Database of domain name registration data
Directive on the security of network and information systems · UE 2022/2555
Database of domain name registration data
1. For the purpose of contributing to the security, stability and resilience of the DNS, Member States shall require TLD name registries and entities providing domain name registration services to collect and maintain accurate and complete domain name registration data in a dedicated database with due diligence in accordance with Union data protection law as regards data which are personal data.
2. For the purposes of paragraph 1, Member States shall require the database of domain name registration data to contain the necessary information to identify and contact the holders of the domain names and the points of contact administering the domain names under the TLDs. Such information shall include:
| (a) | the domain name; |
| (b) | the date of registration; |
| (c) | the registrant’s name, contact email address and telephone number; |
| (d) | the contact email address and telephone number of the point of contact administering the domain name in the event that they are different from those of the registrant. |
3. Member States shall require the TLD name registries and the entities providing domain name registration services to have policies and procedures, including verification procedures, in place to ensure that the databases referred to in paragraph 1 include accurate and complete information. Member States shall require such policies and procedures to be made publicly available.
4. Member States shall require the TLD name registries and the entities providing domain name registration services to make publicly available, without undue delay after the registration of a domain name, the domain name registration data which are not personal data.
5. Member States shall require the TLD name registries and the entities providing domain name registration services to provide access to specific domain name registration data upon lawful and duly substantiated requests by legitimate access seekers, in accordance with Union data protection law. Member States shall require the TLD name registries and the entities providing domain name registration services to reply without undue delay and in any event within 72 hours of receipt of any requests for access. Member States shall require policies and procedures with regard to the disclosure of such data to be made publicly available.
6. Compliance with the obligations laid down in paragraphs 1 to 5 shall not result in a duplication of collecting domain name registration data. To that end, Member States shall require TLD name registries and entities providing domain name registration services to cooperate with each other.
In Luxembourg, the ILR is the designated competent authority for the digital infrastructure sector, which covers TLD name registries and domain registration service providers. The law of 28 July 2023 on cybersecurity (amended by the law of 28 July 2025) transposes Article 28 and entrusts the ILR with operator designation, incident notifications, inspections and administrative fines up to 7 million euros or a percentage of turnover for important entities, and up to 10 million euros or 2 percent for essential entities. The deadline to answer access requests remains 72 hours.
Luxgap practice: map early whether your registry or registrar activity qualifies you as an essential or important entity under the annexes, then connect Domain Data Sentinel to your EPP to keep a timestamped access log directly usable during an ILR inspection.