European Commission Unveils Important Initiatives Relevant to the DNS and DNS Service Providers
This week, the European Commission published important initiatives relevant to the Domain Name System (DNS), including domain name registration data and DNS service providers. ICANN org would like to bring this to the attention of the community.
The Digital Services Act Package
On Tuesday, 15 December 2020, the Digital Services Act package was published. It comprises the Digital Services Act (DSA) and the Digital Markets Act (DMA).
The DSA includes rules for online intermediary services. The obligations of different online players match their role, size, and impact in the online ecosystem. Intermediary services offering network infrastructure such as Internet access providers and DNS service providers, and hosting services such as cloud and web hosting services and online platforms, are covered under the DSA regardless of size. Online platforms will have to do more to limit the spread of illegal content and goods.
The DSA clarifies that DNS service providers are within its scope. This eliminates the ambiguity under the existing legislative framework, which consists of Directive 2015/1535 and the e-Commerce Directive, about whether DNS operators can be considered “information society services” and to what extent the liability exemption regime of the existing e-Commerce Directive applies to them.
The DSA will apply to intermediaries offering their services in the European single market, whether they are established in or outside the European Union (EU). The DMA will impose new obligations on large online platforms that qualify as so-called gatekeepers. These are platforms that have a significant impact and enjoy an entrenched and durable position. Failure to abide by the DMA rules could lead to hefty fines of up to ten percent of a company’s global revenue or, in the worst cases, to the possibility of breaking up firms that repeatedly violate the new rules.
The European Parliament and EU Member States will discuss the European Commission’s proposed acts. If adopted, the Acts would be directly applicable across the EU.
The New EU Cybersecurity Package
On 16 December 2020, the European Commission announced a series of initiatives in the cybersecurity field. First, it announced the “Communication on the EU’s Cybersecurity Strategy for the Digital Decade,” which outlines major EU policy objectives in the fields of cybersecurity and technological sovereignty. Second, the European Commission put forward a proposal for the “Revision of the Directive on the Security of Network and Information Systems” (NIS 2). Third, it proposed a “Directive on the resilience of critical entities.”
The new EU Cybersecurity Strategy, which aims to bolster Europe’s collective resilience against cyber threats, includes a section titled “Greater global Internet security.” Section 1.6 of this strategy puts forward a number of actions related to the DNS. “The Commission intends to develop a contingency plan, supported by EU funding, for dealing with extreme scenarios affecting the integrity and availability of the global DNS root system. […] With a view to reducing security issues related to market concentration, the Commission will encourage EU companies, ISPs and browser vendors to adopt a DNS resolution diversification strategy. […] The Commission also intends to contribute to secure Internet connectivity by supporting the development of a public European DNS resolver service. This ‘DNS4EU’ initiative will offer an alternative, European service for accessing the global Internet. […] The Commission will also, in liaison with Member States and industry, accelerate the uptake of key internet standards including IPv6 and well-established internet security standards and good practices for DNS, routing, and email security […] Finally, the Commission will consider the need for a mechanism for more systematic monitoring and gathering of aggregated data on Internet traffic and for advising on potential disruptions.”
The proposal for a revised Directive on Security of Network and Information Systems (NIS2 Directive) is an update of the EU’s existing NIS Directive and will impose new requirements on “essential” and “important” service providers in critical sectors, including reporting cyber attacks, implementing security policies, scrutinizing the security of suppliers, and using encryption technology.
DNS providers are included in the existing NIS Directive list of entities for which operators of essential services should be identified. In this respect, some EU countries have identified operators of essential services within the Domain Name System (DNS) while others have not. The NIS2 Directive states that “Upholding and preserving a reliable, resilient, and secure domain name system (DNS) is a key factor in maintaining the integrity of the Internet and is essential for its continuous and stable operation, on which the digital economy and society depend. Therefore, this Directive should apply to all providers of DNS services along the DNS resolution chain, including operators of root name servers, top-level-domain (TLD) name servers, authoritative name servers for domain names and recursive resolvers.” DNS service providers, thus, will be automatically under the scope of NIS2 without the need for EU Member States to identify operators of essential services within the DNS.
Where a DNS service provider not established in the EU offers services within the EU, it must designate a representative under NIS2. This representative shall be established in one of the EU Member States where these services are offered. Such an entity shall be deemed to be under the jurisdiction of the Member State where the representative is established.
The NIS2 Directive also recognizes that “Maintaining accurate and complete databases of domain names and registration data (so called ‘WHOIS data’) and providing lawful access to such data is essential to ensure the security, stability and resilience of the DNS” and includes provisions about domain name registration data. Article 23 of NIS2 in particular would require EU Member States to ensure that domain name registries and registrars take several actions related to registration data.
Databases of domain names and registration data
1. For the purpose of contributing to the security, stability and resilience of the DNS, Member States shall ensure that TLD registries and the entities providing domain name registration services for the TLD shall collect and maintain accurate and complete domain name registration data in a dedicated database facility with due diligence subject to Union data protection law as regards data which are personal data.
2. Member States shall ensure that the databases of domain name registration data referred to in paragraph 1 contain relevant information to identify and contact the holders of the domain names and the points of contact administering the domain names under the TLDs.
3. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD have policies and procedures in place to ensure that the databases include accurate and complete information. Member States shall ensure that such policies and procedures are made publicly available.
4. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD publish, without undue delay after the registration of a domain name, domain registration data which are not personal data.
5. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD provide access to specific domain name registration data upon lawful and duly justified requests of legitimate access seekers, in compliance with Union data protection law. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD reply without undue delay to all requests for access. Member States shall ensure that policies and procedures to disclose such data are made publicly available.
The proposed NIS2 Directive is posted for public comment through 10 February 2021. All feedback received will be summarized by the European Commission and presented to the European Parliament and Council with the aim of feeding into the legislative debate. Once the NIS2 Directive proposal is agreed by the European Parliament and the Council, and consequently adopted, EU Member States will have to transpose it into their national law.
The same goes for the proposed Critical Entities Resilience (CER) Directive, which expands both the scope and depth of the 2008 European Critical Infrastructure Directive. The Directive previously dealt with physical protection requirements in the energy and transport sectors only, but will now expand to cover ten sectors: energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, public administration, and space. The CER Directive imposes rules to protect physical assets, networks, and grids from being tampered with.
The Government Engagement team will be working on a comprehensive paper, looking at the initiatives and their impact on the DNS. When this paper is published, we will make it available to the ICANN community.