NIS2 Guidelines

Domain Registration Guidelines pursuant to NIS2 Regulation (EU) 2022/2555

Last updated: December 2025

§ 1

Verification Duties

1.1 Pursuant to Article 28 of the NIS2 Directive (EU) 2022/2555, we as a domain registrar are obliged to verify the identity of domain holders. This serves to ensure correct and complete registration data.

1.2 For each domain registration, verification of both the email address and telephone number of the domain holder is required. A domain is only considered fully verified once both contact details have been confirmed.

1.3 The verification requirement applies to natural persons as well as legal entities and organisations. For legal entities, an authorised contact person must be named and verified.

§ 2

Verification Process

2.1 Email verification is performed by sending a confirmation link to the registered email address. The link is valid for 24 hours and must be confirmed by clicking.

2.2 Telephone verification is performed optionally by:

  • SMS code to the registered mobile number
  • Automated phone call with a verification code announcement

2.3 The verification codes are each valid for 10 minutes. A new code can be requested if they expire.

2.4 Successful verification is displayed in the customer account and documented with a timestamp.

§ 3

Deadlines and Revalidation

3.1 For new domain registrations, full verification must be completed within 14 days of registration.

3.2 When contact details (email or telephone number) are changed, re-verification of the changed data is required. The deadline is also 14 days from the change.

3.3 For existing domains that were registered before this directive came into force (import), a revalidation period of 14 days from request is set.

3.4 We reserve the right to request re-verification in justified cases, particularly if there is suspicion of incorrect data or complaints from third parties.

§ 4

Consequences of Non-Compliance

4.1 If the verification deadline expires without successful confirmation, a reminder will first be sent by email to the registered address.

4.2 If verification is not completed within a further 7 days after the reminder, the affected domain may be suspended. A suspended domain is no longer reachable on the internet.

4.3 The suspension can be lifted by subsequent successful verification. Regular domain fees continue to apply during suspension.

4.4 In case of permanent non-verification (more than 60 days), the domain may be deleted. Recovery is not possible in this case.

Part 2: Disclosure of Registration Data

§ 5

Authorised Requesters

5.1 Pursuant to NIS2 Article 28 paragraph 5, we grant authorised applicants access to specific domain registration data. The following are considered authorised:

  • Law enforcement authorities (LEA) in the course of ongoing investigations
  • Computer Emergency Response Teams (CERT/CSIRT) in case of security incidents
  • Intellectual property enforcement authorities (IP Enforcement)
  • Courts and court-appointed executors
  • Other authorities with a legal basis

5.2 Private lawyers or companies are not directly entitled to request information, but may obtain information through competent authorities or in the course of court proceedings.

§ 6

Request Process

6.1 Requests must be submitted in writing to: disclosure@itsh.dev

6.2 The request must contain the following information:

  • Name, organisation and contact details of the requester
  • Proof of authorisation (e.g. official ID, court order)
  • File reference or case number
  • Affected domain(s)
  • Legal basis for the request
  • Specific data required and justification

6.3 Incomplete requests will be rejected with reference to missing information.

§ 7

Decision Criteria

7.1 Each request is assessed according to the following criteria:

  • Legitimacy: Is the requester authorised pursuant to section 5?
  • Legal basis: Is there a valid legal basis?
  • Proportionality: Is the requested data necessary for the purpose?
  • Data minimisation: Is only necessary data being requested?

7.2 If there are doubts about the authorisation, a query may be made to the requester or the superior authority.

7.3 Rejections are given in writing with reasons. The requester may lodge a complaint against the rejection with the Data Protection Officer.

§ 8

Processing Deadlines

8.1 We commit to the following processing times:

  • Law enforcement authorities (LEA): 72 hours
  • CERT/CSIRT for active security incidents: 72 hours
  • Court orders: 72 hours
  • Other authorised requests: 7 business days

8.2 For urgent requests (imminent danger), we endeavour to process them more quickly. Please mark such requests accordingly.

8.3 Deadlines begin upon receipt of a complete request pursuant to section 6.2.

§ 9

Disclosed Data

9.1 The following data may be disclosed upon authorised request:

  • Name of the domain holder (natural or legal person)
  • Address of the domain holder
  • Email address of the domain holder
  • Telephone number of the domain holder
  • Registration and expiry date of the domain
  • Technical contact details (if different)

The following data will not be disclosed:

  • Passwords or access credentials
  • Payment information (credit cards, bank details)
  • Internal customer numbers or account IDs
  • Communication history with customer support

9.3 A court order is required for further data.

Part 3: Abuse Handling

§ 10

Reporting Process

10.1 Abuse reports can be submitted through the following channels:

  • Online form via the "Report Abuse" link in the footer
  • Email to: abuse@itsh.dev

10.2 A report should contain the following information:

  • Affected domain(s)
  • Type of abuse (see section 11)
  • Description of the incident with evidence (screenshots, URLs, etc.)
  • Contact details of the reporter (email required)

10.3 Anonymous reports will be processed, but no feedback can be provided without contact details.

§ 11

Categories

11.1 We process abuse reports in the following categories:

  • Spam: Unsolicited mass emails or advertising via the domain
  • Phishing: Deceptive websites for obtaining credentials
  • Malware: Distribution of malicious software via the domain
  • Incorrect registration data: Obviously false holder information
  • Trademark infringement: Infringement of registered trademarks
  • Other: Other violations of our terms of service

11.2 For criminally relevant content (e.g. child abuse), a report is immediately made to the competent authorities.

§ 12

Processing Workflow

12.1 After receipt of a report, processing takes place in the following steps:

1. Acknowledgement of receipt

The reporter receives an automatic confirmation with a case number.

2. Review

Our team reviews the report for completeness and plausibility.

3. Investigation

For legitimate reports, the domain holder is contacted and asked to respond.

4. Decision

Based on the results, a decision is made on measures.

5. Closure

The reporter is informed of the outcome (where contact details are available).

12.2 We aim for a maximum processing time of 7 business days. Complex cases may take longer.

§ 13

Domain Suspension

13.1 A domain may be suspended in the following cases:

  • Confirmed abuse pursuant to section 11
  • Non-compliance with verification requirements pursuant to section 4
  • Court order or official decree
  • Serious violations of the Terms and Conditions

13.2 Upon suspension, the domain holder is notified by email. The domain is not reachable on the internet during suspension.

13.3 The domain holder may lodge an objection within 14 days. The objection must be submitted in writing with reasons to support@itsh.dev.

13.4 In case of a justified objection, the suspension will be reviewed. The decision on the objection will be made within 7 business days.

13.5 In case of permanent suspension without successful objection, the domain may be deleted after 60 days.