The digital landscape is evolving rapidly, and with that, the regulatory environment is becoming stricter to protect businesses, individuals, and governments from the growing threats of cybercrime.

One of the most significant developments in this space is the European Union’s NIS2 Directive (Network and Information Security Directive 2), which introduces new obligations for online service providers. Among its many provisions, Article 28 places a spotlight on Know Your Customer (KYC) processes for domain name registrants.

In this article, we will explore how NIS2 and Article 28 impact domain registration, why KYC is now more critical than ever, and how domain registrars must adapt to ensure compliance while enhancing cybersecurity. But first, a quick review of the NIS2 Directive.

What is the NIS2 Directive?

The NIS2 Directive, adopted by the European Union in 2022, updates and strengthens the original NIS Directive (2016), which aimed to improve cybersecurity across the EU by requiring essential service providers (like Energy, Healthcare, and Transportation) to adopt more stringent security measures.

NIS2 expands the scope to include a wider range of sectors, including Digital Infrastructure Providers, which notably covers domain name registrars and DNS service providers. The aim is to protect critical infrastructure and digital services from cyber threats like ransomware, data breaches, and supply chain attacks. 

When it comes to the responsibilities and obligations of domain name registrars and DNS service providers, special attention must be paid to Article 28.

Article 28: A Specific Focus on Domain Name Registration

One of the standout sections of NIS2 for domain name registrars is Article 28, which addresses the accountability of domain name registrars and DNS service providers. It mandates that these providers must gather, verify, and, in some cases, disclose accurate and complete information about their customers - particularly the domain name registrants.

Article 28 introduces the "Know Your Customer" (KYC) principle into the domain name registration process, requiring domain name registrars to know exactly who is registering a domain name and ensure that the registrant’s identity is legitimate.

Key takeaways from Article 28:

  1. Accurate Registrant Information: Registrars are responsible for ensuring that domain name owners provide valid, up-to-date personal and organizational information.

  2. Verification: Registrars must implement mechanisms to verify the identity of registrants, whether physical individuals or legal organizations, at the point of registration procedure.

  3. Accessibility of Data: Law enforcement and other competent authorities must have access to domain name registrants' data for investigations or cybersecurity purposes.

These measures aim to curb the misuse of domain names for malicious activities, including phishing, botnet control, and fraud. By enforcing KYC, Article 28 seeks to diminish the anonymity often exploited by cybercriminals. 

The Importance of KYC for Domain Name Registrants

The introduction of KYC for domain name registrants is a significant step toward improving online security and transparency.

Here’s why KYC is essential in this context:

Combatting Cybercrime

Cybercriminals often use false or anonymous information when registering domain names, allowing them to operate with impunity. Rogue domain name registrations are commonly used for:

  • Phishing attacks: Malicious domain names that mimic legitimate sites to steal personal or financial information.

  • Malware distribution: Domain names that host or distribute malware, including ransomware or spyware.

  • Command and Control (C2) servers: Domain names used to control botnets, which can conduct DDoS attacks or massive spam campaigns.

By enforcing KYC, registrars can prevent the use of fake or stolen identities, making it harder for criminals to hide their activities.

Accurate registrant data will provide a trail that law enforcement agencies can follow, improving the chances of identifying and stopping cybercriminals before considerable damage is done.

Enhancing Trust in the Domain Name Ecosystem

KYC practices promote transparency and accountability, which in turn strengthen trust in the digital domain name ecosystem. When registrants provide accurate, verifiable information, it reduces the number of bad actors exploiting the system. This is critical for online businesses, users, and service providers who rely on a secure and trustworthy domain name infrastructure.

For legitimate businesses, KYC helps reduce domain name spoofing and other tactics that cybercriminals use to impersonate trusted brands. This not only protects brand reputation but also boosts consumer confidence in online interactions. 

Compliance with Regulatory Requirements

The NIS2 Directive and Article 28 represent a move toward stricter regulation of domain names. Domain name registrars who fail to comply with the KYC requirements will risk facing penalties or even losing their ICANN accreditation.

By implementing proper KYC processes, registrars can ensure compliance not only with the NIS2 Directive but also with other regulatory frameworks, such as the General Data Protection Regulation (GDPR), which governs data privacy in the EU. Registrars must find a balance between meeting KYC requirements and protecting user privacy, particularly when sharing information with law enforcement or other entities.

Preventing Domain Name Abuse

Domain names with false or anonymous registration details are more likely to be flagged for malicious activities. By verifying the identities of registrants, registrars can significantly reduce domain name abuse. This contributes to better domain name reputation scores, which helps both end-users and search engines identify legitimate sites, making the internet safer.

How Domain Name Registrars Should Implement KYC

To meet the requirements of NIS2 and Article 28, domain name registrars must adopt effective KYC mechanisms.

Here are some key steps they can take:

  1. Identity Verification Tools: Registrars can integrate automated identity verification tools that authenticate a registrant’s identity at the point of registration. These tools could include checks such as government-issued ID verification, corporate registration documents, or cross-referencing against known databases.

  2. Continuous Monitoring: Registrars should not only verify information at the time of registration but also perform periodic audits or checks to ensure that registrant information remains accurate over time.

  3. Collaborating with Law Enforcement: Registrars should establish clear processes for securely sharing registrant data with law enforcement when required by investigations or cybersecurity incidents, in compliance with privacy laws.

  4. Transparency for Customers: Registrars should inform their customers about the KYC requirements and the reasons behind them, offering assurance that the processes are in place to enhance security without compromising privacy unnecessarily.

  5. Data Security: Given that KYC involves collecting sensitive information, registrars must implement stringent data protection measures to safeguard registrant data from breaches or unauthorized access, in line with GDPR and other privacy regulations.

Conclusion

The introduction of the NIS2 Directive and Article 28 marks a turning point for the domain name industry. By enforcing KYC processes for domain name registrants, the EU aims to improve transparency, accountability, and security in the digital world. Domain name registrars now have a critical role to play in combatting cybercrime by ensuring that the domain names they manage are not anonymously controlled by malicious actors.

Implementing robust KYC mechanisms not only helps registrars comply with NIS2, but also contributes to the broader goal of creating a safer and more trustworthy internet for all.

 

Need help navigating NIS2 and all the necessary changes for compliance?

Contact us for a free consultation: