CentralNic Reseller Homepage
CentralNic Reseller Homepage

NIS2 Compliance

The EU NIS2 Directive is coming into effect, introducing new obligations for both registrars and resellers. In our newsletters, we introduced important updates in our OT&E (Operational Testing & Evaluation) environment on 24th March 2025 that form part of our commitment to the EU NIS2 Directive (repeated below).

The updates are available in live environment since 25th November 2025.


Key Requirements Under NIS2

Article 28 of the directive applies to entities providing domain name registration services, including registrars, resellers, and providers of ancillary services (such as privacy and local presence services). Under NIS2, both registrars and resellers share the responsibility for ensuring that registration data is accurate and complete in our database. This includes essential data elements such as the registrant’s name, contact email address, and telephone number.

Additionally, NIS2 requires registrars and resellers to implement and publish policies to maintain accurate registration data, including adequate verification procedures. The publication of registration details of legal entities will become mandatory.

As a reseller, you have a direct relationship with customers, making your role in data accuracy critical. You are expected to:

  • Verify that the data you submit to us has undergone appropriate verification procedures.
  • Maintain logs documenting verification for each registrant contact.
  • Inform your resellers (if applicable) of these requirements.

Basic Compliance Requirements:

  • Ensure all mandatory contact fields (e.g., email, phone number) are correctly provided during domain registrations, transfers, and ownership changes.
  • Validate registrant data using format checks (e.g., RFC standards for email/phone, ensuring postal codes have the right number of digits, etc) and verify it where feasible.
  • Implement processes to detect and block requests containing incomplete or invalid registrant data.
  • Use industry-standard best practice methods (e.g., email, phone, and name verification) to confirm registrant contact details.
  • Inform your clients that the use of the Organization field in the registration data may result in the identification of the registrant as legal entity and therefore the publication of their information in the public registration database/query service.
  • Keep logs documenting when and how registrant data verification has occurred.

Failure to comply with these requirements may result in:

  • Rejection of registration requests.
  • Suspension of registered domain names.
  • In extreme cases, suspension of your account.

Please note that any fines applied to us by a registry operator regarding unverified registration data supplied by you may be charged to your account.


Upcoming Registrar Enhancements:

We will extend our existing validation and verification processes for gTLD domain names (see: https://kb.centralnicreseller.com/domains/icann/contact-verificationhttps://kb.centralnicreseller.com/domains/icann/contact-verification) to cover all domain registrations and contact data updates on our platform. Additionally, a non-intrusive validation of registrant telephone numbers will be introduced as part of this process. Please see details below.

  • Annual registration data reminders (formerly WDRP) will now be sent for all domain names, regardless of the TLD.
  • Weekly email reminders to resellers about identified incorrect or incomplete data.
  • Introduction of a new optional contact extension to allow self-identification of entity type: X-LEGALFORM.
  • Resume partially unredacted publication of registration data of legal entities, as identified by the use of the “Organization” field and the X-LEGALFORM extension.

Contact Verification Details

Additional parameters and responses will be introduced to allow the users to record details on the verification method used. For now, these parameters are optional. We will monitor how the different registries adapt NIS2 and adjust where necessary.

X-VERIFICATION-DATA0..n          = email|phone|name|address
X-VERIFICATION-TRUSTFRAMEWORK0..n = <TEXT> (Entity performing the verification/reseller’s internal trust framework)
X-VERIFICATION-TIMESTAMP0..n     = YYYY-MM-DD HH:MM:SS (Date and time of the verification, in UTC)
X-VERIFICATION-METHOD0..n        = auth|electronic_document|physical_document|vdig|bvr|pvr|data|reachability
X-VERIFICATION-REFERENCE0..n     = <TEXT> (Verifying entity's/reseller's unique reference ID for the specific verification process)
X-VERIFICATION-EVIDENCE0..n      = idcard|passport|population_register|residence_permit|proof_of_arrival|
                                   drivers_license|company_register|company_statement|bank_account|
                                   online_payment_account|utility_account|bank_statement|tax_statement|
                                   written_attestation|digital_attestation|postal_ver_transaction_log|
                                   email_ver_transaction_log|address_database
X-VERIFICATION-RESULT0..n        = success|failed


X-VERIFICATION-METHOD# values in details

Values Meaning
auth Verification completed using an electronic authentication service linked to the user, such as eID or eIDAS.
electronic_document Verification based on official digital documents containing verifiable identification information.
physical_document Verification based on official physical documents containing verifiable identification information.
vdig Validation of digital/electronic evidence by checking the authenticity and integrity of the submitted files or data.
bvr Automated biometric verification using technologies such as facial recognition to confirm the user's identity remotely.
pvr Physical verification performed remotely by an qualified/authorised person using image or video comparison.
data Verification completed by matching the user's information against an existing trusted electronic record.
reachability Confirmation that the registrant can be contacted using the provided contact details.

X-VERIFICATION-EVIDENCE# values in details

Values Meaning
idcard Government-issued identity card used to confirm a person's identity.
passport Government-issued passport used to verify identity and nationality of its holder primarily for the purpose of international travel.
population_register Record from an official population database.
residence_permit Official document confirming a person's right to reside within a particular jurisdiction.
proof_of_arrival An audit or compliance record showing that a verification message or document was successfully delivered.
drivers_license Official document permitting an individual to operate motorized vehicles. In the absence of a formal identity document, a driver's license may be accepted in many countries for identity verification.
company_register Official company registry information confirming company-related details.
company_statement Official statement or document issued by a company.
bank_account Bank account information from a recognised financial institution.
online_payment_account Documented payment information used to confirm a transaction.
utility_account Utility account record from a recognized utility provider used as proof of address.
bank_statement Official bank statement issued by a recognised financial institution.
tax_statement Official record issued by a country's tax authority.
written_attestation Written/printed statement/letter confirming the identity from a recognised person or authority.
digital_attestation Electronic confirmation of identity issued by a recognised person or authority.
postal_ver_transaction_log A log of postal or mail-based address verification activities involving PIN code delivery, tracking, or deliverability checks.
email_ver_transaction_log An audit log of the email verification process, confirming that the email address was reachable, verification was completed successfully, and an audit trail is available for compliance purposes.
phone_ver_transaction_log An audit log of the phone verification process, confirming that the phone number was successfully reached and verified (for example, via SMS or voice call).
address_database A record from a trusted government or regulated identity/address database.

