IGF 2021 – Day 2 – Dynamic Coalition on Data and Trust

The following are the outputs of the captioning taken during an IGF virtual intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.

***


>> GIOVANNI SEPPIA: Good morning, good evening, good afternoon, everybody.  This video, which contains the word "trust and be trusted" is not produced by the Dynamic Coalition but is a standard video with which any session of the IGF starts.  But it's a nice coincidence, indeed, because the words "trust and be trusted" are prominent in the video.  This is also everything about this session of the Dynamic Coalition on Data and Trust. 

    So thanks, everybody, for joining the Dynamic Coalition on Data and Trust session at the IGF 2021.  We did really hope that we could have it in Poland in person.  For various factors we know, we prefer to have it virtually, and hopefully next year it will be in person so we will be able to meet and greet face to face again. 

    The Dynamic Coalition on Data and Trust was launched in 2020, just in the middle of the pandemic, when we did see there was a sort of gap about, you know, in the IGF Dynamic Coalition landscape, a gap for speaking and talking and discussing and sharing best practices on data and trust.  And that's why we launched the Dynamic Coalition, together with Emily and OXIL in 2020, and we did want, from the very start, this coalition to be truly dynamic, and that's why we do have regular sessions and calls throughout the year, as we did this year, with several calls and one session during the EuroDIG meeting in Trieste.  At that time, we managed to be live from Trieste with some speakers remotely collected but with other speakers with us live from Trieste. 

    That said, today's session is all about data management and data accuracy and the NIS 2 directive, which is really a hot topic in the DNS industry.  We will manage in the next 55 minutes, 60 minutes, to speak about data management and data accuracy and the NIS 2 directive from different perspectives, starting with an overview of the NIS 2 directive by the European Commission.  We have Benjamin Bogel with us.  And then we'll move to Polina Malaja of CENTR, Policy Director at CENTR.  She has been regularly updating the CENTR.  CENTR is the Council of European National Top‑Level Domain Registries, the umbrella organization for ccTLD, but not only ccTLD operators.  And she has been regularly updating the CENTR membership about the evolution of the NIS 2 directive at the legislative process level. 

    We will then move on with the other speaker, who is Dirk Jumpertz, Security Manager at EURid.  EURid is the registry operator for .eu, and the equivalent in Cyrillic and in Greek.  And .eu, in EURid, as in many other registries, we have been following the impact of the NIS 2 directive on our operations and the actions that have to be deployed by the registry to make sure that at some point we are fully compliant with the forthcoming NIS 2 directive. 

    We will move on to Keith Drazek of Verisign, and thank you so much, Keith, for joining at the very last minute, and I believe you will provide very interesting, you know, view of what you think is the NIS 2 directive and all what Verisign does in terms of data accuracy and data management.  Verisign is the largest registry operator worldwide level, and Verisign is operator of .com, .net, and other TLDs.  So thank you, again, Keith, for joining.  And we will end with Arda Gerkens, who is from the Online Child Abuse Assessment Bureau, and she will provide an interesting perspective from a special area of, special group of the end users.  So we will collect all the opinions and all the views on data accuracy, data management, and the NIS 2 directive, but at the same time, we want, really, this to be an interactive session.  We have Emily Taylor with me, too, as the online moderator.  I would like to leave the floor to Benjamin first of the European Commission.  I'd like also to invite the speakers to stick to the 5‑6 minutes as we have agreed, and we will collect questions from remote participants and ask the questions directly and then open at the end the floor for discussion.  So thank you, Benjamin.  You are the first. 

>> BENJAMIN BOGEL: Great.  Thank you very much, Giovanni.  So my name is Benjamin Bogel.  I work in the European Commission in the cyber security Policy unit, and I am part of the team that has been working on the NIS directive since the proposal came out.  And I will quickly provide, like I will quickly walk you through the main elements of the directive, and this will not be very specific to DNS.  It will be a general overview so that you know the framework, you understand it, also with a little bit of background for those that are maybe not from the European Union and that don't know how EU law works, and then we can get into the details in the Q&A. 

    Okay.  So the NIS directive is a directive that has come into force in 2016 already, covering seven sectors of the economy and some digital service providers.  And we have now, in December 2020, decided to propose to revise it to make it fit for the digital age, so to speak, and also taking in account the experiences that we've had with the COVID‑19 crisis.  What I will present to you now is a proposal by the Commission, so this is not a final law.  It's a proposal that still has to go through the legislative process.  The legislative process has already started.  We already have a position by the European Parliament on the one hand, and there's also a position already by the Council, which gathers the Member States of the European Union, and we will soon enter, probably beginning of January we will enter trilog discussions.  That means that the three institutions that I just mentioned ‑‑ Commission, Parliament, and Council ‑‑ will together negotiate to come up with the final legal text. 

