The EU NIS2 Directive is coming into effect, introducing new obligations for both registrars and resellers. In our newsletters, we introduced important updates in our OT&E (Operational Testing & Evaluation) environment on 24th March 2025 that form part of our commitment to the EU NIS2 Directive (repeated below).
This is to enhance registration data accuracy and allow our customers to test early, ensuring a seamless transition before the updates go live.
The updates are now scheduled for deployment to the live environment on 25th November 2025.
Key Requirements Under NIS2
Article 28 of the directive applies to entities providing domain name registration services, including registrars, resellers, and providers of ancillary services (such as privacy and local presence services). Under NIS2, both registrars and resellers share the responsibility for ensuring that registration data is accurate and complete in our database. This includes essential data elements such as the registrant’s name, contact email address, and telephone number.
Additionally, NIS2 requires registrars and resellers to implement and publish policies to maintain accurate registration data, including adequate verification procedures. The publication of registration details of legal entities will become mandatory.
As a reseller, you have a direct relationship with customers, making your role in data accuracy critical. You are expected to:
Verify that the data you submit to us has undergone appropriate verification procedures.
Maintain logs documenting verification for each registrant contact.
Inform your resellers (if applicable) of these requirements.
Basic Compliance Requirements:
Ensure all mandatory contact fields (e.g., email, phone number) are correctly provided during domain registrations, transfers, and ownership changes.
Validate registrant data using format checks (e.g., RFC standards for email/phone, ensuring postal codes have the right number of digits, etc) and verify it where feasible.
Implement processes to detect and block requests containing incomplete or invalid registrant data.
Use industry-standard best practice methods (e.g., email, phone, and name verification) to confirm registrant contact details.
Inform your clients that the use of the Organization field in the registration data may result in the identification of the registrant as legal entity and therefore the publication of their information in the public registration database/query service.
Keep logs documenting when and how registrant data verification has occurred.
Failure to comply with these requirements may result in:
Rejection of registration requests.
Suspension of registered domain names.
In extreme cases, suspension of your account.
Please note that any fines applied to us by a registry operator regarding unverified registration data supplied by you may be charged to your account.
Upcoming Registrar Enhancements:
We will extend our existing validation and verification processes for gTLD domain names (see: https://kb.centralnicreseller.com/domains/icann/contact-verificationhttps://kb.centralnicreseller.com/domains/icann/contact-verification) to cover all domain registrations and contact data updates on our platform. Additionally, a non-intrusive validation of registrant telephone numbers will be introduced as part of this process. Please see details below.
Annual registration data reminders (formerly WDRP) will now be sent for all domain names, regardless of the TLD.
Weekly email reminders to resellers about identified incorrect or incomplete data.
Introduction of a new optional contact extension to allow self-identification of entity type: X-LEGALFORM.
Resume partially unredacted publication of registration data of legal entities, as identified by the use of the “Organization” field and the X-LEGALFORM extension.
Contact Verification Details
Additional parameters and responses will be introduced to allow the users to record details on the verification method used. For now, these parameters are optional. We will monitor how the different registries adapt NIS2 and adjust where necessary.
This change will be applied to the following API commands:
AddContact
ModifyContact
StatusContact
From 25th October 2025, this change will be available in the OT&E environment.
Then from 25th November 2025, it will be available in the live environment.
To ensure a smooth transition, please test these updates in OT&E ahead of the production rollout.
NIS2 – Email Verification
We are extending email verification to all TLDs, covering both gTLDs and ccTLDs.
This applies to all TLDs, except fulfilment TLDs. Fulfilment TLDs will operate as they are currently.
From 25 November 2025, new domain registrations, transfer-in and owner-changes in the live environment will require email verification to be completed.
NIS2 – Phone Validation
There will be a syntax validation check on international phone numbers to ensure compliance to RFC5733.
Contact telephone number structure is derived from structures defined in [ITU.E164.2005]. Telephone numbers described in this mapping are character strings that MUST begin with a plus sign ("+", ASCII value 0x002B), followed by a country code defined in [ITU.E164.2005], followed by a dot (".", ASCII value 0x002E), followed by a sequence of digits representing the telephone number. An optional "x" attribute is provided to note telephone extension information.
From 25 November 2025, this change will be applied to the following APIs in the live environment::
AddCertificate (SSL API 2.0)
AddCertificateContact (SSL API 2.0)
AddContact
ModifyContact
To ensure a smooth transition, we invite you to test these updates in OT&E ahead of the production rollout.
None of these enhancements should be code-breaking, but they may lead to a higher number of failed transactions if the data quality is low.
We encourage you to review these requirements and ensure your customers are properly informed and the contact data fields are submitted according to the base requirements. This will result in fulfilling the data quality requirements of the registries and avoiding unnecessary transaction failures or domain suspensions/deletions.
Please note that certain EU member states and the TLDs in those jurisdictions may have additional or even stricter requirements. We will inform you about such requirements, including special penalties for failure to comply with those special requirements by newsletter and updates to our TLD appendices when they become available.
For further details on our NIS2 compliance journey, please refer to our previous blog post.
Please note that nothing in this notification constitutes legal advice regarding any responsibilities you may have under NIS2.
FAQ
Questions
Answers
Is there a verification on phone numbers?
There are no plans at the moment.
What will happen to the domain name order if no phone number was provided?
