Obligations in scope
Article 28 — TLD name registries and entities providing domain name registration services
Collect and maintain accurate and complete domain name registration data in a dedicated database with due diligence in accordance with Union data protection law. Action required: collect and maintain.
Article 28 — TLD name registries and entities providing domain name registration services
Ensure the database contains necessary information to identify and contact domain name holders and administrators, including domain name, registration date, registrant details, and administrator contact details. Action required: contain.
Article 28 — TLD name registries and entities providing domain name registration services
Have policies and procedures, including verification procedures, in place to ensure the databases include accurate and complete information. Action required: have.
Article 28 — TLD name registries and entities providing domain name registration services
Make policies and procedures regarding data accuracy and verification publicly available. Action required: make publicly available.
Article 28 — TLD name registries and entities providing domain name registration services
Make publicly available, without undue delay after registration, the domain name registration data which are not personal data. Action required: make publicly available. Deadline: without undue delay after registration.
Article 28 — TLD name registries and entities providing domain name registration services
Provide access to specific domain name registration data upon lawful and duly substantiated requests by legitimate access seekers, in accordance with Union data protection law. Action required: provide access.
Article 28 — TLD name registries and entities providing domain name registration services
Reply to requests for access to specific domain name registration data without undue delay and in any event within 72 hours of receipt. Action required: reply. Deadline: within 72 hours of receipt.
Practical steps
What the obligations on this page actually require you to do, ordered by article. Use this as a starting checklist; verify each item against the underlying article text before treating it as legal advice.
- Art 28 — collect and maintain (TLD name registries and entities providing domain name registration services)
- Art 28 — contain (TLD name registries and entities providing domain name registration services)
- Art 28 — have (TLD name registries and entities providing domain name registration services)
- Art 28 — make publicly available (TLD name registries and entities providing domain name registration services)
- Art 28 — provide access (TLD name registries and entities providing domain name registration services)
- Art 28 — reply (TLD name registries and entities providing domain name registration services)
- Art 28 — cooperate (TLD name registries and entities providing domain name registration services)
Obligation reference table
| Article | Obligated entity | Deadline | Penalty |
|---|---|---|---|
| Art 28 | TLD name registries and entities providing domain name registration services | — | — |
| Art 28 | TLD name registries and entities providing domain name registration services | — | — |
| Art 28 | TLD name registries and entities providing domain name registration services | — | — |
| Art 28 | TLD name registries and entities providing domain name registration services | — | — |
| Art 28 | TLD name registries and entities providing domain name registration services | without undue delay after registration | — |
| Art 28 | TLD name registries and entities providing domain name registration services | — | — |
| Art 28 | TLD name registries and entities providing domain name registration services | within 72 hours of receipt | — |
| Art 28 | TLD name registries and entities providing domain name registration services | — | — |
| Art 28 | TLD name registries and entities providing domain name registration services | — | — |
Penalty exposure
None of the 9 obligations on this page carries an explicit penalty figure in the NIS2 Directive text itself; the fine ceiling is set elsewhere in the regulation and applies by reference. Refer to the NIS2 Directive's general penalties article to estimate exposure before signing off on a compliance programme.
Cross-regulatory conflicts
The NIS2 Directive interacts with other EU regulations in ways that can pull compliance teams in opposite directions. The most concrete conflicts in the Fontvera corpus involving this regulation:
- DSA Art 17 ↔ NIS2 Directive Art 12 (medium) — [entity affected: Providers of hosting services / ICT product providers] DSA requires providers to disclose reasons for content restrictions including notifier identity if strictly necessary, while NIS2 emphasizes anonymity for vulnerability reporters, creating tension in disclosure practices when a content restriction is based on a reported vulnerability.
- DORA Art 19 ↔ NIS2 Directive Art 23 (high) — [entity affected: Financial entities classified as essential/important] DORA imposes specific, strict timelines for incident reporting to competent authorities, while NIS2 allows Member States to define reporting timelines, potentially creating contradictory compliance schedules.
- DORA Art 18 ↔ NIS2 Directive Art 23 (high) — [entity affected: Financial entities classified as essential/important] DORA defines specific criteria for classifying 'major' ICT incidents, whereas NIS2 relies on Member State definitions for 'significant' incidents, leading to potential discrepancies in what triggers reporting obligations.
- GDPR Art 33 ↔ NIS2 Directive Art 23 (high) — [entity affected: Essential and Important Entities] GDPR mandates notification within 72 hours of becoming aware of a breach, whereas NIS2 requires an initial notification within 24 hours of becoming aware of a significant incident, creating a stricter timeline conflict for overlapping incidents.
- NIS2 Directive Art 13 ↔ ePrivacy Directive Art 5 (high) — [entity affected: Competent Authorities / CSIRTs] NIS2 encourages the exchange of incident information and cyber threats among authorities and CSIRTs, while ePrivacy strictly prohibits the interception or storage of communications and traffic data without user consent, potentially limiting the data available for sharing under NIS2.