NIS2 - The current state of Germany's transposition

Written by Markus Ejenäs, Ph.D., Chief Commercial Officer | Oct 2, 2024 9:38:26 AM

In this blog, we’ll explore Germany’s efforts to transpose the NIS-2 Directive into local legislation, focusing on the specific requirements outlined for domain name registrars in §§ 51-53 of the draft law, as well as feedback from the Bundesrat regarding identity verification and the fight against fraudulent domain registrations, such as those used for fake shops.

TL;DR

  • Germany is advancing its transposition of the EU's NIS-2 Directive, focusing on stricter cybersecurity measures for domain name registrars. The draft law mandates accurate domain registration databases, quick access to data for authorities, and enhanced identity verification to combat online fraud, particularly fake shops.
  • Germany's draft of the NIS-2 Implementation Act emphasizes cybersecurity by imposing new responsibilities on domain name registrars. Key measures include maintaining accurate registration databases, rapid data access for law enforcement, and stricter identity verification to reduce online fraud.
  • The NIS-2 Directive pushes Germany to enforce stricter regulations on domain name registrars, requiring detailed registration databases and swift data access to fight online fraud. The Bundesrat advocates for improved identity verification to combat fake shops exploiting ".de" domains.

Increased pressure on domain name registrars

The European Union’s NIS-2 Directive is a significant update aimed at enhancing cybersecurity across member states. With the deadline for member states to transpose the directive into national law looming, Germany has been steadily advancing its implementation.

As part of this process, the draft of the NIS-2 Implementation and Cybersecurity Strengthening Act is in the final stages of discussion. This law aims to address key cybersecurity concerns, particularly those related to the protection of critical infrastructure and digital services, including domain name registrations.

What does the NIS-2 directive demand from domain name registrars?

One of the critical aspects of the NIS-2 Directive is its emphasis on enhancing the security and transparency of domain name registrations. Domain name registrars, who manage and administer the registration of domain names, play a crucial role in maintaining the integrity of the Domain Name System (DNS). For a general summary of the NIS-2 Directive, see our separate blog article on the directive.

In Germany's draft of the NIS-2 Implementation Act, responsibilities of domain name registrars are detailed in §§ 51-53.

§ 51 - Obligation to maintain a database

The first notable requirement is that Top-Level Domain Name Registries and Domain Name Registry Service Providers must maintain accurate and complete domain name registration databases. This data is vital for identifying and contacting domain holders, ensuring that domain-related activities are transparent and traceable.

The law specifies that the database must include the following information:

  • The domain name,
  • The registration date,
  • The name, email address, and phone number of the domain holder,
  • Contact information for any person managing the domain (if different from the domain holder).

This information must be maintained with diligence and updated regularly, adhering to data protection laws. Importantly, this requirement ensures that domain holders cannot hide behind incomplete or inaccurate information, which has been a significant issue in the fight against online fraud, including the rise of fake shops.

§ 52 - Obligation to provide access

Beyond maintaining this database, domain registrars are also obligated to provide access to the domain name registration data upon request. Legitimate requesters, such as law enforcement agencies or consumer protection groups, must be able to access this data within 72 hours of a valid request. If the information is unavailable, the registrar must inform the requester within 24 hours.

This quick turnaround is crucial in tackling issues like fake shops, which can exploit domain name registrations to deceive consumers. Having timely access to registration data allows authorities to act swiftly, potentially preventing further harm to consumers.

Moreover, registrars are required to make their disclosure procedures public within three months of the law’s enactment, ensuring transparency in how they handle access requests.
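The two obligations above translate naturally into two checks a registrar could automate: is a registration record complete in the sense of the § 51 data fields, and is an access request still inside the § 52 window (72 hours to deliver the data, 24 hours to report that it is unavailable)? The following is an added example written for this article, not code from the draft law, from any registrar's system or from DENIC; the field names, the placeholder list, the sample records and the request timestamp are assumptions constructed for the demonstration.

```python
"""Constructed example: checks domain registration records against the data
fields the German NIS-2 draft requires (§ 51) and computes the § 52 response
deadlines (72 h to provide the data, 24 h to report it unavailable).
Added example code, not the draft law's text or any registrar's tooling;
field names, sample records and timestamps are assumptions."""

from __future__ import annotations

import re
from datetime import date, datetime, timedelta, timezone

# Fields the article lists for § 51; the mapping to field names is assumed.
REQUIRED_FIELDS = ("domain", "registered_on", "holder_name", "holder_email", "holder_phone")
# Values that technically fill a field but carry no usable contact information.
PLACEHOLDERS = {"", "-", "n/a", "na", "none", "unknown", "tbd"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^\+?[0-9][0-9 /().-]{5,}$")
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def domain_is_valid(name: str) -> bool:
    """Syntactic check: at least two labels, each 1-63 letters/digits/hyphens,
    no leading or trailing hyphen.  A trailing dot is tolerated."""
    labels = name.lower().rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)


def validate_record(rec: dict) -> list[str]:
    """Return the list of problems found; an empty list means the record is
    complete in the sense of § 51.  Each entry names the offending field."""
    problems: list[str] = []
    for field in REQUIRED_FIELDS:
        value = str(rec.get(field, "")).strip()
        if value == "":
            problems.append(f"missing {field}")
        elif value.lower() in PLACEHOLDERS:
            problems.append(f"placeholder value in {field}")
    domain = str(rec.get("domain", "")).strip()
    if domain and not domain_is_valid(domain):
        problems.append("malformed domain")
    registered = str(rec.get("registered_on", "")).strip()
    if registered:
        try:
            date.fromisoformat(registered)
        except ValueError:
            problems.append("malformed registered_on")
    email = str(rec.get("holder_email", "")).strip()
    if email and email.lower() not in PLACEHOLDERS and not EMAIL_RE.match(email):
        problems.append("malformed holder_email")
    phone = str(rec.get("holder_phone", "")).strip()
    if phone and phone.lower() not in PLACEHOLDERS and not PHONE_RE.match(phone):
        problems.append("malformed holder_phone")
    # The managing contact is only required when it differs from the holder,
    # so it is optional here; when present it must itself be reachable.
    admin = rec.get("admin_contact")
    if admin is not None:
        for field in ("name", "email"):
            if not str(admin.get(field, "")).strip():
                problems.append(f"missing admin_contact.{field}")
        if admin.get("email") and not EMAIL_RE.match(str(admin["email"])):
            problems.append("malformed admin_contact.email")
    return problems


def response_deadline(received: datetime, data_available: bool) -> datetime:
    """§ 52: 72 hours to hand over the data, 24 hours to say it is unavailable."""
    return received + timedelta(hours=72 if data_available else 24)


def request_status(received: datetime, now: datetime, data_available: bool,
                   answered_at: datetime | None = None) -> str:
    """'met' / 'late' once answered, 'open' / 'overdue' while still pending."""
    deadline = response_deadline(received, data_available)
    if answered_at is not None:
        return "met" if answered_at <= deadline else "late"
    return "open" if now <= deadline else "overdue"


# Constructed sample records (not real registrations).
SAMPLE_RECORDS = [
    {
        "domain": "example-shop.de",
        "registered_on": "2024-09-30",
        "holder_name": "Erika Mustermann",
        "holder_email": "erika@example.de",
        "holder_phone": "+49 30 1234567",
        "admin_contact": {"name": "Hosting GmbH", "email": "admin@example.net"},
    },
    {   # the kind of record that lets a fake shop hide: no date, no phone, placeholders
        "domain": "cheap-deals.de",
        "registered_on": "",
        "holder_name": "N/A",
        "holder_email": "none",
        "holder_phone": "",
    },
]

REQUEST_RECEIVED = datetime(2024, 10, 2, 9, 0, tzinfo=timezone.utc)  # constructed


def demo_deadlines() -> dict[str, str]:
    """Deadline and status examples for the constructed request timestamp."""
    r = REQUEST_RECEIVED
    return {
        "data_deadline": response_deadline(r, True).isoformat(),
        "unavailable_deadline": response_deadline(r, False).isoformat(),
        "pending_after_80h": request_status(r, r + timedelta(hours=80), True),
        "answered_at_70h": request_status(r, r + timedelta(hours=80), True, r + timedelta(hours=70)),
        "unavailable_after_10h": request_status(r, r + timedelta(hours=10), False),
    }


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["domain"], validate_record(rec) or "complete")
    for key, value in demo_deadlines().items():
        print(key, value)
```

The placeholder list matters as much as the missing-field check: a field that is present but holds "N/A" satisfies a naive completeness test while giving an investigator nothing to act on, which is exactly the gap the article describes. The deadline clock starts at receipt of a valid request, so a registrar tracking compliance should record that timestamp in UTC and compute the 72-hour and 24-hour windows from it rather than from the day the request was triaged.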

§ 53 - Obligation to cooperate

The draft law also emphasizes the cooperation between registrars and other stakeholders in the domain registration ecosystem. Registrars are required to work together to prevent duplicate registration data and ensure the accuracy and completeness of domain name records. This collective effort helps maintain the integrity of the domain name system and supports the broader goal of cybersecurity.

Bundesrat’s comments on Identity Verification and fake shops

The Bundestag is Germany's directly elected federal parliament, responsible for drafting and passing laws. The Bundesrat represents the 16 federal states and reviews laws that affect state interests, with the power to approve or veto them. Both chambers work together to ensure that federal laws respect the balance between national and state responsibilities in Germany’s federal system.

In parallel to the provisions in the draft law, the Bundesrat, Germany's upper house of parliament, has provided significant feedback on the draft, especially concerning the need for stronger identity verification for domain registrations. In their comments, the Bundesrat underscores the growing issue of fake online shops, many of which exploit ".de" domains to appear trustworthy to consumers.

The Bundesrat recommends the following additions to the draft law:

  1. Identity Proof during Domain Registration and Transfer: The Bundesrat calls for mandatory identity verification when a domain is registered or transferred. This verification should be carried out using qualified procedures, such as video identification or the submission of an electronic identity proof. These methods ensure that the person registering or transferring the domain is accurately identified.
  2. Real-time Access to Registration Data: The Bundesrat further suggests that domain registrars be required to provide real-time access to complete registration data for authorized requesters. This would allow consumer protection agencies and security services to quickly identify and investigate suspicious domains.
  3. Automated, Digital Access Procedures: Another key point raised by the Bundesrat is the need for automated, privacy-compliant procedures for accessing domain registration data. This would replace the current manual, time-consuming processes that often involve PDF forms. The Bundesrat suggests that this could be modeled on the RDAP interface, a modern alternative to the older Whois system.
  4. Regulations for Blocking Domains in Case of Misuse: To combat the misuse of domains by fake shops and other fraudulent actors, the Bundesrat recommends establishing a clear regulatory framework for blocking domains when they are linked to illegal activities. This would ensure that domains used to perpetrate fraud could be quickly taken offline.

The fight against fake shops: A critical focus

Fake online shops have become a significant issue in Germany, with many exploiting the trust associated with ".de" domains. These websites often present themselves as legitimate retailers, only to deceive consumers into paying for goods that never arrive. The Bundesrat highlights that one of the main reasons for the success of these scams is the lack of strict identity verification during the domain registration process.

To address this, the Bundesrat advocates for stricter controls, including mandatory identity verification for both new registrations and domain transfers. This would raise the barrier for criminals seeking to create fake shops, making it more difficult for them to hide behind older, unused domains that were previously registered without such verification.

Moving forward: the role of the NIS-2 directive

Germany’s draft law reflects the stringent requirements of the NIS-2 Directive, which aims to bolster cybersecurity across the EU. By imposing stricter obligations on domain registrars, Germany hopes to address the growing threats posed by online fraud, fake shops, and other cybercrimes.

However, as the Bundesrat's feedback shows, there are still areas where the draft law could be strengthened. Specifically, the recommendations for enhanced identity verification and automated access to domain data are seen as critical improvements that could significantly improve Germany’s ability to combat cybercrime.

In conclusion, as Germany continues its transposition of the NIS-2 Directive into local law, the role of domain name registrars will be crucial in maintaining the security and transparency of the domain name system. With the right balance of regulation and cooperation, Germany can not only meet the EU’s cybersecurity standards but also protect its citizens from the growing threat of online fraud.