On March 6, 2026, IONOS made all business domain registration data publicly visible in WHOIS directories. The company permanently removed its WHOIS privacy option for every TLD it offers. Not as a product decision – as a legal obligation under Germany’s NIS2 transposition law, which took effect in December 2025 with no transition period.

IONOS is not alone. Hetzner partnered with identity verification provider iDenfy to implement KYC checks for new customers. Plesk shipped a NIS2 compliance mode that makes it impossible to disable security logs. Openprovider warned its reseller network that Article 28 verification requirements “may break your existing code.” And domain registrars across Europe are scrambling to implement identity verification procedures that most of them have never had to run before.

These are not hypothetical compliance scenarios. They are happening now. The NIS2 Directive – the EU’s overhauled cybersecurity law – classifies hosting providers, DNS operators, and domain registrars as essential infrastructure, and the effects are already visible in the products, processes, and pricing of the companies that make up this industry.

What Changed and Why It Matters

NIS2 was supposed to be transposed into national law across all 27 EU Member States by October 17, 2024. Only four countries made the deadline: Belgium, Croatia, Italy, and Lithuania. The Commission opened infringement proceedings against the other 23. As of March 2026, roughly 20 countries have completed the process. France, the Netherlands, and several others are still not done.

For the hosting industry, three things matter most:

First, DNS providers and TLD registries are classified as “essential entities” regardless of company size. There is no small business exemption. Domain registrars are in a separate legal position – the directive brings them into scope regardless of size (Article 2(4)) but does not explicitly classify them as essential or important, leaving that decision to each Member State. Poland classified registrars as essential – the most demanding tier. Other countries may classify them as important, or leave the classification ambiguous. Cloud and data center operators are essential if they have 50+ employees or EUR 10 million in turnover. Managed service providers are classified as “important” – a step below essential, but with the same baseline security requirements.

Second, incident reporting is mandatory within 24 hours. When a significant incident occurs, hosting providers must submit an early warning to their national CSIRT within 24 hours, a detailed notification within 72 hours, and a final report with root cause analysis within one month. Cyprus shortened the early warning window to 6 hours – four times faster than the directive requires.

Third, the supply chain cascade pulls in companies that are not directly in scope. Banks, hospitals, energy companies, and government agencies are all NIS2-regulated. They are now flowing compliance requirements down to their hosting vendors through contracts. Even a small hosting provider below NIS2’s size thresholds will face NIS2-level security demands from enterprise customers. Klaus Landefeld, a member of eco Association’s board, described the scale in Germany alone: “With such a number of affected parties – six times more than before! – the scope of application and the group of addressees must be determined in an absolutely binding manner.”

What Hosting Companies Are Already Doing

IONOS took the most visible action. Following Germany’s NIS2 transposition in December 2025, IONOS permanently removed WHOIS privacy for all TLDs. From March 6, 2026, contact details of organizations and companies are published in public WHOIS. Individual registrants remain protected under GDPR. But IONOS warned sole proprietors: if the “Company” field is populated in their account, they are treated as an organization and their data will be published. The company’s workaround – delete the Company field and use “Additional address” instead – shows how granular the compliance decisions have become.

Hetzner partnered with iDenfy to implement AI-powered identity verification for new customers. Andreas Fischer, Hetzner’s Head of Marketing, framed it as a trust issue: “Our customers trust us with the infrastructure that empowers their businesses. That relationship starts at sign-up, and it was important to us that the very first experience a new customer has on our platform reflects that trust.”

Plesk shipped a NIS2 compliance mode in Obsidian 18.0.60. Activating it (via a nis2compliant flag in panel.ini) makes it impossible to disable logging of DNS and authentication changes, prevents complete removal of audit log events, and logs all API requests that modify server settings. Plesk recommends forwarding logs to an external server – since logs stored on the same machine they monitor can be tampered with during a breach. On the Plesk community forum, hosting providers are already debating the operational implications. One administrator asked how long logs must be retained and whether 18-month retention conflicts with GDPR’s data minimization rules. The answer is not clear – and that tension between “keep everything for security” and “keep nothing you do not need” runs through NIS2’s entire relationship with GDPR.

Openprovider, a Dutch registrar platform serving resellers across Europe, warned that Article 28 verification requirements may break existing API integrations. Prasad Fernando, Openprovider’s Head of Development, acknowledged the burden: “We understand the challenges faced by smaller companies in the area of compliance – it is a process that requires significant resources, both in terms of time and money.”

eco Association developed a practical solution for Article 28: a supplementary contract template for Registry-Registrar Agreements. Thomas Rickert, eco’s Director of Names & Numbers, created the template. Ronald Schwarzler, CEO of domainworx (operator of .wien, .koeln, .cologne, and .tirol TLDs), called it “a valuable tool for us to reach the necessary agreements with our registrars in accordance with Article 28 – without having to contact each accredited registrar individually.” The approach was presented as best practice at ICANN84 in Dublin. Rickert’s take on the broader situation: “Like it or not, we’re all on Team 28 now and have to make it work one way or the other.”

