Security Obsession Pre-GDPR

In the years leading up to the enactment of the General Data Protection Regulation (GDPR) in May 2018, a wave of anxiety and fascination swept across the digital landscape. This period, marked by data breach headlines, regulatory uncertainty, and rising user skepticism, gave birth to a number of security-focused initiatives, services, and—most curiously—a specialized domain extension: .security. The .security gTLD, launched in 2015 by XYZ.com LLC, was introduced into an internet ecosystem desperate for reassurance. Cybercrime was climbing, trust in major tech platforms was plummeting, and companies were looking for any possible signal to differentiate themselves as safe and trustworthy. In this climate, domains like mybusiness.security or banking.security were meant to serve not only as destinations but as digital billboards of safety.

From a marketing perspective, the logic behind .security was almost painfully obvious. As the internet matured and digital footprints grew, the public’s concern with online safety expanded far beyond traditional tech circles. Between 2013 and 2017, data breaches at Target, Equifax, Yahoo, and dozens of others shifted cybersecurity from an IT department problem to a boardroom and kitchen table discussion. Consumers began to pay attention to SSL certificates, green padlocks, and browser warnings. Meanwhile, security vendors seized on the moment to flood the market with new products and services, ranging from endpoint protection suites to personal VPNs. The environment was ripe for a domain extension that offered an easy, recognizable association with online protection.

The .security domain entered this charged atmosphere with a focused target audience: cybersecurity firms, IT consultants, surveillance tech providers, and infrastructure companies. The registry pitched the domain as a premium namespace, with early access pricing structured to signal exclusivity and importance. It was not cheap, and that was intentional. Like the .luxury and .bank domains, .security was positioned as a domain for serious players—a place for those who could afford not only the domain itself but the rigorous infrastructure and practices expected to accompany it. The idea was that by simply adopting a .security domain, a business could telegraph its dedication to best practices, even before a user read a single line of copy.

But unlike restricted domains such as .bank or .insurance, which required verification and compliance with industry-specific security protocols, .security lacked formal vetting. Anyone could register a .security domain, provided they paid the premium. This absence of regulation quickly became a liability. Domain speculators swooped in, acquiring dozens—sometimes hundreds—of keyword-laden .security domains in the hopes of flipping them. Domains like vpn.security, password.security, and home.security were purchased and listed at steep prices. Investors imagined a gold rush, believing that once GDPR took hold and regulatory scrutiny increased, companies would scramble to purchase digital real estate that spoke directly to user concerns.

But the stampede never came. Despite its seemingly perfect timing, .security failed to gain meaningful adoption. Most major cybersecurity firms—Symantec, Kaspersky, McAfee, Trend Micro—continued to rely on their entrenched .com addresses. Not only did those domains carry SEO history and brand equity, but they were also deeply tied into existing sales funnels, documentation portals, and partner networks. Replatforming to a new gTLD, especially one as untested and potentially misunderstood as .security, carried more risk than reward. End users, for their part, were not searching for domains based on their suffixes. Trust was still earned through familiarity, user experience, and third-party reviews—not TLDs.

As GDPR approached and global headlines fixated on compliance deadlines, the discussion around privacy and data handling began to shift. The emphasis moved from broad-strokes “security” branding toward very specific requirements around data processing, user consent, retention policies, and cross-border transfers. Companies needed legal expertise, process redesigns, and airtight documentation—not vanity domains. As a result, the emotional resonance of .security diminished. It began to feel like a pre-GDPR artifact—an idea born in a time when signaling good intentions was seen as a viable substitute for demonstrating compliance.

Moreover, browser and platform-level changes diminished the perceived need for security-themed TLDs. The proliferation of HTTPS, driven in part by Google’s push to mark non-encrypted sites as “Not Secure,” created a new baseline for user trust. With free SSL certificates from Let’s Encrypt and widespread adoption of HTTP/2 and HSTS, actual security improvements were happening at the protocol level—not the branding level. In this environment, .security felt decorative, even performative. It lacked teeth.

Usage data reflected this lack of traction. A majority of .security domains ended up undeveloped or used as redirects. Some hosted placeholder websites for affiliate marketing. Others languished in domain marketplaces, listed at aspirational prices no buyer ever met. The few that were developed often belonged to minor consultancies or startups trying to gain credibility through association, but they struggled to achieve meaningful visibility. As a result, .security never coalesced into a recognizable online neighborhood. Unlike .dev or .io, which gained cultural momentum among developers and startups, .security remained fragmented and disconnected.

By the early 2020s, the post-GDPR world had solidified new standards for what real digital trust looked like. It was no longer enough to claim security—it had to be demonstrated through technical audits, regulatory adherence, and transparent user controls. Privacy policies became legal documents, not brand afterthoughts. TLDs faded into the background of this more mature, infrastructure-driven internet. The market began favoring substance over symbols, and .security—despite its timely entrance and strong name—was left behind.

Today, .security domains are still available, still functional, and still marketed by a handful of registrars. But the extension has largely faded from the broader digital conversation. It survives in the long tail of domain options—occasionally used by niche firms or picked up as an SEO experiment—but it no longer carries the promise of trust or the momentum of a movement. The obsession that birthed it has been replaced by the slower, more methodical work of compliance, encryption, and infrastructure resilience.

The rise and retreat of .security offer a snapshot of a particular era on the internet—an anxious, transitional moment when signaling security seemed as important as providing it. But ultimately, users and regulators demanded more. In that shift, .security went from sounding like the future to feeling like a slogan. It was an artifact of pre-GDPR optimism, priced high and pitched hard, but ultimately unable to deliver the kind of lasting assurance that a truly secure internet requires.

In the years leading up to the enactment of the General Data Protection Regulation (GDPR) in May 2018, a wave of anxiety and fascination swept across the digital landscape. This period, marked by data breach headlines, regulatory uncertainty, and rising user skepticism, gave birth to a number of security-focused initiatives, services, and—most curiously—a specialized domain…