EU Regulation and the Domain Industry: What’s Coming
That reality framed the session led by Polina Malaja, who works at CENTR as Policy Director and focuses on EU policy and regulatory affairs. She offered a deep dive into how European regulation is already affecting the domain name ecosystem, and how much more is still coming.
Polina began by explaining what CENTR is and why it plays a key role in these discussions. CENTR brings together European country code top-level domain registries, including .ee, .lv and .lt. Together with associate members, this community is responsible for around 80% of all registered domain names worldwide. Beyond sharing best practices and operational experience, CENTR also acts as a collective voice in Brussels, helping policymakers understand how laws translate into real-world DNS operations.
From there, Polina moved straight into the regulatory landscape. Her first warning was simple: EU regulation affecting domains is no longer limited to “internet laws.” Cybersecurity, financial regulation, data governance, and even digital sovereignty debates are now shaping how registries and registrars operate.
One of the most important pieces is NIS2, the EU’s updated cybersecurity directive. For the domain industry, its message is clear: top-level domain registries and DNS service providers are considered essential digital infrastructure. That status brings obligations. Operators must implement minimum cybersecurity risk management measures, submit to oversight by national authorities, and report significant security incidents quickly.
NIS2 also includes the much-discussed Article 28, which directly affects registration data. Registries and registrars are required to collect and maintain accurate contact data, including the registrant’s name, email address and phone number. Non-personal data must be public, while personal data must be made available to legitimate access seekers within tight deadlines. Verification methods are not strictly mandated but are strongly encouraged, and registries and registrars are expected to cooperate to avoid duplicate data collection.
However, because NIS2 is a directive, its real impact depends on how each EU member state transposes it into national law. Polina shared that across Europe, interpretations already differ. Some registries previously removed phone numbers for GDPR reasons and now have to reintroduce them. Others are still waiting for national guidance. This uncertainty is likely to persist until transposition is complete everywhere.
Just as the community has been focusing on NIS2, another regulation has quietly entered the picture: DORA, the Digital Operational Resilience Regulation. At first glance, DORA is about financial institutions. But its relevance to domains lies in the fact that registries and registrars provide services to banks, payment providers, insurers and crypto companies.
Under DORA, financial institutions must map all ICT services they rely on and assess their risks. That raises an uncomfortable question: could domain registries or registrars be treated as “critical ICT third-party providers”? If so, they could face audits, contractual requirements and even on-site inspections initiated by financial regulators. For now, this remains unclear. The good news, Polina noted, is simple: if you haven’t been contacted by financial supervisors yet, you’re probably not considered critical. Still, awareness is key, especially for providers offering hosting or cloud services alongside domains.
The most striking part of Polina’s talk came when she turned to financial regulation and domain enforcement. New EU laws, including the Markets in Crypto-Assets Regulation and proposals under the Financial Data Access Framework, now include provisions that allow authorities to order the deletion of domain names linked to “infringing” financial services.
This is not limited to fraud. In some cases, infringement could mean refusing to share certain non-personal financial data with third parties, such as fintech companies. The idea that a bank’s or payment provider’s domain name could be deleted as an enforcement measure shocked many in the room. As Polina stressed, domain deletion has serious consequences for users and consumers, far beyond a typical regulatory fine.
During the discussion, it became clear that lawmakers likely did not fully understand the technical meaning of “delete.” In many cases, they probably intended something closer to suspension or seizure. But the legal text says deletion, and that distinction matters. CENTR has pushed back hard on this language, arguing that it could harm cybersecurity and consumer protection rather than help them.
Looking ahead, Polina outlined what is next on the EU agenda. One major theme is simplification. Faced with criticism that EU rules slow innovation, the European Commission is reviewing digital legislation to reduce overlap and complexity. This does not mean GDPR or NIS2 will disappear. Instead, the focus is on streamlining incident reporting, audits and risk management where multiple laws overlap.
Another topic returning to the table is data retention. The Commission is assessing whether service providers, including registries and registrars, should be required to retain certain metadata for law enforcement purposes. No concrete proposal exists yet, but an impact assessment is underway, with more clarity expected in 2026.
Finally, Polina connected these issues to the broader debate on digital sovereignty. While much of this discussion currently focuses on cloud services and public procurement, it could eventually affect DNS as well. Requirements around EU-based services, certifications or standards may clash with the global and decentralized nature of the domain name system. How Europe balances sovereignty goals with global internet coordination remains an open question.
Polina closed with an invitation rather than a conclusion. Regulation will continue to shape the domain industry, often from unexpected directions. Staying informed, engaging early, and explaining how DNS actually works are no longer optional. For those who want to keep up, she encouraged following CENTR’s EU updates: a small effort compared to the scale of change coming from Brussels.
In today’s European tech landscape, regulation is no longer a background detail. It is part of the operating environment. For the domain name industry, understanding that reality may be just as important as understanding DNS itself.
See the recording of the full session here: