Internet Way of Networking 11 October 2021

Internet Impact Brief

Impact of the Council of the European Union’s NIS 2 Proposal on the Internet

Abstract

In December 2020, the European Commission proposed the Revised Directive on Security of Network and Information (commonly referred to as NIS 2), repealing existing cybersecurity rules. This new proposal will have significant implications for DNS services, TLD registries, trust service providers, and certificate authorities that operate in the European market.

This report uses the Internet Impact Assessment Toolkit[1] (IIAT) to assess how the Presidency compromise proposal[2] from 21 September 2021 may affect the global Internet by impacting what the Internet needs to thrive as an open, globally connected, secure and trustworthy resource for all.

The report includes an overview of the methodology used for the assessment, context about key digital providers within the scope of the most recent compromise proposal, and an analysis in support of our recommendations.

Methodology

The Internet owes its strength and success to a foundation of critical properties that, when combined, represent the Internet Way of Networking (IWN). This includes: an accessible infrastructure with a common protocol, a layered architecture of interoperable building blocks, decentralized management and distributed routing, a common global identifier system, and a technology neutral, general-purpose network.

To assess whether the present compromise proposal has an impact on the Internet, this report will examine its impact on the IWN foundation the Internet needs to exist, and what it needs to thrive as an open, globally connected, secure and trustworthy resource.

Context

Introduction: Revised Directive on Security of Network and Information (NIS 2)

The Revised Directive on Security of Network and Information[2], commonly referred to as NIS 2, was proposed by the European Commission on 16 December 2020. The revised directive introduces new cybersecurity rules for the European Union (EU) and will replace the existing 2016 Directive on Security of Network and Information Systems (NIS 1).[3]

The NIS 2 proposal seeks to respond to the rapidly changing cybersecurity threat landscape as well as the limitations of the existing NIS 1. The proposal’s objective is to support a more resilient Europe by protecting additional vulnerable sectors and increasing interconnectivity between Member States’ cybersecurity mechanisms. Accordingly, member states will need to transpose the Directive into national laws.

The NIS 2 proposal differs from NIS 1 in several ways. The directive’s scope has been expanded under NIS 2 to cover additional sectors including telecoms, social media platforms, and public administration.[4] The NIS 2 proposal also removes the distinction between Operators of Essential Services (OES) and Digital Service Providers (DSP) found in NIS 1.[5] Instead, Member States will enforce risk management and reporting requirements for “essential and important entities,” with digital infrastructure designated as “essential” and digital providers as “important entities.”[6]

The concrete list of entities that will fall under NIS 2 will be created by member states while the Directive itself defines a high-level list of entities in the Annex. In this analysis we will focus on a subset of these entities, primarily concerned with Domain Name System (DNS) and trust services providers.

A) DNS Services within the Scope of NIS 2 Requirements

The Domain Name System (DNS) plays a crucial role in making the Internet easier to navigate using a system of common global identifiers that systems and users worldwide can depend on to get them where they are trying to go on the Internet. DNS services do this by creating a semantic map that allows users to navigate the network using only domain names (e.g. internetsociety.org) rather than requiring users to remember multiple numerical network addresses (e.g. 104.18.16.166 or 2606:4700::6812:11a6). The links created by DNS services ensure consistency and help prevent the fragmentation of the Internet.

The 21 September NIS 2 compromise proposal holds all providers of DNS services along the DNS resolution chain within scope, including: (1) operators of root name servers, (2) top-level-domain (TLD) name servers, and (3) authoritative name servers for domain names and recursive resolvers.[7]

NIS 2 requires that DNS services within the proposal’s scope meet certain reporting and security policy requirements, with exceptions for small and micro entities.[8] These requirements include incident reporting, the designation of a representative if the entity is located outside of the Union, and the adoption of various supply chain security measures. Given the typical size of DNS services, very few entities would qualify for exemptions under the category of small and micro entities.

B) Top Level Domain Registries within the Scope of NIS 2 Requirements

Top Level Domains (TLDs) sit near the top of the DNS and can be identified by the last segment of a domain name (e.g. .com, .org, .net, or .uk). A TLD registry is a database of all the domain names registered under one of these TLDs.

Operators of TLD registries are responsible for the registration of domain names either directly (as a registry) or through a network of domain name resellers (registrars). TLD registry operators primarily manage the generation, signing, and publication of the technical information needed for delegation to the next level in the DNS name hierarchy.

When zone data is out of date or inaccurate, the links connecting the TLD to its underlying consumer domain names break, causing traffic to be directed to inaccurate or outdated network addresses. This creates security risks as users are taken to insecure network addresses where they can become victim to abusive behavior. Weak registration policies make abuse of the DNS even easier, as evidenced by instances of domain names being used as botnet command and control centers for attacks.

The NIS 2 proposal places requirements on TLD registries to collect domain name registration data by implementing technical and organizational measures.[9] Additionally, TLD registries will have 72 hours to reply to requests from legitimate access seekers for the disclosure of domain name registration data.[10] There are no exceptions in the NIS 2 proposal for small or micro TLD registries.[11]

C) Trust Service Providers within the Scope of NIS 2 Requirements

Trust service providers (TSP) provide and maintain digital certificates that are used to create and validate electronic signatures as well as to authenticate signatories and websites. They play a critical role in verifying the identity of people and companies on the Internet. The reliable use of digital certificates increases the trustworthiness of the Internet and has enabled, among other things, the growth of eGovernment services, as well as sensitive health and financial services, throughout the EU.

The most recent compromise proposal of NIS 2 includes TSPs within the scope of the Directive[12] and identifies them as essential entities in the Annex under the category of digital infrastructure.[13] As essential entities, TSPs would be subject to both ex-ante and ex-post supervision[14], meaning that trust service providers would need to systematically document their compliance with the security requirements of the directive. There are no exceptions in the NIS 2 for small or micro trust service providers.[15]

Analysis: How would the NIS 2 proposal affect the Internet?

1. The NIS 2 proposal negatively impacts root name servers and the Address and Routing Parameter Area TLD.

The recent compromise proposal retains within its scope both root name servers and the Address and Routing Parameter Area (.arpa) TLD, with the operators of root name servers identified explicitly. Root name servers sit at the core of the DNS—like the trunk that supports a tree's myriad branches and leaves—and answer requests for records in the root zone, which contains the list of root servers themselves as well as a list of the authoritative name servers for all TLDs.

Meanwhile, .arpa provides a number of critical technical services for the global Internet[16] including a “reverse resolution service” where numerical IP addresses are translated into their corresponding domain names. The service provided by .arpa as a TLD is essential to the functioning of global common protocols. It is currently governed by the Internet Architecture Board, a multi-stakeholder committee associated with the Internet Engineering Task Force (IETF), the standards body for the Internet.
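As an added illustration, not part of the original brief, the following Python builds the in-addr.arpa and ip6.arpa lookup names that the .arpa reverse resolution service answers for, using the two addresses the brief itself quotes for internetsociety.org, and cross-checks the hand-built names against the standard library.

```python
import ipaddress

# Reverse-mapping zones under .arpa (RFC 1035 for IPv4, RFC 3152 for IPv6).
IN_ADDR_ARPA = "in-addr.arpa"
IP6_ARPA = "ip6.arpa"


def reverse_name(address: str) -> str:
    """Return the PTR owner name under .arpa for an IPv4 or IPv6 address.

    IPv4: the four octets are written in reverse order under in-addr.arpa.
    IPv6: the 128-bit address is expanded to 32 hex nibbles, each nibble
    becomes one label, and the labels are written in reverse under ip6.arpa.
    """
    ip = ipaddress.ip_address(address)  # raises ValueError on malformed input
    if ip.version == 4:
        octets = str(ip).split(".")
        return ".".join(reversed(octets)) + "." + IN_ADDR_ARPA
    # ip.exploded is the full 8 x 4-hex-digit form, e.g. 2606:4700:0000:...
    nibbles = ip.exploded.replace(":", "")
    assert len(nibbles) == 32
    return ".".join(reversed(nibbles)) + "." + IP6_ARPA


def matches_stdlib(address: str) -> bool:
    """Cross-check the hand-built name against ipaddress's reverse_pointer."""
    return reverse_name(address) == ipaddress.ip_address(address).reverse_pointer


# The two example addresses quoted in the brief (constructed sample input here).
EXAMPLE_ADDRESSES = ["104.18.16.166", "2606:4700::6812:11a6"]

if __name__ == "__main__":
    for addr in EXAMPLE_ADDRESSES:
        print(f"{addr:>22} -> {reverse_name(addr)} (stdlib agrees: {matches_stdlib(addr)})")
```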

NIS 2 imposes a top-down Internet governance approach for root name servers and .arpa which could fuel Internet fragmentation, especially if similar top-down approaches were to be implemented by other governments around the world. This would harm multistakeholder processes and contribute to the disintegration of common global identifiers. Furthermore, it runs contrary to the EU’s historic support of a ‘single, open, neutral, free, secure and un-fragmented network.’ The NIS 2 proposal should therefore exclude root name servers and the .arpa TLD from the directive.

2. NIS 2 should foster a culture of collaborative security.

The NIS 2 proposal has a further opportunity to strengthen Internet security so that the integrity of data sent through the system is not compromised. Networks constantly exchange routing information to get Internet traffic to where it needs to be. Hundreds of incidents occur on these networks every day, including route hijacking, route leaks, and IP address spoofing. These incidents result in Denial of Service (DoS) attacks, surveillance, and lost revenue, negatively impacting the trustworthiness of the Internet.

Voluntary collaborative actions are essential for countering incidents such as these and increasing Internet security. For example, the Internet Society coordinates and supports an industry-led initiative called the Mutually Agreed Norms for Routing Security (MANRS) to protect the integrity and resilience of the Internet. The initiative supports four voluntary programs, for network operators (ISPs), Internet exchange points (IXPs), content delivery networks (CDNs) and cloud providers, and equipment vendors, to implement practices that combat the most common routing threats. We recommend that NIS 2 encourage voluntary collaborative actions that increase Internet security.

3. A full impact assessment report on NIS 2 should be conducted to avoid unintended consequences to the Internet.

There are several ways that NIS 2 could harm the Internet’s foundational properties and prevent it from reaching its full potential. Based on these preliminary findings, we recommend that these potential unintended consequences be further investigated in a full Internet Impact report.

a. NIS 2 impacts several foundational properties that underpin the Internet and contribute to its strength and success.

  • A key feature of an open Internet is that it facilitates fast and permissionless innovation so that useful changes are adopted when needed and unnecessary ones removed without barriers. The NIS 2 proposal has been successful in not prescribing specific security mechanisms to DNS services and has instead taken a technology neutral approach.

    Technological flexibility has proved important in the past as DNS services have adopted new security building blocks such as Domain Name System Security Extensions (DNSSEC) as well as DoT and DoH to respond to new challenges. In this sense, while the NIS 2 does confine DNS services in developing their own measures appropriate to their risk level, it is positive that the type of technologies used to meet these requirements has largely been left open.
  • The decentralized management of Internet services allows for local optimization as needed. The NIS 2 proposal places new obligations on DNS services without considering the wide variety of existing obligations they already face under a myriad of community-led governance structures. This approach risks the creation of multiple layers of accountability and clashing obligations, threatening the autonomy of DNS services and resilience of the Internet. For example, the requirements for certain country code top-level domains are set by local government while others are set by local communities. Adding regulations at higher levels would negate local community-led governance structures and reduce autonomy.
  • The globally connected Internet uses common identifiers to deliver consistent addressability and prevent Internet fragmentation. By placing additional requirements on DNS services, without consideration for differences in resources and ability, NIS 2 disproportionately burdens certain entities. Entities that fail to comply with obligations may be ordered by member states to ‘cease non-compliant conduct.’[17] Could failure to comply result in banning certain domain names in the EU and barring access for EU residents? By not providing greater clarity on repercussions, NIS 2 creates the conditions for the disintegration of common global identifiers and contributes to Internet fragmentation.

    Fragmentation may also occur when global entities within the scope of the directive change their behavior to avoid administrative fines. Global entities could do this by ceasing to provide their services to European Internet users by geo-blocking European DNS queries, likewise contributing to Internet fragmentation and depriving EU residents of access. Historic examples of regulation-dodging behaviour can be seen in General Data Protection Regulation (GDPR) cases where foreign websites blocked access from Europe.[18]

    Furthermore, new obligations on TLDs could interfere with global governance rules resulting in Internet fragmentation. The equivalent treatment of all TLD registries under the NIS 2 proposal causes problems when applied to country code top-level domains (ccTLDs). Would ccTLDs associated with non-EU countries (such as .us, .uk, or .cn) be in scope if they include lower-level domain names from EU registrants or are used by the websites providing services in the EU? Similarly, what about generic ccTLDs such as .tv that are used across national borders? The broad treatment of all TLD registries creates issues of extraterritoriality and could further encourage Internet fragmentation if regulatory actions also come from other countries.

b. NIS 2 impacts the ability of the Internet to reach its full potential as an open, globally connected, secure, and trustworthy resource.

  • An open Internet is maximized when its development and maintenance is based on consensus. By not recognising the wide variety of structures that govern DNS services, the NIS 2 proposal risks replacing existing collaborative multistakeholder development with a top-down approach that would only achieve a narrow subset of global needs.

    Internet security problems are global in nature and therefore require global coordination, which is best accomplished through voluntary collaboration, not regulation. This change undermines consensus-based decision making and constrains efforts to ensure that infrastructure and services are optimized for the benefits of users.
  • A globally connected Internet works best when Internet users have access to all the resources and technologies made available on the Internet. NIS 2 creates a number of challenges for global DNS services that may struggle to comply with the proposal:
    • Internet domain registrars such as GoDaddy Inc. may need to stop registering domains from EU citizens in non-compliant TLDs. Similarly, TLD authoritative servers may need to stop answering queries from EU resolvers, even though many of these queries are proxied by public DNS resolvers run by Google, Cloudflare, and others at the request of EU businesses and Internet users. Other enforcement mechanisms may involve mandated filtering at the resolver level, which would similarly restrict reachability to unwitting third parties, namely the registrars of the associated TLD. These scenarios would deprive EU Internet users of the essential systems and resources generated by DNS services. Over time, the Internet experienced by European users would appear vastly different to that enjoyed by the outside world, cutting Europeans out from new knowledge and innovation driven by the Internet.
    • Similarly, NIS 2 may require non-compliant Certificate Authorities (CAs)[19] to be removed from the set of trusted CAs in browsers. This could lead to EU-specific versions of popular browsers like Chrome and Safari. Non-compliant CAs may likewise find that access to the web resources protected by their certificates is denied or becomes insecure. This would deprive EU residents from access to parts of the Internet.
    • Even if TLDs were to operate exclusively in the EU, issues of reachability would still arise. The NIS 2 proposal empowers member states to ‘cease non-compliant action’, which could result in the barring of TLDs from registering names until they are able to collect all mandatory registration information. This would similarly deny Internet users the full benefits of DNS services.
    • Finally, a similar issue may arise for technologies and resources provided by third parties along the supply chain, which typically conduct their own security analyses and are evaluated for safety by consumers of their services. NIS 2 could result in the barring of these services in the EU, while administrative fines could result in bankruptcy for smaller players and market consolidation by larger players. These trends would limit the diversity of services on the Internet, to the detriment of European Internet users.
  • The value of the Internet is maximized when the integrity of data sent over the Internet, and stored in applications, is not manipulated or compromised. NIS 2 is commendable for recognizing the importance of this and encouraging the use of important tools like encryption.

    Yet while the use of tools like encryption should be pursued by European entities, other well-intentioned obligations under NIS 2 may have unintended negative consequences to the integrity of data if they are too stringent and cannot be followed. For example, Certificate Authorities (CAs) that fail to meet obligations under NIS 2 may be removed from the set of trusted CAs in browsers, even if they adhere to the trust criteria mutually agreed to among certificate authorities, browser manufacturers, and other relevant stakeholders. This would negatively affect access to the services protected by the certificates that these CAs issue, creating opportunities for man-in-the-middle attacks, impersonation of services, and other malicious actions.

  • The Internet is trustworthy when reliable technologies and processes are in place that permit the delivery of services as promised. Digital service providers may find their resources strained when complying with NIS 2 requirements alongside existing obligations developed through community-led governance efforts. This could fuel market exit, business closures, or the acquisition of smaller entities by larger entities, resulting in market concentration. Market consolidation of DNS services would reduce choice and resilience on the Internet. When the number of providers is limited, errors, malicious behaviour, or other challenges to normal operations are no longer isolated and shock the entire system.

    Non-profit certificate authorities that provide their services free of charge and operate on slim margins provide an example. Excessive requirements under NIS 2 could force these free providers to exit the European market, creating the conditions for private certificate authorities to increase their prices. European businesses will face higher IT infrastructure costs, putting them at a disadvantage in comparison to foreign business that can still access these free services and have lower operating costs. This could have knock-on effects for European innovation and the ability of the European tech sector to compete globally.

  • A trustworthy Internet additionally gives users the assurance that the organizations and institutions they interact with are directly or indirectly acting in a transparent and fair way. DNS services are subject to layers of authority from state and community-led governance. For certain entities, confusion may exist as to which governance body holds authority, particularly when duplication occurs.

    For example, to which authority would .tv, which is technically the ccTLD for Tuvalu but operates globally, be accountable? This problem would be particularly pronounced for ccTLDs that are strongly associated with sovereign nations. This ambiguity creates challenges for holding organizations responsible for their actions and providing transparency to the public.

    The same question would apply to certificate authorities that operate globally and adhere to stringent requirements set by the Certification Authority Browser Forum (CA/Browser Forum)[20]. As the chain of authority becomes more complex, so does accountability for outcomes on the Internet, reducing transparency and trust.

Summary & Recommendations

This Internet impact brief has identified several instances where the compromise proposal of NIS 2 may harm or diminish the Internet as an open, globally connected, secure and trustworthy resource. The Internet Society recommends that the European Commission conduct a full Internet impact assessment report to identify how NIS 2 would impact DNS services, trust service providers, and certificate authorities and to avoid any unintended consequences.

This report has also made several additional recommendations. This includes that root name servers should be explicitly excluded from the scope of the NIS 2 proposal. Their inclusion runs counter to historic EU support for a “single, open, neutral, free, secure and un-fragmented network”. Regulating them would set the precedent for other governments to also impose regulation on the multistakeholder processes governed by the IETF and the Internet Architecture Board (IAB). Their inclusion could lead to the disintegration of common global identifiers, therefore increasing the risk of Internet fragmentation.

Additionally, this report recommends that the Commission encourage voluntary collaborative actions to strengthen Internet security and to protect data. Voluntary collaborative action for network operators helps to protect against route hijacking, route leaks, and IP address spoofing incidents. A voluntary model like the Internet Society’s MANRS initiative, already adopted by more than 700 networks worldwide, can serve as an example. The Internet Society would be pleased to provide additional briefings or materials upon request.


Endnotes

[1] https://www.internetsociety.org/issues/internet-way-of-networking/internet-impact-assessment-toolkit/ The IIAT was developed by the Internet Society to be used by anyone who wants to check if a particular policy, development, or trend affects the critical properties of the Internet Way of Networking (IWN).

[2] 12019/21

[3] https://digital-strategy.ec.europa.eu/en/policies/nis-directive

[4] https://digital-strategy.ec.europa.eu/en/library/revised-directive-security-network-and-information-systems-nis2

[5] https://www.cullen-international.com/news/2021/04/NIS2–Overview-of-the-new-EU-cybersecurity-rules-proposed.html

[6] https://www.digitaleurope.org/resources/digitaleuropes-position-on-the-nis-2-directive/

[7] Recital 15, 12019/21.
“Upholding and preserving a reliable, resilient and secure domain name system (DNS) is a key factor in maintaining the integrity of the Internet and is essential for its continuous and stable operation, on which the digital economy and society depend. Therefore, this Directive should apply to all providers of DNS services along the DNS resolution chain, including operators of root name servers, top-level-domain (TLD) name servers, authoritative name servers for domain names and recursive resolvers.” [SIC]

[8] Article 2(2). 12019/21.
“Regardless of the size of the entities referred to in paragraph 1, this Directive also applies to entities referred to in the Annex, where: (a) the services are provided by one of the following entities: (iv) top–level domain name registries and domain name system (DNS) referred to in point 8 of the Annex” [SIC]

[9] Recitals 59-64, 12019/21.

[10] Recital 23, 12019/21.

[11] Article 2(2). 12019/21.
“Regardless of the size of the entities referred to in paragraph 1, this Directive also applies to entities referred to in the Annex, where: (a) the services are provided by one of the following entities: (iv) top–level domain name registries and domain name system (DNS) referred to in point 8 of the Annex” [SIC]

[12] Recital 48. 12019/21.

[13] Annex. Item 8, Digital Infrastructure. 12019/21.

[14] https://www.cullen-international.com/news/2021/04/NIS2–Overview-of-the-new-EU-cybersecurity-rules-proposed.html

[15] Article 2(2). 12019/21.
“Regardless of the size of the entities referred to in paragraph 1, this Directive also applies to entities referred to in the Annex, where: (a) the services are provided by one of the following entities: (ii) qualified trust service providers referred to in point XX of the Annex; (iii) non-qualified trust service providers referred to in point XX of the Annex;” [SIC]

[16] Services offered by .ARPA are documented in RFC1035 (in-addr.arpa), RFC3152 (ip6.arpa), RFC3404 (uri.arpa & urn.arpa), RFC4698 (iris.arpa), RFC5855 (in-addr.servers.arpa and ip6-servers.arpa), RFC6166 (e163.arpa), RFC7050 (ipv4only.arpa), and RFC7535 (as112.arpa).

[17] Article 29(4). 12019/21.
“Member States shall ensure that competent authorities, where exercising their enforcement powers in relation to essential entities, have the power at least to: (c) order those entities to cease conduct that is non-compliant with the obligations laid down in this Directive and desist from repeating that conduct” [SIC]

[18] https://www.bbc.com/news/technology-44614885

[19] Certificate Authorities (CAs) are a critical component of Public Key Infrastructure (PKI), which is a system for creating, managing, and using digital keys and certificates. CAs issue digital certificates that certify the ownership and authenticity of a public encryption key, ensuring that the public key offered by a website does indeed belong to that website. CAs therefore underpin the authenticity, integrity, and confidentiality of communication on the Internet. Without CAs, third parties could impersonate other communicating parties to eavesdrop on or tamper with message exchanges. These vulnerabilities could additionally be used to spread malware or to imitate banks and other sites to steal users’ credentials.

[20] See: https://cabforum.org/ .