Accepted combinations

Data Evidence Method
address address_database data
email email_ver_transaction_log reachability
phone phone_ver_transaction_log reachability
name bank_account data
name drivers_licence electronic_document|physical_document|bvr|pvr
name passport vdig|electronic_document|physical_document|bvr|pvr
name proof_of_arrival electronic_document|physical_document|bvr|pvr
name|address bank_statement electronic_document|physical_document
name|address company_register electronic_document
name|address company_statement electronic_document|physical_document
name|address idcard auth|vdig|electronic_document|physical_document|bvr|pvr
name|address population_register electronic_document|physical_document|bvr|pvr
name|address postal_ver_transaction_log vdig|reachability
name|address residence_permit electronic_document|physical_document|bvr|pvr
name|address tax_statement electronic_document|physical_document
name|address utility_account electronic_document|physical_document
name|address|email digital_attestation electronic_document
name|address|email online_payment_account data
name|address|email written_attestation physical_document

This change applies to the following API commands:

  • AddContact
  • ModifyContact
  • StatusContact

NIS2 – Email Verification

We are extending email verification to all TLDs, covering both gTLDs and ccTLDs.

This applies to all TLDs, except fulfilment TLDs. Fulfilment TLDs will operate as they are currently.

From 25 November 2025, new domain registrations, transfer-in and owner-changes in the live environment will require email verification to be completed.

From 16th June 2026, email verification are now linked with the contact verification details. Once the email address has been verified, an x-verification-data0=email entry will be automatically added.


NIS2 – Phone Validation

There will be a syntax validation check on international phone numbers to ensure compliance to RFC5733.

Contact telephone number structure is derived from structures defined in [ITU.E164.2005]. Telephone numbers described in this mapping are character strings that MUST begin with a plus sign ("+", ASCII value 0x002B), followed by a country code defined in [ITU.E164.2005], followed by a dot (".", ASCII value 0x002E), followed by a sequence of digits representing the telephone number. An optional "x" attribute is provided to note telephone extension information. From 25 November 2025, this change will be applied to the following APIs in the live environment::

  • AddCertificate (SSL API 2.0)
  • AddCertificateContact (SSL API 2.0)
  • AddContact
  • ModifyContact

To ensure a smooth transition, we invite you to test these updates in OT&E ahead of the production rollout.

None of these enhancements should be code-breaking, but they may lead to a higher number of failed transactions if the data quality is low.

We encourage you to review these requirements and ensure your customers are properly informed and the contact data fields are submitted according to the base requirements. This will result in fulfilling the data quality requirements of the registries and avoiding unnecessary transaction failures or domain suspensions/deletions.

Please note that certain EU member states and the TLDs in those jurisdictions may have additional or even stricter requirements. We will inform you about such requirements, including special penalties for failure to comply with those special requirements by newsletter and updates to our TLD appendices when they become available.

For further details on our NIS2 compliance journey, please refer to our previous blog post.

Please note that nothing in this notification constitutes legal advice regarding any responsibilities you may have under NIS2.

FAQ

Questions Answers
Is there a verification on phone numbers? There are no plans at the moment.
What will happen to the domain name order if no phone number was provided? Phone validation is a standard set of checks on the format. This is is done real time. If the telephone number is missing or does not match the checks, a contact will not be created with an error returned.
In what cases will email verification will be done? Domains currently already registered with us will not be affected. From 25th November 2025, new domain registrations in the live environment as well as incoming transfers will require email verification to be completed. The email verification applies to the API commands AddDomain, ModifyDomain, TradeDomain and TransferDomain. For transfer in cases, the addContact API will be triggered. A validation and verification will take place. Validation is the same as before except now with phone validation. For verification, if the owner email is not verified, our system generates a verification email with 14 days to respond before suspension.
How to find out which domains have not completed the email verification? If a contact that was never verified was used, you can find this information from the extension “X-TIME-TO-SUSPENSION”. This is available on each domain, immediately after the AddDomain command request, coming from a StatusDomain command response.

Alternatively, you can check the contacts that are subject for verification using QueryContactList command with the right parameters.

https://kb.centralnicreseller.com/domains/icann/contact-verification/contact-verification-statusdomain

https://kb.centralnicreseller.com/domains/icann/contact-verification/contact-verification-querycontactlist
How many emails will be sent to registrant? Within the 14 days before suspension, one initial email will be sent, followed by 1 reminder 3 days before.
What happens to the domain once it is suspended? The nameservers of the domain will be replaced. A banner will be displayed on the website. Completing the verification would restore back to the previous nameservers. This is in place to provide a better user experience of the website, instead of having the domain not resolving anymore.
If the email verification is not completed, will there be a suspension notification? The email verification is sent to the registrant. However, when a domain is suspended, the notification is sent to the CentralNic Reseller customer, not to the registrant. Registrants will notice their domains are no longer working.
Where can I find NIS2 information on specific ccTLDs? Please navigate via the top menu, Domains -> TLD List → search for the individual ccTLD.

We domains
-