Here you can download the proposed text for the new agreement (in Norwegian).Download
English translation of the proposed text:Download
Please send your input by e-mail to email@example.com. Please enter “Input to registrar agreement” in the subject field and specify your registrar ID (REG handle).
Need for adjustments to the registrar scheme
In line with the Norwegian Domain Name Regulations 1 Norid delegated part of the process of registering domain names to registrars.
We are responsible for designing the registration scheme so that it functions properly and within the framework set by the Norwegian authorities. This includes, among other things, specifically defining which tasks are to be centralised at Norid, and which tasks are to be left to the registrars. The relationship between Norid and the registrars is regulated through agreements under civil law.
The Internet is becoming an increasingly important part of the value chain for many of society’s critical services, and the Norwegian Communications Authority points out that the robustness of the infrastructure must be continuously strengthened in step with increased physical loads 2 . The domain name system is a basic function that is necessary for Internet infrastructure to work properly 3 . This places increased security demands on all players involved, including domain registrars.
In order to succeed in maintaining security and quality for the Norwegian top-level domain, it is important for Norid to have professional registrars. At the same time, it must be attractive for registrars to offer Norwegian domain names so that .no remains competitive. Against this background, we see a need to revise and modernise the registrar agreement.
Current practice will continue largely unchanged
The proposed new agreement will mainly continue current practice and the established division of responsibilities between Norid and the registrars. It collects, describes and elaborates on the duties, rights and responsibilities of registrars and Norid, and which today are partly found in the registrar agreement, partly in the domain name policy for .no and partly follow from established practice. Gathering all this under one agreement will make it clearer and provide greater predictability both for Norid and for the registrars.
In addition, the agreement is being modernised. The new agreement adds a number of terms and conditions that are common in business relationships (regulation of the use of marks, intellectual property rights, duty of confidentiality etc.), so that Norid and the registrars do not have to examine the background law to know how to handle these areas. Consequences in the event of breach of contract are nuanced so that Norid has other options than terminating the agreement with a registrar in breach. In line with established practice, the new agreement makes it clear that the registrar is free to use assistants, such as resellers, but that the registrar is responsible for the assistants’ actions. The registrars continue to have an obligation to pay for what they order, but the detailed description of the invoicing process has been removed. The new agreement then makes it possible for Norid to change the current payment model from pre payments to a more standarised model with after-payment.
In recent years, developments in electronic communication have gone in the direction of increased requirements for user authentication 4. We are not making any changes in this area at this time. The responsibility for verifying that domain name holders are who they claim to be still rests with the registrar, who is free to choose an appropriate method to fulfill this requirement. However, this is an area where the authorities may set new requirements in the future.
Some new additions
The proposed new agreement places some increased demands on registrars. The most important changes are:
- Information security requirements: All registrars have access to our registry service and to an extended lookup service for the domain registrations. This access can provide a possible attack route into Norid’s systems. The proposed new agreement sets clear security requirements, including that registrars must have an overview of which persons and systems have access to our systems, and that they must have procedures for updating accesses. Furthermore, registrars must notify Norid of security breaches or potential security breaches that may compromise our systems. They must otherwise follow normal industry standards for information security requirements. We can also expect that this will be an area where there may be increased requirements in the future.
- Updating subscription information in our registry: Domain name holders are responsible for ensuring that their contact information and their technical information registered with us are correct and up to date. However, fulfilling this obligation depends on the registrar. The proposed new agreement requires registrars to have a procedure where they inform domain name holders once a year about what information is registered on the domain registrations managed by the registrar.
- Increased competence requirements: Currently, we have a mandatory test for new registrars. The requirement is that one of the registrar’s employees must complete the test. For many registrars, it has been more than ten years since one of their employees took the test, and the person who took the test is no longer necessarily employed by the registrar. The proposed new agreement requires that the employee whom the registrar designates as the primary contact person for Norid and the person or persons who control the registrar’s access to Norid’s systems (admin user on Norid’s registrar web) must have taken the registrar test. This means that there is at all times at least one employee at the registrar who has taken the test. The registrar must also ensure that all personnel who receive access to Norid’s systems receive the necessary training.
All registrars who wish to continue under the new agreement must complete an extended registrar test.
- Increased requirements for minimum activity: A registrar must maintain a certain level of annual minimum activity in the form of establishing new domain registrations or renewing existing registrations, in order to maintain its registrar status. The requirement is currently a minimum of 40 such transactions. The proposed new agreement increases the minimum requirement for activity from 40 to 100 transactions a year. Registrars with lower activity will be invoiced a number of ordinary subscription fees (currently 60 kroner ex. VAT) corresponding to the lack of activity.
The principle for the registrar model is that Norid will delegate certain tasks to a professional registrar that will convey domain subscriptions to interested enterprises and individuals. In our view, the proposed new requirements are necessary to further develop the quality of the Norwegian top-level domain, and they will not prevent competition among registrars either within the low-price segment or the segments that offer larger service packages. We know that some domain registrars exist for historical reasons, or they only handle domain names for internal use. As the agreement now sets stricter requirements for security and competence, this can be an opportunity to take a step back and consider alternatives.
Process moving forward
After the feedback deadline of 21 May 2021, we will process the input and then send out a final agreement for signing. In line with the current agreement, there will be a transition period from the time the new agreement is sent out until it enters into force. Registrars will thus have time to decide whether they want to continue as a registrar under the new agreement.
- 1. Section 5 of the Norwegian Domain Name Regulations
- 2. EkomROS 2020 (only in Norwegian)
- 3. Consultation for Official Norwegian Report NOU 2018: 14 ICT security in all stages and draft legislation to implement the NIS Directive in Norwegian law (only in Norwegian)
- 4. Consultation on amendments to the Norwegian Electronic Communications Act and the Norwegian Electronic Communications Regulations with proposals for legal authority for the obligation to deliver broadband and clearer requirements for unambiguous identification of end users (only in Norwegian)