    The NIS directive is a directive, which means the rules are not directly applicable in the Member States, but they need to be transposed by European Member States into law. 

    That is a quick introduction where we stand at the moment.  Our proposal basically maintains three pillars that already exist in the current directive.  The first pillar is that we want to improve the Member State capabilities.  So our directive requires Member States to put in place cyber security authorities that implement the rules of the directive but also so‑called CSIRTs, these are security incident response teams, and in addition, they are required to put in place national cyber security strategies and frameworks on coordinated vulnerability disclosure and crisis management.  So that was the first pillar on the Member State capabilities. 

    The second pillar, which is probably the most interesting one for you, is on the risk management and reporting of entities.  So these are usually companies, but they could also be public entities.  There will be two types of entities defined by the new directive, essential and important entities, and these companies, they are required to take cyber security measures.  They are very high level in our directive, these measures.  And then further specified by the Member States.  And these entities will also have to notify significant incidents and cyber threats. 

    And the third pillar of the directive is on cooperation and information exchange.  So there are two fora established by the directive ‑‑ the cooperation group, which gathers the national cyber security authorities, and this cooperation group discusses strategic issues and policy issues; and then there is the CSIRTs network, so the network of computer security incident response teams, where those incident response teams can jointly discuss major incidents and how to respond to them, especially incidents that have a cross‑border dimension.  Yeah, under this pillar, we also have European frameworks for coordinated vulnerability disclosure and crisis management, and it also foresees a biannual ENISA report, the European cyber security agency, and this report will contain a ranking comparing the capabilities of the Member States in terms of cyber security and policy. 

    Of interest to you is maybe the scope.  The scope is basically a list of sectors in which the entities that are part of these sectors will have to take the measures I mentioned, so cyber security measures and incident reporting, and so far there have been seven sectors ‑‑ energy, transport, banking, financial market infrastructures, health, drinking water, and digital infrastructure.  And their list will now grow much longer.  It will also include public administration space, postal and courier services, waste management, chemicals, food, manufacturing. 

    And in the digital sector ‑‑ so, so far we have covered so‑called digital providers.  These were search engines, online marketplaces, and cloud providers, but also DNS providers, Top‑Level Domain registries, and Internet Exchange Points.  And in the future, under the new directive, if agreed by the co‑legislators, the Parliament and the Council, we will also include social networks, data centers, content delivery networks, and electronic communications and trust service providers, so Internet service providers and trust service providers, although the latter are not a new category; they are merely transferred over from another existing legal instrument.  Yeah, so that's the scope that we are looking at. 

    Entities, there will be a size threshold, so not all entities will have to take the measures, but only the ones that are medium in size or larger.  With the exception of Top‑Level Domain registries, and we also propose this exception for DNS service providers, so in these cases, they will have to be covered irrespective of size. 

    The risk management measures that I mentioned, they are very high level, so it's about incident handling, business continuity, supply chain security, et cetera.  And the incident reporting requirement would be to issue a first report within 24 hours after you know that you have experienced an incident in your organization. 

    I will also briefly speak about the specific article in the Directive, Article 23, on WHOIS.  That is not actually my unit who has been dealing with that, but another unit in my organization.  That's why I also brought a colleague of mine, Melina, who will happily answer questions on this particular aspect of the Directive.  So Article 23 requires Member States to ensure Top‑Level Domain registries and entities providing registration services maintain accurate and complete registration data and provide lawful access to such data.  In more detail, this article ensures that domain registration data that is not personal data is published without undue delay; that the access to specific domain name registration data, upon lawful and duly justified request of legitimate access seekers, is possible; and that these requests are replied to without undue delay. 

    So that's a brief overview of the Directive.  I think I have exceeded my time, so sorry for that. 

>> MODERATOR: Yes, you did, but you are brave enough to put your face in front because it's a very controversial directive today, especially for the DNS industry.  Thank you for showing your face. 

    I don't know if anyone would like to add anything to what Benjamin just said. 

>> MELINA STROUNGI: Hello, everyone.  I think Benjamin covered most of it.  Just briefly mention specifically for Article 23 that it aims at creating a legal framework that would support the prevention and fight of DNS abuse and ultimately contribute to the increase of the level of cyber security in the EU. 

    As Benjamin mentioned, this would be achieved by ensuring the accuracy of domain name registration data, ensuring the publication of registration data that concern legal entities and that are not personal data, and also ensuring that the registries and registrars will have a firm legal ground to provide access to specific domain‑name registration data upon lawful and duly justified requests from legitimate access seekers. 

    Last, but not least, another element is that Article 23 aims at ensuring that all requests to access the domain name registration data receive a timely reply.  Either positive or negative, it doesn't matter, as long as any request is properly addressed. 

