In DNW Podcast episode #464, Polina Malaja of CENTR talked about the implications of NIS2 for the domain name industry. I asked Simone Catania of InterNetX if he would share some thoughts on NIS2.
In the constantly evolving world of digitization, staying updated on the latest legislation affecting the cyber landscape is of paramount importance. One such critical piece of legislation that has recently drawn attention is the Directive on Security of Network and Information Systems (NIS2 Directive). The NIS2 Directive represents an ambitious aspect of the European Union’s plans to ensure a high common level of cybersecurity across all member states.
A deep dive into the NIS2 Directive: its background, purpose and goals
The NIS2 Directive finds its roots in the first-ever EU-wide legislation on cybersecurity, the original NIS Directive adopted in 2016. As the digital landscape continued to grow, so did the realization that with expansion came newer and more complex threats.
Everything around us is bursting into the digital realm—from our personal lives to the industries we work in, making cybersecurity more critical than ever. The threats, including DNS abuse, are diverse and increasing in number. They hold the potential to cause severe disruption to essential services like healthcare, energy and transport systems. This necessitates collective vigilance and adaptation to these potential menaces.
This led the European Commission to propose a revision, aptly named the NIS2 Directive (EU) 2022/2555, in December 2020. The NIS2 Directive is, in essence, a significant upgrade to the original Directive. It establishes a comprehensive framework designed to address growing cyber threats while ensuring the resilience of critical infrastructure across all member states. It provides guidelines and requirements for increasing security measures and reporting incidents for various essential sectors and digital service providers.
The objectives of the NIS2 Directive can be broadly categorized into three primary goals:
- Developing a culture of shared responsibility in addressing cybersecurity risks.
- Ensuring that essential service providers and digital service providers adhere to strict security standards.
- Facilitating swift and efficient information sharing and collaboration for responding to cyber threats among member states.
In sum, the NIS2 Directive displays the European Union’s proactive approach to addressing the urgent issue of cybersecurity. By intent and design, it seeks to shore up the EU’s defenses and make its digital environment safer and more resilient.
NIS2 reshapes the roles of digital operators and domain experts
The NIS2 Directive will have significant implications, not just on a macro level but also on the operational aspects of digital operators and domain experts. Articles 27 and 28 mandate the establishment of registries and the upkeep of domain name registration data. To fulfill these objectives, domain companies must adapt to new standards, reinforce cybersecurity protocols, implement risk management strategies and develop systems for reporting incidents.
Under Article 27, the European Union Agency for Cybersecurity (ENISA) is tasked with assembling and maintaining a registry of multiple entities. These include DNS service providers, TLD name registries, domain name registration services, data center service providers, content delivery network providers and more. The registry consolidates information about such entities, ensuring close monitoring and cooperation between the competent authorities in EU member states. As per the Directive, entities specified in Article 27(1) must provide the necessary information to their competent authorities by 17 January 2025.
Article 28, on the other hand, bears significant implications for the domain industry. It emphasizes the necessity for TLD registries and domain name registration service providers to gather and maintain accurate, comprehensive data on domain name registrations. To ensure this, TLD registries and domain name registration service providers must craft policies and procedures to validate the accuracy of the information in their databases. Additionally, non-personal domain name registration data should be made publicly available promptly after domain name registration.
Domain industry faces new challenges with the NIS2 Directive
The NIS2 Directive presents several challenges for the industry, particularly regarding the verification process and the allocation of responsibilities between registries and registrars. As the Directive pushes for strengthened cybersecurity, it demands stringent verification processes for domain registrations. However, the lack of clear procedures and standards often leaves domain professionals in the dark.
Furthermore, the NIS2 Directive has potential implications outside of the EU as well. It may also apply to companies outside the EU if they offer services to customers within the European Union. One crucial concern is maintaining a balance between legitimate access and data privacy. Operators must provide access to information when they receive legitimate, lawful requests and are required to respond within 72 hours.
So, while the primary goal of the NIS2 Directive is to fortify cybersecurity and enhance infrastructure resilience across the EU, it brings considerable changes and challenges for digital operators and domain professionals. The industry remains highly attentive, closely monitoring the developments and working collaboratively to shape the debate. This will ensure the smooth implementation of the Directive and help companies to navigate the ever-evolving complexities of the cybersecurity landscape successfully.
How to be prepared for these legislative changes
Embracing the changes brought forth by the NIS2 Directive is essential not just for compliance but for the sustainability and resilience of organizations in the face of evolving cyber threats.
For digital operators, the first step towards aligning with the Directive should involve carrying out a thorough risk assessment to accurately understand their existing security postures and identify any gaps that need to be addressed. Subsequent actions should focus on strengthening their systems with advanced cybersecurity measures, frequent auditing and rigorous testing. A proactive approach to incident reporting by establishing clear communication channels can ensure transparency and the ability to implement timely remediation.
Non-compliance with NIS2 can result in reputational damage, loss of essential services, increased scrutiny from customers and investors, decreasing revenue and market share, not to mention substantial fines of up to €10 million or 2% of global annual revenue for essential companies and up to €7 million or 1.4% for important companies.
Compliance with the NIS2 Directive isn’t simply a regulatory necessity but can prove to be a testament to an organization’s commitment to protecting its services, clients and itself against cyber threats. When seen through this lens, the NIS2 Directive is less of a challenge and more of an opportunity for digital operators and domain experts to build trust and assure their customers of their unwavering commitment to security and resiliency.
The value in understanding the NIS2 Directive
The NIS2 Directive represents a significant step towards strengthening the cybersecurity of critical infrastructure within the European Union. This comprehensive framework has implications for both digital operators and domain experts, compelling them to adhere to stricter security standards and fulfill enhanced incident reporting obligations.
That said, decoding the NIS2 Directive in full, with all its complexities and subtleties, can be challenging. To learn more, read the whitepaper “NIS2: Unraveling the Directive”. Tailored for digital operators and domain experts, this resource provides a comprehensive understanding of the NIS2 Directive and helps navigate its implementation.
© DomainNameWire.com 2023.