nic.at News - 26.04.2024 07:30
NIS2: Concerns over patchwork of regulations

The new European cybersecurity directive NIS2 aims to enhance the resilience of companies and improve responses to security incidents. During the Domain pulse event in Vienna, representatives from politics, registries, and registrars discussed its implementation. There are still numerous concerns within the industry.

“It’s coming, whether we want it or not,” said Barbara Schloßbauer, head of the legal department at nic.at and moderator of the NIS2 panel, regarding the new EU directive at Domain pulse in Vienna. NIS2 is part of the EU's cybersecurity strategy and is set to replace the 2016 NIS1 directive. “NIS1 greatly advanced cybersecurity, although there were also shortcomings. These are now intended to be addressed,” confirmed Vinzenz Heußler, Policy Officer at the European Commission. Member states have until October 17, 2024, to implement the directive.

Smaller businesses also fall under the directive
Several updates require attention from affected companies, one of which is that "cybersecurity should be a top priority, with executive boards responsible for overseeing its implementation," according to Vinzenz Heußler. NIS2 generally targets medium-sized and large companies that play a key role in certain sectors. However, in the digital infrastructure sector, smaller companies are also considered important. Registries and registrars, for example, fall under the future directive regardless of their size. Arno Spiegel, in charge of the national NIS2 law at the Austrian Federal Chancellery, provided an overview during a panel discussion in Vienna: "Currently, NIS1 impacts approximately 180 companies in Austria; this number will rise to about 6,000 starting in October." This marks a substantial expansion of the directive's reach in Austria, introducing many companies to heightened requirements in information security, data gathering, and verification for the first time.

Only implement the bare minimum
In particular, Article 28 of the directive, which deals with the database for domain name registration data, has faced criticism. Registries and registrars are required to maintain databases and collect information such as contact details of domain owners in accordance with EU data protection law. This is intended to enable the identification of domain owners.

Robert Schischka, the technical director of nic.at, believes that Article 28 is ineffective in combating cybercrime. He argues that the requirement to identify individuals is not essential for maintaining the security and stability of the DNS, stating, "Criminal groups adjust to new situations. There will be an increase in the misuse of actual existing addresses."

One unresolved issue is the validation of user data: What exactly needs to be verified and how can it be implemented? Fritz Tupy, Managing Director of WebID Austria, explained at the Domain pulse how a verification process can be delegated to an external service provider: "We perform personal identification, which involves checking the individual's ID. We hold passports from 170 countries in our databases and are capable of conducting biometric matches."

Thomas Rickert, an attorney specializing in domain law, expressed concerns regarding national regulations: "I'm worried that we'll see a patchwork of different rules across Europe." Cross-border registries and registrars would need to comply with 27 distinct sets of regulations. As a result, Rickert appealed to national lawmakers: "Please implement only the minimum necessary."

Small businesses face disadvantages
There is a concern that small businesses in particular will stop offering DNS services because of the increased workload, potentially leading to market consolidation. Georg Schönberger, a security specialist at Xortex ebusiness, confirmed these fears: "We plan to circumvent NIS2. We will move our DNS servers elsewhere and hand over our DNS management. It's unfortunate because we are operationally strong." The software company has 30 employees and hosts approximately 500 domains on its servers. Schönberger criticized the consolidation of services and the resulting disadvantages to small businesses, which he believes drives the market towards larger players.

Preparing for October 2024
Although there is no final national law yet, numerous companies are already gearing up for the impending requirements. Franz Reischenböck, the managing director of the registrar LedI.net, provided some insights: "We've trained our staff using internal resources for their continuing education." He advised other companies to take NIS2 seriously: "Consider it seriously and allocate the necessary resources. Ultimately, you'll be responsible for any fines." Marco Hoffmann, Head of Domain Services at InterNetX GmbH, stated: "We aim to stay ahead of the curve with NIS2." His company manages 3.8 million domains and is coordinating with resellers to determine data provision responsibilities.

The registry nic.at is planning a risk-based approach for implementing the directive. "It was clear to us that we are affected by several criteria of NIS2," said nic.at Managing Director Schischka. "We want to identify the datasets that are likely to contain errors or be incomplete and require closer examination."

No official notification
Arno Spiegel stressed that DNS operators cannot afford to wait for an official notification from the Federal Chancellery: "There will no longer be any formal notifications." During the NIS1 phase, companies did receive official communications, but Spiegel noted that this is no longer feasible due to the large number of affected companies.

Therefore, it is crucial that companies inform themselves about the new cybersecurity directive and prepare accordingly. Non-compliance with the requirements could result in severe penalties.

Picture (c) Anna Rauchenberger