    And also the Commission reserves the right to issue any guidelines on the topics of accuracy on domain name registration data, including its disclosure by drawing from industry good practices in order to support harmonized approach across the industry in the EU. 

    So I hope I was not too long.  Over to you. 

>> MODERATOR: Thank you, Melina.  I see, Emily, are there any questions from the floor?  Thank you, Emily, for moderating the floor. 

>> EMILY TAYLOR: Yes, a question was asked about whether registrars are included or just registries, and Benjamin has put a reply in the Chat on that.  But maybe we can come back to that and invite Lori to take the floor at some stage when we've gone through our speakers. 

    We also have a request for the microphone from Susan Payne.  And in fact, maybe we can use the Raise Hand function, Giovanni, for people who would like to ask a question so that we can run through our speakers.  Thank you. 

>> Sorry, can I quickly jump in just for the question in the chat? 

>> MODERATOR: Yes. 

>> MELINA STROUNGI: So as rightly said by Benjamin, I mean, he covers the NIS regime.  Just for Article 23, note that just for this provision, also registrars are covered.  So basically, if you read the wording of Article 23, it refers to domain registries and the entities providing services to them, for them.  So this is meant also to cover registrars.  I repeat, for Article 23 only.  Thanks. 

>> MODERATOR: Thank you, Melina, for clarifying. 

    Susan.  Susan, I see your hand up. 

>> SUSAN PAYNE: Yeah, thank you.  Sorry.  I wasn't sure if I should wait for the rest of it, but because it is a question specifically on this.  And particularly on the decision to include all TLD operators, irrespective of size, and more particularly, irrespective of the business model of that TLD operator.  And the thing I am thinking of in particular is that a number of brand owners or, you know, a number of companies have what are termed dot brand TLDs, which are essentially more of an internal matter.  They are not providing a service to the public at large.  They may, if they choose to operate in such a way, they might particularly ‑‑ they might allocate names to, say, trademark licensees or group companies.  But it's not a sort of public service, and it's not a sort of an essential infrastructure to the wider public.  It may well be essential infrastructure for them internally, so my question is why would they ‑‑ why do you perceive the need to be regulating them in the same way as, you know, an open sort of retail model, Top‑Level Domain?  Thanks. 

>> MODERATOR: Thank you, Susan.  Any short reaction from Melina or Benjamin? 

>> BENJAMIN BOGEL: So if your brand Top‑Level Domain is only used for internal purposes and you are not providing it as a service, so if you are not providing a registration service to the wider public, it's out of scope.  Our directive only applies to services that are available publicly. 

>> MODERATOR: Thank you, Benjamin.  Very clear answer.  And speaking about registries, who is better than Polina to take the floor as she is fully into registry with CENTR.  Thank you, Polina, the floor is yours.  Thanks a lot for Europe today for this community. 

>> POLINA MALAJA: Thank you very much, and good afternoon or good evening from my side as well.  Once again, thanks for organizing this very timely debate and, of course, inviting me today to give a short overview of how NIS is relevant for DNS actors and specifically to TLD registries.  I will try to not repeat already what has been so helpfully and extensively covered by Benjamin.  But a quick overview to reiterate that NIS2 aims to increase the security of services critical for the functioning of society, and one of those is rightfully also a cornerstone of the Internet infrastructure, and that is the Domain Name System.  And as already identified by Benjamin, NIS 2 is essentially an extension of the currently valid framework in the European Union, so the NIS directive adopted in 2016.  Actually, already in 2016, the essential status of DNS and specifically of TLD registries was first confirmed by policymakers in the EU, and the NIS directive suggested that the TLD sector can be considered essential but left the identification process of concrete operators that could fall as operators of essential services to the EU Member States.  And of course, the NIS directive established national advisory teams over all services, and established they need to follow a minimum set of information security measures by a variety of operators across the European Union. 

    And in the past five years, European ccTLDs were already consistently identified as operators of essential services as part of the digital infrastructure, as established by the NIS directive, and this confirmed and, also, in some ways, encouraged additional investments into security of networks and information systems within the European ccTLDs. 

    So the question now is how is NIS 2 different, and specifically when it comes to the DNS, NIS 2 makes a few important statements directly in its text, so in the proposal I am referring to at the moment, as Benjamin identified.  And it's different from the mere suggestion to include the sector as essential, as established by the current NIS directive.  So specifically, NIS 2 explicitly recognizes that upholding and preserving a reliable, resilient, and secure DNS is a key factor in maintaining the integrity of the Internet.  So that's an important statement to frame the obligations and additional provisions that NIS 2 puts forward. 

    Furthermore, according to the NIS text, maintaining accurate and complete databases of registration data, so data as referred to in the proposal, and providing lawful access to such data is essential to ensure the security, stability, and resilience of the DNS.  That's another important statement in the NIS 2 proposal. 