Meanwhile, GoDaddy, Hostinger, and Namecheap have made no NIS2-specific product changes. OVHcloud, Scaleway, and SiteGround have not published public NIS2 compliance statements. The industry’s response is split between companies actively adapting and companies treating NIS2 as someone else’s problem.

The WHOIS Problem Returns

When GDPR took effect in May 2018, registrars stripped personal data from public WHOIS databases almost overnight. Law enforcement, IP rights holders, and cybersecurity researchers lost access to registration data they had relied on for decades. NIS2’s Article 28 partially reverses that: registrars must now collect and verify registrant data (name, email, phone number), publish non-personal data, and respond to legitimate access requests for personal data within 72 hours.

The practical implementation is messy. ICANN replaced WHOIS with RDAP as the definitive lookup protocol in August 2025 and moved registries to a “thin” data model with minimal data. Critics on CircleID accused ICANN of inaction on NIS2, calling it “the elephant in the room” at ICANN76.

Polina Malaja, Policy Director at CENTR (the council of European TLD registries), identified the core tension: “The verification obligation is one of the most challenging aspects of the NIS2 Directive for the domain industry.” CENTR’s position is that domain registration data “is not necessary for the technical function (nor security) of DNS,” and that verification costs “will make European domain names less competitive,” driving market consolidation as smaller operators cannot sustain the burden.

The fragmentation makes it worse. Lars Steffen, eco’s Head of International Digital Infrastructures, warned that “in future, there could be up to 27 different procedures for validating registrants” – one per EU Member State. Registrars operating across borders face a patchwork of rules with no unified compliance path.

27 Countries, 27 Different Rules

NIS2 was designed to harmonize cybersecurity requirements across the EU. Instead, the transposition process produced significant national variation in exactly the areas where hosting companies need consistency.

The differences are not minor:

  • Reporting deadlines: The directive says 24 hours. Cyprus says 6. Latvia added a 5-working-day vulnerability disclosure requirement the directive does not include.
  • Entity classification: Germany uses a three-tier system with a separate “critical facility operator” category. The directive leaves registrar classification (essential vs. important) to Member States – Poland classified them as essential, the most demanding tier. Croatia added educational institutions and local government bodies.
  • Compliance mechanisms: Belgium built its own CyberFundamentals (CyFun) framework with three assurance levels and a presumption-of-compliance certification. Italy’s ACN formally notifies entities of their status rather than relying on self-assessment. Most other countries expect entities to figure out their own classification.
  • Personal liability: Germany requires board-level cybersecurity training every three years and bars full delegation of responsibility. Poland imposes penalties up to 600% of monthly salary on management. Croatia can ban individuals from management roles.
  • Scope: Poland: approximately 38,000 entities. Germany: approximately 29,850. France: approximately 15,000. Croatia: 8,000 to 10,000. Belgium: 4,000 registered.

For a hosting company operating across multiple EU markets, a single compliance framework is not enough. What satisfies German requirements may fall short of Cypriot reporting deadlines or Belgian certification standards. EuroISPA warned in a March 16, 2026 position paper that the EU’s planned single reporting entry point “risks merely consolidating fragmentation” unless definitions, thresholds, and timelines are aligned across NIS2, DORA, the Cyber Resilience Act, and GDPR.

The Transposition Mess

The country-by-country picture tells its own story about how seriously – or not – EU Member States took the October 2024 deadline.

Belgium was the model student. Its NIS2 Law passed in April 2024. Digital infrastructure entities registered by December 18, 2024. As of late 2025, 1,500 essential and 2,500 important entities were in the system. CyFun Basic/Important certification is due by April 18, 2026. Essential certification by April 18, 2027.

Croatia was the fastest, with its Cybersecurity Act in force from February 2024 – eight months early. It expanded from 1,000 entities under NIS1 to an estimated 8,000 to 10,000 under NIS2, and added a unique requirement: important entities must perform cybersecurity self-assessments every two years. Authorities can withdraw business licenses for severe non-compliance.

