
The NIS 2 Directive approved by the EU introduces new obligations for .fi domain name operations. The obligations of the NIS 2 Directive will become part of binding national legislation by 17 October 2024. Up-to-date and more specific information about the new regulations for registrars and resellers will be published on this page.

Presentations and general matters

The aim of the NIS 2 Directive is to ensure a common high level of cybersecurity throughout the Union. The Directive contains obligations to verify the correctness of the information in the domain name registration service that apply to entities providing domain name registration services, i.e. domain name registrars and agents acting on behalf of domain name registrars, such as privacy or proxy registration service providers or resellers.

New obligations

All .fi domain name registrars and their resellers have the following obligations related to the .fi domain name registration service (WHOIS data) in accordance with Article 28 of the NIS 2 Directive:

*    to collect and maintain accurate and complete domain name registration data with due diligence in accordance with Union data protection law
*    to have policies and procedures, including verification procedures, in place to ensure that the domain name registry includes accurate and complete information
*    to make publicly available, without undue delay after the registration of a domain name, the domain name registration data which are not personal data
*    to provide access to specific domain name registration data upon lawful and duly substantiated requests by legitimate access seekers, in accordance with Union data protection law, and to reply to such requests without undue delay and in any event within 72 hours
*    to make publicly available the policies and procedures regarding accurate and complete information and the disclosure of information, and
*    to cooperate with the .fi register so that the collection of registration data does not result in duplicate collection of domain name registration data.

In addition, DNS service providers are subject to the information security obligations of the NIS 2 Directive, such as the obligation to implement cybersecurity risk-management measures and the obligation to report significant incidents. A DNS service provider means an entity that provides publicly available recursive domain name resolution services for internet end-users or authoritative domain name resolution services for third-party use, with the exception of root name servers.

On May 16th 2024, the Finnish Transport and Communications Agency Traficom adopted a regulatory project decision regarding the .fi domain name regulation. The new regulation is intended to take into account new legislation, such as the requirements derived from the NIS 2 Directive. The new domain name regulation is currently under preparation. The draft regulation will be made public for comments at lausuntopalvelu.fi around the beginning of autumn 2024.

PowerPoint presentation on the NIS 2 changes for registrars - In Finnish only (16.10.2023)

The Cyber Security Center (NCSC-FI) provides public tools for maintaining and updating the level of cybersecurity. In particular, the Cybermeter helps organizations self-evaluate their NIS 2 preparedness.

Services provided by NCSC-FI can be found here. (16.10.2023)

Generic NIS 2-related information provided by NCSC-FI can be found here - In Finnish only (4.4.2024)

Q/A 

(16.10.2023)

Question: I am a sole entrepreneur. Do the obligations in the NIS 2 Directive apply to me?

Answer: The obligations stemming from Article 28 of the NIS 2 Directive apply to all registrars, both large and small. The obligations also apply to registrars who are private persons. In addition, DNS service providers are subject to the information security obligations of the NIS 2 Directive.

Question: The registrar will be required to provide access free of charge to specific domain name registration data in accordance with data protection law. Does this mean that if someone asks, I have to give access to my registrar account?

Answer: For now, it remains unclear what "providing access" means in practice for registrars. However, it does not mean that a customer or any other person should be given access to your registrar account.

Cybersecurity of Registrar operations
