NIS2: the end of domain name registration industry in the EU?

[Remitur]

In a few months (17 October), the NIS2 directive will be enforced in European countries (https://digital-strategy.ec.europa.eu/en/policies/nis2-directive)

According to NIS2, any entity involved in domain name registration is "important", and any entity providing DNS services is "essential".

This means that these entities will be subjected to several rules (starting from ISO quality assessment), and subjected to hyperbolic fees  (up to 10.000.000 € or 2% of the total annual turnover, whichever is higher).
And also extra-european entities that sell this kind of services to European citizens will be subjected to NIS2... 

Is anyone worrying about this?

 

[Kuhl, Rubens]

NIS2 is a directive, not a regulation, so what you will have to consider is the national legislation that will be created in your jurisdiction. They might be very easy and cheap to follow, or be a massive cost to implement. Try finding which one is the case is the start of this process. 

 

[DennisHermannsen]

Unless you work for a larger company, you're likely not going to be affected by NIS2: https://nis2directive.eu/who-are-affected-by-nis2/

[Remitur]

20 hours ago, DennisHermannsen said:

Unless you work for a larger company, you're likely not going to be affected by NIS2: https://nis2directive.eu/who-are-affected-by-nis2/

Nope.
If you're involved in DNS systems, your role is "essential", with no regard to your company dimension.
If you're involved in domain registration, your tole is "important", with no regard to your company dimension.

About this, beware of commercial sites (like the one you linked): just a lot of disinformation sources right now...

[Remitur]

On 8/15/2024 at 4:55 AM, Kuhl, Rubens said:

NIS2 is a directive, not a regulation, so what you will have to consider is the national legislation that will be created in your jurisdiction. They might be very easy and cheap to follow, or be a massive cost to implement. Try finding which one is the case is the start of this process. 

 

That's right, but national regulations will conform to the directive.
And even in the details will be known in the months to come, it seems i.e. that an external audit will be mandatory...

[DennisHermannsen]

41 minutes ago, Remitur said:

Nope.
If you're involved in DNS systems, your role is "essential", with no regard to your company dimension.
If you're involved in domain registration, your tole is "important", with no regard to your company dimension.

About this, beware of commercial sites (like the one you linked): just a lot of disinformation sources right now...

Do you have any sources? Everyone I've spoken to regarding this says the same thing. Same thing when I researched the subject.

If I'm wrong, I want to know. We're gonna be busy then 😅

[Kuhl, Rubens]

7 minutes ago, DennisHermannsen said:

Do you have any sources? Everyone I've spoken to regarding this says the same thing. Same thing when I researched the subject.

If I'm wrong, I want to know. We're gonna be busy then 😅

Most of those who I've spoken to believe they will need to follow whatever laws came out of the implementation. Which is why they have been lobbying local authorities to go soft when writing those laws. 

 

[Remitur]

On 8/16/2024 at 6:01 PM, DennisHermannsen said:

Do you have any sources? Everyone I've spoken to regarding this says the same thing. Same thing when I researched the subject.

If I'm wrong, I want to know. We're gonna be busy then 😅

It's long and hard, but the only reliable source is the official EU source:
https://eur-lex.europa.eu/eli/dir/2022/2555

In art. 2.2 it's specified that:
"Regardless of their size, this Directive also applies to entities of a type referred to in Annex I or II, where services are provided by [...] top-level domain name registries and domain name system service providers;"

in art. 2.3 that "Regardless of their size, this Directive applies to entities identified as critical entities under Directive (EU) 2022/2557."

In art. 2.4 that "Regardless of their size, this Directive applies to entities providing domain name registration services."

Directive (EU) 2022/2557 is here:   https://eur-lex.europa.eu/eli/dir/2022/2557
In the Annex of Directive (EU) 2022/2557,at #8 there're "DNS service providers as defined in Article 6, point (20), of Directive (EU) 2022/2555, excluding operators of root name servers"

Art. 6 point 20 states that

Quote

‘DNS service provider’ means an entity that provides:
(a) publicly available recursive domain name resolution services for internet end-users; or
(b) authoritative domain name resolution services for third-party use, with the exception of root name servers;

So all of us are definitely in...

About reception from single states: AFAIK, the only one that has already published his law is Belgium, and this is his law:
https://www.ejustice.just.fgov.be/cgi/article.pl?language=fr&sum_date=2024-05-17&lg_txt=f&caller=sum&s_editie=1&2024202344=4&numac_search=2024202344&view_numac=2024202344f
(use Google to translate that barbarian language...)
Right now, Belgian companies were just forced to register with the national cybersecurity authority (13.1) ; but there are a number of different duties whose details are demanded to further decrees, that will be issued in the future...

[Remitur]

On 8/16/2024 at 6:11 PM, Kuhl, Rubens said:

Most of those who I've spoken to believe they will need to follow whatever laws came out of the implementation. Which is why they have been lobbying local authorities to go soft when writing those laws. 

 

It's true, but this may apply only to the measure of fines, imposing a lower minimum amount.
I.e. the belgian law (the only one already issued: https://www.ejustice.just.fgov.be/cgi/article.pl?language=fr&sum_date=2024-05-17&lg_txt=f&caller=sum&s_editie=1&2024202344=4&numac_search=2024202344&view_numac=2024202344f ) at art 59 states that "shall be punished by a fine of EUR 500 to EUR 10,000,000 or 2 percent of the total worldwide annual turnover of the previous financial year of the company to which the significant entity belongs, whichever is the higher, any significant entity that fails to comply with the obligations relating to cybersecurity risk management measures and/or incident reporting referred to in Title 3."
(The EU directive states that the fee should be  "EUR 10,000,000 or 2 percent of the total worldwide annual turnover [...] whichever is the higher".
So in Belgium the real fine will not be 10.000.000, but somewhat between 500 and 10.000.000 ... 
but the measures to be adopted to comply will be hard and costly.