On May 12th, European legislators head into their final trilogue negotiations around the NIS2 Directive. This week, the Internet Infrastructure Coalition (i2Coalition) shared guidance found below with negotiators, focused on the Directive’s Article 23. i2Coalition has been detailing our concerns about Article 23 before even their public consultation in March 2021. The global multistakeholder model (MSM) was specifically designed to coordinate the management of globally architected systems, to avoid problematic outcomes where globally architected systems had differing or conflicting requirements based on specific jurisdictions. Bypassing the MSM for one area of DNS policy carries a significant risk of undermining the entire MSM and leading to a breakdown of globally coordinated policy development.

We believe that as currently drafted, the unclear requirements under Article 23 will lead to inconsistencies and conflicts between Member States about what the requirements for companies within the domain name industry should be. Such inconsistencies will have the adverse effect of creating a varied and unpredictable experience for those parties that seek to legitimately access registration data across different jurisdictions. We encourage negotiators to work toward a central goal of providing sufficient clarity to foster cohesive translation into national law, and avoid the anticipated difficulty of complying with 27 different regulatory guidelines from 27 different Member States interpreting things without sufficient guidance or clarity. We encourage those who share our concerns to voice them quickly to EU trilogue negotiators.

May 11, 2022

Re: NIS2 Directive Article 23 Concerns

Dear MEP B. Groothuis; MEP E. Maydell; MEP E. Kaili; MEP R. Andresen; MEP T. Mariani; MEP E. Tošenovsky; MEP M. Matias;

Dear Minister O;

Dear Executive Vice-President Vestager and Commissioner Breton:

Founded in 2012 by a diverse group of Internet infrastructure companies, the Internet Infrastructure Coalition (i2Coalition), is a global organization that supports and represents the companies that build and maintain the Internet’s infrastructure. The i2Coalition writes to share our remaining collective concerns regarding NIS2 Directive Article 23, as you head into final trilogue negotiations on the 12th of May.

We appreciate and greatly support the work that has been done on the NIS2 Directive, to bring clarity to cybersecurity and reporting requirements. Our concerns center around the continued need for clarity and precision in the language of Article 23. We are concerned that Article 23 as currently drafted could create significant compliance challenges for registries, registrars, and other entities in the supply chain of providing domain registration services. Depending on implementation requirements, very few existing systems are currently designed to facilitate the verification requirements this directive proposes.

As a starting point, the language in Article 23 fails to recognize the different roles that registries, registrars, and other entities providing registration services occupy within the Domain Name System (DNS), specifically as it pertains to registering a domain name and processing the personal data of domain registrants.

For example, registries do not need registrant data to perform DNS registration and resolution functions, and not all registries collect the personal data of domain registrants. Further, because registrars generally have the most direct contractual relationship to domain name registrants, they are much better positioned than registries to perform verification or validation of the accuracy of registration data and thus the imposition of that requirement on registries would be duplicative without providing any additional benefit. Please ensure that a final directive recognizes that domain registries and registrars do not collect and store the same data, and as such, makes explicit the type of domain name registration data that would fall under its obligations, and which obligations apply to each entity.

Please also ensure that a final directive provides guidance on how an obligated entity can comply in a way that is fully in line with data minimization and other data protection principles enshrined in the GDPR, and please provide sufficient guidance to those entities so that they can begin to build systems that can comply, while still being compliant with GDPR. We will also require further clarification as to what justified requests for such data would be. We recommend guidance that legitimate requests under NIS2 be limited to requests from national competent authorities as designated by Member States. This level of clarity is essential in order not to lead to an overly broad regulation.

We believe that as currently drafted, the requirements under Article 23 will lead to inconsistencies and conflicts between Member States about what the requirements for companies within the domain name industry should be. Such inconsistencies will have the adverse effect of creating a varied and unpredictable experience for those parties that seek to legitimately access registration data across different jurisdictions. Indeed, the central goal of further negotiations should be to foster cohesive translation into national law. The directive as written would unduly burden European-based companies, lessening their ability to compete at the international level.

This anticipated difficulty of complying with 27 different regulatory guidelines illustrates a larger problem with Article 23. The global multistakeholder model (MSM) was specifically designed to coordinate the management of globally architected systems, to avoid problematic outcomes where globally architected systems had differing or conflicting requirements based on specific jurisdictions. The ICANN MSM is the appropriate avenue for creating policy and requirements like those found in Article 23. Bypassing the MSM for one area of DNS policy carries a significant risk of undermining the entire MSM and leading to a breakdown of globally coordinated policy development.

Introducing regulation that specifically instructs DNS entities on how to perform their functions disrupts the ICANN policy development process. What we need and respectfully request from you now, is sufficient clarity in the Article 23 requirements that: (a) assign appropriate obligations to the different parties involved in the supply chain of domain name registration services; and (b) lead Member States toward one consistent implementation requirement rather than leaving open the risk of 27 variations. This added clarity will significantly reduce confusion surrounding the implementation challenges faced by parties, and improve overall consumer experience.

Once the final text is adopted, please encourage Member States to engage with industry in implementation of the directive.

We appreciate the opportunity to provide our comments on the EU legislative process on the NIS Directive.

Sincerely, Christian Dawson Executive Director, Internet Infrastructure Coalition