Home M3AAWG Blog M3AAWG Issues Feedback to The UK’s Internet Domain Registry (Prescribed Practices and Prescribed Requirements) Regulations 2024
Posted by the M3AAWG Content Manager
March 31, 2025

 

As a result of the United Kingdom’s Department for Science, Innovation and Technology (DSIT) publishing the consultation outcome for “Powers in Relation to UK-related Domain Name Registries,” new regulations entitled “The Internet Domain Registry (Prescribed Practices and Prescribed Requirements) Regulations 2024” took effect in November 2024.

This legislation caught the attention of our members given its potential to combat pervasive online abuse tactics. As a result, when the consultation was brought to the public’s attention in July 2023, the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) eagerly submitted comments.

With this regulation now in place, M3AAWG members are encouraging additional improvements and taking this opportunity to reiterate some of our initial concerns while voicing further suggestions to enhance this newly enacted regulation.

M3AAWG Members’ Comments and Concerns

The scope of the powers described in the proposals was assumed to be limited to situations where there has been a serious relevant failure in relation to an internet domain registry or any of its registrars in scope country code top-level domains (.uk) and generic top-level domains (gTLDs) (.scot / .wales / .cymru / .london) that are targeting the UK.

From M3AAWG’s perspective, the following aspects should be considered:

The definitions of DNS abuse should be expanded.

We support a broader definition of DNS abuse, especially considering the changing nature of cybercrime and the speed by which criminals change tactics. Discussions and disagreements about definitions have hampered and delayed various attempts to tackle DNS abuse.

As a result, we encourage the adoption of a flexible definition that focuses on risks, threats, and harms rather than just fixed categories to protect the UK public from the increasing emergence of new threats. Indeed, the UK should look to the scope of the Budapest Convention to ensure that the types of cybercrimes it enumerates are included in the definition of DNS abuse.

Address the lack of availability of WHOIS data by tracking NIS2 requirements.

M3AAWG members have identified the lack of WHOIS data as a barrier to the investigation, mitigation, and prevention of cybercrime, as is reflected in the findings of the M3AAWG study “ICANN, GDPR, and the WHOIS: A Users Survey – Three Years Later.”  

While we applaud the steps Europe has taken to rectify this problem through the adoption and transposition of the revised European Union (EU) Directive on Security of Network and Information Systems (referred to as NIS2), we believe this development may not fully address the topic of WHOIS access and availability outside of the EU. As a result, we are calling for a UK-specific solution.

DNS misuse mitigation requirements should be included in contracts.

At a minimum, the UK should adopt best practices regarding DNS abuse to be included in the contracts with registrars and registries, ensuring swift mitigation of DNS abuse.

Ensure transparency in DNS abuse mitigation measures to increase confidence.

As DNS abuse mitigations evolve, it will be even more important to consider transparency so that good actors can maintain confidence in the deployed DNS abuse mitigations. For example, open reporting of actions taken and details of mitigation techniques can help avoid perceptions of bias on the part of law enforcement, regulators, registries, and registrars. We encourage UK authorities to consider how to best ensure transparency in DNS abuse mitigation measures and to periodically reevaluate this position as techniques and deployments evolve. M3AAWG has taken the opportunity to follow a Call for Comments by the UK government to provide views on proposals regarding powers in Relation to UK-Related Domain Name Registries. The scope of the powers described in the proposals was assumed to be limited to situations where there has been a serious relevant failure in relation to an internet domain registry or any of its registrars in scope country code top-level domains (.uk) and generic top level domains (gTLDs) (.scot / .wales / .cymru / .london) that are targeting the UK.

From M3AAWG’s perspective, the following aspects should be considered:

 

The definitions of DNS abuse should be expanded.

We support a broader definition of DNS abuse, especially in light of the changing nature of

cybercrime and the speed by which criminals change tactics. Discussions and disagreements about definitions have hampered and delayed various attempts to tackle DNS abuse. As a result, we encourage the adoption of a flexible definition that focuses on risk, threats, and harms rather than just set categories, in order to protect the UK public from the growing emergence of new threats.

Indeed, the UK should look to the scope of the Budapest Convention7 to ensure that the types of cybercrimes it enumerates are included in the definition of DNS abuse.

 

The UK should address the lack of availability of WHOIS data by tracking NIS2

requirements.
M3AAWG members have identified the lack of WHOIS data as an impediment to the investigation, mitigation, and prevention of cybercrime, as is reflected in the findings of the M3AAWG study “ICANN, GDPR, and the WHOIS: A Users Survey – Three Years Later.”8 While steps have been taken in Europe to rectify this problem through the adoption and transposition of the revised EU Directive on Security of Network and Information Systems (referred to as NIS2),9 this development may not fully address the topic of WHOIS access and availability outside of the EU. As a result, a UK-specific solution is called for.

 

DNS misuse mitigation requirements should be included in contracts.

At a minimum, the UK should adopt best practices with regard to DNS abuse (as described in

greater detail below) to be included in the contracts with registrars and registries to ensure swift mitigation of DNS abuse.

 

Transparency increases confidence in DNS abuse mitigation measures.

As DNS abuse mitigations evolve, it will become increasingly important to consider transparency so that good actors can maintain confidence in the deployed DNS abuse mitigations. For example, open reporting of actions taken and details of mitigation techniques can avoid perceptions of bias on the part of law enforcement, regulators, registries, and registrars. We encourage the UK authorities to consider how best to ensure transparency for DNS abuse mitigation measures and to periodically re-evaluate this position as techniques and deployments evolve.

 

All M3AAWG Public Policy Comments can be viewed on the M3AAWG Public Policy page.

 

The views expressed in DM3Z are those of the individual authors and do not necessarily reflect M3AAWG policy.