NIS2 and Domain Validation: Why EU Domain Registrations Are Getting Stricter

For many years, registering a domain name was a fast and mostly automatic process. A customer selected a domain, entered contact details, completed the order, and the domain usually became active shortly after registration.

That process is now changing.

Across the European Union, domain registries and registrars are placing more emphasis on accurate and verifiable domain holder data. One of the main reasons is the NIS2 Directive, the EU’s updated cybersecurity framework, which introduces stronger obligations around domain name registration data.

For customers, this means that some domain registrations, transfers, or updates may now require additional checks before the domain is fully approved or allowed to remain active.

In short

Domain registration in the EU is becoming stricter because registries and registrars are expected to maintain more accurate and reliable domain holder data.

NIS2 requires accurate and complete domain registration data, while individual registries decide how they verify that data in practice. Depending on the domain extension and registry policy, customers may sometimes be asked to provide additional documents such as company registration details or proof of address.

If the requested verification is not completed on time, a domain may be delayed, suspended, placed on hold, or prevented from becoming active.

The best way to avoid issues: keep domain holder information accurate, use the correct legal company name and address, and respond quickly to any verification request.

What’s in this article

• What is NIS2?
• Why this matters now
• What NIS2 requires – and what registries do in practice
• Why does this affect domain registrations?
• A practical example
• What kind of documents may be requested?
• Can a domain stop working if verification is not completed?
• Why providers cannot simply bypass these requests
• Does this affect only large companies?
• What about countries outside the EU?
• What customers should do to avoid delays
• What this means for businesses
• Our role as your provider
• Conclusion

What is NIS2?

NIS2, formally known as Directive (EU) 2022/2555, is the European Union’s updated cybersecurity directive. It entered into force in January 2023, and EU Member States were required to transpose it into national law by 17 October 2024.

The purpose of NIS2 is to strengthen the security and resilience of essential and important digital infrastructure across the EU.

One part of NIS2 is especially relevant to the domain industry: domain name registration data.

In simple terms, NIS2 requires EU Member States to ensure that top-level domain registries and domain registration service providers collect and maintain accurate and complete registration data for domain names.

This includes data such as the domain holder’s name, contact details, and other information needed to identify who is responsible for a domain.

Why this matters now

Although the transposition deadline was 17 October 2024, implementation across Europe has not been fully uniform. Some countries moved faster, while others experienced delays in adopting national legislation.

This means that the practical impact of NIS2 may not be felt in exactly the same way or at exactly the same time in every country.

However, the direction of travel is clear: registries, registrars, DNS providers, hosting companies, and other digital infrastructure providers are facing higher expectations around cybersecurity, data accuracy, and accountability.

For domain holders, this can result in more checks, more verification requests, and sometimes slower domain activation than in the past.

What NIS2 requires – and what registries do in practice

It is important to separate two things.

First, NIS2 sets the general obligation: domain registration data must be accurate, complete, and properly maintained.

Second, individual registries decide how they will implement that obligation in practice.

This means that NIS2 does not necessarily say, in every case, “the customer must provide a utility bill” or “the customer must upload a business license”. Those specific requirements usually come from the registry’s own verification policy, registrar procedures, or risk-based validation process.

For example, a registry may decide that if company data looks incomplete, inconsistent, outdated, or suspicious, it will request additional evidence. That evidence may include a company registration document, proof of address, or confirmation that the domain holder is a real legal entity.

So, while NIS2 is one of the regulatory drivers behind stricter validation, the exact documents requested can vary depending on the domain extension, registry, registrar, country, and risk assessment.

Why does this affect domain registrations?

Domain names are not just technical assets. They are part of critical online infrastructure.

A domain can control:

• A company website
• Email delivery
• Customer portals
• Billing systems
• SaaS platforms
• Online shops
• Brand identity
• Login and authentication systems

At the same time, domains are frequently abused for phishing, spam, malware, fake shops, impersonation, and other online fraud. When the registration data behind a domain is fake, incomplete, or impossible to verify, it becomes much harder to investigate abuse and hold the responsible party accountable.

That is why registries are becoming stricter about who owns a domain and whether the provided contact details are reliable.

A practical example

Imagine a company registers a domain under a registry that applies stricter or risk-based validation checks.

The domain order is submitted, but during automated or manual review, the company data does not fully match publicly available information or appears incomplete. The registry or registrar may then flag the domain for additional verification.

The provider may be asked to collect documents from the customer, such as:

• A company registration extract or business license
• Proof of the company’s address
• Confirmation of the company’s legal name and legal form
• A working email address and phone number for the domain holder

Until the verification is completed, the domain may remain on hold, fail to activate, or in some cases stop resolving.

From the customer’s perspective, it may look like a DNS or hosting problem. In reality, the issue is not the hosting server, nameservers, or website files. The domain itself is blocked or restricted because the registry requires additional validation of the holder data.

This can happen with different domain extensions depending on the registry’s policies. Some registries may only perform light checks, while others may request more detailed supporting documentation.

What kind of documents may be requested?

The exact requirements depend on the registry, registrar, and domain extension.

