NIS2 for DNS, TLD registries, and trust service providers.
Core internet infrastructure is regulated under NIS2 as essential entities independent of size. Even tiny organizations — if they operate a TLD or provide eIDAS trust services — face full obligations.
Why this matters now
Attacks on TLD registries and trust service providers have cascading effects across the internet. NIS2 responds by requiring the strictest controls regardless of operator size. Existing eIDAS-regulated trust service providers face layered NIS2 obligations on top of their eIDAS audits.
- Size-independent regulation — small nonprofit or community operators subject to same rules as DENIC
- Interaction with eIDAS for qualified trust service providers — overlap but distinct regimes
- DNS resolver operators vs DNS authoritative operators have different profiles
- Root-server operators have implicit global responsibilities
How Matproof covers NIS2 for Digital Infrastructure (DNS, TLD, Trust Services)
eIDAS + NIS2 dual compliance
For qualified trust service providers, NIS2 adds cyber obligations on top of eIDAS conformity. Matproof cross-maps eIDAS requirements to NIS2 Art. 21 so evidence is shared.
DNS-specific controls
DNSSEC deployment and monitoring, resolver integrity, authoritative name-server security, query-rate anomaly detection mapped to NIS2 measures.
Cross-border incident handling
Incidents on core internet infrastructure have automatic cross-border implications. CSIRT coordination via ENISA for certain categories. Matproof's workflow includes ENISA touchpoints.
Registration and jurisdiction
Digital infrastructure providers register at their main establishment. For pan-European operators, NIS2 designates a single Member State authority. Matproof captures this designation and tracks registration.
In scope
- DNS service providers (authoritative and resolver)
- TLD registries (country-code, generic, new gTLDs)
- Trust service providers under eIDAS (qualified and non-qualified)
- Internet exchange point (IXP) operators
- Top-level domain name registries
- Data center services and cloud computing at Annex I scale
Frequently asked questions
Are we subject to NIS2 if we operate a small TLD or niche DNS service?+
For TLD registries and core DNS: yes, regardless of size. NIS2 Annex I makes this explicit — the criticality of the function overrides size thresholds. Very small operators face the same 10 measures as large ones.
How does NIS2 interact with eIDAS for trust service providers?+
eIDAS remains the licensing and conformity framework (Regulation (EU) 910/2014 and the updated eIDAS 2). NIS2 adds cybersecurity obligations. Most QTSPs already have strong security posture from eIDAS audits — NIS2 gaps typically center on board-level accountability, supply-chain management, and training.
Do we need to register with BSI if we're a small IXP?+
Yes, if you operate in Germany — IXPs are in NIS2 Annex I regardless of size. Registration is mandatory within the NIS2UmsuCG-defined window after scope trigger.
Related resources
Ready to start with NIS2?
30-minute demo tailored to Digital Infrastructure (DNS, TLD, Trust Services). We show you exactly how Matproof covers NIS2 for your sector.