Jasmina Meiser
Marketing Manager

NIS2 and Its Impact on the Domain Industry

In the following article, we’ll explore what the NIS2 Directive is, what it means for organizations, the key changes it brings, and how it affects the domain name industry.

What Is NIS2 and Why Is It so Important?

NIS2 entered into force on January 16, 2023, and is currently in the process of being transposed into national laws by the EU member states. It is the second EU directive on network and information security and replaces the previous NIS1 directive.

The NIS2 directive is EU-wide cybersecurity legislation designed to establish a high common level of cybersecurity across all member states. It has been developed to address the growing threats of digitalization and the increase in cyberattacks. Compared to NIS1, the scope of NIS2 has been extended: a broader range of entities and sectors is required to implement measures that will strengthen Europe’s cybersecurity robustness in the long term.

EU member states must incorporate the NIS2 directive into national law by October 17, 2024, but depending on those national laws, additional time for implementation may be granted. The absence of specific requirements for the wording or implementation of these laws could result in 27 different versions within the EU.

The NIS2 directive is an important instrument for strengthening the resilience and security of the critical infrastructure in the EU. Its objectives include promoting cross-border cooperation and establishing a culture of risk management and prevention.

Read more on the ENISA website.

Who Does NIS2 Affect?

NIS2 requires companies that fall within the scope of the directive to take appropriate and reasonable technical and organizational measures to effectively counter cyber threats. Moreover, they are required to adopt preventive measures to reduce the impact of security breaches, an obligation relevant for all medium-sized and large organizations. Non-compliance may lead to substantial financial fines and damage to reputation.

The NIS2 directive applies to a wide range of organizations and companies, including critical infrastructure operators, digital service providers and public administrations. It covers multiple sectors vital to the EU’s digital stability and welfare, including energy, transportation and traffic, drinking water, wastewater, telecommunications, banking and healthcare. To address cybersecurity threats, minimize vulnerabilities, and improve digital resilience, these entities are required to comply with the strict standards and practices established by the NIS2 directive.

Under the currently proposed German draft implementation law, nearly 30,000 companies in Germany will be required to take additional cybersecurity measures, and there will be increased oversight by the Federal Office for Information Security (BSI) with a three-tiered reporting system for security incidents.

More information about critical infrastructure.

Effects on the Domain Industry

Article 28 in particular is of great importance to the domain industry as providers of digital services. It emphasizes the need for Top-Level Domain (TLD) registries and domain registration service providers (which includes the entire domain registration value chain, including resellers, proxy or privacy service providers, etc.) to collect and maintain accurate and comprehensive data regarding domain name registrations and registrants. They must develop and implement policies and procedures that guarantee the accuracy and completeness of the information in their domain registration database. The actual impact of these obligations will depend on how each EU member state implements the new legislation into its national law, but it is already clear that additional verification of registration data will become necessary.

The affected registries are already working hard on plans to implement the directive. Most European registries are taking a risk-based approach, triggering data verification in the event of irregularities in the holder data, while others require the submission of fully verified and accurate data at the time of the registration of a domain name. Ideally, the verification of the holder data should be performed by those parties with the closest direct contact with the domain holders.

Please note that NIS2 also imposes special responsibilities and additional obligations on all parties providing DNS services, regardless of size or number of zones administered. Therefore, it may be beneficial to consider outsourcing such services.

Rest assured that the implementation of the NIS2 directive and its regulations is our top priority, not only in the domain registration area, but in all other areas of security within the company.