
NIS2 Directive | Challenges for domain experts

Discover how the NIS2 Directive promises to bring sweeping changes to the domain industry and reshape the cybersecurity landscape!

Author: Simone Catania

Date: 2023/12/05

The NIS2 Directive is the upcoming EU legal framework that aims to improve cybersecurity measures and resilience across all sectors with critical infrastructure by broadening the scope of its predecessor directive and introducing stricter requirements for digital service providers and operators of essential services.

On January 16, 2023, the highly anticipated NIS2 Directive (EU) 2022/2555 came into force, replacing its predecessor, NIS Directive (EU) 2016/1148. This new cybersecurity legislation aims to fortify the European Union’s digital landscape against evolving cyber threats. Understanding the NIS2 Directive’s implications is vital for DNS operators to ensure a secure and robust digital infrastructure. In this article, we’ll shed light on the objectives and critical aspects of the NIS2 Directive and its impact on the domain industry.

Strengthening the EU’s cybersecurity framework

To address the rapid growth of cyberattacks and tackle the sophisticated nature of emerging threats, the NIS2 Directive introduces stringent supervisory measures, expands its scope and fosters collaboration across member states.

The Directive strives to enhance businesses’ cyber resilience, helping companies fortify their information safety defenses and effectively respond to breaches, fostering an ecosystem of trust and improved security and establishing a harmonized approach across member states and sectors to reduce the disparity in cybersecurity preparedness levels.

Furthermore, the Directive aims to improve understanding and joint crisis response among member states. This involves reinforcing collective data exchange systems and crisis management methods, which should aid in making quick, informed decisions in crisis scenarios. This legislation will help member states to effectively collaborate, pool resources and share threat intelligence.

This multifaceted approach, bridging policy gaps and fostering a culture of continuous learning and adaptation, is geared towards shaping a stronger Europe that is better prepared for cyber threats.

InterNetX has published an informative e-paper aiming to illuminate the implications of the NIS2 Directive on the domain industry.

Overview of the NIS2 Directive

The Network and Information Security (NIS2) Directive is a legal measure developed to bolster the overall cybersecurity standard within the European Union. This significant legislative push, expected to be officially implemented by EU member states from October 2023, marks an essential step in confronting emerging digital threats.

-> Mandatory cybersecurity protocols and governance

The Directive mandates that member states establish a legislative framework, obligating companies to adopt and implement clear, assessable cybersecurity protocols. Non-compliance could result in substantial fines of at least € 7 million or a maximum of € 10 million, depending on the sector. This new legislation is intended to enhance several key aspects of cybersecurity, including risk management processes, security governance, system resilience, as well as network and application security. Notably, the Directive goes beyond these measures, specifically mandating incident reporting and recovery procedures to ensure rapid response and system integrity.

-> Risk assessments and third-party scrutiny

A new element of the NIS2 Directive is its specific demand for risk assessments of security protocols targeted toward significant connected third-party service providers. This means the Directive is not only policing the companies, but also keeping a close eye on their interactions with other digital entities.

-> Key targets: critical digital infrastructure

The Directive also expands its scrutiny to medium and large corporations in a predetermined array of pivotal sectors. Its profound impact can be felt most by the operators of essential digital infrastructure components, including but not limited to technology providers like data centers, content delivery networks and trust service providers. To create a universal application, the Directive considers “essential” all domain name system (DNS) service providers along the DNS provisioning and resolution chain. This includes everyone from top-level domain (TLD) name servers and authoritative name servers for domain names to recursive resolvers.

-> Consequences of non-compliance

Non-compliance with the NIS2 Directive can result in serious repercussions, including substantial financial penalties and significant reputational damage. The intentions behind these stern consequences are clear – to ensure cyber hygiene and to establish a secure and trustworthy digital environment throughout the European Union.

Bridging the gap between NIS2 and the domain industry

The domain industry, which encompasses domain registrars like us from InterNetX, registries, hosting providers and other related entities, is pivotal in enabling users to access websites and online services. As the digital landscape expands, the domain industry becomes both a target and a potential vector for cyberattacks. NIS2 recognizes the importance of including domain industry operators within its scope, as their services underpin the functioning of the internet.

Article 28: Impact on Domain Name Registrations

Article 28 of the NIS2 Directive significantly reshapes practices within the domain industry, especially concerning the collection and maintenance of accurate domain name registration data. The Directive mandates TLD registries and domain name registration service providers to maintain comprehensive databases, including information such as the domain name, registration date and the contact details for the registrant and administrator.

“For the purpose of contributing to the security, stability and resilience of the DNS, Member States shall require TLD name registries and entities providing domain name registration services to collect and maintain accurate and complete domain name registration data in a dedicated database (…).” (NIS2 Directive, Article 28(1))

To ensure data accuracy, these entities must establish and implement transparent policies and procedures to uphold the integrity and accuracy of their databases. Also, non-personal domain name registration data should be made public swiftly post-registration. Legitimate access seekers must be granted access to particular registration data under EU law within 72 hours of a lawful and substantiated request. Moreover, compliance with Article 28’s obligations must not result in the duplicate collection of domain name registration data by several operators.

While the NIS2 Directive aims to boost the EU’s cybersecurity resilience, it has raised concerns in the domain industry due to its perceived ambiguity, particularly with regard to verification processes and role allocation between registrars and registries. Consequently, it has spurred the domain industry to remain alert and collaborate with stakeholders in order to understand and proficiently navigate the convolutions of the NIS2 Directive.

NIS2 Directive impact on European ccTLD registries

The NIS2 Directive, which applies to all TLD registries operating within the EU, introduces several significant changes for the domain industry. According to Polina Malaja, Policy Director at CENTR, NIS2 imposes an array of duties on registries. These responsibilities involve their recognition as essential entities and extend to safeguarding their systems against various security issues. This also encompasses the rigorous reporting of such cybersecurity incidents.

