Be aware of FAKE EMAILS pretending to be from us. Read more here.
Hele Danmarks .dk

Questions and answers related to NIS2

Below we have compiled various questions and answers regarding NIS2 that registrars have asked.

General information about data- and ID-control

Why are there new requirements for email addresses?

According to the NIS2 directive, companies' (legal entities) email addresses must be published in WHOIS for Danish domains from 1 November 2025. This requires that all email addresses registered must be verified.

Can a registrar change their registration settings related to whether they want to perform data- and ID-control?

A registrar can change their registration settings at any time to determine whether they want to do the verification, but they must complete what they have initiated.

If the registrar initiates an ID check and stops in the middle of the process – what should happen?

The registrar must finish what they have started, so they can't stop in the middle of it. Unless they renounce their role as a registrar in which Punktum dk will initiate a new ID check

Should the process be changed for registrar transfers so that verification is carried out before transfer - unlike today?

Same process as today. Both registrar-managed non-DK registrants (if extracted in risk engine) and danish registrants must be verified before the transfer can be completed. For non-danish registrants who are registrant-managed, a data and ID check may be carried out after the domain name has been transferred.

Who is responsible for validation, for registrants who have already performed a data-and ID control by the registrar or Punktum dk, if there is a change of registrar?

You retain your status as verified unless a situation arises that requires a new ID check.

Should a domain name be activated when the registrar has marked it as verified, regardless of whether the customer is Danish, and the system cannot lock the domain to CPR or CVR?

A new data- and ID-control is initiated, and the domain name is only activated after the data- and ID-control has been completed. This applies to both registrant and registrar management.

Is the domain name activated if the registrar says that a danish registrant is validated, but we cannot lock them to the register?

No, activated only after locked to register.

Should a registrar be able to choose whether to perform data- and ID-control of a registrar-managed customer in the middle of the registration process?

No, the customer keeps the registration setting that was at the time of creation.

Can the registrar mark that a field has been verified, and thereby close the request for verification, even if it is Punktum dk that has started validation on a registrar-managed customer? For example, if the customer verifies required data via registrar, instead of using our request.

No, the registrar may not mark that the customer is verified, only Punktum dk can do so due to the all-or-nothing principle. The customer must apply the request they have received.

Can registrar, on registrar-managed customers, mark that a field is verified when updating, when the registrar has chosen that it is Punktum dk that performes data- and Id-control? For example, if the customer verifies required data via registrar, instead of using our request.

They can't close or ignore an active request if Punktum dk is responsible for verification. Cf. the all-or-nothing principle

Do we need to start a new verififcation request if the registrar flags that information is no longer valid?

No, in practice, the registrar needs to make sure that the information is correct and does not have to mark that data is not ok while doing data and ID checks. We trust them.

Is it approved that there can only be one active verification request per customer?

Yes, in relation to the fact that we do not give a new deadline. 

If a registrar or registrant/proxy updates information that requires verification, it will be added to the active request. For example, the customer updates an address on 1.1, and then updates the address again. 20.1, before the request has expired and the address has been verified. Verification of the address, becomes part of the active request, and the customer now only has 5 days to update the address.

Should a registrar be able to mark that a customer has name and address protection?

Yes, documentation must be submitted for private individuals to the registrar just as if a registrant is a sole proprietorship.

Should the registrar be able to mark which e-mail may be published publicly when creating a company contact?

No, the solution is that the secondary email will appear automatically. If there isn't a secondary email, the primary email is published.

What email address is published in WHOIS?

We always publish the secondary. If there is no secondary email, the primary email will be published.

What is the difference between Primary and Secondary email?

Primary email: The legally required, primary contact address. This MUST always be verified to ensure the functioning of the domain.

Secondary email (optional): An additional email address that registrants can choose to add. It also needs to be verified, but is optional.

Is it approved that companies can specify one public email for publication in WHOIS, and another email for contact for Punktum dk?

Secondary email is treated as public. If there isn't a secondary email, the primary email is published.  (Both email addresses are verified)

Is the “all-or-nothing” principle still applicable?

We have chosen a model where a registrar can decide whether verification of customer data is handled by Punktum dk or by the registrar itself. If a registrar chooses to handle all verification themselves, the registrar is responsible for:

  • ID verification when the contact is created and updated
  • Email verification when the email address is created and updated
  • Handling any ID and email verification checks that Punktum dk may initiate for the contact

If a registrar chooses Punktum dk to handle the verification, the registrar can still indicate that the customer has already been verified when creating a contact. Any subsequent verification will, however, be handled by Punktum dk in this case.

Can a registrar choose to validate only registrants with a non-Danish address?

Yes, a registrar can choose to verify only contacts without a Danish address when creating contacts. However, if a registrar has chosen to handle all verification themselves, they cannot limit verification to only registrants without a Danish address.

Can a registrar choose to validate only the email while Punktum dk handles ID verification (and vice versa)?

No, registrars cannot choose to verify only the email or only the name and address. The all-or-nothing principle applies - either the registrar handles all contact verifications, or the verifications is handled by Punktum dk. This applies to both contact creation and updates.

The verification process

How is the verification done?

The verification must take place by active response from the registrant:

If Punktum dk verify:  Punktum dk sends separate verification emails with unique links to the primary and secondary addresses.

If the registrar verifies: The registrar must ensure that both the primary and secondary addresses are verified by the registrant using active response.

What if I, as a registrar, am responsible for the verification?  

If you choose to do the verification, make sure that the registrant actively verifies both email addresses (if a secondary one has been added). Upon request from Punktum dk, you must be able to present documentation that the email addresses have been verified.

Does a changed email address need to be verified again? 

Yes. When updating either the primary or secondary email address, the updated address must be verified again before the change takes effect.