The NIS2 (Network and Information Systems 2) regulation, implemented by the 27 European countries and adopted in 2022 (after the successor NI2, established in 2016), added new editions, specifically addressing domain name registrars and DNS service providers in October 2024 based on Article 28.
Effect of Article 28 on Domain Name Registrars
The 28 articles of the NIS2 Directive introduce stricter regulations to enhance the Domain Name System’s security, stability, and resilience (DNS).
1. Mandatory Collection of Accurate Domain Data
Under NIS2, TLD (Top-Level Domain) registries and domain registration service providers must collect and maintain accurate, complete domain name registration data. This must be done with due diligence, following EU data protection laws when handling personal data.
2. Essential Data Requirements
The database of domain registration data must include key information to identify and contact domain holders and administrators:
- Domain Name
- Date of Registration
- Registrant’s Name, Contact Email, and Phone Number
- Admin Contact Details (if different from the registrant)
In the following paragraphs, we will explain why KYC is a perfect fit for this information collection.
3. Verification Procedures Are Mandatory
Registries and service providers must have clear verification policies and procedures to maintain data accuracy. These procedures must be:
- Regularly Updated to reflect the latest compliance standards
- Publicly Available to ensure transparency in data management
This aligns with KYC requirements for ongoing due diligence and risk monitoring.
4. Public Access to Non-Personal Data
Non-personal domain registration data must be made publicly accessible without delay after registration. This is particularly useful for KYC solutions that rely on real-time data checks to validate digital identities.
5. Timely Data Disclosure for Legitimate Requests
Registries must provide specific domain data upon lawful, substantiated requests from legitimate access seekers (e.g., regulatory bodies, law enforcement, or KYC providers). Key points include:
- Response Time: Requests must be answered within 72 hours
- Transparency: Disclosure policies must be publicly documented
6. No Duplication of Data Collection
NIS2 emphasizes efficiency, requiring registries and service providers to cooperate to prevent duplicate data collection. For KYC vendors, this promotes:
- Streamlined Data Access
- Improved Data Consistency across verification workflows
The KYC requirements for the Domain Name Registrars
Since Article 28 of NIS2 stresses data collection and verification, a particular set of measures has to be implemented. Even though the article does not specifically highlight identity verification as part of the customer due diligence procedure, it is still crucial.
Domain Name Registrars and DNS service providers need these solutions to follow the compliance requirements correctly:
1. Identity verification tools. Identity verification requires capturing the photos of ID documents or passports and optionally matching the selfie with the picture from the document. The verification also extracts and compares the registrant’s name with the data from the document.
2. IP Proxy checks. Since online e-commerce often faces chargeback fraud and domain registration is part of the broader online e-commerce industry, it is practical to verify whether an onboarded customer.
3. Ongoing monitoring. Verifying the identity once and not following up again is not sufficient. Based on the audits and set compliance policies, new verification checks must be initiated once the appropriate time approaches.
4. Correct data security procedures. Since domain registration is a sensitive online procedure, as part of the data security policy, all integrated vendors must follow strict GDPR requirements, be ISO20071 certified, and have an easy identity verification API for the registrant’s data deletion.
5. Effective registrants’ data export. Whenever internal or external audits occur or upon a fraud occurrence and initiatives from the access seekers to get appropriate information – the domain registry is obliged to generate reports. A right KYC vendor has to have experience working with regulated entities and provide PDF exports with all registrant’s data.
How can a successful KYC procedure be implemented for a domain registration service provider?
Since identity verification plays a crucial role in instilling the right compliance procedures towards a correct NIS2 implementation, it has to be part of the instrumental onboarding flow, based on these merits:
1. Registrants’ names and surnames should be passed to the KYC vendor, which cross-matches the details with data from the documents.
2. The domain register then receives the information from the identity verification provider via API webhook callback and checks whether the identity was verified or if some discrepancies were found.
3. If serious fraud is detected, it should be passed to state authorities to escalate the case further. Whenever an identity is verified successfully, the company has to store the verification records and upgrade the customer’s account permissions.
4. Once the verification date passes the set data validation threshold, the customer has to be verified again either by a new KYC check or by utilizing the face authentication feature.
Final thoughts
By implementing the right KYC practices, your digital domain registration service will become more straightforward and benefit from reducing fraud’s impact on your monthly expenditures.
Realistically, it will positively impact your brand credibility, too. Whenever impersonations or successful fraud events are registered, it harms the brand’s online strength and reliability, especially when working in a highly sensitive domain industry.
At iDenfy, we offer a complete fraud prevention package for various industries, offering you AI-powered user verification, business verification, AML screening, risk assessment, and other RegTech solutions. Let’s chat for more info.
Try for free 