    And finally, the availability and timely accessibility of this data, as also pointed out by Melina, has been stated to combat abuse. 

    As a result, the NIS 2 goes further than its predecessor NIS directive by first enlarging the scope to more digital infrastructure services, and in particular, the DNS services, since it is recognized as a critical key component for supporting digital economy and society.  The scope of the NIS 2 is also extraterritorial, so it encompasses all systems available in the European Union. 

    Secondly, importantly for the TLD sector, it puts a special emphasis on the data accuracy obligations on TLD registries and registrars that is essential for security and stability, (Off microphone) provided an overview of. 

    To restate, Melina already said, but to frame our discussion a bit further, TLD registries and registrars would be obliged to collect and maintain accurate and complete registration data, publish all registration data concerning legal entities, and provide access to nonpublic personal information to all legitimate seekers.  And as already identified by Benjamin, this is currently a proposal, so the negotiations on the final text are still ongoing, and the co‑legislators in the European Parliament and the European Union have been working on their respective drafts of the legislation before they can enter final negotiation rounds.  When it comes to Article 23, both legislators are in favor of adding an additional obligation within the data accuracy scope.  That is to verify the registration data, in addition to keeping it merely accurate and complete.  And the co‑legislators are also in favor of specifying which data sets should be kept accurate, complete, and essentially verified.  And if some of these positions prevail in the final stage of the negotiations, TLD registries and registrars can be obliged to verify registrants', for example, physical addresses and phone numbers in addition to their identity and other contact details. 

    So with regard to access seekers and their access, as also already pointed out by Melina, there might be also an obligation to respond to these legitimate requests. 

    In a nutshell, such data accuracy will have impact on existing policies and procedures in place across the industry, and we feel that the impact on the cyber security law is limited.  So while registration database accuracy is, of course, important for the overall health of domain name zones, it is also important to keep in mind that it is not strictly a network and information security issue, as it won't help to address all different cyber security threats when it comes to maintaining security, stability, and resilience of DNS.  So for example, it won't help with addressing such cyber security threats as DDoS attacks or DNS hijacking, for example.  So the reach of the data verification obligation, if you look at the co‑legislators' positions, is limited.  And it really cannot be also claimed as the most important issue for DNS security, as it has been stated in the proposal in providing the framework for these additional obligations.  And of course, after all, NIS 2 is also not only about registration data accuracy, but there is a significant attention given to this very specific issue.  And we feel there is a risk of shifting the focus on the issue that might not bring significant security benefits for DNS, and of course, this takes time, so individual actors, registration. 

    With that, finally, I would like to just state that it is also worth it to reiterate that ensuring safe and trusted online space for consumers, businesses, and public sector is a collaborative effort of many actors involved.  And consequently, increased collaboration between infrastructure actors and competent authorities based on a clear procedure and the rule of law is the key to make sure that the online space remains a safe space for all.  So thank you with that, and back to you, Giovanni. 

>> GIOVANNI SEPPIA: Thanks for that.  It was a very healthy reminder about the multi‑stakeholder nature about the Internet community and the importance of having a constructive and good dialogue among the different parties.  So thank you so much, and also thank you for having brought up again part of the statement that was made in the official position of membership about how much data accuracy contributes to, let's say, a safer and more resilient Internet infrastructure. 

    Emily, is there any question from the floor, any hand up that I may have missed? 

>> EMILY TAYLOR: I am not seeing anything just now.  Thank you, Giovanni.  But just to encourage all participants to raise their hand or to post some questions in the Chat, and we can pick them up as you have done in the flow.  Thank you. 

>> GIOVANNI SEPPIA: Thanks a lot, Emily.  Let's move straight to the next panelist, who is the security manager at EURid, Dirk, who has been completely booked over the past 24 months by all the compliance requirements to make sure they are up to speed with all the obligations as an essential operator, and he has done great, great work to also brief and communicate internally the importance of the different things we have to comply with.  So thank you, Dirk.  The floor is yours. 

>> DIRK JUMPERTZ: Thank you, Giovanni, and good day, everyone. 

    As a ccTLD registry operator, we are obviously very curious about what's going on in the landscape, and it looks like everybody is obsessing about Article 23.  But just to give a side note, there are 42 other articles in the NIS directive, all of which have an impact on the registry operator. 

    But there are a couple of questions that we are asking ourselves, and there are plenty of open questions, and this is also very true amongst the different European ccTLDs.  And those open questions are about how is this directive going to be transposed into Member State law?  As an operator of essential services, we have already seen how this happened in Belgium, for example.  The Belgian transposition is different than other transpositions. 

    For instance, in Belgium, the scope of the NIS directive is different from the one in Luxembourg.  In Belgium, it's only about the DNS services; whereas in other countries, the registration services are also included in as part of the implementation. 

