Domain Registries in a Regulatory Maze: Reflections from the CENTR Legal & Regulatory Meeting in Stockholm

I participated in the CENTR Legal & Regulatory (L&R) working group meeting in Stockholm, where legal experts from European domain registries gathered to exchange views. This time, the focus was on the growing body of European Union legislation that increasingly shapes our daily work — rules we must constantly interpret, analyse, and implement in practice.
CENTR working group meeting (photo: private collection)

Particular attention was given to GDPR implementation challenges, issues arising from the NIS2 Directive, and newer initiatives such as the Digital Omnibus package and the DORA Regulation.

When GDPR entered into force in 2018, it dominated the agenda. In the domain industry, however, the topic has never really faded. Quite the opposite: it remains a highly practical and ongoing issue.

One of the sharpest questions concerns the retention of historical data: how long registries may store data, and on what legal basis. A presentation from the Dutch registry made it clear that domain registrants are increasingly requesting detailed information about data processing: what data is stored, for what purpose, and for how long. Transparency is no longer an abstract principle; it has become a concrete expectation.

An interesting fact shared by SIDN was that in some countries, registry historical data goes back to the 1980s. This creates a real dilemma. On the one hand, there are statutory retention obligations, limitation periods, and even research considerations. On the other hand, GDPR requires that personal data not be kept longer than necessary.

One possible approach discussed was retaining data related to deleted domains for a limited period and then anonymising it. In practice, however, implementing such policies technically has proven more complex than anticipated.

WHOIS and the Legal Basis Question

Another lively discussion revolved around the legal basis for publishing registrant data through WHOIS, and what data can be disclosed at all.

The debate was triggered by a Portuguese presentation arguing that even data of a legal entity’s representative may, under certain circumstances, constitute personal data. In such cases, it cannot simply be published via WHOIS, nor can it automatically rely on consent, especially if that consent may not be considered freely given.

Approaches differ across Europe.

Some argue that an administrative contact acts in their capacity as a legal representative or authorised person of the legal entity, not as a private individual. Others point out that the person designated as an administrative contact may not fully understand the implications of publication, and that the contact details (such as email and phone number) are still personal data.

The conclusion was clear: there is no unified European practice. Each registry has had to find its own balance.

Cybersecurity Remains in Focus

Looking ahead, developments in EU law suggest that 2026 will continue to bring a strong focus on cybersecurity.

Among the topics discussed were the Digital Omnibus initiative, Cybersecurity Act 2.0, and potential amendments to the NIS2 Directive. On the one hand, there is an effort to simplify requirements, for example, through a single incident reporting channel or possibly excluding smaller DNS service providers from certain obligations. On the other hand, there is a push to strengthen oversight of supply chains and to recognise DNS as a critical public space of the open internet.

In practical terms, this could mean stricter requirements and increased supervision. As always, we will keep stakeholders informed as these developments unfold.

DORA: Are Registries ICT Third-Party Providers?

The DORA Regulation, which is aimed at strengthening the digital operational resilience of the financial sector, was also briefly addressed.

For registries, the key question is whether we could be classified as ICT third-party service providers. If that were the case, financial institutions would need to conclude contracts with registries in line with Article 30 of DORA. These contracts would contain detailed provisions on service descriptions, security measures, audits, and incident management.

However, the prevailing view at the meeting was that registries do not see themselves as classic third-party ICT providers within the meaning of DORA.

Supervisory Role Over Registrars

Another topic was the registry’s day-to-day role in supervising registrars: an area where practices still vary considerably between countries.

Examples were shared of registrar auditing practices, including the use of automated IT solutions to monitor compliance, as well as how contractual breaches are handled. It was valuable to exchange experiences on how supervision is practically implemented in the domain ecosystem.


Overall, the meeting was substantive and practical, offering much food for thought on a range of legal issues affecting our sector. Next on the agenda is the annual CENTR Jamboree: a larger, cross-working-group gathering focused on strategic and forward-looking discussions about the future of the domain industry.

We will continue to follow these developments closely and share key insights along the way.
