The recent adoption at the end of December of the new EU Directive for a high level of cybersecurity across the Union—commonly referred to as “NIS2”—paved the way for important updates to the domain name system (DNS). Most significantly, Article 28 of NIS2 and its related recitals resolved any ambiguities about the public interest served by a robust and objectively accurate WHOIS system that permits legitimate access by third parties to data, including personal data, and the legal basis under the EU General Data Protection Regulation (“GDPR”) that supports such a system.

By mandating that all registrars AND registries hold complete and accurate databases of domain name registration information (known as “thick WHOIS”), NIS2 requires ICANN finally to complete implementation of the long-delayed Thick WHOIS Transition Policy. ICANN should recognize the importance of the consensus thick WHOIS policy, acknowledge that no legitimate obstacles prevent its complete implementation and move immediately to implement and require thick WHOIS for all gTLD domain name registries.

GDPR Delayed Implementation of Thick WHOIS Policy

For many months, European Union (EU) authorities have labored on NIS2 not only to bolster cybersecurity, but also to make important clarifications to the now more than four-year-old GDPR as it applies to WHOIS.

In addition to requiring verification and accuracy of WHOIS data and creating a mandate for timely responses to access requests, NIS2 clearly obliges both domain name registries and registrars to maintain thick sets of WHOIS data. When implementation of the GDPR darkened the WHOIS system in 2018, it not only left security authorities scrambling, but also prompted some to make the argument that thick data was no longer necessary or possibly even permitted. But EU policy makers have clearly recognized the importance of thick WHOIS and the ability of legitimate access seekers to obtain full WHOIS data from registries—a much smaller number of entities—as well as from registrars. As just one example, the .COM gTLD is administered by a single registry (as are all TLDs), but is serviced by over 2,000 accredited registrars around the world.

The ICANN Community Long Adopted and Confirmed Thick WHOIS Policy

Thick WHOIS is a consensus policy developed by the ICANN community and adopted by the ICANN Board of Directors in 2014. Nevertheless, the ICANN Board of Directors adopted resolutions permitting five deferrals of enforcement of thick WHOIS with respect to .COM, .NET and .JOBS. The last resolution, adopted in November 2019, set no specific timeline for ending the deferral.

In light of the GDPR, ICANN adopted a Temporary Specification on WHOIS in 2018 and launched an expedited policy development process (“EPDP”). When Phase 1 of the EPDP concluded, the ICANN Board resolved to confirm thick WHOIS as a policy, and specifically called for the EPDP Phase 2 work to determine whether that policy should be altered. Phase 2 results, though, in fact did not identify thick WHOIS policy as one requiring modification.

Unfortunately, this didn’t stop some from pursuing a back door elimination of thick WHOIS, in contravention of standing policy, by trying to get the EPDP implementation team to say thick WHOIS policy had been “superseded” by the subsequent Registration Data Policy.

It appears that these delays and machinations encouraged EU policy makers to step in and require thick WHOIS via government regulation, which is precisely what NIS2, in part, was designed to do.

ICANN’s Inability to Fully Implement Thick WHOIS Led to Government Intervention via NIS2

Within the sprawling context of the NIS2 directive, EU policymakers carefully crafted detailed language to set forth requirements for an accurate and robust WHOIS system to contribute to the safety and security of the DNS and the internet overall. The final NIS2 text, officially published on December 27, 2022, requires thick WHOIS.

Specifically, Article 28 says (emphasis added):

“For the purpose of contributing to the security, stability and resilience of the DNS, Member States shall require TLD name registries and entities providing domain name registration services to collect and maintain accurate and complete domain name registration data in a dedicated database with due diligence in accordance with Union data protection law as regards data which are personal data.”

Further refining the WHOIS requirement, Recital 109 states (emphasis added):

“Maintaining accurate and complete databases of domain name registration data (WHOIS data) and providing lawful access to such data is essential to ensure the security, stability and resilience of the DNS, which in turn contributes to a high common level of cybersecurity across the Union. For that specific purpose, TLD name registries and entities providing domain name registration services should be required to process certain data necessary to achieve that purpose.”

While Article 28 clarifies that registries and registrars do not each need to independently collect WHOIS data from registrants, it is clear that both must maintain complete and independent databases of thick WHOIS data. A prior version of NIS2 from June 2022 had confusingly stated that compliance with the relevant obligations “shall not result in a duplication of collecting and maintaining domain name registration data.” This confusion was eliminated in the final NIS2 language of Article 28 that states only that compliance with the relevant obligations “shall not result in a duplication of collecting domain name registration data.”

As EU member states begin transposing NIS2 into law in their individual jurisdictions, applicable law will require registrant data to be transferred to and maintained by registries.

In addition to the thick WHOIS requirements, various recitals preceding Article 28 as well as that article’s provisions clarify and strengthen requirements for registries and registrars to: (i) ensure accuracy and completeness of WHOIS data, (ii) make publicly available all WHOIS data that is not personal data, including the data of legal persons, (iii) respond without delay to WHOIS data access requests and provide access upon lawful requests, and (iv) provide legitimate access to WHOIS data free of charge. See for example (emphasis added):

• In order to ensure the availability of accurate and complete domain name registration data, TLD name registries and entities providing domain name registration services should collect and guarantee the integrity and availability of domain name registration data. In particular, TLD name registries and entities providing domain name registration services should establish policies and procedures to collect and maintain accurate and complete domain name registration data, as well as to prevent and correct inaccurate registration data, in accordance with Union data protection law. Those policies and procedures should take into account, to the extent possible, the standards developed by the multi-stakeholder governance structures at international level. The TLD name registries and the entities providing domain name registration services should adopt and implement proportionate procedures to verify domain name registration data. Those procedures should reflect the best practices used within the industry and, to the extent possible, the progress made in the field of electronic identification. Examples of verification procedures may include ex ante controls carried out at the time of the registration and ex post controls carried out after the registration. The TLD name registries and the entities providing domain name registration services should, in particular, verify at least one means of contact of the registrant. (Recital 111)
• TLD name registries and entities providing domain name registration services should be required to make publicly available domain name registration data that fall outside the scope of Union data protection law, such as data that concern legal persons… (Recital 112)
• Member States shall require the TLD name registries and the entities providing domain name registration services to make publicly available without undue delay after the registration of a domain name, the domain name registration data which are not personal data. (Article 28, paragraph 4)
• TLD name registries and entities providing domain name registration services should also enable lawful access to specific domain name registration data concerning natural persons to legitimate access seekers, in accordance with Union data protection law. (Recital 112)
• TLD name registries and entities providing domain name registration services should be required to enable lawful access to specific domain name registration data, which are necessary for the purposes of the access request, to legitimate access seekers in accordance with Union and national law. (Recital 110)
• Member States shall require the TLD name registries and the entities providing domain name registration services to reply without undue delay and, in any event, within 72 hours of receipt of any requests for access. (Article 28, paragraph 5)
• Member States should ensure that all types of access to personal and non-personal domain name registration data are free of charge. (Recital 112)

Obviously, NIS2, which now carries the effect of binding law, imposes clear obligations on registries that can be met only through the maintenance of thick WHOIS records. Therefore, the time has come for the ICANN Board of Directors to put an end to procedural gyrations with respect to thick WHOIS and complete the Thick WHOIS Transition Policy for .COM, .NET and .JOBS as soon as possible. Indeed, failure to do so will result in ICANN policies that are contrary to clear legal and regulatory requirements of the EU.