CENTR warns revised EU Cybersecurity Act could overburden national domain registries

CENTR has urged EU policymakers to narrow proposed cybersecurity supply-chain rules, arguing that they could create unnecessary obligations for national domain registries and other internet infrastructure operators.
CENTR warns revised EU Cybersecurity Act could overburden national domain registries

CENTR has published a comment on the European Commission’s proposal to revise the EU Cybersecurity Act.

The proposal, known as the Cybersecurity Act 2, was presented in January 2026. It would strengthen EU cybersecurity governance and create a new framework for managing risks in information and communication technology supply chains.

The framework would apply to essential and important organisations covered by the NIS2 Directive. This includes country-code top-level domain registries, or ccTLD registries, which manage national internet domain endings such as .de, .fr, or .nl.

CENTR, which represents European national domain registries, supports the proposal’s general objective and the continued role of the EU Agency for Cybersecurity, ENISA. However, it warns that some provisions could impose overlapping or disproportionate requirements on domain registries.

The organisation argues that restrictions on suppliers considered high risk should be based on clear and verifiable security evidence. It says decisions should take account of the specific characteristics of critical internet infrastructure rather than applying broad rules across sectors.

CENTR also calls for an impact assessment before authorities exclude important suppliers. Affected organisations should be able to challenge decisions and participate in procedures for seeking exemptions.

Where a supplier must be replaced, CENTR says organisations should receive enough time to make the transition. Financial support should also be considered when no viable alternative is available.

The group further recommends narrowing the proposed definition of an ICT supply chain. It says the rules should generally cover suppliers that have a direct contractual relationship with an affected organisation, rather than referring broadly to internet protocols such as the Domain Name System.

CENTR welcomes an expanded support role for ENISA but says national domain registries must retain control over their own governance policies.

Civil Society Alliances for Digital Empowerment (CADE) is a project co-funded by the European Union.

Civil Society Alliances for Digital Empowerment (CADE) 2024. All rights reserved.

This website is co-funded by the European Union. Its contents are the sole responsibility of CADE and do not necessarily reflect the views of the European Union.

Web accessibility | Privacy policy

Go to Top