Phone validation is a standard set of checks on the format. This is is done real time. If the telephone number is missing or does not match the checks, a contact will not be created with an error returned.
In what cases will email verification will be done?
Domains currently already registered with us will not be affected. From 25th November 2025, new domain registrations in the live environment as well as incoming transfers will require email verification to be completed. The email verification applies to the API commands AddDomain, ModifyDomain, TradeDomain and TransferDomain. For transfer in cases, the addContact API will be triggered. A validation and verification will take place. Validation is the same as before except now with phone validation. For verification, if the owner email is not verified, our system generates a verification email with 14 days to respond before suspension.
How to find out which domains have not completed the email verification?
If a contact that was never verified was used, you can find this information from the extension “X-TIME-TO-SUSPENSION”. This is available on each domain, immediately after the AddDomain command request, coming from a StatusDomain command response.
Alternatively, you can check the contacts that are subject for verification using QueryContactList command with the right parameters.
Within the 14 days before suspension, one initial email will be sent, followed by 1 reminder 3 days before.
What happens to the domain once it is suspended?
The nameservers of the domain will be replaced. A banner will be displayed on the website. Completing the verification would restore back to the previous nameservers. This is in place to provide a better user experience of the website, instead of having the domain not resolving anymore.
NIS2 Compliance
The EU NIS2 Directive is coming into effect, introducing new obligations for both registrars and resellers. In our newsletters, we introduced important updates in our OT&E (Operational Testing & Evaluation) environment on 24th March 2025 that form part of our commitment to the EU NIS2 Directive (repeated below).
This is to enhance registration data accuracy and allow our customers to test early, ensuring a seamless transition before the updates go live.
The updates are now scheduled for deployment to the live environment on 25th November 2025.
Key Requirements Under NIS2
Article 28 of the directive applies to entities providing domain name registration services, including registrars, resellers, and providers of ancillary services (such as privacy and local presence services). Under NIS2, both registrars and resellers share the responsibility for ensuring that registration data is accurate and complete in our database. This includes essential data elements such as the registrant’s name, contact email address, and telephone number.
Additionally, NIS2 requires registrars and resellers to implement and publish policies to maintain accurate registration data, including adequate verification procedures. The publication of registration details of legal entities will become mandatory.
As a reseller, you have a direct relationship with customers, making your role in data accuracy critical. You are expected to:
Basic Compliance Requirements:
Failure to comply with these requirements may result in:
Please note that any fines applied to us by a registry operator regarding unverified registration data supplied by you may be charged to your account.
Upcoming Registrar Enhancements:
We will extend our existing validation and verification processes for gTLD domain names (see: https://kb.centralnicreseller.com/domains/icann/contact-verificationhttps://kb.centralnicreseller.com/domains/icann/contact-verification) to cover all domain registrations and contact data updates on our platform. Additionally, a non-intrusive validation of registrant telephone numbers will be introduced as part of this process. Please see details below.
Contact Verification Details
Additional parameters and responses will be introduced to allow the users to record details on the verification method used. For now, these parameters are optional. We will monitor how the different registries adapt NIS2 and adjust where necessary.
This change will be applied to the following API commands:
From 25th October 2025, this change will be available in the OT&E environment.
Then from 25th November 2025, it will be available in the live environment.
To ensure a smooth transition, please test these updates in OT&E ahead of the production rollout.
NIS2 – Email Verification
We are extending email verification to all TLDs, covering both gTLDs and ccTLDs.
This applies to all TLDs, except fulfilment TLDs. Fulfilment TLDs will operate as they are currently.
From 25 November 2025, new domain registrations, transfer-in and owner-changes in the live environment will require email verification to be completed.
NIS2 – Phone Validation
There will be a syntax validation check on international phone numbers to ensure compliance to RFC5733.
Contact telephone number structure is derived from structures defined in [ITU.E164.2005]. Telephone numbers described in this mapping are character strings that MUST begin with a plus sign ("+", ASCII value 0x002B), followed by a country code defined in [ITU.E164.2005], followed by a dot (".", ASCII value 0x002E), followed by a sequence of digits representing the telephone number. An optional "x" attribute is provided to note telephone extension information. From 25 November 2025, this change will be applied to the following APIs in the live environment::
To ensure a smooth transition, we invite you to test these updates in OT&E ahead of the production rollout.
None of these enhancements should be code-breaking, but they may lead to a higher number of failed transactions if the data quality is low.
We encourage you to review these requirements and ensure your customers are properly informed and the contact data fields are submitted according to the base requirements. This will result in fulfilling the data quality requirements of the registries and avoiding unnecessary transaction failures or domain suspensions/deletions.
Please note that certain EU member states and the TLDs in those jurisdictions may have additional or even stricter requirements. We will inform you about such requirements, including special penalties for failure to comply with those special requirements by newsletter and updates to our TLD appendices when they become available.
For further details on our NIS2 compliance journey, please refer to our previous blog post.
Please note that nothing in this notification constitutes legal advice regarding any responsibilities you may have under NIS2.
FAQ
Alternatively, you can check the contacts that are subject for verification using QueryContactList command with the right parameters.
https://kb.centralnicreseller.com/domains/icann/contact-verification/contact-verification-statusdomain
https://kb.centralnicreseller.com/domains/icann/contact-verification/contact-verification-querycontactlist