.DE NIS2 - Domain Registration & Data Verification Changes

DENIC, the registry operator for .DE domains, is introducing changes to domain registration, WHOIS data publication, and registrant verification processes to comply with the EU NIS2 Directive. These changes introduce new data accuracy, verification, and enforcement requirements for both new and existing .DE domains.

Failure to meet these requirements may result in domain deletion.

What’s changing for .DE domains?

To comply with NIS2 and updated DENIC policies:

• Registrant contact data must be accurate, complete, and verifiable
• A valid telephone number will become mandatory
• Registrant email addresses must be verified
• Certain WHOIS data will be published
• Domains with suspicious or high-risk data may be subject to mandatory verification

These requirements apply to new registrations, contact updates, and existing domains.

Key dates

Already in effect

Email verification

• When a registrant email address is entered for the first time and has not been verified, a verification email is sent to the domain holder.
• The registrant must confirm the email address.
• Failed verifications results will be shared with registry. Failed email verification will trigger a risk assessment by DENIC.
• Please refer to the email verification process outlined here.

Effective 28 January 2026

The following requirements apply to all .DE registrations:

Mandatory telephone number

• A valid and reachable phone number is required.
• Dummy, placeholder, or invalid numbers are no longer accepted.

WHOIS data publication

The following will be published for all .DE domains:

• Domain registration date
• Managing DENIC member:
  • Name
  • Address
  • Email address
  • Telephone number

Domain holder data publication

The following data will be published:

• Legal entities: 
  • Name
  • Address
  • Email address
  • Phone number will be published.
• Private individuals:
  • Registration date
  • Administering DENIC member
    
    

Important: The contact type “Individual” must only be used for natural persons. Incorrect classification may result in compliance issues or unintended data publication.

Effective 14 April 2026

Annual WHOIS data reminders

• Domain holders will receive annual reminders to review their registration data.
• Any missing or inaccurate information must be corrected.

Transition period for existing domains

• Existing .DE domains missing a telephone number must be updated within one year, by April 2027.

What information must be accurate?

For new registrations and contact updates, all of the following fields are mandatory and must be valid:

• Name (real first and last name)
• Organization (required for legal entities)
• Email address (valid and reachable)
• Telephone number (valid and reachable)
• Postal address, including:
  • Street and house number
  • Postal code
  • City
  • Country

Failure to provide accurate information may result in domain deletion.

How verification works for .DE domains

DENIC uses a risk-based verification model that applies to:

• New registrations
• Contact updates or ownership changes

Email verification

If a registrant’s email address is unverified, a verification request will be sent to the registrant. If email verification fails:

• Low-risk cases require verification of the email address only.
• Suspicious or high-risk cases require verification of the registrant’s name, address, and email address.

Resellers will be notified and given 7 days to resolve the issue. If the issue remains unresolved, the domain will enter a 90-day quarantine period, during which verification can still be completed. 

If verification is not completed by day 91, the domain will be deleted. 

Important: This process is subject to change. Any updates will be communicated accordingly.

Please refer to the email verification process outlined here.

What happens if verification fails?

If verification is requested and no response is received:

1. The domain may be placed into quarantine
   • The domain stops resolving in DNS
   • Verification is still possible
2. If verification is not completed:
   • A final warning is issued
   • The domain is deleted if unresolved within the required timeframe.

Risk-based enforcement model

DENIC applies a traffic-light risk system:

• Low Risk – No verification required
• Suspicious – Verification requested; warning issued before quarantine
• High Risk – Domain placed into quarantine; final warning before deletion

Verification requests apply to all domains linked to the flagged contact. 

Acceptable verification documents

Depending on the registrant type, DENIC may request supporting documentation:

Natural persons

• Passport or national ID
• Utility bill
• Bank statement
• Payment verification
• Video or on-site identity verification

Legal entities

• Commercial register extract
• Founding documents
• Federal Gazette entry
• VIES request
• Comparable official documentation.

List of Proofs

The table below lists the proofs accepted by DENIC. 

What do resellers need to do?

Due to the white-label model:

• Resellers are responsible for verifying:
  • Registrant name
  • Phone number
  • Postal address
• Resellers must:
  • Contact the registrant
  • Collect updates or proof where required
  • Report the verification outcome to OpenSRS
• Proof documents are only shared if explicitly required by the registry or policy.

What do domain holders need to do?

To avoid disruption:

• Ensure all contact details are accurate
• Respond promptly to verification emails or reseller requests
• Update missing information when notified
• Monitor email regularly for verification requests

Was this article helpful? If not please submit a request here