Polina Malaja, as Policy Director at CENTR, authored a detailed commentary for the InterNetX e-paper on the NIS2 Directive, providing insights into the impact and implications of the updated European Union's cybersecurity regulation.

TLD registries and registrars must ensure the collection and maintenance of domain name registration data and must also verify its accuracy. In addition, they need to collaborate with partners in the registration chain to avoid the duplicate collection of this data.

The practical implications may vary depending on how the law is interpreted by individual EU member states. Two critical aspects of the Directive that require further explanation are data verification processes and double data collection. Polina Malaja emphasizes that general verification procedures might conflict with existing data protection obligations under GDPR, such as data minimisation. To remedy this, she suggests that EU member states adopt a risk-based approach, allowing ccTLD operators to calculate risks according to their capabilities and adopt verification measures accordingly. Regarding double data collection, NIS2 mandates that duplicate collection must be avoided, which could burden registrars and lead to business consolidation.

Malaja encourages EU jurisdictions to facilitate flexible data transfer arrangements to maintain the European domain industry’s diversity. She concludes by stating that the NIS2 Directive necessitates additional clarity at the national level to allow for maintaining the diversity of existing accuracy practices among European ccTLDs that have proved to be effective. Consequently, EU member states must carefully navigate this area while incorporating NIS2 requirements into their national laws to preserve the competitiveness of the European domain industry.

The challenges for domain industry operators

The new EU legislation, the NIS2 Directive, introduces considerable changes and presents numerous challenges for domain industry operators. This updated regulation, while emphasizing the critical role of the DNS in the digital society, compels these operators to navigate a new landscape of obligations and expectations.

1. Compliance complexity

NIS2 introduces a complex set of cybersecurity obligations that domain industry operators must adhere to. These obligations include implementing risk management measures, ensuring incident response capabilities and notifying authorities of significant incidents. Complying with these requirements can be challenging, especially for smaller domain operators with limited resources. Striking a balance between compliance and operational efficiency becomes a delicate task.

2. Cross-border coordination

The global nature of the domain industry means that cyber threats and incidents can transcend national borders. NIS2 encourages increased cooperation among EU member states to address such incidents effectively. However, differences in legal frameworks, varying technical expertise, and divergent communication protocols can hinder seamless cross-border coordination. Domain industry operators must navigate these challenges in order to contribute to a cohesive cybersecurity ecosystem.

3. Rapidly evolving threat landscape

Cyber threats are constantly evolving and the tactics employed by attackers are becoming increasingly sophisticated. Domain industry operators must arm themselves to defend their systems against DNS attacks and various other threats, from distributed denial-of-service (DDoS) attacks to phishing campaigns designed to compromise user data. Staying a step ahead of these threats demands continuous monitoring, sharing of threat intelligence and the ability to adapt security measures swiftly.

4. Balancing user privacy and security

Domain industry operators are entrusted with sensitive user data, including contact information and payment details. NIS2’s emphasis on incident reporting may lead to concerns about user privacy. Striking the right balance between reporting incidents to authorities and protecting user privacy is a delicate task for operators to accomplish. Ensuring transparent communication about data handling practices will prove to be crucial.

5. Resource allocation and investment

Implementing robust cybersecurity measures requires substantial investments in technology, personnel and training. For smaller domain industry operators, these investments may strain already limited resources. Navigating the trade-offs between cybersecurity investments and other operational needs becomes a pressing concern, highlighting the need for risk-based approaches tailored to each operator’s unique circumstances.

Adapting to NIS2: strategies for domain industry operators

Adapting to the NIS2 regulations presents domain industry operators with unique complexities and challenges. However, by understanding them and developing proactive strategies, operators can turn these challenges into an opportunity for advancing their business.

Collaborative threat intelligence

Domain industry operators should foster collaborations with other industry players, sharing threat intelligence and best practices. By pooling resources and knowledge, operators can gain insights into emerging threats and strengthen their collective defense.

Continuous training and education

Employee training and education are essential for building a resilient cybersecurity posture. By equipping their teams with the latest skills and knowledge, domain industry operators can better anticipate and mitigate cyber risks.

Leveraging automation and AI

Automation and artificial intelligence can bolster incident detection and response capabilities. Implementing AI-driven security solutions can help domain industry operators detect anomalies, respond to incidents in real time and alleviate the burden on human resources.

Engaging with regulatory bodies

Domain industry operators should actively engage with regulatory bodies to develop policies that are practical, effective and take the industry’s unique challenges into account. Collaborative efforts can lead to regulations that are both protective and feasible.

NIS2 Directive: What’s next?

The NIS2 Directive marks a significant advancement in the European Union’s endeavors to reinforce the cybersecurity of its digital infrastructure. Despite the ongoing transposition and implementation process, with numerous specificities yet to be defined more clearly, the emphasis on harmonization, augmented security protocols and collaboration among member states is a strong signal of the EU’s resolve for a secure and robust digital future.

The NIS2 Directive poses significant challenges for DNS operators and domain professionals. Organizations must remain alert and follow the national transposition measures. By conforming to universally recognized best practices in cybersecurity, organizations can work towards ensuring compliance and fortifying their overall security posture.

The introduction of NIS2 underscores the need for domain industry operators to adapt their strategies, enhance their cybersecurity measures and collaborate across borders to maintain the integrity of their services. By embracing these challenges and implementing forward-facing solutions, domain industry operators can continue to provide secure and reliable online experiences for users worldwide.

Uncover a deeper understanding of these challenges and the best ways to navigate through them. Download our comprehensive guide on the topic “NIS2: Unraveling the Directive. Insight for operators and digital experts”.