ICANN78 Day Zero Workshop: NIS2 Directive – Impact on the DNS Industry

eco – Association of the Internet Industry

invites you on Friday, 20 October for a Day Zero Workshop at ICANN78 in Hamburg to discuss the legislation that impacts the domain name industry in the European Union followed by an informal reception.

Please note, space is limited and registration is required.

A separate registration for the ICANN78 meeting is required to attend.

We look forward to welcoming you!

The NIS2 Directive is the EU-wide legislation on cybersecurity. It provides legal measures to increase the overall level of cybersecurity in the EU.

The EU cybersecurity legislation, which was introduced in 2016, was updated by the NIS2 Directive, which came into force in 2023. It modernized the existing legal framework to keep pace with increasing digitization and the evolving cybersecurity threat landscape. Extending the scope of cybersecurity rules to new sectors and entities will further improve the resilience and responsiveness of public and private entities, competent authorities and the EU as a whole.

In addition to its impact on the cybersecurity sector, the NIS2 Directive has implications for domain name registrations in the European Union. Article 28 of NIS2 contains requirements for domain name registrations, in particular registration data.

What makes NIS2 a challenge for the domain industry is its directive nature. A directive is a piece of legislation that sets a goal that all EU countries must achieve. However, it is up to the individual countries to develop their own laws on how to achieve these goals. This could potentially result in 27 different procedures for validating domain name registration data. Given that the domain name industry is a global ecosystem of domain name registries, registrars, resellers, etc. interacting with each other, validation procedures should follow proven industry best practices. The implementation of NIS2 by individual member states of the European Union should avoid the definition of 27 different processes.

The clock is ticking. The updated NIS2 Directive entered into force on January 16, 2023. Member States now have until October 17, 2024 to adopt new legislation to comply with NIS2. Businesses need to consider how the extended new regime will affect them, as it will take time to put compliant structures in place, and they will need to consider NIS2 jurisdictional rules in their compliance plans, contracts and relationships with third parties they rely on to protect their assets.

9:00am CET
Registration & Coffee

10:00am CET
Welcome to Part I, Introduction & Methodology

Thomas Rickert
Director Names & Numbers, eco – Association of the Internet Industry

10:10am CET
Introduction to NIS2 and Art. 28 – Requirements & Expectations

National legislative bodies are already working on draft legislation to implement the NIS2 Directive in their respective countries. What are the objectives and intentions of Art. 28 and how much guidance can the European Commission provide to national legislators? This session will provide an overview of the requirements of the NIS2 Directive with a focus on Art. 28 and its expectations.

Gemma Carolillo
Deputy Head of Unit, Next Generation Internet, European Commission, DG CNECT

Juuso Jarviniemi
Policy Officer, Cybersecurity & Digital Privacy Policy, European Commission, DG CNECT

10:40am CET
Report from the NIS Cooperation Group

As NIS2 is a Directive, it is up to individual countries to enact their own legislation to achieve its objectives, including Art. 28. This could potentially result in 27 different procedures for validating domain name registration data. The NIS Cooperation Group is discussing the various national approaches and proposals. This session will provide an update on the status of the group's work, including the two task forces working on validation and legitimate access.

Finn Petersen
Director of International ICT Relations, Division for Digital Regulation and Supervision

11:00am CET
National level deliberations on Art. 28

NIS2 must now be transposed into national law by national legislators by 17 October 2024 and will apply from 18 October 2024. As a result, proposals for national legislation are already in the pipeline. This session will analyse and discuss selected draft proposals from different EU Member States in order to understand the national legislative processes and implementing legislation.

Dirk Jumpertz
Security Officer, EURid

Sophie Kreizer
Ministry of Economic Affairs and Climate Policy, Netherlands

Jaromír Talíř
Technical Fellow, CZ.NIC

Peter Vergote
Legal & Corp. Affairs Manager, DNS Belgium

Morning summary

Thomas Rickert
Director Names & Numbers, eco – Association of the Internet Industry

12:00pm CET
Lunch break

13:00pm CET
Welcome to Part II

Thomas Rickert
Director Names & Numbers, eco – Association of the Internet Industry

13:10am CET
Multistakeholder Organizations

The language of NIS2 refers to multi-stakeholder organisations. In this session we will discuss the interplay between national/regional legislation and the global multistakeholder model, including ICANN, where community policies are already in place.

Elena Plexida
Vice President, Government and IGO Engagement, ICANN

13:30pm CET
The role of Registration Data in the fight against DNS Abuse

Recital 110 states that “The availability and timely accessibility of domain name registration data to legitimate access seekers is essential for the prevention and combating of DNS abuse, and for the prevention and detection of and response to incidents.” How effective is the use of domain name registration data in combating DNS abuse? What other complementary measures are there?

Brian Cimbolic
Vice President, General Counsel, Public Interest Registry (.ORG)

Volker Greimann
General Counsel, Head of Legal and Policy CentralNic Group

Steinar Grøtterød
Director of Policy & Compliance, iQ Global AS

Chris Lewis-Evans
Director of Governmental Engagement and Internet Abuse Mitigation, CleanDNS

Nick Wenban-Smith
General Counsel, Nominet UK

14:30pm CET
Operational & Implementation Challenges I

TLD name registries and the entities providing domain name registration services will be required to have policies and procedures in place, including verification procedures, to ensure that databases contain accurate and complete information, to make domain name registration data that is not personal data publicly available, etc.

What are the best practices and challenges in implementing and operating the required policies and procedures and what are the implications at the national, EU and global levels? Will EU-based companies be at a commercial disadvantage in the future? These and other questions will be discussed in this session.

Beth Bacon
Senior Director, Policy and Privacy, Public Interest Registry (.ORG) / Vice Chair, RySG

Samantha Demetriou
Senior Director - Policy, Verisign / Chair, RySG

15:00pm CET
Coffee break

15:30pm CET
Operational & Implementation Challenges II & Discussion

Continuation of the session.

Ashley Heineman
Director, Global Policy, GoDaddy / Chair, RrSG

Polina Malaja
Policy Director, CENTR

Neal McPherson
Head of Product Management Domains, IONOS

17:00pm CET
Afternoon summary, Stocktaking & Workshop wrap-up

Thomas Rickert
Director Names & Numbers, eco – Association of the Internet Industry