Making Sense of the Registry Code of Conduct 2027 Draft

The 2027 draft of the Registry Code of Conduct (CoC), released in anticipation of the next round of new gTLD applications, represents one of the most significant updates to ICANN’s contractual framework since the 2012 new gTLD program. Designed to address new realities in DNS governance, vertical integration, data protection, and registry accountability, the revised CoC is intended to provide clarity and enforceable standards across an increasingly diversified and commercially complex registry ecosystem. For both prospective applicants and existing registry operators, understanding the nuances of the 2027 draft is critical, as it introduces new expectations around operational independence, non-discriminatory access, brand protection, and public interest commitments in a post-GDPR, post-centralization era.

At the core of the 2027 draft is a refined articulation of separation between registry operations and registrar activities, particularly in cases of vertically integrated operators. The original 2013 CoC included provisions to prevent anti-competitive behavior, ensuring that registries did not favor affiliated registrars or use privileged information to disadvantage competitors. While those principles remain intact, the 2027 draft expands the definition of discriminatory access to include algorithmic pricing, data-informed marketing exclusives, and delayed provisioning for unaffiliated registrars. The new language requires registry operators to demonstrate not only formal neutrality but operational equality, including through documentation of registrar onboarding timelines, standardized SLAs, and equitable API access. This is a response to long-standing concerns that certain vertically integrated operators—especially in high-volume or speculative gTLDs—have used backend leverage to shape registrar ecosystems in ways that subtly suppress competition.

Another major update concerns the treatment of sensitive data. The revised draft incorporates language informed by GDPR, CCPA, and a broader trend toward data minimization and registrant privacy. Registry operators are now expressly prohibited from using WHOIS or registry-level transaction data for profiling, behavioral analytics, or downstream commercial targeting, unless explicit consent mechanisms and data processing disclosures are implemented. This affects operators that previously leveraged registry logs or DNS query patterns to enrich customer profiles or upsell services through registrar partners. The CoC 2027 draft makes clear that registry infrastructure is not to be exploited for marketing surveillance, signaling a stronger division between infrastructure utility and commercial intent.

The draft also introduces a new framework for evaluating whether a registry is operating in alignment with public interest goals, particularly for TLDs that imply community service, regulated industries, or trust-sensitive content. Registries operating strings such as .health, .green, .ngo, or .safe will now be subject to additional transparency requirements under the proposed Article 6b. These include publishing annual impact statements, disclosing abuse mitigation metrics, and providing channels for third-party complaints related to misleading content, fraud, or inconsistent eligibility enforcement. The 2027 draft stops short of defining these requirements as mandatory for all gTLDs, but it signals ICANN’s intent to raise the bar for TLDs that leverage public trust or imply social credibility.

A notable addition in the 2027 draft is its approach to automation and artificial intelligence in registry operations. Recognizing the growing use of machine learning in abuse detection, registration analytics, and registrar support, the draft introduces provisions that require operators to disclose the use of algorithmic systems that materially affect registrar access or registrant outcomes. This includes AI-based risk scoring systems used to throttle domain provisioning, identify suspicious registrants, or implement dynamic pricing models. Registries will be expected to explain how these systems are tested for bias, how false positives are reviewed, and how affected parties can appeal or request human review. This preemptive move aligns ICANN’s contractual architecture with global regulatory trends around algorithmic transparency, such as the EU AI Act and various national frameworks emerging in the United States, Canada, and Australia.

The 2027 draft also redefines how exceptions are handled for single-registrant and brand TLDs. While the 2013 Code of Conduct allowed for exemption via the Specification 13 mechanism, the new version retools this into a more structured exemption class called “Registry Purpose Designation” (RPD). Applicants for .brand, .closed, or mission-limited gTLDs must submit a comprehensive RPD request at the time of application, detailing their registration policies, internal eligibility criteria, and use-case alignment. Approved RPDs may bypass certain neutrality or access provisions of the CoC, but only if they commit to contractual boundaries and periodic review. For example, a brand operating .canon may retain full control over its namespace, but a trust-oriented registry for .climate may be required to maintain open access under Article 3c, unless a compelling RPD justifies a more curated model.

Furthermore, the 2027 draft introduces a compliance enhancement protocol. Under this protocol, ICANN Compliance will be authorized to initiate structured audits of registry behavior, particularly around anti-competitive conduct and failure to maintain equal registrar access. Audits may be triggered by complaints, abnormal market behavior, or statistical anomalies in registry reports. The draft outlines clear timelines, evidentiary standards, and remediation pathways, signaling a stronger posture from ICANN on active enforcement. Importantly, registry operators will have the opportunity to respond before sanctions are imposed, but repeat violations may trigger public notices or even contractual penalties.

The language of the draft also modernizes the notion of “undue preference” to reflect newer commercial realities, such as bundled services. For example, if a registry operator also offers web hosting, site builders, or payment platforms, the CoC now explicitly states that it must not bundle those services in a way that makes access to the TLD conditional or coercive. This addresses a growing concern that infrastructure convergence may subtly distort the openness of the DNS by embedding domain services into broader product ecosystems with locked-in advantages.

On the operational side, the CoC 2027 also codifies stronger uptime and technical reporting requirements. Registries will need to maintain transparent records of service outages, DNS latency, and query resolution consistency, publishing quarterly service level disclosures. These reports must be independently verifiable and made available to both registrars and ICANN. This measure stems from complaints about systemic but opaque performance issues in certain TLDs, which have historically been hard to diagnose due to lack of consistent data.

The cumulative effect of the 2027 Registry Code of Conduct draft is to move the DNS ecosystem toward greater accountability, fairness, and user protection. While it retains the foundational principles of equal registrar access and non-discrimination, it updates them for an era of data sovereignty, AI integration, brand exclusivity, and global regulatory convergence. It also shifts the narrative from contractual minimalism to ecosystem stewardship, suggesting that registry operators are not just infrastructure providers but also custodians of digital trust.

For gTLD applicants in the upcoming round, the implications of the CoC 2027 draft are far-reaching. Applications must be crafted with an understanding of these new obligations, particularly in areas of data usage, registrar relations, vertical service integration, and public trust alignment. Legal and operational teams must be prepared to demonstrate how proposed registry models comply with these evolving standards—not only to pass ICANN’s evaluation process but to sustain long-term reputational legitimacy in a more scrutinized and expectation-rich internet landscape.

The draft is still subject to community input and revision, but it sets a clear direction. The next generation of gTLD registries will not only be judged by their technical capacity or business models, but by how transparently, fairly, and ethically they operate within an infrastructure that remains essential to the functioning of the global internet. The Registry Code of Conduct 2027 draft, in this sense, is not just a contractual instrument—it is a framework for DNS-era digital governance.

The 2027 draft of the Registry Code of Conduct (CoC), released in anticipation of the next round of new gTLD applications, represents one of the most significant updates to ICANN’s contractual framework since the 2012 new gTLD program. Designed to address new realities in DNS governance, vertical integration, data protection, and registry accountability, the revised…