How Brexit increases the risks for non-compliant .EU domain names


On June 3, 2020, EURid, the registry for .EU domains, published its timeline and action plan for retiring and deleting .EU domains registered with entities and individuals located in the UK.

Context and Brexit

In accordance with the .EU regulations published on March 29, 2019, .EU domain name registrations can be held by EU citizens, citizens of Iceland, Liechtenstein and Norway, regardless of their place of residence, as well as by organizations established in the EU.

Due to these regulations and subsequent to Brexit Day, the day the UK officially left the EU, organizations that have registered their .EU domains with their UK establishments will become non-compliant after the end of Brexit. transition period, i.e. until December 31. 2020.

Calendar and action plan

Note: timing is subject to change depending on the Brexit transition period

Check that your .EU domain names are registered with entities established in the EU. If any of them are not, replace the registration information of these .EU domain names with those of an entity legally established in one of the eligible EU member states, or ensure you to register .UK domain names as alternatives. You must make all changes by December 31, 2020, as you will not be able to change any aspect of your .EU domain registrations after January 1, 2021.

What are the risks ?

Unless you plan to renew some .EU domain names after January 1, 2021, there are three immediate risks you should consider regarding this notification:

1. Disruption of VPN, VoIP, website, services, dependencies, servers, networks or emails

If any of the .EU domain names in your portfolio are used for your organization, the domain names must be updated for full compliance so that they continue to function and survive the Brexit transition period.

Usage includes:

  • Virtual Private Network (VPN) Network
  • Voice over IP (VoIP) services
  • A content site
  • As part of the server infrastructure or network of servers within your organization
  • A dependent service, such as email, web traffic, or any other medium you may not be aware of
2. Loss of Control and Ownership

Non-compliant .EU domains will stop working after January 1, 2021 and you will lose control of those domains. At this point, you will no longer be able to modify the domain registration information to make it work. The registry will collect them and make them available for general registration after January 1, 2022, and you can only attempt to register them if you meet the .EU registration criteria.

3. Hacked activity trail from abandoned domain names

We reiterate the central message in our article that an abandoned domain name could harm you. An abandoned corporate domain name often bears a fingerprint of activity that can be exploited as an attack vector by cybercriminals. If any of your .EU domain names were previously receiving emails, they may continue to receive emails from unsuspecting entities who are unaware that you have abandoned the domains.

A re-registered domain name gives the new holder not only access to emails, but also the ability to reset passwords to accounts, such as management or financial portals, databases and social networks, giving criminals the ability to compromise your business through phishing attacks, data leaks, social engineering, and more.

Also, if one of your .EU domain names gets a certain level of web traffic, you should keep renewing it. KrebsOnSecurity further wrote that these domain names, if not renewed, could pose a huge security risk to the organization. The reason for this is that domain names could then be taken over by scammers who could use them to create fake e-commerce sites that steal credit card details from unwary buyers. These sites capitalize on the traffic of visitors heading to these sites even after the domain names have expired.

Reducing these risks is why EURid will only purge non-compliant .EU domain names after removing them from the active zone for a full year. While a year may be a long enough period for significant levels of visitor traffic to die out, other risks are not completely diminished.

Resourceful malicious actors could still potentially register and restore expired domain names, and exploit them in the aforementioned ways.

What you can do now

Examine your portfolio of .EU domains for non-compliance issues that will arise after the end of the Brexit transition period and amend their registration information if possible, and use tools this can help narrow your home ranges.

Previous Beware of abandoned domain names in these turbulent times and as the global economy evolves
Next NCIP facilitates IPs' dialogue with the UN and the international community