NIS 2 Information for .FI Registrars
This page is intended for domain name registrars and DNS service providers. Read about the obligations imposed by the NIS2 Directive and what you are required to do.
On this page
- Who are the obligations for?
- Are You a DNS Service Provider?
- Obligations of DNS Service Providers
- Obligations of Domain Name Registrars
- Additional Obligations for .fi Domain Name Registrars
- Get to know the services
- More information about NIS2
Who are the obligations for?
The NIS2 Directive sets requirements for domain name activities. In Finland, .fi domain name registrars are supervised by the Finnish Transport and Communications Agency Traficom.
The obligations are based on:
• the Act on Electronic Communications Services
• the Cybersecurity Act, as regards DNS service providers
NIS2 obligations applicable to all operators can be found on the website of the National Cyber Security Centre Finland.
Are You a DNS Service Provider?
Not all domain name registrars act as DNS service providers.
A DNS service provider is an operator that provides:
• recursive domain name resolution services to end users of the internet; or
• authoritative domain name resolution services to third parties
If you provide either of these services, you are considered a DNS service provider regardless of your size.
Obligations of DNS Service Providers
Register in the Operator Register
You must register in the operator register if you operate as a DNS service provider.
How to register:
• log in to Traficom’s domain name service using your registrar account
• provide the requested information
Note: Registration in the operator register is role-specific. Depending on the nature of your activities, you may also be required to register in other roles. More information about roles and registration can be found on the National Cyber Security Centre Finland’s website.
Ensure Information Security
You must ensure a sufficient level of information security.
Traficom supervise information security level using the Cybermeter (Kybermittari). When requested by Traficom, you must complete the Cybermeter. The Cybermeter is based on self-assessment. Based on the results, Traficom may request further clarification, close the case, or take further measures.
Report Incidents
You must report significant information security or operational reliability incidents.
Timelines:
• initial notification: within 24 hours of detecting the incident
• follow-up notification: within 72 hours
• final report: no later than one month after submitting the follow-up notification or after its processing has ended
Traficom may also request additional information or an interim report. Use the NIS2 Directive incident notification form for reporting.
Obligations of Domain Name Registrars
Register and Provide Information
As a domain name registrar, you must:
• register in the NIS2 operator register
• provide the requested information (e.g. IP addresses and places of establishment in the EU)
If you are a .fi domain name registrar:
• log in to Traficom’s domain name service
• provide the requested information
Traficom may disclose information, for example to the European Union Agency for Cybersecurity (ENISA), in accordance with the privacy notice.
Note: Registration in the operator register is role-specific. Depending on the nature of your activities, you may also be required to register in other roles. More information about roles and registration can be found on the National Cyber Security Centre Finland’s website.
Verify the Accuracy of information
You must ensure that the domain name users information is accurate.
You may use, for example:
• strong electronic identification services or
• other reliable identification services
Describe the verification methods you use and make the description publicly available, for example on your website.
Respond to Information Requests
You must respond to lawful information requests without undue delay, and no later than 72 hours after receiving the request.
You must assess:
• the requester’s right to access the information
• the request also from the perspective of data protection legislation
Publish Domain Name Information
You must provide public information on your website about the domain names you manage. This requirement does not apply to personal data.
A secure way to fulfil this obligation is to add a link to Traficom’s WHOIS service.
Additional Obligations for .fi Domain Name Registrars
As a .fi domain name registrar, you must also comply with Traficom Regulation M68.
Assess the Level of Information Security
Complete the Cyber Meter for domain name activities no later than 31 January 2026.
Using the Cyber Meter, Traficom monitors the level of information security of registrars. Traficom may also request you to complete the Cyber Meter after this date.
Report Information Security Incidents
You must report significant information security incidents affecting registrar operations within 24 hours of becoming aware of the incident. You may supplement the notification if necessary.
Submit the report using the information security incident form available in Traficom’s domain name service via your registrar account.