Blogs de l’ICANN

Lisez les blogs de l’ICANN pour vous tenir au courant des dernières activités d’élaboration de politiques, des événements régionaux et bien plus encore.

NIS2 Consultation and Next Steps

12 septembre 2024
Par Dimitris Zacharias

The Network and Information Security Directive (NIS2) (Directive on measures for a high common level of cybersecurity across the Union, EU 2022/2055) strengthens cybersecurity risk management measures and streamlines incident reporting obligations for essential and important entities offering their services in the European Union (EU). Domain Name System (DNS) service providers and top-level domain (TLD) name registries are deemed essential entities under the directive. The NIS2 Directive also imposes obligations with respect to collecting, maintaining, and granting access to domain name registration data on TLD name registries and entities providing domain name registration services.

EU Member States must transpose the directive into national law by 17 October 2024. This deadline also applies to the European Commission, which must specify the technical and methodological requirements for cybersecurity risk management measures for essential and important entities, as well as clarifying when an incident is considered significant, through the adoption of secondary legislation. In this context, the European Commission published a Draft Implementing Regulation and invited feedback between 27 June and 25 July 2024.

ICANN provided feedback on the draft provisions regarding the unavailability of a service, service degradation, and cybersecurity breaches in backend systems of DNS service providers and TLD name registries, and the technical and methodological requirements of the cybersecurity risk management measures.

Specifically, ICANN suggested that factors beyond the control of a DNS service provider or a TLD name registry – such as connectivity issues at the local network or the Internet service provider level, the intermediary or transit network, or the quality of the endpoint device or hardware – can negatively impact the perceived quality of service. Therefore, approaching service degradation from the end user perspective could indirectly transfer the responsibility for upholding service quality to DNS service providers and TLD name registries for factors beyond their control. ICANN recommended clarifying the criteria for determining significant reputational damage caused by an incident, as well as those for identifying recurring incidents, in order to capture significant incidents whose root causes are within the control of the impacted entity.

ICANN suggested including the application of best practices in the security of the DNS as a cybersecurity risk management measure, calling on relevant entities to apply best practices without specifying them, as they can evolve over time. Such practices should be agreed upon by the relevant communities.

ICANN's contribution to the European Commission's consultation is available on the ICANN organization's Submissions to External Bodies page. All contributions to the Public Comment are available on the European Commission's consultation website.

The transposition of the NIS2 Directive in Member States is progressing steadily, although some delays are anticipated. The pace of progress varies significantly; only three Member States have fully or partially transposed the directive into national law, while five others have published draft laws that are currently under review by their respective legislative authorities. Additionally, eleven Member States have completed their consultation phases. Greater delays are expected in Member States where elections or changes in the composition of the respective national governments have significantly impacted legislative planning and processes.

It is also noted that the Network and Information Systems Cooperation Group Work Stream for Article 28 of the NIS2 Directive was established to facilitate cooperation and information exchange among EU Member States regarding the implementation of Article 28 on domain name registration data. This group is expected to issue nonbinding guidance for the Member States to consider as they transpose this article of the directive.

To our knowledge, the dedicated working group has primarily focused on the verification of registration data and access to registration data. On 9 November 2023, ICANN sent a letter to the Network and Information Systems Cooperation Group Work Stream for Article 28. In the letter, ICANN shared information about the role and work of the ICANN multistakeholder model and its policymaking, including existing policies, procedures, and requirements that are pertinent to Article 28 - "Database of domain name registration data."

As stated in the letter, ICANN believes that the "guidance and the standards developed by the multistakeholder governance structures at international level," recognized by the NIS2 Directive, should be considered during its implementation. Requirements from national legislation that could create conflicts with the rules created within the ICANN ecosystem can pose significant challenges to the registries and registrars. This is particularly apparent in the case of varying interpretations and implementations of Article 28 that could potentially lead to a disparate landscape of national requirements, distinct from ICANN's policies. Such requirements can also pose challenges for the multistakeholder Internet governance model more generally.

As we move closer to the October deadline, it remains important for all stakeholders to stay engaged and proactive, ensuring a uniform transposition of NIS2 which not only recognizes the uniqueness of national ecosystems but also aligns with international standards, safeguarding the integrity of the DNS and the broader internet ecosystem.

Authors

Dimitris Zacharias

Government and IGO Engagement Sr. Manager