're trying to cut those off at the source, which is the domain name registrant.
We're mostly going to focus on domain management today. But DNS is a big part of this. There's a different article that affects DNS. The main takeaway here is just to examine the supply chain and know who the DNS provider is. The DNS provider has to meet certain requirements. One of the biggest ones is redundancy. So any proposals that you're issuing and certainly evaluating current providers, they must meet these. It's not just a recommendation or a best practice. Your DNS provider and you, as the user of those services, must meet all of those regulations, things like redundancy. So let's hear more about Article 28, Ewa.
Ewa: Yes, let's do a little bit of a deeper dive, because this is really the article that impacts all domain holders. And while it's written for domain registrars and the domain registries, it really does affect ultimately the domain holders. So let's take a closer look here.
So Article 28 really puts specific obligations on both registries and registrars, and it puts those requirements on them. And it kind of has a little statement there that registries and registrars have to work together to make sure that there's no duplication of effort or that we're not doing the same work at the same time. And you will see that in how that article is implemented in the different registries, that sometimes it's the registry, sometimes it's the registrar that takes on the majority of these requirements.
But in general, the article is fairly simple. It adds four kind of basic things that registries, both, and registrars have to implement. And the first one of them is that both of the parties shall collect and maintain accurate and complete domain name registration data. That's not necessarily a new requirement, right? For many registries and, well, for all registries, and it's also an ICANN requirement, the requirements of the TLDs always state that the WHOIS information or the domain registration data that's being provided must be accurate and complete. So that's not a new requirement. I think what's being specified here is that that data needs to be stored in a dedicated database and that there must be due diligence in accordance with the EU policies in regards to the personally identifiable information that is being collected.
And this article further specifies that the domain data that's being collected specifically must include the registrant's name, contact, email, and phone. So those fields are specifically called out. And it also calls out that both the contacts' emails and phone numbers must be contactable or working numbers. So that's a very important element that's kind of put in the directive.
The bigger piece that Walt alluded to just a moment ago is that it really puts what's called teeth behind a standard requirement that was always there. So we always had to collect accurate and complete data. Now the directive also puts a little bit more of a process behind it, and it requires that both registries and registrars must have a verification or a validation policy and procedure in place to make sure that the data we're collecting is accurate and complete. So that's much more specific or makes the directive much more specific. And you are starting to see, and we have been seeing for a little bit now, registries and registrars both adding either steps in their process or in their procedures when setting up new WHOIS contacts, or adding new steps into place where they audit the information that's already in place or information that's being added for all new domain names. So that is an Article 28 requirement. And those policies must be publicly available by all registries and registrars that they have put into place.
In addition to this accurate and complete data collection and verification, registries and registrars must also make publicly available domain registration data that is not PII data, meaning that's not private data, and provide access to the private information, if needed, to any legitimate access seekers. So all partners that you work with, all registries, all registrars must publish their processes of how information can be obtained, and they will all specify who a legitimate access seeker is in addition to that.
Walt: Working with CSC can be a factor in that. So Ewa called out many of these items here within the discussion of Article 28, but we just wanted to reiterate because it's really important. The registrants must be valid, and they must be existing companies. So either through not being aware or benign negligence, business happens and things change, and we don't think about the domain name. Well, we do. But you may not think about the domain names needing to be updated. Now that becomes part of a compliance requirement to get that done, as well as going down to the contact level. So those contacts must be contactable. But what we've been stressing for years is that corporate domains should have corporate information wherever possible and, unless required by the registry, no individuals. And that will help to keep these names in compliance.
And then the supporting documentation may be required. And as we know, that documentation can also change and shift underneath you. And in many cases, those registries are reaching out and asking for refreshed documentation, whether they have a timeline that they've put in place for when they audit, or it's just a document that has expired because it had a natural timeline itself. The registries are doing those audits and now reaching out.
So it's important to keep updated on a regular basis. And certainly CSC, as a registrar, is going to look to do those things and help out our clients. But the thing we really want to stress, Ewa, are the consequences of not doing that, again not willfully, but perhaps just benign neglect and not thinking about it.
Ewa: That's right. The big piece and the big change we're seeing with the NIS2 implementation across the European Union is that really the audits are on an increasing basis. So both registries and registrars that manage domain names are really validating the WHOIS information. And registries are adding more and more steps into the process to make sure that they ensure that this data is current and accurate. And this WHOIS information detail there that has been potentially considered not important is now becoming critical to making sure that your domain names continue to operate.