    The other open question we also have is where will registrars fit into this image because if you read the NIS directive, registrars can be part of essential entities.  If they are large enough and they are offering authoritative services, then they also become essential entities, which is not true, of course, for most registrars because most registrars will be small enough not to fall in that category.  As mentioned earlier. 

    Then, of course, there is this question, what about the TLD space?  The original version never made a difference between gTLDs.  For instance, in Belgium, you have the funny situation that both are falling under the same regulator, and in the Netherlands, for instance, you only have (Off microphone). 

    Then we have a completely different ball game.  ccTLDs are governed in a different way than gTLDs on the level of the Internet Governance.  gTLDs are governed by ICANN, whereas ccTLDs in most cases are completely governed by themselves.  So again, that's a very important question. 

    Another open question, I think, is that the Internet is open by nature and international by nature.  And so we have to ask ourselves what does it mean when the NIS directive is transposed into Member State law, including some of the registrars, but what about jurisdictions?  We fall under the Belgian jurisdiction, but if we have a large registrar ‑‑ I am giving an example like the French registrar, who might also be the registry ‑‑ what if they also fall under the French implementation of the NIS directive, and how is this going to work on the European scale?  So all these questions still need to be answered.  And especially when we are looking at Article 23, there's a lot of interpretation possibilities, and there's also a lot of things that can be added by the Member States. 

    When I read the last version of the NIS development, 26 November, then the amount of data that is supposed to be accurate and complete is limited to a relatively small set.  Originally it was a much larger set, but now it's a much smaller set.  It implies Member States can (Off microphone).  There we have the question of, again, how is this going to be interpreted by the Member States, and will there be guidance, either by the European Commission or by the industry, to help facilitate this thing because it is quite complicated.

    When looking at Article 23, it is quite interesting because it's about policies and standards which will be used, which need to be public to validate or not to validate, to make that data that is collected accurate and complete.  So again, these are open things that are not very well defined.  In the meantime, the industry is working at the NIS directive and trying to work together.  So there's several initiatives already within the European TLD community to try to understand how we are going to react upon all these different obligations and how we can deal with this, taking into account that it's a directive and not a regulation. 

    Lastly, and this is just a little remark, the DNS is not about registration data.  The DNS is about the DNS.  It is a system that allows us to use the Internet as it is.  And we have to make sure that we don't forget this.  I mean, making sure that the DNS is stable and resilient, which it has been for more than 30 years without any big issues, is utterly and the most important thing.  The DNS must flow.  To paraphrase Frank Herbert, DNS is important.  Why is it important?  If you think about the future, we have to be careful.  We have to be careful that we treat all domain names equally, but also equally important.  Because not all the domain names are equal.  If a domain name is used in a smart city and literally used for a thousand or maybe tens of thousands or hundreds of thousand devices, if something were to happen to that domain, that's a big issue.  So we have to be careful not to focus too obsessively about DNS abuse and not forget the other things that are happening with DNS and where DNS is an essential component. 

    With that, I will leave the floor to questions or remarks. 

>> GIOVANNI SEPPIA: Thank you so, so much, Dirk.  And Emily, any questions from the floor?  Anybody who likes to ‑‑

>> EMILY TAYLOR: I am not seeing anything more, and I can't see any hands raised, but there were many ‑‑ or I have just seen a question from Samuel Kariuke, sorry if I pronounced your name wrongly.  Maybe if someone will take the microphone if that fits in with your plan, Giovanni. 

>> GIOVANNI SEPPIA: Please, the floor is yours if you would like to speak up.  Otherwise, we will just read the question. 

    Okay.  Shall we just read the question, Emily, please? 

>> EMILY TAYLOR: Yes, oh, here we go. 

>> Hello.  My name is Samuel.  I would like to ask what are the penalties for those who do abuse the DNS?  Thank you. 

>> EMILY TAYLOR: Thank you very much.  And just as a suggestion, Giovanni, maybe we could ask Benjamin or his colleagues to answer some of the questions raised by Dirk as well at the same time.  Thank you. 

>> GIOVANNI SEPPIA: Yes, indeed, if you, Benjamin and Polina, if you would like to take up any of the points highlighted by Dirk in his intervention, the floor is yours. 

>> Great.  Thanks a lot.  Also thanks, Dirk, these are all, I think, very good questions.  I think I have answers to most of them. 

    So you mentioned rightly that the NIS 1 directive, it has not worked perfectly, to be honest.  There has been great divergence when it comes to how it was interpreted and transposed by the Member States, and that's one of the main reasons actually why we have decided to propose a revision of the directive.  So just to give you a few examples, you already mentioned it, there were quite wide divergence as regards scope.  For example, when we speak of DNS, there were certain Member States that only covered authoritative DNS, while others covered only resolving entities.  So when it comes to requirements, again, some Member States, they had very high‑level requirements, basically following ISO standards, while other Member States were much more detailed.  And as regards to reporting, some Member States, they requested ‑‑ required ‑‑ that you report an incident basically immediately once you find out about the incident, while others said we can wait 72 hours and we want to hear from you. 

