EU cybersecurity law risks overloading domain registries, CENTR warns

The European Commission’s proposed Cybersecurity Act 2 (CSA2) has drawn cautious support from the continent’s national domain registries, though concerns persist over potential regulatory overreach. CENTR, the association representing country-code top-level domain (ccTLD) operators, has welcomed efforts to strengthen cyber resilience but warned that certain provisions could create unnecessary operational and financial strain on critical internet infrastructure providers.

The CSA2, introduced in January 2026, aims to bolster EU cybersecurity governance by expanding the mandate of the European Union Agency for Cybersecurity (ENISA) and establishing a "trusted ICT supply chain framework" for entities already subject to the NIS 2 Directive. While CENTR endorses these objectives, it argues that the legislation risks duplicating existing obligations for essential infrastructure operators, including ccTLD registries.

Regulatory overlap and supplier risks

A core concern for CENTR is the framework’s approach to identifying "high-risk" suppliers. The association contends that supplier restrictions should be grounded in verifiable security risks rather than subjective or non-technical criteria. Broad definitions, it warns, could inadvertently extend regulatory obligations beyond direct contractual relationships—potentially encompassing foundational internet protocols like the Domain Name System (DNS). Such an expansion, CENTR argues, could disrupt operations without delivering proportional security improvements.

The association has called for thorough impact assessments and meaningful consultation with affected entities before finalizing the rules. It also advocates for mechanisms allowing organizations to challenge decisions that could disrupt their operations, alongside adequate transition periods and financial compensation where supplier replacements incur significant costs or prove unfeasible.

Governance and autonomy

While CENTR supports ENISA’s expanded role in supporting high-criticality sectors, it emphasizes the need for ccTLD registries to retain autonomy over their governance policies. The association argues that local flexibility is essential for serving diverse internet communities and maintaining the resilience of Europe’s digital infrastructure. Imposing uniform requirements, it suggests, could undermine the adaptability that has allowed ccTLDs to address region-specific challenges effectively.

CENTR’s position reflects broader tensions between harmonized cybersecurity standards and the operational realities of decentralized internet infrastructure. The association’s recommendations—narrower definitions, evidence-based risk assessments, and safeguards against overreach—aim to balance regulatory goals with the practical constraints faced by registries.

What to watch

The CSA2’s progress through the EU legislative process will be closely monitored by domain registries and other critical infrastructure operators. Key points of contention include the final scope of the ICT supply chain framework, the criteria for designating high-risk suppliers, and the extent to which ENISA’s expanded mandate will encroach on registry governance. Industry stakeholders are likely to push for amendments that address CENTR’s concerns, particularly around consultation processes and the preservation of local autonomy.

For now, ccTLD operators face uncertainty over how the legislation will ultimately shape their compliance obligations. The outcome could set precedents for future cybersecurity regulations affecting the broader internet ecosystem, making this a pivotal moment for Europe’s digital infrastructure policy.