So if the data is not updated in a timely manner, your domain name may be suspended. When we say suspended, this really means it can be put on a server hold status and taken offline, effectively meaning you can't use or operate your domain name online. And then if still not updated, or if the WHOIS information is still not brought into compliance, the end result may be that your domain may be deleted at an earlier than wanted date and you will not have access to it at all. So the WHOIS information really, really is gaining in importance, and we do highly recommend making sure you review that detail ahead of time, have a regular process in place to keep that data up to date, and check it regularly to make sure it's still current.
Walt: I think, Ewa, we've seen that happen, right? Organizations that work with us and have certain domains with us, we have seen that play out. So again, this is all very real. It is not theoretical. We have seen domains audited and suspended. And we've further strengthened our registry polling and making sure that we're receiving all those registry communications and acting on time. So there again, in terms of choosing a partner, these processes need to be in place.
Ewa: Absolutely. And at least in my job, I see audits happening on an everyday basis. So this is not an out-of-the-blue occurrence anymore. Back in the day, when I first started in the industry, we didn't see audits daily, for sure. We didn't see them as often as they're occurring today. Today, a domain validation or a domain review audit is quite a normal thing for us. We're seeing more of these happening, and we're just making sure everybody is aware that this is something that will stay and those compliance checks are here to stay.
I think what's challenging and the biggest challenge for all parties involved in domain management is that those checks and those audits are not necessarily consistent and the same for every single extension, right? Because this is a directive, as we said, it's being implemented in every single country slightly differently, and every registry within the European Union is implementing their own slightly different process for their audits. So here we have a few examples of how that may actually look in practice.
Italy is a great example. Here the registry took on the task of validating the domain registration information. Right now, Italy has fully transposed NIS2 into their legal system. The registry on the domain side implemented a compliance tool or compliance system that they call Darwin. And in that portal, they will simply flag domain names that they find to be out of compliance. They do it based on the registrant's information data. If they find that the business registration number or the VAT number of the entity that was used for registration of the domain name is no longer a valid number, or the company itself is no longer in existence, they will flag that domain in the portal. It is the registrar's responsibility to check the data, and it's the registrar's responsibility to work with the domain holders to then make sure that the name is brought into compliance.
The timelines are different here. In the case of Italy, registrants have 30 days to provide the necessary information and to update the information if needed. If not updated, that name gets suspended, and then after an additional 90 days, the domain will be deleted if it's not corrected on time. And it's not as easy to correct that information. You do have to show that the company name has changed or transitioned if the company is no longer registered. So once audited, the fix isn't as easy as simply updating the information ahead of time. So we really do again recommend checking your portfolios, updating the information before it gets out of compliance and before the companies are changed. That's just a good tip here for keeping an eye on things.
Sweden is another registry that does regular compliance checks. Sweden has an automated check against the national VAT database. They will similarly flag domain names that are out of compliance, and they also send that information directly to the registrar. So they contact the registrar partners directly through what they call EPP poll messages. It is the registrar's responsibility to make sure they can consume that information and pass it on to the registrants. And again, it's a fairly quick timeline. You have about 90 days to update that data. It's much simpler. In this case, you simply have to update it. But you have to bring the domain name into compliance within 90 days or you will lose it.
France is a slightly different model. Again, every registry has a slightly different way of doing it. In the case of the French registry, they do partner with registrars, and in our case, CSC, as the enterprise-grade registrar, we are able to have a process in place where we are responsible for doing the validations ourselves. So we do our checks. We check the registrants as they enter orders into our system. We check the data, make sure that the registrants are current and valid. We pass it on to the registry as a validated contact. And that really speeds up the registration process. There's no auditing by the registry. There's no slowdown. The domains can get registered right away because we as the registrar take on the validation.
So as you see, every partner has a different role in the process. There are registries that go directly to the registrant and do the validation directly with the domain holder. And that's also important to keep in mind because you have to make sure that the emails you list on your domain names are monitored, that there's somebody keeping an eye on the emails and taking action if or when needed.
So every single registry is different. That's the unique thing to remember here. And the timelines will differ as well, anywhere between 5 to 90 days. It's so critical to kind of be aware and have the right partners to help you through the process.