    And our directive is trying to address this.  So in particular as regards to scope, we are making it extremely clear that all entities along the DNS resolution chain are now in the scope, so that includes both authoritative DNS and resolvers.  We have provided some more explanations as regards requirements, although they are still relatively high level, I admit.  Finally, as regards reporting, we have set the deadline, so within 24 hours, you have to provide a first report of an incident.  So we are hoping that these measures will help to align the national transposition a lot and to make the directive much more consistent. 

    Secondly, indeed, I can confirm registrars, they are not under the scope for domain services, but they are under scope as authoritative DNS providers if they provide such services, which I think a lot of registrars do. 

    You have also mentioned the generic Top‑Level Domain names.  So as Polina ‑‑ Polina already explained, our jurisdiction regime we proposed, the general rule is that entities are supervised by the Member State where they provide a service.  We call that concurrent supervision.  But in the case of providers that we consider to be highly digitized or the business models are highly digitized, we make an exception to that rule, and TLDs fall under that exception, and that means that TLDs are only supervised by one Member State, and that is the Member State where you either have your main establishment or if you are located outside the EU, where you have your representative. 

    And we covered them on purpose because we feel that the generic Top‑Level Domain names, they play an important role in the European Union.  A lot of European countries register such domain names, are available under such domain names.  That's why we register them and consider them critical. 

    Before passing on to Melina, I would like to also answer directly the last question that was given orally by the audience.  So there are penalties in the directive, but these penalties, they are addressed to the organizations that provide services.  So there are penalties conceivable for, for example, DNS resolvers or authoritative DNS servers.  There are no penalties for DNS abuse if you, for example, as a citizen, you are a malicious actor and you are refusing the DNS for your own purposes, then this is not covered by the directive.  The directive is also not a sector‑specific law for DNS, but a very general, broad law covering all the sectors, and it's really about the provision of services by entities.  Thanks. 

>> GIOVANNI SEPPIA: Thank you, Benjamin.  Melina, I don't know if you have anything to add very shortly. 

>> MELINA STROUNGI: Sorry.  I will try to be super short because a lot of open questions, indeed, and I think Benjamin covered most of them. 

    Just maybe to quickly comment on two points, the one on potential risk of less harmonized transposition by the Member States of the directive.  I mean, this is, I think, the inherent difference between a directive and regulation.  The regulation is directly applicable, while a directive precisely leaves room to Member States in how to transpose certain provisions.  But especially in terms of Article 23 and accuracy, this is precisely why I mentioned in the beginning that the Commission may, in the future, issue some guidelines in case, indeed, harmonization is at stake and to draw from best practices and hopefully give some guidance on this issue, if necessary. 

    And then another point, if I understood well the point ‑‑ and apologize if I didn't ‑‑ on basically arguing that potentially Article 23 may limit the scope of registration data on certain types just to highlight that in the original Commission proposal, we did not prescribe any specific data categories.  We really wanted to leave this up to the Member States.  And even in the last Council text, as currently is highlighted in the general position adopted by the Council, it's mentioned the word "at least."  So at least some categories are, you know, provided, but it doesn't mean this list is exhaustive or in any way limits Member States.  Thank you. 

>> GIOVANNI SEPPIA: Thank you so much, Melina.  Now I would like to give the floor to Keith Drazek of Verisign.  Verisign is really looking forward to knowing a bit more about the future of the NIS 2 directive as the major player.  So Keith, the floor is yours. 

>> KEITH DRAZEK: Thank you very much, Giovanni, and thanks, Emily, for the invitation to participate today and to all the panelists. 

    So I would like to respond.  I will be as brief as possible.  I want to keep a few minutes for Q&A, obviously.  I think some very interesting questions have been raised, and I just want to note that Verisign has been a longtime supporter and strong supporter of the multi‑stakeholder model and the multi‑stakeholder engagement related to the DNS and the Domain Name System, domain names, IP addresses.  And some really interesting and important questions have been raised here, and that is, one, the distinction between country code top‑level domains and generic top‑level domains, so I think as Dirk noted, ccTLDs are located typically in each Member State.  Sometimes operated under the auspices of the government, sometimes, whether a university, but certainly under Member State law.  Where gTLDs are generic and more global and responsible to ICANN in terms of our contracts, in terms of our responsibilities, in terms of the policies established in the gTLD space.  And so there are some concerns, I believe, about the impact of the proposed NIS 2 language on the multi‑stakeholder model, the multi‑stakeholder engagement at ICANN. 

