NIS2 legislation: what it means for registrars and resellers

NIS2 is fast approaching because from 18 October the new Cybersecurity Act will come into effect. Here's a reminder: NIS2 is a cybersecurity directive that was issued by the European Union in 2022. This spring, Belgium transposed the directive into a new Cybersecurity Act (this is also referred to as the Belgian NIS2 Act).

And from 18 October our sector has to comply with the provisions of this Act. Regardless of whether you are offering DNS services or only domain name registrations: this new act has an impact on all of us. Registries and registrars need to follow new procedures and meet specific obligations. We'll list them for you.

Who falls under the Belgian NIS2 Act?

  • Registrars and resellers established in Belgium.
  • Registrars and resellers with a legal EU representative in Belgium.
     

More information on the scope of the NIS2 legislation can be found on the CCB website.

What you need to get right as soon as possible

Register with the national cyber security authority. In Belgium, it is the CCB.

Within two months after the NIS2 Act has come into force, your organisation needs to register with the CCB. In other words, no later than 18 December 2024. This registration is compulsory for all registrars, resellers and registries. Registrars without a head office in Belgium but with a legal representation in Belgium also need to do this.

Your organisation's profile determines which NIS2 requirements you need to meet.


1. You're a DNS service provider.

In other words, are you providing recursive or authoritative nameserver services? Because you're providing an essential service, you need to meet all provisions of the NIS2 Act. In short, this comes down to two things:

  • You take risk management measures (article 21). These are specific actions your organisation takes for the protection of network and information systems.
  • You're obliged to report major incidents (article 23). You follow the legally defined procedures to draw up reports and follow the measures to prevent a recurrence of such cybersecurity incident.

These requirements should not be underestimated and are similar to obtaining an information security standard (so-called ISO certification). The application of this Act shows similarities with ISO27001.
Please note! Do you also offer domain name registrations? If so, you also need to comply with article 28, see below.

 

2. You offer domain name registrations, without nameserver services.

If so, you need to meet specific obligations (article 28) relating to:

  • keeping and verifying contact details of registrants.
  • publishing these contact details.
  • providing access to these contact details in case of a legitimate question (i.e. police services, the court, etc.).

Every registrar and reseller falls into one of the above categories. In other words, there's no escaping NIS2 and we advise you not to take this lightly.

You're not on your own

  • Where possible, we want to support you to understand this directive and its impact on you as a registrar. Contact our support colleagues with any questions.
  • In the coming weeks, we'll publish detailed info on each of the quoted articles from the NIS directive that apply to you. We're happy to provide up-to-date information on the application of NIS2 in Belgium.
  • Meanwhile, you can also visit the CCB for information sessions on NIS2. On their website, the CCB also guides you through a risk assessment in a few steps. That way, you will clearly know what level of cyber security you need to achieve, as a Belgian registrar or reseller.
  • As a registry, we want to take the lead in verifying, maintaining, publishing and providing access to contact details of registrants (article 28). Where possible, we'll limit the work for registrars as much as possible. More information on this will follow in the coming months.

With this article we support the Sustainable Development Goals of the United Nations.