On June 3, 2020, EURid, the registry for .EU domains, published its timeline and action plan to withdraw and delete .EU domains registered to entities and individuals located in the U.K.
If your domain portfolio is managed by CSC, you may already be in compliance and may not be affected by this update. Below is an overview of the plan and the risks for non-compliant .EU domain name holders.
Background and Brexit
Following the .EU regulations that were published on March 29, 2019, registrations of .EU domain names may be held by EU citizens, citizens of Iceland, Liechtenstein, and Norway, independent of their place of residence—as well as organizations that are established in the EU.
Because of these regulations and, subsequently, Brexit Day, the day the U.K. formally left the EU, organizations that registered their .EU domains under their U.K. establishments will become non-compliant after the end of the transition period, which runs from now until December 31, 2020.
Timeline and action plan
Note: This timeline is subject to change if the Brexit transition period changes.
From now until December 31, 2020: Unless the transition period is extended, U.K. organizations have until the end of the transition period to update the registrant of these .EU domain names to an EU entity, or lose control of the domain names along with any content, service, dependency, email, or server that was built on top of them.
On October 1, 2020: All U.K. registrant entities should expect a courtesy email from EURid notifying them of this timeline and action plan.
On December 21, 2020: Any non-compliant entity will again receive an email reminder from EURid.
After January 1, 2021: Non-compliant domain names will not function and will be made available for registration in batches after January 1, 2022.
What must occur?
If your domain portfolio is managed by CSC, your .EU domains may already be compliant and no further action is needed.
Otherwise, check that your .EU domain names are registered with entities established in the EU. If any of them are not, modify the registration information in these .EU domain names to those of a legally established entity from one of the eligible EU member states, or be sure to register .UK domain names as alternatives. You must complete any changes by December 31, 2020 because you will not be able to modify any aspect of your .EU domain registrations after January 1, 2021.
Due to the anticipated surge in ownership modifications in the last quarter of 2020, it’s best for your organization to beat the crowd by committing to domain modifications in the early part of Q3. In addition, new .EU domain names can only be registered to entities legally established in the EU or EU citizens.
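The portfolio review described above (and again under "What you can do right now") can be scripted. The following is an added example, not CSC's or EURid's code: it applies the eligibility rule from the regulations section (organizations must be established in the EU; individuals must hold EU, Icelandic, Liechtenstein, or Norwegian citizenship regardless of residence) to a constructed sample portfolio and ranks non-compliant .EU names that carry live services highest. The member-state list, the `Registration` record, and the sample entries are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date

# Assumption: the 27 EU member states after Brexit Day, as ISO 3166-1 alpha-2 codes.
EU_MEMBER_STATES = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE",
                    "GR", "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT",
                    "RO", "SK", "SI", "ES", "SE"}
# Citizens of Iceland, Liechtenstein and Norway are eligible too, wherever they live.
ELIGIBLE_CITIZENSHIPS = EU_MEMBER_STATES | {"IS", "LI", "NO"}
TRANSITION_END = date(2020, 12, 31)   # last day registration data can still be changed
PUBLISHED = date(2020, 6, 3)          # date of the EURid announcement, used as "today" below

@dataclass
class Registration:                   # hypothetical portfolio record
    domain: str
    registrant_type: str              # "organisation" or "individual"
    country: str                      # establishment country (org) or citizenship (individual)
    residence: str = ""               # individuals only; deliberately ignored by the rule
    uses: tuple = ()                  # live services riding on the name, e.g. ("email", "vpn")

def is_eligible(reg: Registration) -> bool:
    # Organisations: established in the EU. Individuals: EU/IS/LI/NO citizenship.
    if reg.registrant_type == "organisation":
        return reg.country.upper() in EU_MEMBER_STATES
    if reg.registrant_type == "individual":
        return reg.country.upper() in ELIGIBLE_CITIZENSHIPS
    raise ValueError(f"unknown registrant type: {reg.registrant_type}")

def audit_portfolio(portfolio, today: date):
    # One finding per non-compliant .eu name; names with live services rank first because
    # losing them also breaks everything built on top of them (VPN, VoIP, email, ...).
    findings = []
    for reg in portfolio:
        if not reg.domain.lower().endswith(".eu") or is_eligible(reg):
            continue
        findings.append({
            "domain": reg.domain,
            "severity": "high" if reg.uses else "medium",
            "days_to_fix": max((TRANSITION_END - today).days, 0),
        })
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["domain"]))

# Constructed sample portfolio (not real registrations).
SAMPLE = [
    Registration("example-corp.eu", "organisation", "GB", uses=("email", "vpn")),
    Registration("example-corp.de", "organisation", "GB"),             # not .eu: out of scope
    Registration("example-brand.eu", "organisation", "GB"),            # parked, still at risk
    Registration("example-shop.eu", "organisation", "IE"),             # EU-established: fine
    Registration("jane-doe.eu", "individual", "FR", residence="GB"),   # EU citizen in UK: fine
]
```

Run `audit_portfolio(SAMPLE, PUBLISHED)` to list the two names that need a registrant change and how many days remain to make it.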
What are the risks?
Unless you plan to let certain .EU domain names lapse after January 1, 2021, there are three immediate risks that you must take note of with regard to this notification:
1. Disruption to VPN, VoIP, website, services, dependencies, servers, networks, or email
If any of the .EU domain names in your portfolio are being used for your organization, the domain names should be updated to full compliance so they continue to work and outlast Brexit’s transition period.
Use includes:
- Virtual private network (VPN) access
- Voice over IP (VoIP) services
- A content website
- As part of the server infrastructure or network of servers within your organization
- A dependent service, such as email, web traffic, or another dependency you may not be aware of
2. Loss of control and ownership
Non-compliant .EU domains will cease to work after January 1, 2021, and you will lose control of these domains. At that point, you won’t be able to modify the domain registration information to make them work. The registry will collect them and make them available for general registration after January 1, 2022, and you will only be able to attempt to re-register them if you meet the .EU registration criteria.
3. Hijacked activity trail from abandoned domain names
We reiterate the core message of our publication in 2018 that an abandoned domain name could hurt you. An abandoned corporate domain name often carries a footprint of activity that can be leveraged as an attack vector by cyber criminals. If any of your .EU domain names were receiving email before, they could continue receiving email correspondence from unsuspecting entities that don’t know you abandoned the domains.
A re-registered domain name gives the new registrant instant access not only to emails—but also the ability to reset passwords to accounts, like management or financial portals, databases, and social media—giving criminals the ability to compromise your business through phishing attacks, data leaks, social engineering, and more.
In addition, if any of your .EU domain names receive a certain level of web traffic, you should continue renewing them. KrebsOnSecurity further wrote that such domain names, if not renewed, could pose a huge security risk to the organization. The reason is that the domain names could then be scooped up by crooks who could use them to set up fake eCommerce sites that steal credit card details from unwary shoppers. These sites capitalize on the visitor traffic that continues to reach them even after the domain names expire.
Reducing these risks is why EURid will purge non-compliant .EU domain names only after withdrawing them from the active zone for a full year. Although one year may be long enough for significant levels of visitor traffic to die down, the other risks are not completely diminished.
Resourceful bad actors could still potentially register and restore expired domain names, and leverage them in the aforementioned ways.
What you can do right now
Review your .EU domain portfolio for non-compliance issues that will arise after the end of the Brexit transition period and modify their registration information where possible.
If you need help in narrowing down your vital domains, ask us about our CSC Security Center℠.