    Another important question is the distinction between registries and registrars.  And this also ties to the requirements under GDPR and the questions about data, who holds the data, who has the relationship with the registrant, and what those obligations might be and should be. 

    I think on questions of data privacy, there is an ongoing and active community engagement within the ICANN space to look at the question of data accuracy.  There's actually a scoping effort for future policy work on the topic of data accuracy under way today at ICANN.  And again, this would be specific to gTLDs, not ccTLDs, necessarily.  And so we have some questions and some concerns about the possible impact of a regulatory approach in a particular jurisdiction on the multi‑stakeholder engagement as it relates to gTLDs. 

    I think a key question is around the roles and responsibilities of various actors and players in the ecosystem.  I posted a link to a blog that I posted recently that focuses on some of these key questions around roles and responsibilities of various actors and definitions of DNS abuse as a broad heading or an umbrella term.  And I think it's really important to recognize that different actors in the space have different roles and responsibilities and technical capabilities and different obligations under law, including GDPR.  And I will give an example. 

    Today, and for the last more than 20 years, Verisign has not collected or held registrant data for our .com and .net TLDs.  We haven't needed that information to operate the service that we provide as a registry, and the registrant data for .com and .net are held at the registrar level.  And questions of where that data should reside should all of that data be transferred across borders, across jurisdictions, you know, I think is a question that is being dealt with within the ICANN community and the multi‑stakeholder model.  But it's an example of a potential conflict between requirements for a registry, a gTLD registry, to collect, hold, process data that we simply don't need to perform the services that we perform and have performed, and I will note with now 24 years of uninterrupted availability and uptime for .com and .net, 24 years.  We've provided our registry services without that data, without those obligations, and we are concerned that, I think as Polina noted, there's some extraterritorial impact of this type of a regulation.  What does that mean for gTLD registries that are housed or headquartered outside the EU?  And what does that mean in terms of new obligations? 

    So I am going to wrap up there.  There's a lot to talk about here.  But I want to make sure we leave sufficient time, and I would refer people to the blog post link that I put into the Chat for additional detail, additional information about the ongoing ICANN community efforts on DNS abuse.  So thank you very much, Giovanni. 

>> GIOVANNI SEPPIA: Thank you so much.  And you brought up, indeed, an interesting point about the need of holding registry data for gTLD registries.  So thank you for having brought that aspect up. 

    I would like to move straight to Arda, who is going to give us the perspective of the Online Child Abuse Assessment Bureau on the data accuracy, data management, and the NIS 2 directive.  So Arda, the floor is yours. 

>> ARDA GERKENS: Thank you very much, and I do feel like an odd member here in this technical panel, but I do want to give my point of view or the point of view of the hotlines who try to identify the owner of websites. 

    So even after, but also before GDPR, we have seen an enormous drop in the possibility to reach the website owners who host child abuse material.  This is an ongoing problem for us.  What we mostly do is notify the Internet hosting party as well as the website owner because we know the majority of time the website owner doesn't react.  It's not mainly because they don't want to react.  We also know the majority of these companies who do spread the material are not, as you might think, websites with mainly this kind of material, but it's for a majority image hosting websites who are very vulnerable for this material.  And we also found that these image hosting websites are not big companies, but they are most of the time small business enterprises, even not medium business enterprises, who sometimes do it beside their day job just to get some extra money, and they do everything not to get hassle out of it.  So yeah, they won't have a very accurate abuse address.  It's hard for us to get in touch.  We have to go through all kind of lengths to get to know them.  And the thing is that what we want here is swift deletion of that material because the more it's online, the more harm it can do.  

    I do understand because I think because these are small enterprises, I do understand that there are still some hurdles to go through, and certainly for registrars and registries who are ‑‑ some of them are so small.  They are not big companies.  So you need to do a lot of administrative extra work.  Although I must say, honestly, if I look from the outside, I am going to be completely transparent because I am a politician too, but I am really looking from my child sexual abuse fight hat.  I have heard the same discussion when GDPR came into place.  People were very worried about that happening and thinking that it would give a lot of hassle.  And of course, it does, but we also have seen that it does improve the privacy for people online. 

    So basically, I think for us, it would be really important to have accurate data on who owns that website, and for consumers, it's important as well in order for child sexual abusers and to know who is behind that website.  I understand that might give some problems.  I think some very good analysis around the legislation has been given, and I would advise to look at that.  But I also think it is proportional.  And it's doable.  And I also think they probably have good technical possibilities to solve the problem that might come around administrative. 

    Thank you. 

>> GIOVANNI SEPPIA: Arda, thank you so, so much also for the work that the Online Child Abuse Assessment Bureau is doing, and it's really, you know, there are so many organizations doing similar activities, and they all need to be praised for what they are doing.  So thank you so, so much for your work in a very, very special sector. 

