The Board of Directors of The Council of European National Top-Level Domain Registries (CENTR) last week adopted the draft statement concerning the Directive on Network and Information Security (NIS). The Directive was approved by the European Parliament in March last year and at the moment is being discussed at the European Council. In particular it requires mandatory reporting about all significant cyber incidents and implementation of the strict measures of audit and reporting to ensure cyber security. Operation of the Directive is planned to the extended not only on enterprises and organizations of critical infrastructure, financial sector and large Internet providers but also participants of the domain market, namely, registries of the European national domains and domain registrars of the European countries. Earlier on they were not included in the list of organizations impacted by the Directive.
Members of the CENTR reaffirm their commitment to the principles of transparency, stability and security of the Internet and point out that they have many years of experience in combating cyber threats that they willingly share among themselves and all interested parties. However, they emphasize that the extension of the Directive in its current form on the members of the domain market may lead to serious negative consequences.
First of all, CENTR members pay attention to the fact that while affecting registries of national domains, the Directive have no impact on gTLDs which leads to violation of the principles of fair competition on the domain market. For example, domain .COM continues to be one of the most popular domains in Europe. In many European countries, for example, in France, Spain, Croatia, Ireland, Cyprus or Luxembourg, users prefer it over national domains of their countries.
The number of registered names in also not comparable. More than 100 million domains are registered in .COM domain zone, while around 4 thousand are registered in the national domain of Malta .MT. However, domain .COM is run by the American company Verisign. Verisign doesn’t fall under the jurisdiction of the EU. Therefore, it doesn’t have to apply strict security measures, that may be required for national registries of the European national domains. This is why adoption of the NIS Directive in its current form, first of all, will not protect interests of the majority of European users. Secondly, will oblige registries of the European national domains to make substantial expenditures, necessary to meet the requirements set out in the Directive. This will entail the rise in the registration fee and create benefits for gTLD registries that do not have to bear these expenses.
In addition, CENTR members pay attention to the fact that the Directive doesn’t take into account special features of the domain space structure. The highest level of hierarchy is DNS root zone, which is run by 12 organizations together, only two of them are based in Europe. So the operation of the Directive won’t be applicable to other 10.
The statement also reads that expenses needed to meet the requirements of the NIS Directive could be an unbearable burden for many European domain registrars that are relatively small companies. This might change the entire landscape of the European domain market, depriving the users of possibility to select where to register a domain name.
Finally, CENTR members indicate the uncertainty of many Directive’s wordings, that in particular relate to «critical impact» of the incidents, what measures are «appropriate» and also the concept of the name service provider. The latter in some cases could be applicable not only to domain registrars, but also to registrants themselves, including individuals that run their domains but certainly are not able to fulfill Directive’s requirements.
