The fact that cyberattacks on companies, institutions and critical infrastructure have increased in recent years is not lost on the European Union. With the NIS 2 Directive (“Network and Information Security 2”) the EU is pursuing the objective of raising the minimum cybersecurity requirements of all EU states and strengthening the resistance of network and information systems as well as international cooperation. Most EU member states will presumably implement the NIS 2 Directive in national law within the course of this year.
NIS 2 is a further development of the first NIS Directive, which came into force in 2016. NIS 1 was the first comprehensive EU regulation aimed at enhancing the cybersecurity of network and information systems. Work on the successor directive NIS 2, which completely replaced NIS 1 and ultimately went into effect in January 2023, began in December 2020.
What is the purpose of the NIS 2 Directive?
As mentioned above, the NIS 2 Directive is intended to improve cybersecurity in Europe and tightens requirements even on companies that do not operate critical infrastructure. The directive defines 18 sectors, which are divided into two categories:
-
Essential entities:
Companies with more than 250 employees or sales of over EUR 50 million are defined as particularly critical if they are classified as belonging to the energy, transport, banking, healthcare, water supply or public administration sectors. -
Important entities:
Companies with more than 50 employees or annual sales of over EUR 10 million are defined as important, but less critical than the essential entities. This includes entities such as postal and courier services and chemical companies, but also providers of digital services. Even smaller companies such as the providers of domain name services can be classified as essential if their services are indispensable for supply security or other critical infrastructure.
In all cases, the NIS 2 Directive requires companies to maintain robust risk management practices. They must be able to manage security incidents and restore service after disruptions. Supply chains must also be integrated in the risk management apparatus, supplemented by measures such as cyber hygiene, cyber security training, access control, multi-factor authentication and secure communication.
Impact of NIS 2 on domains
NIS 2 has certain consequences for Hostpoint and our domain customers as well. Article 28 of the directive requires registries of top-level domains (TLDs) in the EU to maintain current and verified information about domain owners. The collection of this data is the responsibility of the respective domain registry, but also domain registrars like Hostpoint.
This specifically applies to the following data:
- Domain name
- Date of registration
- Name, e-mail address and telephone number of the domain owner
- E-mail address and telephone number of the point of contact if the domain is managed by a third party
Which TLDs are affected?
The TLDs of the EU include, for example, .de, .at, .fr and .it. Domain endings from states outside the EU, by contrast, such as the Swiss ccTLD .ch and generic TLDs such as .com, .org or .net, are exempted from this regulation.
The EU requires registries to ensure that domain holder data is always up to date. The registries, in turn, place requirements on the responsible registrars with which the domains are registered. Hostpoint, as the leading domain registrar in Switzerland, is also subject to these requirements. We act as an interface between the registries of the individual countries and the domain owners. Our task is to collect the required information from the customers and additionally verify the data upon request by a registry.
This process is best illustrated by an example: A person or company wants to register a domain name ending in .de with Hostpoint. We require them to provide certain contact information when they order the domain. This information is checked by Hostpoint and, of course, handled confidentially. However, sometimes this data has to be additionally verified upon request by the responsible registry (DENIC in the case of .de domains).
The verification of domain owner data is intended to ensure that the owner can be easily contacted in the event of security-related cases. At the same time, it aims to reduce the misuse of domains (e.g. for phishing) due to incorrect or incomplete registration data. This will make it more difficult to register EU ccTLDs using false data in the future.
What will change for users for domain lookup (WHOIS)?
With NIS 2, more data regarding legal entities could become visible again in WHOIS lookups. Exactly what information is published depends on the rules of the respective registry. For private users, personal data remains protected.
Do I have to take any action as a domain owner?
If you have a ccTLD from the EU and it was registered with Hostpoint, this does not necessarily mean that you have to take action. If there is any contact information that still needs to be verified, we will contact you proactively and offer you as simple a process as possible.
For more information about the verification process, please visit our Support Center. If you have questions about domains and NIS 2, you can contact our support team by e-mail (domain@hostpoint.ch) or phone (0844 04 04 04). We are available in your language, from 8 am to 6 pm, seven days a week.
