“NIS2: Fundamental Reform for Cybersecurity in Europe and the Future of the Domain Name System”

# NIS2: A New Chapter for Cybersecurity in Europe

In today’s landscape, the debate on cybersecurity is more crucial than ever, especially in light of the NIS2 Directive (Network and Information Systems Directive) of the European Union, which came into effect on January 17, 2023. This regulatory measure aims to strengthen the security of digital infrastructures in Europe, countering increasingly sophisticated threats in a rapidly digitalizing world.

## A Necessary Retrospective: From NIS to NIS2

In 2020, the Covid-19 pandemic triggered an unexpected acceleration of digitalization, revealing vulnerabilities in the IT systems of many organizations. In response to these challenges, the European Union updated its cybersecurity legislation, beginning with the NIS Legislative Decree of 2018, a transposition of EU Directive 2016/1148. However, the persistence of cyber threats made it evident that stronger regulatory intervention was needed. NIS2 was conceived to meet this need, establishing a more robust framework for the protection of IT systems.

The new Legislative Decree No. 138, scheduled for October 16, 2024, aims to implement the cybersecurity measures needed to improve the resilience and effectiveness of network services. This is crucial not only to ensure internal security but also to facilitate the proper functioning of the European single market.

## Regulations for Domain Names: A Focus on DNS

NIS2 has far-reaching implications for domain name registries, registrars, and DNS service providers. A central aspect of this directive is the protection of the integrity of the Internet, in line with the reliability and resilience of the Domain Name System (DNS). The measures imposed by NIS2 include stricter security requirements for the processing and management of domain name registration data.

In practice, this means that registries and registrars will need to implement stringent policies and procedures to keep registration data complete and accurate. This effort is not just an obligation but also a guarantee of transparency for end-users.

## Intersection of NIS2 and GDPR

A crucial point is the interaction between NIS2 and the General Data Protection Regulation (GDPR). Both of these regulatory frameworks deal with data processing but with different objectives. While GDPR focuses on protecting individual privacy, NIS2 aims to ensure a high level of security in the IT context.

NIS2 clearly establishes the basis for collecting registration data in the context of DNS services, but it does not exempt entities from adopting measures in compliance with GDPR. For example, it is necessary to ensure that sensitive data, such as email addresses, are protected, while non-personal data should be made publicly available without undue delay.

## Practical Impacts for Domain Name Industry Stakeholders

As one might expect, NIS2 has a range of direct implications for all entities operating in the domain name sector:

1. **Scope of Application**: NIS2 applies to all TLD Registries and DNS service providers located in the EU, but it also has consequences for non-European entities wishing to offer services in the Union market.

2. **Data Collection Obligation**: The collection of comprehensive registration data will be required, including both personal and non-personal data. Data verification policies will be essential to ensure compliance.

3. **Management of Public and Personal Data**: Non-personal data must be made publicly available quickly and effectively, while personal data will require appropriate protection, creating a delicate situation to manage.

4. **…**
