EU’s Network and Information System Directive (NIS-2) Can Restore Access to Critical WHOIS Data

The Cybersecurity Tech Accord is joining with the Coalition for Online Accountability (COA) in support of new implementation guidance for the European Union’s (EU) NIS-2 Directive in hopes that the new requirements can help restore accuracy of and access to domain name ownership data (WHOIS) to help combat cybercrime. Addressing a longstanding issue, the NIS-2 Directive introduces new requirements for the collection, maintenance, verification, and disclosure of WHOIS records that will ensure a higher level of cybersecurity across the EU.

Adopted by the EU in 2022, NIS-2’s requirements in Article 28 are intended to reverse the near-universal redaction by domain name registrars of WHOIS records that were previously publicly available. This challenge emerged in 2018, following the implementation of the EU’s General Data Protection Regulation (GDPR), and has persisted ever since. Verifying the accuracy of information of registrants and beneficial users of domain names contributes substantially to the prevention of cybercrime. Access to domain name information is critical for cybercrime professionals tracking down bad actors perpetrating fraud and other illicit and criminal activity online. As stated in the NIS-2 Directive, “The availability and timely accessibility of domain name registration data to legitimate access seekers is essential for the prevention and combating of DNS abuse, and for the prevention and detection of and response to incidents.”

Importantly, Article 28 of the NIS-2 Directive clarifies the legal basis enabling WHOIS access to be restored and encourages companies to share information and defend their information systems against online threats such as phishing, malware, and unauthorized access. Moreover, NIS-2 requires domain name registrars, registries, and service providers to collect and maintain complete, verified and accurate WHOIS records. It restores public access to WHOIS data of legal persons and requires the disclosure of WHOIS information of natural persons to those with legitimate interests, consistent with GDPR.

What is essential now is the effective implementation of the NIS-2 Directive and its requirements by the EU member states, all 27 of which must transpose the directive and implement it as jurisdictional law ahead of an October 17 deadline.

NIS-2 promises meaningful solutions for WHOIS access

The Cybersecurity Tech Accord fully supports the restoration of WHOIS access as outlined in Article 28. Since the implementation of GDPR in 2018, our coalition has drawn attention to the resulting chaotic approach to requesting information from domain name registrars and registries, and to the pressing need for solutions. In an effort to centralize and standardize these requests, ICANN late last year launched the Registration Data Request System (RDRS). While the Cybersecurity Tech Accord welcomed this new system for requesting registrant data, there were still major concerns that we highlighted in a blog post last November.

The requirements of NIS-2 thankfully reflect a much more comprehensive approach to addressing this challenge by establishing clear requirements for those organizations logically responsible for maintaining WHOIS data. NIS-2 specifically requires the following with respect to registrant data provided by domain name registrars, registries, and service providers such as resellers, and privacy/proxy providers doing business in the EU:

  • Accuracy and completeness of data,
  • Validation of data,
  • A 72-hour response timeline,
  • Differentiation between legal and natural persons, and
  • Data access free of charge

The Cybersecurity Tech Accord believes that the transposition of Article 28 into EU member state law can be further expanded as set forth below:

  1. When a legitimate access request for registration data is made, the underlying data of the actual customer/beneficial user of the domain name should be revealed and not just the data of the privacy or proxy service provider if such a privacy or proxy service was used in the registration process. 
  2. Cybersecurity professionals with legitimate purposes should be able to obtain a list of all of the domain names registered by an entity providing domain name registration services or administered by a TLD name registry or registrar that have been registered using the same registrant data.
  3. If the WHOIS data for a particular domain name is materially false, inaccurate and/or incomplete, then that domain name should be frozen and not permitted to resolve until the registrant corrects the registrant data so that it is accurate, complete, and verified. 

Registrant data can be a critical difference maker in combatting cybercrime but only if the data delivered in response to legitimate requests is accurate, verified and consists of the data of the beneficial user of the domain name, not simply the ineffectual placeholder data of a privacy or proxy service provider. This is why the Cybersecurity Tech Accord is endorsing the new report today, NIS2 ARTICLE 28: EU MEMBER STATE IMPLEMENTATION. The report summarizes the most critical issues for implementation of NIS-2 with respect to Article 28 and Recitals 109 to 112 related to domain name registration services.

It is imperative that cybersecurity professionals have access to WHOIS data in order to uncover bad actors online. Interrupting that access has for years hindered investigations that otherwise can not only disrupt malicious activity and hold criminals accountable, but also prevent them from conducting the same activity again under a different domain. The Article 28 requirements should be seen as an absolute minimum standard for governing the production of registrant data to legitimate users to ensure there is greater safety and security online.

If you would like a copy of the implementation guidance report, please reach out to [email protected].