Walt: So with all that in mind, how do you make this actionable? So the first thing is obviously to have a plan. But what does that plan include? Well, you have to know what events could have an impact on your domain name information or on your company information and require updates to your domain name information. So company name changes, mergers, acquisitions, maybe entities are deregistered, all these normal things that are happening. And even if you were aware that a domain name needed to be updated in the past, it may have just been planned for the future. And Ewa just gave you those timelines. Now there are timelines that can be associated with that. So it needs to be right up there with other primary tasks when those business events happen.
The same thing can be true of trademarks. If a trademark was used for a domain registration, maybe the ownership of that trademark has changed, or the trademark expired, that is going to affect ownership of that domain name. And so the information needs to be updated. Again, the registries will be auditing that. But it's best if you can do that proactively along with your registrar.
As Ewa said, some registries may go direct. So you need to have a process and make sure that wherever those emails are going, first of all, know where those emails are going. And then wherever they're going, be it from the registry directly or from a registrar, that someone is monitoring that and in fact knows what to do with them. Information like that can often be seen as FYI, and it is not. These are compliance notices that are going to require that action be taken.
So there's DNS abuse involved. That is now under the directive. So all things related to domain management, the data that's involved in your DNS and your DNS providers, all of that is now subject to audit and then part of the compliance directive. So along with just bringing people together and everybody knowing what needs to be done and, in fact, what these notices mean, it's good for all of those people to be aware of the events that could trigger you to take action.
Ewa: That's right. And I think that awareness piece is so critical here, Walt, right? So both security and domain management, they take a village. It takes a lot of teams being aware of what's happening, both from an institute perspective and all the other changes happening in the industry. And having all those parties play together and understand their role within the process is so critical.
We mentioned it a few times before, but picking the right partners who can really help you proactively monitor the space is critical. New regulations and changes in the TLD space are literally happening on a weekly and daily basis. It's really hard to keep up on all those changes on your own. So make sure that the partners you work with, your registrars have good processes in place to monitor for those changes and to keep you updated when the changes do occur. If your partners can help you proactively audit your domain name portfolio or make sure that all your names are in compliance, that is really the best way to go. Do the proactive checks first. Make sure that you are ready for any changes that may be coming your way.
We mentioned that a little bit earlier, but a lot of the checks happening by the registries now are automated. So the registries do connect to either VAT or business registration databases and automatically do checks on their entities. So make sure you partner with companies who can, number one, help you through this process and maybe can help take on some of that validation process on their end. We mentioned France where we do it. We do it for a number of extensions where CSC can take on that validation role and help you really streamline and speed up the entire registration process.
I know it's a lot. It's a lot of things we said, but on a very, very basic level, I think it's just important to help your internal teams connect the dots, and that's really what's most important. So if a company name changes or if your company rebrands, that will have an impact on your domain portfolio. So it's important to make sure that the different parts of your organization that deal either with the legal process of changing company names or maybe if you're just moving an address, that all those things connect and there's a way to feed that information back into your domain name portfolio.
So if your company name changed, if your company address has changed, if you're rebranding maybe and starting to use a new email address and that information for your company has changed as well, all of that information needs to then be translated into your domain portfolio. Same thing when you do a trademark change. So if your company name changed, are you updating all your trademarks to the new ownership as well? With all those things, you must then also take a look at your domain name portfolio and make sure that the domain names themselves are updated and that your WHOIS or registration data information is updated at the same time.
So make sure you help the teams connect the dots. Good to have an established process within your organization that allows all the different teams to be aware of whom to reach and when, when they're making updates to organizations, and really help them understand the impacts. The information can no longer sit and be unchanged for years. The registries are proactively auditing, and they are proactively making sure that those changes are reflected in the domain space as well because now there's that real policy directive that's in place that enforces it and potentially puts financial penalties if that data continues to be out of sync. So lots of little dots to connect. But we hope that this brings it for you a little bit more together into one picture.
Walt: So very quickly, within our organization, obviously, we're making sure that we're sharing the information, that all the information is up to date, and proactively monitoring registries for changes that are happening there while they're auditing, making sure we're understanding where action is needed. But of course, we need all of you as CSC customers to be partners in that when those business events happen on your side. So from the registrar side, there are proactive audits that are happening, processes that are being put in place that can be tracked. So we had processes in place before to do verification of contacts, and we pre-seed contacts in the system so everything is not being free-formed. But now that process is being tightened even further.
And from the DNS side of things, we've always been an enterprise-class DNS provider. That is just becoming more and more important, as well as continuing to offer more and more features in more and more advanced ways, such as DNSSEC and anything that can further provide that redundancy and that security on the DNS side.