Article 28 of the NIS2 Directive (Directive (EU) 2022/2555) requires TLD registries and registrars to collect, verify and keep accurate registrant data - and to disclose it swiftly to “legitimate access seekers” such as law enforcement agencies. Excedo’s original blog framed this as a Know-Your-Customer (KYC) revolution for the Domain Name System.
Nine months on, the spotlight has only intensified.
The NIS2 Directive tightens cybersecurity requirements for essential and important digital service providers across the EU. Article 28 specifically targets the Domain Name System (DNS), obliging TLD registries and registrars to collect, verify and maintain accurate registration data in dedicated, publicly documented databases. The aim is to reduce the anonymity that cyber criminals hide behind, while respecting GDPR rules on personal data handling.
Transposition status & deadlines
- Transposition tracker: As of 7 July 2025, only 14 of the 27 EU Member States have fully adopted NIS2 into national law; most that missed the 17 October 2024 deadline are now under scrutiny.
- Domain-specific lists: By 17 April 2025 Member States were to notify the Commission and the NIS2 Cooperation Group of all “entities providing domain name registration services” and classify them as essential or important - a step critical to triggering Article 28 duties.
- Infringement proceedings: On 7 May 2025, the Commission formally urged 19 Member States to complete transposition, warning of possible legal action (DIGIT/2025/247 press release).
Cooperation Group’s risk-based guidance (8 Apr 2025)
On 8 April 2025, the NIS2 Cooperation Group published non-binding “minimum requirements” to harmonise Article 28 implementation across the EU.
Highlights:
- Syntactic & operational validation of e-mail addresses and phone numbers at registration.
- Risk-based identity checks on registrants, favouring electronic verification only for medium- or high-risk cases rather than blanket checks on every domain.
- Lifecycle-stage verification - e.g. on renewal, transfer, key field updates, or upon motivated requests by legitimate access seekers (CERTs, law enforcement and, at Member State discretion, IP rights enforcers).
- Expedited data disclosure procedures for urgent threats (e.g. imminent risks to life or critical infrastructure), potentially reducing registrar response times to 24 hours instead of the standard 72 hours.
Registrar readiness: KYC trends & solutions
- iDenfy guide (Feb 2025): Outlines a turnkey KYC approach for registrars, combining AI-driven identity proofing, business verification, AML screening and ongoing risk scoring - fully aligned with Article 28’s verification requirements.
- Market updates (June 2025): Industry commentary (e.g. EuroDNS blog and CENTR briefing) reminds registrars that NIS2 obligations extend to non-EU TLDs (such as .com and .info). Registrars are therefore encouraged to implement periodic re-verification - a practice recommended in the Cooperation Group guidance - to keep data accurate throughout the domain lifecycle.
Best practices emerging in 2025
- Multi-factor verification: Combining government-issued documents, payment instrument validation, and accredited identity services.
- Automated risk scoring: Flagging high-risk registrants (e.g. large-volume portfolios, incongruent data) for manual review.
- Transparent policies: Publishing registration data practices and verification thresholds to comply with Article 28(3) and (5).
Challenges & outlook
- Divergent national approaches: GDPR concerns have led some states to limit data publication, while others embrace broader legitimate access lists including private IP enforcers - risking further fragmentation.
- Enforcement lag: Member States still behind schedule face infringement cases, but registrars operating there must nonetheless prepare for imminent domestic rules.
- Future secondary legislation: Observers expect the Commission to adopt delegated or implementing acts detailing technical requirements for domain registration databases. No official timetable has been published as of July 2025, but the possibility remains that drafts could appear later in the year.
Conclusion
Staying ahead means marrying robust KYC flows with a risk-based, lifecycle-oriented verification strategy. As Member States finalise their laws and the Commission refines secondary rules, registrars that have already invested in layered identity checks will find compliance smoother - and the Domain Name ecosystem more secure.
