NIS2 Directive: What Does It Mean for Domain Holders?

The NIS2 Directive (Network and Information Security Directive 2) developed by the European Union changes cybersecurity requirements not only for critical infrastructures but also affects other sectors within Europe.

INWX as a domain registrar is also affected. Because NIS2 requires that registrars and registries, the administrative bodies for domain extensions, ensure correct data for domain holders.

In Germany, the law resulting from the directive came into force on December 6, 2025. And as of April 14, 2026, the new regulations of DENIC, the registry for .de domains, came into effect.

But what does this mean concretely for you as a domain holder? This article shows you which NIS2 requirements affect you and what steps you need to take.

What is the NIS2 directive? A quick overview

The NIS2 Directive—officially Directive (EU) 2022/2555—is the EU-wide legal framework for the protection of networks and information systems. It establishes unified cybersecurity standards and changes security requirements across Europe.

NIS2 is the successor to the original NIS Directive from 2016 and goes significantly further: instead of seven sectors, NIS2 now covers 18 sectors. Newly added are, among others, domain registration services, data centers, and managed service providers.

The EU Directive came into force on January 16, 2023. When NIS2 becomes mandatory depends on individual countries. This is because EU member states implement the directive's requirements into national law at different timelines. Germany passed its implementation law on December 6, 2025, while Austria will implement it in October 2026.

Since NIS2 is merely a directive, the concrete implementation and requirements vary by country. You can find the complete NIS2 Directive text on EUR-Lex.

Who does NIS2 apply to – and what does it mean for domain owners?

NIS2 affects a total of 18 sectors, including traditional areas such as energy, transport, health, and finance, as well as digital infrastructures. However, Article 28 specifically addresses registrars and registries. This means INWX is also affected by the statutory requirements.

Specifically, Article 28 stipulates that registrars and registries must ensure that data from domain holders is complete, correct, and reachable. During domain registration, data such as name, email, address, and phone number must be collected and simultaneously validated, and in certain circumstances, verified.

If you or your company have registered a domain, you are indirectly also affected by NIS2—even if your company is not itself active in a traditional NIS2 sector.

One reason for these new NIS2 obligations is the ever-increasing cybercrime, such as phishing, scamming, and fraud. Because when these attacks run through domains with incorrect or incomplete registration data, nobody can be held accountable.

The NIS2 Directive in Germany closes exactly this gap: only with correct data can criminal activities be traced and prevented. With verified data, it becomes much harder to hide behind a domain. This protects you, other internet users, and the digital infrastructure as a whole.

How exactly this verification works in practice depends on two factors:

First, it depends on your domain extension, meaning which country's laws the registry follows. Registries implement the laws of their respective countries and set corresponding new requirements for registration data. Registrars then implement these new obligations.

Second, the registrar itself is subject to the legislation of its own country. As a German registrar, INWX complies with the NIS2 Directive in Germany and the current information from the BSI on NIS2 implementation in Germany.

This means we must comply with both German NIS2 requirements and the conditions of the respective registry.

What NIS2 means in practice for domain owners

Email Verification Becomes Mandatory

One of the NIS2 obligations is the verification of email addresses. If verification does not take place, your domain will be deactivated. This means all associated services will temporarily be unavailable. Once you confirm your email address, the domain will be reactivated.

Annual Reminders to Review Your Data

Every year on your domain's renewal date, you'll receive an email from us asking you to review your domain contact data and correct it if necessary. This ensures your data always stays current.

Changes in WHOIS and RDAP

WHOIS and RDAP are databases where information about domain holders is publicly accessible. Learn more in our article What WHOIS is and what data is stored there.

With NIS2, certain changes have occurred for some domain extensions, such as .de: for companies and organizations, data is now publicly visible. Therefore, it's recommended to use neutral contact data for email and phone numbers without reference to individuals.

The data of private individuals remains hidden—nothing has changed here.

Verification of Domain Contacts

To ensure data is correct, additional verification may be triggered for some domain contacts. However, not all holders are directly affected, and not all data needs to be verified. If your data is complete and correct, usually, nothing will happen.

Verification will only be requested if there is reason to believe that the provided data is not correct. Risk checks and possible subsequent verifications are typically triggered for certain actions, such as new registrations, updates, restorations, provider changes, or changes to contact data.

Who performs this risk check and carries out the NIS2 domain verification varies by registry. The verification request can come from either the registrar INWX or the respective registry.

What INWX is doing – and what you need to do next

As a registrar, INWX is directly affected by NIS2 and acts proactively. We have already implemented measures to meet the new requirements.

INWX acts as an interface between national registries and you. We forward verification requests but can also take action ourselves if we suspect incorrect data.

How Does Email Verification Work at INWX?

If the email of the domain contact has not yet been verified, you will receive an email with a confirmation link when registering a new domain. You then have 14 days to confirm this link. This process has existed longer for gTLDs due to the ICANN Registrar Accreditation Agreement 2013. In the course of NIS2, it has now been extended to ccTLDs as well.

How Does Verification of Name and Address Work?

Where possible, we automatically validate your data—for example, through address databases or information from online transfers. If this is not possible and verification is required, verification takes place via documents. You will then receive an email asking you to verify your domain contact with a document. Simply upload this to our customer area. We then check your information and perform the verification.

Step by step: Check and verify your contact data at INWX

Your Responsibility as a Domain Holder

As a domain holder, it is your responsibility to ensure that the data provided during domain registration is correct and current.

Pay particular attention to correctly filling in the "Company" field: if this field is filled in, the registered company is considered the domain holder. The specified person is merely the contact person. If the "Company" field is left blank, the holder is a personal contact.