In this blog post, we’ll explore Germany’s efforts to transpose the NIS-2 Directive into local legislation, focusing on the specific requirements outlined for domain name registrars in §§ 51-53 of the draft law, as well as feedback from the Bundesrat regarding identity verification and the fight against fraudulent domain registrations, such as those used for fake shops.
The European Union’s NIS-2 Directive is a significant update aimed at enhancing cybersecurity across member states. With the deadline for member states to transpose the directive into national law looming, Germany has been steadily advancing its implementation.
As part of this process, the draft of the NIS-2 Implementation and Cybersecurity Strengthening Act is in the final stages of discussion. This law aims to address key cybersecurity concerns, particularly those related to the protection of critical infrastructure and digital services, including domain name registrations.
One of the critical aspects of the NIS-2 Directive is its emphasis on enhancing the security and transparency of domain name registrations. Domain name registrars, who manage and administer the registration of domain names, play a crucial role in maintaining the integrity of the Domain Name System (DNS).
In Germany's draft of the NIS-2 Implementation Act, the responsibilities of domain name registrars are detailed in §§ 51-53.
The first notable requirement is that Top-Level Domain Name Registries and Domain Name Registry Service Providers must maintain accurate and complete domain name registration databases. This data is vital for identifying and contacting domain holders, ensuring that domain-related activities are transparent and traceable.
The law specifies that the database must include the following information:
This information must be maintained with diligence and updated regularly, adhering to data protection laws. Importantly, this requirement ensures that domain holders cannot hide behind incomplete or inaccurate information, which has been a significant issue in the fight against online fraud, including the rise of fake shops.
Beyond maintaining this database, domain registrars are also obligated to provide access to the domain name registration data upon request. Legitimate requesters, such as law enforcement agencies or consumer protection groups, must be able to access this data within 72 hours of a valid request. If the information is unavailable, the registrar must inform the requester within 24 hours.
This quick turnaround is crucial in tackling issues like fake shops, which can exploit domain name registrations to deceive consumers. Having timely access to registration data allows authorities to act swiftly, potentially preventing further harm to consumers.
Moreover, registrars are required to make their disclosure procedures public within three months of the law’s enactment, ensuring transparency in how they handle access requests.
The draft law also emphasizes cooperation between registrars and other stakeholders in the domain registration ecosystem. Registrars are required to work together to prevent duplicate registration data and ensure the accuracy and completeness of domain name records. This collective effort helps maintain the integrity of the domain name system and supports the broader goal of cybersecurity.
The Bundestag is Germany's directly elected federal parliament, responsible for drafting and passing laws. The Bundesrat represents the 16 federal states and reviews laws that affect state interests, with the power to approve or veto them. Both chambers work together to ensure that federal laws respect the balance between national and state responsibilities in Germany’s federal system.
In parallel to the provisions in the draft law, the Bundesrat, Germany's upper house of parliament, has provided significant feedback on the draft, especially concerning the need for stronger identity verification for domain registrations. In its comments, the Bundesrat underscores the growing issue of fake online shops, many of which exploit ".de" domains to appear trustworthy to consumers.
The Bundesrat recommends the following additions to the draft law:
Fake online shops have become a significant issue in Germany, with many exploiting the trust associated with ".de" domains. These websites often present themselves as legitimate retailers, only to deceive consumers into paying for goods that never arrive. The Bundesrat highlights that one of the main reasons for the success of these scams is the lack of strict identity verification during the domain registration process.
To address this, the Bundesrat advocates for stricter controls, including mandatory identity verification for both new registrations and domain transfers. This would raise the barrier for criminals seeking to create fake shops, making it more difficult for them to hide behind older, unused domains that were previously registered without such verification.
Germany’s draft law reflects the stringent requirements of the NIS-2 Directive, which aims to bolster cybersecurity across the EU. By imposing stricter obligations on domain registrars, Germany hopes to address the growing threats posed by online fraud, fake shops, and other cybercrimes.
However, as the Bundesrat's feedback shows, there are still areas where the draft law could be strengthened. Specifically, the recommendations for enhanced identity verification and automated access to domain data are seen as critical changes that could significantly improve Germany’s ability to combat cybercrime.
In conclusion, as Germany continues its transposition of the NIS-2 Directive into local law, the role of domain name registrars will be crucial in maintaining the security and transparency of the domain name system. With the right balance of regulation and cooperation, Germany can not only meet the EU’s cybersecurity standards but also protect its citizens from the growing threat of online fraud.