ICANN78 Day Zero Workshop: NIS2 Directive – Impact on the DNS Industry

eco – Association of the Internet Industry

invites you on Friday, 20 October for a Day Zero Workshop at ICANN78 in Hamburg to discuss the legislation that impacts the domain name industry in the European Union followed by an informal reception.

Please note, space is limited and registration is required.

A separate registration for the ICANN78 meeting is required to attend.

We look forward to welcoming you!

The NIS2 Directive is the EU-wide legislation on cybersecurity. It provides legal measures to increase the overall level of cybersecurity in the EU.

The EU cybersecurity legislation, which was introduced in 2016, was updated by the NIS2 Directive, which came into force in 2023. It modernized the existing legal framework to keep pace with increasing digitization and the evolving cybersecurity threat landscape. Extending the scope of cybersecurity rules to new sectors and entities will further improve the resilience and responsiveness of public and private entities, competent authorities and the EU as a whole.

In addition to its impact on the cybersecurity sector, the NIS2 Directive has implications for domain name registrations in the European Union. Article 28 of NIS2 contains requirements for domain name registrations, in particular registration data.

What makes NIS2 a challenge for the domain industry is its directive nature. A directive is a piece of legislation that sets a goal that all EU countries must achieve. However, it is up to the individual countries to develop their own laws on how to achieve these goals. This could potentially result in 27 different procedures for validating domain name registration data. Given that the domain name industry is a global ecosystem of domain name registries, registrars, resellers, etc. interacting with each other, validation procedures should follow proven industry best practices. The implementation of NIS2 by individual member states of the European Union should avoid the definition of 27 different processes.

The clock is ticking. The updated NIS2 Directive entered into force on January 16, 2023. Member States now have until October 17, 2024 to adopt new legislation to comply with NIS2. Businesses need to consider how the extended new regime will affect them, as it will take time to put compliant structures in place, and they will need to consider NIS2 jurisdictional rules in their compliance plans, contracts and relationships with third parties they rely on to protect their assets.

9:00am CET
Registration & Coffee

10:00am CET
Welcome to Part 1, Introduction & Methodology

10:15am CET
Introduction to NIS2 and Art. 28 – Requirements & Expectations

National legislative bodies are already working on draft legislation to implement the NIS2 Directive in their respective countries. What are the objectives and intentions of Art. 28 and how much guidance can the European Commission provide to national legislators? This session will provide an overview of the requirements of the NIS2 Directive with a focus on Art. 28 and its expectations.

Report from the GAC NIS2 Coordination Group

As NIS2 is a Directive, it is up to individual countries to enact their own legislation to achieve its objectives, including Art. 28. This could potentially result in 27 different procedures for validating domain name registration data. The NIS2 Coordination Group is discussing the various national approaches and proposals. This session will provide an update on the status of the group's work, including the two task forces working on validation and legitimate access.

National Draft Legislative Proposal(s)

NIS2 must now be transposed into national law by national legislators by 17 October 2024 and will apply from 18 October 2024. As a result, proposals for national legislation are already in the pipeline. This session will analyse and discuss selected draft proposals from different EU Member States in order to understand the national legislative processes and implementing legislation.

More details coming soon.

11:20am CET
Multistakeholder Organizations

The language of NIS2 refers to multi-stakeholder organisations. In this session we will discuss the interplay between national/regional legislation and the global multistakeholder model, including ICANN, where community policies are already in place.

11:50am CET
Summary of the morning

12:00pm CET
Lunch break

13:00pm CET
Welcome to Part 2

13:15pm CET
Will Art. 28 be effective against DNS Abuse?

Recital 110 states that “The availability and timely accessibility of domain name registration data to legitimate access seekers is essential for the prevention and combating of DNS abuse, and for the prevention and detection of and response to incidents.” How effective is the use of domain name registration data in combating DNS abuse? What other complementary measures are there?

Operational & Implementation Challenges

TLD name registries and the entities providing domain name registration services will be required to have policies and procedures in place, including verification procedures, to ensure that databases contain accurate and complete information, to make domain name registration data that is not personal data publicly available, etc.

What are the best practices and challenges in implementing and operating the required policies and procedures and what are the implications at the national, EU and global levels? Will EU-based companies be at a commercial disadvantage in the future? These and other questions will be discussed in this session.

15:00pm CET
Coffee break