CENTR publishes comment on the proposed NIS 2 Directive
Brussels, 19 May 2021 - CENTR, which represents European national top-level domain name registries (ccTLDs) such as .ie or .eu, has published a comment on the Proposal for a Directive on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148 (also known as the NIS 2 Directive).
CENTR currently counts 53 full and 9 associate members – together, they are responsible for over 80% of all registered domain names worldwide. CENTR members are at the core of the public internet, safeguarding the stability and security of the internet as we know it today.
ccTLDs are responsible for operating and maintaining the technical Domain Name System (DNS) infrastructure for their top-level domain. Commonly thought as the “phone book of the internet”, the DNS provides a navigation function to map user-friendly domain names to numeric IP addresses. Furthermore, ccTLD registries maintain a domain name registration database. This database contains the contact information of domain name holders, technical and administrative data necessary to provide DNS services.
The European Commission published a proposal for the NIS 2 Directive last December, which considers top-level domain (TLD) registries to be “essential entities”, together with other actors that are “critical for the integrity of the internet”. Most notably, the proposal includes an obligation on TLD registries to collect and maintain accurate and complete domain name registration data. Furthermore, such entities are required to provide efficient access to domain registration data for legitimate access seekers, under the proposed NIS 2.
As entities under the scope of the NIS2 proposal which will be directly impacted by the NIS2 framework, CENTR members would like to ask legislators to take into consideration and adequately assess the impact of the proposed legislation, and specifically the proposed data accuracy obligation in Article 23, on ccTLD operators, who form the core of the public internet, together with other internet infrastructure actors.
CENTR members would like the co-legislators to address the following areas of concern in Article 23 of the NIS2 Proposal.
- Article 23 should include a clear purpose limitation to the data accuracy obligation, to align it with the respective data accuracy principle enshrined in Article 5 of the GDPR.
- Article 23 should be amended to include a clear legal basis for any collected “relevant information to identify and contact the holders of the domain names” that is strictly necessary and proportionate.
- The vague notion of "complete" should be omitted from Article 23, as it is meaningless if detached from the limited purpose for which a TLD gathers data.
- Legitimate access seekers to registration data collected under Article 23need to be limited to competent national authorities, as designated by Member States under their national cybersecurity strategies, provided that access to registration data is granted under the corresponding legal basis that satisfies the conditions of the Union data protection framework.
Stay informed on developments to this file through our regular EU Policy Updates, which you can find here.