For companies, registries or registrars may request:

• Company registration extract
• Business license
• Chamber of commerce document
• VAT or tax registration document
• Proof of address, such as a utility bill, bank statement, lease document, or official correspondence
• Confirmation that the contact person is authorized to manage the domain on behalf of the company

For individuals, the process may involve:

• Email verification
• Phone verification
• Proof of identity
• Proof of address

Not every domain will require all of these documents. In many cases, validation may be limited to an email confirmation or automated data check. However, when a registry flags a registration as higher risk or incomplete, more documentation may be required.

Can a domain stop working if verification is not completed?

Yes, in some cases.

If a registry requests validation and the required information is not provided within the required timeframe, the domain may be suspended, placed on hold, deactivated, or prevented from becoming active.

This can affect:

• Website access
• Email service
• DNS records
• Customer portals
• Online applications
• Any service depending on that domain

This is why it is important to treat verification requests seriously and respond quickly.

Why providers cannot simply bypass these requests

Hosting companies, domain resellers, and registrars often act as intermediaries between the customer and the registry.

When a registry requests verification, the provider cannot simply ignore the request or manually override it. The provider must follow the registry’s rules, collect the requested information from the customer, and submit it through the correct channel.

This can be frustrating, especially when a customer has registered domains for years without being asked for documents. But the domain industry is moving toward stricter compliance, better data quality, and more accountability.

In practice, domain registration is no longer always a purely technical or automated process. It is increasingly connected to compliance, cybersecurity, and identity validation.

Does this affect only large companies?

NIS2 generally focuses on medium-sized and large entities in important or essential sectors. However, there are important exceptions.

Certain types of digital infrastructure providers, including top-level domain name registries and DNS service providers, can fall under NIS2 obligations regardless of their size.

This is important because it shows how seriously regulators treat DNS and domain infrastructure. Even if a provider or registry is not a large company, the service it provides may still be considered critical for the functioning of the internet.

What about countries outside the EU?

NIS2 is an EU directive, but its influence goes beyond the EU.

Countries outside the European Union are also updating their cybersecurity and resilience rules. For example, Serbia and the United Kingdom have introduced or developed cybersecurity and resilience legislation that is closely aligned with the direction of NIS2 and related EU requirements.

For customers in Serbia and the wider region, this means that the trend toward stricter cybersecurity, infrastructure compliance, and more reliable registration data is not only an EU issue. It is becoming part of the broader European regulatory environment.

This is especially relevant for companies that register EU domain extensions, work with EU customers, use EU-based providers, or operate across multiple jurisdictions.

What customers should do to avoid delays

To reduce the risk of domain activation delays or unexpected suspension, customers should make sure their domain holder data is accurate and consistent.

We recommend the following:

1. Use the correct legal company name. The company name on the domain should match official company documents.
2. Include the correct legal form. For example: GmbH, BV, Ltd, d.o.o., LLC, AG, or another applicable legal form.
3. Keep the address up to date. The address in the domain contact data should match a real and verifiable company or residential address.
4. Use a working email address. Verification requests are often sent by email and may be time-sensitive.
5. Keep business documents ready. Companies should have a recent registration extract and proof of address available.
6. Respond quickly to verification requests. Delays may result in domain suspension, failed activation, or service interruption.
7. Keep domain data consistent across services. The company name, address, email, and phone number should be consistent between the domain order, billing profile, and official documents.

What this means for businesses

Businesses should treat domain names as critical infrastructure.

A domain is often connected to email, websites, authentication, customer communication, and revenue-generating services. If the domain is suspended because the ownership data cannot be verified, the impact can be serious.

This is especially important for companies that:

• Manage multiple domains
• Register domains under different legal entities
• Operate internationally
• Use resellers or external IT providers
• Register domains on behalf of clients
• Rely heavily on email or online platforms

Domain compliance is becoming part of operational risk management.

Our role as your provider

As your hosting and domain provider, our role is to help you complete the verification process as smoothly as possible.

If a registry requests additional validation, we will inform you what information or documents are needed and help submit them through the correct channel.

However, these requirements are imposed by the registry, registrar, or applicable regulatory framework. They are not something we can bypass, ignore, or override.

The best way to avoid delays is to keep your domain holder information accurate and respond quickly when verification is requested.

Conclusion

NIS2 is changing expectations around domain registration data in the European Union.

The directive focuses on accurate and complete domain holder data. In response, registries are introducing stricter verification procedures, risk-based checks, and documentation requirements.

This may make some domain registrations slower or more complex than before, but the purpose is to improve trust, reduce abuse, and make domain ownership more transparent and accountable.

For customers, the best approach is simple: keep your domain data accurate, keep your documents ready, and treat verification requests as time-sensitive.

Domain registration is no longer just a technical step. It is becoming part of a broader cybersecurity and compliance framework.

Need help with a domain verification request?

If you’ve received a verification request for one of your domains, or you’re not sure whether your domain holder data is accurate and up to date, our support team is here to help. Get in touch and we’ll guide you through exactly what’s needed and how to submit it.