    Indeed, I will just remind you that we have to end the session in seven minutes sharp because that's the timing.  I'd like to open the floor for discussion, comments.  Everything is so complex, I don't know whose idea was this of having this session in one hour.  Emily and I would like to think about in the future when we think about topics, but we have already covered a lot, I think, and we have already heard a lot of interesting points. 

    Emily, any questions from the floor? 

>> EMILY TAYLOR: We've got some comments from the floor, appreciation about the structure and scoping of this session, you know, taking a technical issue into the general IGF.  Some support from Alaina from ICANN about key points for possible conflicting requirements in Article 23.  And also some interest from EMEA in joining the Dynamic Coalition, which I will reply to in the Chat. 

    I can also see that Alan Woods has his hand up, and Lori Schulman does as well. 

>> GIOVANNI SEPPIA: Alan, please, the floor is yours, very short. 

>> ALAN WOODS:  Thank you very much, Giovanni and Emily, and just thank you all.  I work with a large registry called Donuts.  I suppose I want to echo what Keith said, there were excellent points, key things that stick in my mind I want to hammer home.  One of the things is we were very glad for the clarification as to scope.  I would encourage people to consider the interplays with NIS 2 with other European legislative actions as well.  If registries and registrars are both expected under Article 23 to do certain things, such as collect and verify and assess, I would ask about concepts of data minimization.  And again, thinking of where the interplay between a registrar and client and the registry and their client, the registrant, and how would that duplication amongst the various layers of the DNS, how does that serve necessity and minimization under other things such as the GDPR?  And again, these are things that will be very much hard for a registry to make sure they implement correctly and in line with the law. 

    The other thing, this is, I suppose, taking it outside the DNS as a registry, but generally about specific data elements being required under NIS 2.  Specifically looking at ones like phone numbers.  And I just want to encourage people to think about how does that affect on a global scale?  In the DNS, the elements that are collected under registration data that can support the ideals of this is about the contactability of the registrant and that they are contactable if and when there is a necessity to contact that registrant.  This doesn't mean just by a phone number.  There are several elements.  If they are not maintained within the DNS or within the model itself, there are severe consequences, including and up to deletion of a domain name.  But saying you have to exactly have a phone number, that could be a barrier to entry for many people, even within the entire world itself, where many people might not have the luxury of a phone number.  They might have an email address which, of course, will allow them to be contactable.  But again, there's unintended consequences by ensuring things outside of the model.  So these are things I would like to make sure that they are still being monitored and thought of as we progress with NIS 2, which, of course, is welcome from a security point of view, but the unintended consequences need to be brought forward. 

>> GIOVANNI SEPPIA: Thank you very much, Alan.  I leave the floor to Lori because we are really now running against time.  Lori, please. 

>> LORI SCHULMAN: Thank you.  I will say something quickly, but I do want to focus on the contactability point.  That's an essential point.  It's more essential to contact and the means may not be as important. 

    I do want to highlight a point coming from the perspective of a private sector, and that segues from the discussions about the child abuse protections.  The concerns that we have with NIS 2 today, the two different versions that Benjamin mentioned from the Council and the Parliament, is this definition of legitimate access seekers.  In the Parliament version, it's clear that the legitimate access seekers is law enforcement, period, the way I understand and read that new legislation or the compromise that came out of Council. 

    On the Parliament side, it's more broad, saying typically legitimate access seekers without specific limitations.  Those of us in the private sectors have deep concerns that organizations that are investigating harms and work very closely with law enforcement and sometimes share their information with law enforcement may not be treated as legitimate if there is too much of a broad scope and not enough guidance on the definition. 

>> GIOVANNI SEPPIA: Thank you so, so much, Lori.  That was really the last intervention.  I am really sorry for that.  Emily, any last‑minute point you would like to I think about up? 

>> EMILY TAYLOR: I have ‑‑ I can see some comments.  There are lots of comments in the Chat.  Peter Van Roster had chimed in at the end to say working email address seems to cover most cases mentioned in this discussion.  And there's more detailed remarks back on Section 23 or Article 23, which is animating people a lot.  But nothing more than that.  And great questions and comments from the audience.  Thank you very much. 

>> GIOVANNI SEPPIA: Indeed, Emily, thank you so much for being the online moderator and Rapporteur.  We will circulate the notes both on the Dynamic Coalition mailing list and also on the IGF site.  We have to wrap up now.  Thank you to all the panelists.  Thank you to all the attendees.  It was a very interesting discussion.  It was clear from the going that we didn't have enough time to cover everything, but we did cover some very interesting points.  So thank you so much.  Stay tuned on the Dynamic Coalition on Data and Trust.  We will catch up soon.  Bye‑bye, everybody.