The NIS2 Directive, particularly Article 28, imposes new responsibilities on domain name registrars to implement an Identity Verification (IDV) process for domain registration. What is also required from you as a registrar is to present your IDV process on your homepage.
We expect that compliance with this aspect, together with the rest of NIS2, will be a struggle during 2024. Therefore, in this article we have outlined what such a process description could look like, to support you in complying with NIS2 and securing your part of the digital infrastructure.
TL;DR
- NIS2 Directive Overview: Article 28 of the NIS2 Directive mandates domain name registrars to implement an Identity Verification (IDV) process for domain registration and display it on their homepage by 2024, aiming to enhance digital infrastructure security.
- Initiating ID Proofing: ID checks are triggered when registering a new domain name or transferring an existing one to a new registrant, ensuring compliance with regulatory requirements.
- General ID Verification Process: Registrars must outline common aspects such as who undergoes ID verification, methods to prevent phishing, expiration of verification requests, and consequences of non-compliance, potentially leading to domain suspension.
- Specific Use Cases: Different scenarios like new domain registration or domain transfer require tailored IDV approaches to meet compliance standards effectively.
- Risk Assessment Outcomes: Various outcomes include cases where ID verification is not needed, already completed successfully, or requires digital identity solutions like national or international digital IDs.
- ID Verification Methods: Methods can range from national digital IDs (e.g., Swedish BankID) to international digital business IDs (e.g., Truid), ensuring robust verification suitable for different user contexts.
- Post ID Check Actions: After verification, actions include status visibility in the user portal, domain name activation, or potential suspension pending verification outcomes, ensuring ongoing compliance and security.
- Compliance Support: To aid registrars in meeting NIS2 requirements, a template for detailing the domain registration IDV process is provided, simplifying the compliance process and enhancing clarity for stakeholders.
Explain when ID proofing is initiated
You need to explain the various ID check processes and state that they are initiated for a registrant when considered necessary, for example when:
- Someone applies for or creates a new domain name
- An existing domain name is transferred to a new registrant
Explain how ID verification works in general
In terms of ID control, you might have different processes that follow some common paths. To save space, we suggest you start by describing what they have in common. Things to cover might include:
- Who is the subject of ID control: the registrant or the domain?
- How will the user receive the request for ID verification? (Important for preventing phishing.)
- When will the request expire?
- What happens if the ID check is not completed? Is the domain suspended?
- When is it suspended, and for how long?
- Are other domain names that the user controls affected by a failed ID check?
Explain how IDV works for specific use cases
The ID verification might vary between use cases, for example the application for or creation of a new domain name, or the transfer of a domain name to a new registrant. We suggest you continue by describing each use case.
Explain the different potential outcomes of the risk assessment that will be performed, for example:
- ID verification is not required or has already been successfully completed
- ID control must be obtained via the use of a digital identity solution, for example Truid
- ID verification is initiated, the application is closed, and the specified domain name is activated
- ID verification is initiated, the request is terminated, but the specified domain name awaits the outcome of the ID verification (note that this outcome is not valid for transfer to new registrant)
Describe the potential ID verification methods that the user can be subject to:
- National digital identity, for example Swedish BankID
- International digital identity, for example Truid
- International digital business ID, for example Truid
- Manual ID check
Explain what happens after an ID check:
- Status visibility in the portal
- Activation of domain name
- Potential suspension
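As an added illustration (not code from the article, nor from Truid or any registrar), the following Python models the process description outlined above as a small workflow: the two triggers, the risk-assessment outcomes, an IDV request that expires, and the resulting domain status. The 14-day request validity, the mapping from outcome to initial status, the rule that a failed or lapsed check suspends only the domain in question, and all domain and registrant names are assumptions made for this example; the one rule taken directly from the text is that the "awaits the outcome" path is not valid for a transfer to a new registrant.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum

class Trigger(Enum):
    NEW_REGISTRATION = "new domain name"
    TRANSFER = "transfer to new registrant"

class Outcome(Enum):  # risk-assessment outcomes listed in the article
    NOT_REQUIRED = "not required or already completed"
    VERIFY_DIGITAL = "must verify via a digital identity solution"
    ACTIVATE_PENDING = "IDV initiated, application closed, domain activated"
    HOLD_PENDING = "IDV initiated, domain awaits the outcome"  # not valid for transfers

class Status(Enum):
    PENDING = "pending"
    ACTIVE = "active"
    SUSPENDED = "suspended"

# Assumed for this illustration: the initial status per outcome and the request lifetime.
OUTCOME_STATUS = {
    Outcome.NOT_REQUIRED: Status.ACTIVE,
    Outcome.VERIFY_DIGITAL: Status.PENDING,
    Outcome.ACTIVATE_PENDING: Status.ACTIVE,
    Outcome.HOLD_PENDING: Status.PENDING,
}
REQUEST_VALIDITY = timedelta(days=14)

@dataclass
class IdvRequest:
    method: str  # e.g. "Swedish BankID", "Truid", "manual"
    sent_at: datetime

    def expired(self, now: datetime) -> bool:
        return now > self.sent_at + REQUEST_VALIDITY

class IdvWorkflow:
    def __init__(self):
        self.verified = set()  # registrant ids with a successful IDV on record
        self.domains = {}      # domain -> (registrant, Status)
        self.requests = {}     # domain -> open IdvRequest; the subject checked is the registrant

    def apply_outcome(self, domain, registrant, trigger, outcome, method, now):
        """Record a risk-assessment outcome and return the domain's initial status."""
        if trigger is Trigger.TRANSFER and outcome is Outcome.HOLD_PENDING:
            raise ValueError("'awaits the outcome' is not a valid outcome for a transfer")
        self.domains[domain] = (registrant, OUTCOME_STATUS[outcome])
        if outcome is not Outcome.NOT_REQUIRED:
            self.requests[domain] = IdvRequest(method, now)
        return self.status(domain)

    def complete(self, domain, success, now):
        """Close the request: success activates the domain; failure or expiry suspends it."""
        request = self.requests.pop(domain)
        registrant, _ = self.domains[domain]
        if success and not request.expired(now):
            self.verified.add(registrant)
            new_status = Status.ACTIVE
        else:
            new_status = Status.SUSPENDED  # only this domain is affected (assumption)
        self.domains[domain] = (registrant, new_status)
        return new_status

    def sweep_expired(self, now):
        # Suspend every domain whose IDV request has lapsed and return their names.
        lapsed = [d for d, r in self.requests.items() if r.expired(now)]
        for d in lapsed:
            self.complete(d, success=False, now=now)
        return lapsed

    def status(self, domain):
        return self.domains[domain][1]

def demo():
    """Run constructed cases through the workflow and return the resulting statuses."""
    wf = IdvWorkflow()
    t0 = datetime(2024, 10, 1, 9, 0)
    # New registration is held until the registrant passes a BankID check.
    held = wf.apply_outcome("example-new.se", "reg-1", Trigger.NEW_REGISTRATION,
                            Outcome.HOLD_PENDING, "Swedish BankID", t0)
    wf.complete("example-new.se", success=True, now=t0 + timedelta(days=1))
    # Transfer stays active while a Truid check runs, but nobody answers; the same
    # registrant's other name, assessed as not needing a check, must stay active.
    wf.apply_outcome("example-transfer.com", "reg-2", Trigger.TRANSFER,
                     Outcome.ACTIVATE_PENDING, "Truid", t0)
    wf.apply_outcome("example-other.com", "reg-2", Trigger.NEW_REGISTRATION,
                     Outcome.NOT_REQUIRED, "", t0)
    lapsed = wf.sweep_expired(t0 + timedelta(days=15))
    # The 'awaits the outcome' path must be rejected for a transfer.
    try:
        wf.apply_outcome("example-bad.com", "reg-3", Trigger.TRANSFER, Outcome.HOLD_PENDING, "manual", t0)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "held_initially": held,
        "example-new.se": wf.status("example-new.se"),
        "example-transfer.com": wf.status("example-transfer.com"),
        "example-other.com": wf.status("example-other.com"),
        "lapsed": lapsed,
        "transfer_hold_rejected": rejected,
    }

if __name__ == "__main__":
    print(demo())
```

Writing the process down this way surfaces the questions from the checklist above that a prose description tends to leave open: when a request expires, whether the registrant or the domain is the subject of the check, and whether other names under the same registrant are touched by a failed check. Each of those decisions appears as one explicit constant or branch, which makes the published description easier to keep consistent with what the registrar's systems actually do.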
Download a template for domain registration IDV process description!
In order to comply with Article 28 of NIS2, domain registrars need not only to implement stricter security measures such as identity verification of registrants; you also need to explicitly present on your homepage how this process is carried out. Above we have described what to think of when describing this process. Too much compliance work to do right now? Then you can download a template here!