2024 The Year of Public Responsibility

by Kelly Hardy

The first of the year’s looking-ahead meetings have taken place with the various working groups, policy groups and watchdog organizations, confirming that as an industry we have two big compliance issues on the horizon and another sea change brewing with an impending second round of new gTLDs.

The theme of 2024 in the domain and internet infrastructure industries seems to be Public Responsibility. There is a sliding scale of belief in our industry about what our responsibility to the public and to the users we serve has been. Some companies and individuals in our space believe that as stewards of the internet, it is our responsibility to keep both the ecosystem and users safe (in the areas for which we are responsible). And there are others who have historically believed that we operate infrastructure and owe nothing to anyone.

The aim of the amendments was to drive this somewhere towards the middle by creating a bare minimum standard of behavior, responsibility and stewardship to manage a defined set of abuses. It is up to all of us now to uphold the agreement to be active on DNS Abuse.

So where are we right now?

NIS2

NIS2 is the first EU-wide law on cybersecurity and is part of the EU Cybersecurity Strategy. Among other things, it comes with incident reporting obligations.

The section of NIS2 that most applies to the Domain Name Industry is Article 28, which outlines that domain name registries and any entities providing domain name registration services must collect and store accurate registration data.

As stated in the NIS2 Directive Article 28: “For the purpose of contributing to the security, stability and resilience of the DNS, Member States shall require TLD name registries and entities providing domain name registration services to collect and maintain accurate and complete domain name registration data in a dedicated database with due diligence in accordance with Union data protection law as regards data which are personal data.”

What you will need to become compliant:

There is no clear directive for us at the moment due to challenges around implementation across the member states. So we know we will need to be compliant, but at the moment we must wait for explicit direction.

Read our Primer on the NIS2 Directive here: https://iq.global/news/the-nis2-directive-a-primer

Contract Amendment Compliance

What you’ll need to become compliant: A DNS Abuse reporting and clearance strategy.

You can do this in-house, with a third-party abuse management service, or a combination of the two.

As a reminder, Contracted Parties are being asked to monitor and action DNS Abuse only.

What is considered DNS Abuse in the Registry and Registrar agreements with ICANN: Phishing, Pharming, Malware, Botnets, Spam (when spam serves as a delivery mechanism for the other forms of DNS Abuse listed in this Section).

What is not considered DNS Abuse:

All other online harms.

Read our article about the contract amendments: https://iq.global/news/how-to-stop-worrying-and-learn-to-love-the-yes-vote

While change is never easy, particularly for industries such as ours that can be less agile than is ideal, we have our work cut out for us in 2024. Ultimately, at least in the case of the contract amendments, taking action on DNS Abuse is good for your business, your customers and the health of the internet.