DNS Impact on Stakeholders under NIS2 Directive (EU 2022/2555)

Entities belonging to the digital infrastructure sector are in essence based on network and information systems, and therefore the obligations imposed on those entities pursuant to the NIS2 Directive should address in a comprehensive manner the physical security of such systems as part of their cybersecurity risk-management measures and reporting obligations.




Upholding and preserving a reliable, resilient and secure domain name system (DNS) are key factors in maintaining the integrity of the internet and are essential for its continuous and stable operation, on which the digital economy and society depend. Therefore, this Directive should apply to top-level-domain (TLD) name registries, and DNS service providers that are to be understood as entities providing publicly available recursive domain name resolution services for internet end-users or authoritative domain name resolution services for third-party usage.

NIS2 introduces detailed compliance obligations paired with a strong enforcement regime. Key obligations include implementing a list of cybersecurity measures and establishing strict incident reporting protocols. Many of these obligations are further clarified by implementing acts such as Commission Implementing Regulation (EU) 2024/2690, which concerns the technical and methodological requirements of cybersecurity risk-management measures and further specifies the cases in which an incident is considered to be significant with regard to DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online market places, of online search engines and of social networking services platforms, and trust service providers.

NIS2 has far-reaching implications for various stakeholder categories:

  • DNS and Internet Infrastructure Providers: By bringing DNS service providers and TLD registries explicitly into its scope, NIS2 elevates the cybersecurity expectations for the DNS sector. Providers like DNS4EU now join the ranks of energy and health providers as essential services, reflecting the internet’s critical role. This means DNS operators must invest significantly in security controls and incident preparedness. While this raises operational costs and complexity for these providers, it also provides a more secure DNS ecosystem for users. Importantly, DNS4EU’s designation as an Essential Entity (with no size exemption) underscores the EU’s recognition that even a single DNS resolver service can be “critical for society”, implying greater responsibility but also validating DNS4EU’s importance.
  • Other Essential Entities (e.g., ISPs, Cloud providers, etc.): Internet Service Providers (many of whom operate recursive DNS for customers) and cloud/data center operators are also Essential Entities. They face similar mandates: robust cyber risk management and reporting. For such stakeholders, compliance efforts might include upgrading DNS security, since DNS is a common attack vector, which indirectly benefits DNS security overall. NIS2’s broader scope (expanding from 7 sectors to 18 sectors) means thousands more organisations (estimated 100,000+ in total) fall under cybersecurity regulation, raising baseline security across the board.
  • National Cybersecurity Authorities and CSIRTs: NIS2 strengthens the role and powers of national authorities. They must now supervise a larger set of entities with more stringent means, including “on-site inspections, off-site audits, security scans” and even sanctions like management disqualification. For DNS4EU, this likely means closer engagement with enforcement authorities (e.g., periodic compliance reports or inspections). Authorities also benefit from clearer incident reporting flows; for example, if DNS4EU suffers a major outage or cyberattack affecting EU users, authorities will be informed quickly and can coordinate response, which improves overall cyber resilience.
  • European Coordination (EU Institutions, ENISA, Cooperation Group): At the EU level, NIS2 fosters greater harmonisation. ENISA and the Cooperation Group develop guidelines (such as the Commission Implementing Regulation detailing technical requirements for sectors including DNS) to ensure consistent implementation. The EU’s cyber crisis cooperation network (EU-CyCLONe) and CSIRTs network also receive more timely and structured information on threats due to NIS2 reporting, improving cross-border awareness. This means a DNS incident in one country (e.g., large-scale DNS poisoning) can be quickly communicated to others, potentially prompting EU-wide defensive measures.
  • End-Users and Society: Ultimately, NIS2’s impact should be a positive externality for citizens and organisations relying on essential services. As DNS providers and ISPs harden their infrastructure and processes, users benefit from more reliable and secure internet resolution (fewer outages, faster mitigation of DNS-based attacks). NIS2 also addresses ancillary issues like domain name WHOIS data accuracy (for TLD registries, requiring verification of registration data), which can help curb abuse such as phishing domains. Though DNS4EU is a resolver and not directly responsible for domain registration data, a more secure and trustworthy DNS environment (from registry to resolver) means a safer internet experience.

In summary, NIS2’s enforcement is stringent and multi-faceted. Essential services such as DNS4EU are under greater scrutiny than ever: they must not only implement state-of-the-art security but also demonstrably prove it to regulators. DNS4EU, as an EU-funded initiative, is likely expected to lead by example in NIS2 compliance to showcase the EU’s commitment to cybersecurity.

This blog post was written by DNSC, a member of the DNS4EU consortium.