EU NIS2 Directive: Security Duties for Registries and Registrars

The European Union’s NIS2 Directive, formally known as Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union, represents a major regulatory evolution in the EU’s digital policy framework. Replacing the original Network and Information Systems Directive (NIS1), NIS2 significantly expands both the scope and depth of obligations for entities deemed essential or important for the functioning of the digital ecosystem. Among the sectors newly brought into sharper focus are domain name system (DNS) service providers, including domain registries and registrars. These entities now face a comprehensive set of cybersecurity, risk management, and incident notification duties under NIS2, with major implications for both operational standards and legal liability.

NIS2 was enacted in response to the EU’s recognition that the increasing digitalization of critical services and the growing sophistication of cyber threats required a more robust and harmonized regulatory approach. One of the directive’s core aims is to ensure that vital digital infrastructure—of which the DNS is a central component—is resilient to security risks, operational failures, and malicious attacks. To that end, Article 28 of NIS2 explicitly includes top-level domain (TLD) name registries and domain name registration service providers (registrars) as entities within scope. This recognition codifies their role as critical infrastructure providers whose failure or compromise could have wide-ranging consequences for the functioning of the internet and digital services across the EU.

For domain registries—organizations responsible for managing specific TLDs such as .fr, .de, or .eu—the directive imposes sweeping security obligations. These include implementing appropriate and proportionate technical and organizational measures to manage risks posed to the security of network and information systems. These measures must ensure the confidentiality, integrity, availability, and authenticity of their services. Practically, this means adopting state-of-the-art security protocols, intrusion detection systems, resilient backup and recovery capabilities, and comprehensive access control mechanisms. Importantly, these requirements are not static; registries are expected to regularly review and update their risk management strategies in light of evolving threat landscapes and emerging best practices.

Registrars—entities that sell and manage domain name registrations for end users—are similarly bound by NIS2 obligations. In addition to the security measures mentioned above, registrars must ensure that data integrity and availability are maintained throughout the lifecycle of a domain registration. This includes safeguarding customer data, protecting registrar systems from unauthorized access, and ensuring that registration services remain operational even during cyber incidents. Of particular importance is the secure handling of WHOIS data and customer verification processes, which have become high-value targets for phishing, impersonation, and domain hijacking attempts.

One of the most impactful provisions of NIS2 is the enhanced duty of notification. Registries and registrars are now required to notify the competent national authority or CSIRT (Computer Security Incident Response Team) without undue delay—no later than 24 hours after becoming aware of a significant incident that has substantial impact on the provision of their services. The notification must include an initial assessment of the incident, its impact, and the mitigation measures taken or planned. This timeline imposes a strict operational discipline on DNS service providers, requiring them to have real-time monitoring, rapid assessment capabilities, and pre-established incident response plans in place. In severe cases, the notification must be updated within 72 hours with a more detailed analysis and final report.

Another major innovation under NIS2 is the requirement for supply chain risk management. Registries and registrars must assess the security of products and services they rely upon from third-party providers, especially when those services are essential to DNS functionality. For instance, outsourcing DNS resolution or domain management tools to cloud vendors or third-party software providers now carries regulatory oversight. This aspect of the directive forces DNS service providers to expand their cybersecurity scope beyond their immediate systems and adopt a more holistic risk posture.

To ensure compliance, NIS2 grants substantial enforcement powers to national regulators. Authorities can conduct audits, request documentation, inspect facilities, and impose administrative fines for non-compliance. While the exact fine amounts are determined by national transposition laws, the directive requires that the maximum fine available to regulators be at least €10 million or 2% of the total worldwide annual turnover, whichever is higher. This penalty regime is modeled on the General Data Protection Regulation (GDPR) and underscores the seriousness with which the EU treats cybersecurity in essential services.

Importantly, NIS2 introduces obligations not only on cybersecurity but also on governance and accountability. Registries and registrars must ensure that their management bodies are trained and aware of their responsibilities under the directive. This includes understanding how cybersecurity fits into broader risk management frameworks and being involved in major security-related decisions. The directive also encourages these entities to participate in information-sharing networks and sector-specific threat intelligence collaborations, promoting a collective defense posture among internet infrastructure providers.

From a practical standpoint, the implementation of NIS2 will require domain industry actors to undertake detailed compliance reviews, upgrade their technical infrastructure, refine their operational procedures, and train staff at all levels. For some registrars, particularly smaller or mid-sized ones, the investment needed to meet NIS2 standards may be substantial. However, the long-term benefits include improved security resilience, reduced risk of operational disruption, and greater trust from customers and regulators alike.

NIS2 is scheduled to be fully transposed into national law by EU Member States by 17 October 2024. This means that registries and registrars operating within the EU—or offering services to EU customers—must begin preparing for compliance well in advance. Many national regulators have already issued guidance and begun consultation processes to tailor the directive’s provisions to domestic legal and administrative systems. Cross-border service providers must also account for variations in enforcement and interpretation among Member States, even though the directive seeks to harmonize the overall cybersecurity framework.

In conclusion, the NIS2 Directive marks a significant turning point in the regulatory treatment of domain registries and registrars within the European Union. By classifying these entities as essential to digital infrastructure, and by imposing rigorous and enforceable cybersecurity duties, the directive elevates the standards of operational security, accountability, and resilience in the DNS ecosystem. While the transition to full compliance will require strategic investment and operational diligence, the end result will be a more secure, robust, and trustworthy internet environment for all EU stakeholders. For registries and registrars, aligning with NIS2 is no longer just a best practice—it is a legal and strategic imperative.