NIS2 Directive: What are the new guidelines and how will they affect businesses?

By Olivier Guerdan
Published 08 October 2024
In this interview with Team Internet expert Olivier Guerdan, we explore what the new NIS2 directive guidelines are and how they will affect your business. Read on to find out more.
Hi Olivier, thank you for taking the time to answer our questions!
1. Can you please tell us a bit about yourself and your experience in the industry?

In the early 2000s, I started at DENIC eG and stayed there for over a decade. There I learned a lot about operating a registry, customer care and software development. Since 2016 I have been part of PartnerGate and eventually became part of the Team Internet Group, which included representation in several working groups and advisory boards.

2. What is the NIS2 Directive and why was it introduced?

In general, the NIS2 directive is the advanced new version of the NIS – a cybersecurity directive to improve the resilience and sustainability of critical infrastructure. The ISO standard 27001 is a direct result coming out of this directive.

3. What are the key objectives of the NIS2 Directive?

The five key objectives of NIS2 are:

  • Strengthened cybersecurity measures
  • Enhanced incident reporting
  • Wider scope
  • Improved cooperation
  • Increased accountability

To show how important these goals are: the total financial loss from cybercrime in Germany was substantial, amounting to approximately 205.9 billion Euros in 2023.

4. How does Article 28 of the NIS2 Directive specifically impact businesses?

Article 28 may be directed specifically at European TLD registries and entities providing domain name services, but the impact is mostly on domain owners because their data has to be verified.

5. How does Article 28 differ from previous cybersecurity regulations?

The big difference to the current situation is that the name, e-mail address and phone number must be verified for each registrant of a domain. These checks can be performed post or ex ante – meaning that a verification of data may happen before, during and after registration of a domain.

Keep in mind that, despite its impact, as a directive it is not a regulation like the GDPR. The contents of NIS2 must be transformed into national law, which also leads to every member state having its own local law regarding cybersecurity.

6. What sectors are most affected by the NIS2 Directive, particularly Article 28?

Article 28 will have the most impact on the domain industry. The impact on dependent industries like hosting or other web services cannot yet completely be foreseen.

7. What are the penalties for non-compliance with Article 28 of the NIS2 Directive?

We are talking about similar figures as seen with the GDPR. Depending on the infringement, it can result in penalties of just a couple of thousand Euros and up to 7 million Euros or a maximum of 1.4% of worldwide annual turnover in the preceding financial year.

The importance of the directive is also shown in that processing and implementation of measures and processes is to be personally supervised by the CEO. Failing can result in a personal penalty of up to 100.000 Euros.

8. How can businesses prepare for and ensure compliance with Article 28?

The core principle of Article 28 is based on “know-your-customer”. If you already have processes and measures in place, you are already prepared for it.

9. What do domain holders, registrars, registries need to do to prepare for NIS2?

In general, there should be no big changes for domain holders and registrants, except for some verification of their data like address or phone. Based on the KYC principles, this should already be in place. Nevertheless, be prepared for more requests for ID documents, either from the registries or out of the domain management system.

10. What specifically will BrandShelter be able to do to support with this?

At Team Internet we are constantly surveying the current situation regarding NIS2.

In the background, we are already laying the groundwork for handling domain requests and verification processes. Most of the time we must wait until the directive is implemented in local law and, specifically, for how the corresponding registry reacts to that law and how they implement these changes in their system.

Some registries already do KYC checks on their customers/domain owners, so there will be no change at all. Some registries have different plans but have not yet announced their proceedings.

Thank you so much for answering our questions!

If you are interested in learning more about NIS2 and its consequences for your business, please feel free to reach out to us here.
