NIS2 Art.28.1: Database of Domain Name Registration Data (WHOIS)
What This Control Requires
Member States shall require TLD name registries and entities providing domain name registration services to collect and maintain accurate and complete domain name registration data in a dedicated database with due diligence in accordance with Union data protection law.
In Plain Language
Domain registration data (WHOIS) might seem like a niche concern, but NIS2 takes it seriously. TLD registries and domain registrars must collect and maintain accurate, complete registration data - and that means all organisations registering domains need to provide correct information in the first place. The directive requires registration data to include the registrant's name, contact details, and administrative and technical contacts. This data must be made available to legitimate access seekers within 72 hours of a request, all while respecting GDPR personal data requirements.

Even if you are not a registrar, this matters. Your domain registration data can be accessed by competent authorities, law enforcement, and CERT teams. Inaccurate registration information can complicate incident response and regulatory interactions. Keeping your domain records clean is basic digital hygiene that pays off when you need it most.
How to Implement
Audit all domain names registered by your organisation. Make sure the registration data is accurate, complete, and current: registrant name and organisation, administrative contacts, technical contacts, and billing contacts.

Put a domain governance process in place. You need a central inventory of every domain name the organisation owns or manages, regular accuracy reviews (at least annually), procedures for updating data when organisational details change, and clear ownership of who manages domains.

Check how your registrar implements the NIS2 WHOIS requirements. Verify they are compliant with Art.28 and maintaining your data properly.

If your organisation might receive domain registration data access requests, establish procedures for evaluating and responding to legitimate requests, ensure GDPR compliance when processing personal data in registrations, and loop in your legal team on disclosure decisions.

Protect your domain registrations from unauthorised changes. Enable domain lock features, use registry lock where available, and deploy DNSSEC. A compromised domain registration is a serious attack vector that can undermine everything else you have built.

Work domain name security into your broader cybersecurity risk management. Domain hijacking, typosquatting, and registration data manipulation are real threats that deserve assessment and mitigation alongside your other risks.
Evidence Your Auditor Will Request
- Central inventory of all organisational domain names
- Evidence of accurate and current domain registration data
- Domain name governance procedures and review records
- Domain security measures (registry lock, DNSSEC) implementation evidence
- Process for handling domain registration data access requests
Common Mistakes
- Domain registration data is outdated with former employees' contact details
- No central inventory; domain names registered by various departments without oversight
- Domain security features (lock, DNSSEC) not enabled
- Expiring domain names not monitored, risking loss of business-critical domains
- No process for evaluating legitimate access requests for registration data
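As an added example (not part of the original article or of any registrar's tooling), the following Python script runs the review described under "How to Implement" over a constructed domain inventory and flags the items in the "Common Mistakes" list: missing or stale contacts, no registrar or registry lock, an unsigned DNSSEC delegation, and imminent expiry. The record shape is a simplified form of RDAP JSON (RFC 9083) with status and event names taken from RDAP; the domain names, mailboxes and dates are constructed sample data.

```python
from datetime import datetime, timezone

# Constructed sample records. The shape is a simplified form of RDAP JSON (RFC 9083):
# "status" values and "events" follow RDAP naming, contacts are flattened to role -> email.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)   # fixed "today" so the run is reproducible
FORMER_STAFF = {"j.doe@example.org"}               # constructed: mailboxes of people who have left
REQUIRED_ROLES = ("registrant", "administrative", "technical", "billing")
# EPP/RDAP status values: "client ..." is set by the registrar (domain lock),
# "server ..." is set by the registry (registry lock).
LOCK_STATUSES = {"client transfer prohibited", "server transfer prohibited"}

INVENTORY = [
    {"ldhName": "example.org",
     "status": ["client transfer prohibited", "server transfer prohibited"],
     "secureDNS": {"delegationSigned": True},
     "events": [{"eventAction": "expiration", "eventDate": "2026-03-01T00:00:00Z"}],
     "contacts": {"registrant": "domains@example.org", "administrative": "domains@example.org",
                  "technical": "noc@example.org", "billing": "finance@example.org"}},
    {"ldhName": "example.net",
     "status": ["active"],
     "secureDNS": {"delegationSigned": False},
     "events": [{"eventAction": "expiration", "eventDate": "2025-06-20T00:00:00Z"}],
     "contacts": {"registrant": "domains@example.org", "administrative": "j.doe@example.org"}},
]

def audit_domain(rec, now=NOW, expiry_window_days=30):
    """Return the list of findings for one record; an empty list means the domain passes."""
    findings = []
    contacts = rec.get("contacts", {})
    for role in REQUIRED_ROLES:                       # completeness of registration data
        if not contacts.get(role):
            findings.append(f"missing {role} contact")
    for role, email in contacts.items():              # accuracy: contacts must be current staff
        if email in FORMER_STAFF:
            findings.append(f"{role} contact is a former employee ({email})")
    status = set(rec.get("status", []))
    if not status & LOCK_STATUSES:
        findings.append("no transfer lock enabled")
    elif "server transfer prohibited" not in status:
        findings.append("registrar lock only; registry lock not enabled")
    if not rec.get("secureDNS", {}).get("delegationSigned"):
        findings.append("DNSSEC delegation not signed")
    for ev in rec.get("events", []):                  # expiry monitoring
        if ev.get("eventAction") == "expiration":
            expires = datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
            days_left = (expires - now).days
            if days_left < expiry_window_days:
                findings.append(f"expires in {days_left} days")
    return findings

def audit_inventory(inventory=INVENTORY, now=NOW):
    """Map each domain name to its findings for the review record."""
    return {rec["ldhName"]: audit_domain(rec, now) for rec in inventory}

if __name__ == "__main__":
    for name, findings in audit_inventory().items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Point the same checks at the RDAP responses of your registrar (or an export of your registrar portal) to turn an annual accuracy review into a repeatable, evidenced run.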