The NIS2 Directive, particularly Article 28, imposes new responsibilities on domain name registrars to implement an Identity Verification (IDV) process for domain registration. What is also required from you as a registrar is to present your IDV process on your homepage.
We expect that compliance with this aspect together with the rest of NIS2 will be a struggle during 2024. Therefore, in this article we have outlined what such a process description could look like, to support you in complying with NIS2 and securing your part of the digital infrastructure.
Explain when ID proofing is initiated
You need to explain the various processes for ID checks, and that they are initiated for a registrant when considered required, for example when:
- Someone applies for or creates a new domain name
- An existing domain name is transferred to a new registrant
Explain how ID verification works in general
In terms of ID control, you might have different processes that follow some common paths. To save space, we suggest you start with describing what they have in common. Things to cover might include:
- Who is the subject for ID control - the registrant or the domain?
- How will the user get a request for ID verification (important to prevent phishing)
- When will the request expire?
- What happens if ID check is not completed, is the domain suspended?
- When is it suspended? For how long?
- Are other domain names that the user controls affected by a failed ID check?
Explain how IDV works for specific use cases
The ID verification might vary for different use cases, for example application / creation of a new domain name, or transfer of domain name to a new registrant. We suggest you move forward by describing each use case.
Explain the different potential outcomes of the risk assessment that will be performed, for example
- ID verification is not required or has already been successfully completed
- ID control must be obtained via the use of a digital identity solution, for example Truid
- ID verification is initiated, the application is closed, and the specified domain name is activated
- ID verification is initiated, the request is terminated, but the specified domain name awaits the outcome of the ID verification (note that this outcome is not valid for transfer to new registrant)
Describe potential ID verification methods that the user can be subject to
- National digital identity, for example Swedish BankID
- International digital identity, for example Truid
- International digital business ID, for example Truid
- Manual ID check
Explain what happens after an ID check
- Status visibility in the portal
- Activation of domain name
- Potential suspension
Download a template for domain registration IDV process description!
In order to comply with article 28 in NIS2, domain registrars need not only implement stricter security measures such as identity verification of registrants. You also need to explicitly present on your homepage how this process is accomplished. Above we have described what to think of when describing this process. Too much compliance work to do right now? Then you can download a template here!