Back

NIS2 is coming: what should EU domain resellers do?

Author: Valeria van der Poel
0 MIN READ TIME
10/9/2024
Domain Security News
nis2 is coming: what should EU domain resellers do?

In response to the growing number and complexity of cyber threats, the European Union is implementing new regulations to strengthen the security of essential digital assets. The NIS2 Directive, announced in late 2023, aims to safeguard critical infrastructure by establishing new standards for organizations across the EU – including domain registrars, domain resellers, and DNS providers. Among its many requirements, the directive mandates accurate domain holder data and ensures the functionality of email addresses and phone numbers.

In this article, we break down what the NIS2 Directive means for domain owners and resellers in the European Union, and what changes you can expect starting in October 2024.

What is the NIS2 Directive?

The NIS2 Directive (Network and Information Security Directive) is part of the EU’s initiative to strengthen cybersecurity and protect critical infrastructure across critical sectors. An expansion of the original NIS Directive, the NIS2 Directive broadens its scope to include more industries and organizations that provide essential services, including domain registrars and DNS providers. Other industries that are affected by NIS2 range from energy and transport to healthcare and banking.

With regards to the domain industry, a key element of NIS2 relates to the maintenance of accurate domain registration data, ensuring that registrants’ contact information—such as email addresses and phone numbers—is verified and up-to-date. This step helps mitigate cybersecurity risks by making it easier to contact domain owners if issues arise, reducing the risk of unauthorized access, and preventing misuse of domains.

NIS2 also aims to promote more effective cross-border cooperation in Europe, enabling faster and more coordinated responses to cyber threats. By implementing these standards, the EU hopes to create a safer digital environment, ensuring that businesses, governments, and individuals are better protected against growing cyber threats.

How does the NIS2 Directive affect domain resellers and owners?

The NIS2 Directive comes with several changes that will affect the way that resellers and owners register and manage domains. In this blog post, we break them down by category.

If your domain reselling business is running on an API, changes in domain registration and owner verification processes may break your existing code. It is vital to make sure that any code-breaking changes are applied well in advance and that you inform your customers about these updates to minimize the support load on your teams. We recommend you also review your legal terms and include clauses that ensure that the registration data linked to a domain name submitted is always accurate, complete, and up-to-date.

Below, you can find an overview of the different changes related to the NIS2 Directive.. 

Domain owner email verification

Starting October 14, 2024, we will enforce email verification at Openprovider for specific TLDs affected by the NIS2 Directive. This will apply during new domain registrations, incoming transfers, and contact updates (including domain ownership changes).

The following TLDs will require email verification:

  • Austria: .at, .co.at, .or.at.
  • Denmark: .dk.
  • Finland: .fi.
  • France & Overseas Territories: .fr, .pm, .re, .tf, .wf, .yt.
  • Germany: .de.
  • Italy: .it and all corresponding 3rd level domains.
  • The Netherlands: .nl, .amsterdam (Postponed until Q3 2025)
  • Poland: .pl and all corresponding 3rd-level domains.

Starting October 14th, domain owners whose emails are not yet verified at Openprovider will receive an email to verify their email address by clicking a link. This verification is required only once per email. If the domain owner fails to verify within 14 calendar days, any domain(s) linked to that email will be suspended.

This process aligns with existing ICANN policy, so as a domain owner, you are likely familiar with this from gTLDs and from .se and .nu domain registrations at Openprovider. The emails are white-labeled with your brand. Detailed information can be found in this Knowledge Base article.

Email verification will still be required for domains already registered before October 14th, but no suspensions will occur before January 15, 2025, to avoid disruptions. After this date, however, any domains with unverified email addresses will be suspended.

TLD-specific changes by the registries

.be (DNS Belgium)

DNS Belgium will start applying the below new validation rules for contact handles when registering, updating, or modifying the domain owner with either a new or existing contact handle:

  • Name, organization, street, and city: Each must contain at least one alphanumeric character.
  • Street and city: May not be identical.
  • Postal code: Must follow the correct syntax for the registrant’s country code. For countries without postal codes, use ‘0000’ or ‘00000’.
  • Phone number: The phone prefix must be of the correct length.
  • VAT: Mandatory for organizations. ‘PENDING’ can be used if applicable. If entered, VAT must follow the correct syntax for the registrant’s country code.
  • Text format: The exact regular expressions have been provided by DNS Belgium. You can find them in these CSV or json files.

If the information on the contact handle does not pass these validation criteria, the operation will not succeed, resulting in an error.

This change was originally set to go live on October 14th but has since been postponed by the registry. We will keep you updated about when these changes will go live.

.eu, .ею, .ευ (EURid)

EURid, the registry for .eu and its IDN variants, has already introduced an owner verification process directly between them and the domain holder. As a reseller, you need to ensure from your side that:

  • The registrant for whom you register a .eu or its IDN variant domain name has accepted the rules and regulations set forth by EURid.
  • The registrant confirms that the domain name is registered in good faith and does not infringe the rights of any third party.
  • The registrant meets the eligibility requirements set out in the EURid rules.

After registration, the registrant will receive an email directly from no-reply@eurid.eu, indicating that EURid has initiated the verification of their domain. The registry will send multiple reminders to the registrant to complete the verification process. If the verification is not completed within the specified deadline, the domain name will be suspended.

To complete the verification, the registrant needs to log in to their panel here and follow the instructions provided by EURid to complete the verification.

.de (DENIC)

DENIC, the registry of .de domains, has announced that the phone number will be a mandatory field while registering a .de domain. This has always been mandatory with all contact handles at Openprovider, so for domain owners at Openprovider, this will not change.

DENIC will check for a phone number during Create, Update, Trade, and Transfer processes. More technical changes will follow here as the registry is working on the same.

Changes in Whois Privacy Protection for specific TLDs

This change applies to .barcelona, .cat, .eus, .gal, .madrid, .radio, .scot, .sport, .swiss, .xn--80asehdb (.онлайн), .xn--80aswg (.сайт), and .xn--mgbab2b (باار.)

As of October 1st, 2024, you are no longer able to add Whois Privacy Protection to new registrations of the aforementioned TLDs. It’s also no longer possible to renew your existing Whois Privacy Protection services for the aforementioned TLDs. Your active Whois Privacy Protection services for these domains will remain active until their expiration date.

For the registry and for other people and organizations, having the true registrant’s details in the register is an important step toward preventing abuse and verifying their identity.

With this change in policy, please make sure that the contact information associated with your domain(s) is accurate and up-to-date. We recommend you take a look at your contact information and update it if needed.

Future changes and compliance with the NIS2 Directive

Please note that this is just the first step in our efforts as a registrar to comply with the NIS2 Directive. Many countries and registries are still in the consultation phase regarding TLD-specific changes related to the verification of domain registrant data.

As a result, you can expect additional updates for each affected TLD in the future, as they become available to us. Rest assured, the Openprovider team will communicate these changes to you in advance, allowing you to adapt your systems accordingly and avoid any unnecessary delays.

If you have any questions about this, please contact our support team.

0 Views
0 Likes

Share this:

More Topics Like This

Understanding the spam lifecycle: how to keep it away from inboxes

Today, over 45% of all email traffic is spam. And that isn’t just an inconvenience; it’s a security risk that’s growing every year.

Read more

Openprovider x Offlimits: The shared road to a cleaner internet

Openprovider talks to Offlimits about the risks facing web hosters in the areas of illegal content such as child sexual abuse material (CSAM)

Read more

Follow us on

Not a Member yet?

Become a Member today and get access to exclusive deals.