ICANN, Others Seek Changes to Draft EC Cybersecurity Measure

(see 2101290006). Responding to an EC consultation, ICANN said NIS2 could have "far-reaching impacts" on the domain name system: The directive captures all DNS service providers. It urged the EC to consider distinguishing between providers of authoritative domain name resolution services (the "publication" side of domain name resolution) and providers of recursive domain resolution services (the name resolving side). Entities that operate a resolver service, often now otherwise classified as essential or important, are within the scope of the draft because they host a domain name or operate a recursive resolver, ICANN said. Providers of authoritative domain name resolution services should qualify as essential only if they serve domains of such important entities, it said. NIS2 requires EU governments to ensure that top-level domain registries and registrars collect and maintain accurate and complete domain name registration data in a "dedicated database facility with due diligence" subject to EU data protection law. ICANN said no entity can guarantee the integrity and availability of domain name registration data. The European Internet Services Providers Association noted only two years have passed since the effective date of the directive, meaning EU countries have had little time for assessment. NIS2 will raise costs for affected providers and should be future-proofed, said EuroISPA. The Information Technology Industry Council urged the EC to ensure reporting requirements are harmonized across the EU. The Internet Systems Consortium, which runs an ICANN authoritative root server, recommended NIS2 not include root name servers, saying doing so could destabilize the unitary DNS system. Verisign encouraged the EC to turn to ICANN's multistakeholder community for details on how EU governments can implement NIS2 consistently.