NIS2 implementation: DENIC releases certain owner data of .de domains

New transparency obligations for .de domain registrations apply in Germany as of December 6, 2025. As DENIC reports in its blog, the regulations also directly affect the WHOIS query for .de domains. The background is the national implementation of the European NIS2 Directive on cybersecurity.

The domain query now provides additional information. For all .de domains, the managing DENIC member is generally published – i.e., the provider through whom the domain is registered and administratively managed. This means that for every .de domain, there is a clearly named and contactable entity, even if the owner data cannot be displayed for data protection reasons.

For domains of legal entities such as companies, associations, or organizations, the name and address of the domain owner, email address and phone number, as well as the domain registration date, are publicly visible. In addition, the name and contact details of the managing DENIC member are included. For domains of natural persons, however, personal owner data remains protected – only the registration date and the name and contact details of the DENIC member are visible. These were once freely visible.

The changes are part of the comprehensive NIS2 implementation in Germany. The NIS2 Implementation Act significantly tightens cybersecurity requirements and forces companies and government agencies to recognize information security as a strategic, ongoing task. Germany is consistently using the directive's scope and in some cases exceeding the European minimum requirements.

Access to non-public data

Domain owners can continue to view their own data stored at DENIC. This requires appropriate authorization within the domain query, for example, by entering the postal code or confirming via email link. Furthermore, third parties such as rights holders, authorities, insolvency administrators, or claimants with an enforceable title can gain access to non-publicly visible data if there is a legitimate interest and after individual case review. DENIC provides specialized forms for this purpose.

The WHOIS query provides the extended information in a structured format as text or JSON. The regulations are intended, in particular, to reduce abuse through incorrect or incomplete registration data and to facilitate contact in case of legal problems.

Risk Assessment from April 2026

In Phase II, starting on April 14, 2026, contact and domain orders will be subjected to an automated risk assessment. The system works with a traffic light principle and classifies domains by risk level (Low/Suspicious/High Risk). Anomalies in the registration data – such as suspicious IP addresses, names, or patterns – trigger a verification request to the responsible DENIC member.

If the provider does not respond or cannot verify the data, consequences are imminent: the affected domain will be placed in quarantine, which deactivates its DNS resolution, and may be deleted if no further action is taken. Domain owners will also be informed by email about the verification request within the first three weeks. DENIC members must henceforth ensure that all registration data is correct and verifiable, including valid phone numbers and email addresses.

The NIS2 Directive covers DNS and TLD providers like DENIC as critical infrastructure. The requirements of NIS2 also apply to micro and small enterprises that manage domains for their customers. In Germany, an estimated 29,500 companies are affected by the new cybersecurity obligations.

Companies should check their .de domains immediately and ensure that all registration data is complete, correct, and up-to-date. Validation of email addresses and phone numbers is particularly important, as these will be systematically checked in Phase II. The European Commission is already working on further adjustments to the NIS2 Directive.

(mki)