NIS 2 Implementation - Overview

Collecting and Maintaining Registration Data

What's new?

  • Due to the requirements of NIS 2, we will record a phone number of the domain holder in addition to the other data.

    Caution!   Members have one year to update existing Holder handles with a phone number!

  • We will publish the following data via the information services:

    • Legal person (domain holder of “ORG” type)

    • Domain registration date

    • Administering DENIC member

    • at a later date: Administering RegAcc

 

Ensuring Accuracy and Completeness of the Data

Our Principles

  • Future-oriented, scalable in a flexible, risk-based approach

  • Regular check only for new / updated / transferred domains

  • Check of domains already in our inventory only in case of complaints or irregularities

  • Ex post and ex ante verification possible

 

Verification

Which data do I have to verify as a DENIC member?

  • Name and address

  • E-mail address (analogous to gTLD process)

 

Communicating Verification Information

Once the verification by the member has been completed successfully, an update must be performed for the relevant holder handle:

  • With updated holder data, if necessary

  • With meta information about the verification process conducted by the member

    • Verified claims (name, address, e-Mail address)

    • Time stamp

    • Audit reference (ticket ID etc.)

    • Verification method used

    • Information about the verified evidence

    • Trust framework

    • Verification result (success or failed)

      Caution! If verification fails, the domain is always quarantined!

    • A reference to a previous verification can be used

    • Meta information can be provided directly with a Contact Create or a Contact Update to show that an ex-ante verification was performed.

    • DENIC permits a wide range of evidence and methods. The member is free to choose which of these it wants to support.

    • DENIC makes available process mocks in the test environment which members can use to test and implement the verification processes in their own systems.
      Verification of Name and Address

      Verification of E-Mail Address

 

Risk Assesment and Quarantine

For new (Domain CREATE), updated (Domain CHHOLDER and Contact UPDATE) and transferred (Domain CHPROV) domains, DENIC asynchronously carries out a risk assessment.

DENIC applies a traffic light system for the risk assessment:

  • Risk level "low" – The domain is registered and delegated.

  • Risk level "suspicious" – The domain is registered and delegated, must however be verified within a defined period. If the domain is not verified, it is put into quarantine (risk level "high").

  • Risk level "high" – The domain is registered but not delegated and immediately put into quarantine. If the domain is not verified within the defined period, the domain is deleted.

 

Publication of Domain Registration Data

The following data will be published via the information services:

  • Legal persons (defined on the basis of the contact type "ORG"; Members must ensure assignment of correct type)

    • Name

    • Address

    • E-mail adress

    • Phone number

    • Domain registration date

    • Administering DENIC member

    • at a later date: administering RegAcc

 

  • Natural persons (defined on the basis of the contact type "PERSON"; Members must ensure assignment of correct type)

    • Domain registration date

    • Administering DENIC member

    • at a later date: administering RegAcc

Members have the obligation to inform the domain holder once a year about the holder data and their potential publication in the whois.

Members must effectively inform end customers about publication of data.