Germany was derailed by politics. The Federal Cabinet adopted the NIS2 draft in July 2024. Then the Scholz government collapsed in November 2024. Under the Diskontinuitätsprinzip – Germany’s discontinuity principle – all pending legislation lapsed. The bill had to be reintroduced from scratch after snap elections in February 2025. It finally took effect on December 6, 2025, with no transition period. Approximately 29,850 entities fell in scope overnight. The BSI registration portal opened January 6, 2026, with a March 6 deadline.

France is bundling three EU directives – NIS2, CER, and DORA – into a single “Loi Resilience.” The National Assembly’s special committee adopted 245 amendments over three days in September 2025. ANSSI launched a MonEspaceNIS2 pre-registration portal. The scope expands from roughly 500 entities under NIS1 to approximately 15,000. Essential entities will face mandatory ANSSI-certified audits every three years. Final promulgation is expected in Q1 2026.

The Netherlands was delayed by the collapse of the Rutte IV cabinet in July 2023 and a year-long caretaker period. The Cyberbeveiligingswet went through a legislative consultation in the House of Representatives on March 23, 2026. The plenary vote has not yet taken place. The government is targeting entry into force by July 1, 2026.

Italy took a distinctive approach: entities register on the ACN platform, and the agency formally notifies them of their classification by April 15, 2025. Full technical compliance is due within 18 months of notification. Italy emphasized personal liability for directors beyond the directive’s minimum.

Lithuania introduced a phased timeline: organizational requirements by April 2026, technical requirements by April 2027. It mandates two separate roles – a cybersecurity manager and a security officer – with distinct responsibilities. Government entity fines are capped at EUR 60,000.

The Cost Question Nobody Can Answer Precisely

The European Commission’s impact assessment (SWD/2020/344) estimated that entities newly brought into NIS2 scope would need to increase their ICT security spending by up to 22% in the first years. For entities already regulated under NIS1, the estimate was 12%.

Concrete per-company costs are harder to pin down. No authoritative source publishes reliable first-year compliance cost ranges broken down by entity type. The spending depends on the company’s existing security posture, size, and how many of the 13 requirement areas already have controls in place. What is clear is that the bulk of first-year effort goes to internal work: writing policies, training staff, documenting processes, and collecting audit evidence.

ENISA’s NIS Investments 2024 report – based on a survey of 1,350 organizations across all 27 Member States – found that 34% of SMEs cannot secure the additional budget required for NIS2 compliance. For hosting companies just above the 50-employee or EUR 10 million turnover threshold, compliance costs can represent a disproportionate share of revenue. One CSO Online analysis described the process bluntly: companies “produce mountains of documentation that neither increases actual security nor is realistically verifiable.”

Companies with existing ISO 27001 certifications have a head start. ENISA’s technical implementation guidance maps NIS2 requirements directly to ISO 27001 controls. European cloud providers like Hetzner, OVHcloud, and Scaleway are using existing certifications as their compliance foundation. Being EU-native is itself becoming a competitive advantage – using a US-owned cloud provider is now a documented risk factor in NIS2 supply chain assessments.

The Commission Already Wants to Fix It

On January 20, 2026 – barely a year after the transposition deadline – the European Commission proposed amendments to NIS2. The key changes:

  • A new “small mid-cap” category (under 750 employees, under EUR 150 million turnover) that would be classified as important rather than essential, benefiting approximately 22,500 companies.
  • A harmonization clause that would prevent Member States from adding national requirements beyond what the Commission’s implementing acts specify – directly targeting the gold-plating problem.
  • Mandatory ransomware reporting including ransom demands, payments, and cryptocurrency wallet details.
  • Total scope relief for roughly 29,000 companies across the EU.

The amendments are a proposal, not law. Negotiations are expected later in 2026. For hosting providers dealing with compliance today, the simplification offers hope but no immediate relief.

No Fines Yet – But the Infrastructure Is Ready

As of March 2026, no public enforcement actions or fines have been issued under NIS2. But the penalty frameworks are in place: up to EUR 10 million or 2% of global turnover for essential entities, EUR 7 million or 1.4% for important entities. Belgium doubles fines for repeat offenses within three years. Croatia can withdraw business licenses. Poland added a PLN 100 million super-penalty for incidents threatening national security, plus personal management liability up to 600% of salary.

Belgium is the furthest along operationally – its registration deadlines have passed, its CyFun certification deadlines are approaching, and entities that have not registered are technically in violation. Germany’s BSI has the authority to register entities that fail to register themselves. The enforcement machinery is built. It is waiting.

What This Means for Hosting

NIS2 treats digital infrastructure as critical infrastructure. A decade ago, a shared hosting company was a commercial service provider, full stop. Under NIS2, cloud providers and data center operators are in the same regulatory category as energy and transport companies. DNS providers and domain registrars are classified as essential regardless of size.

The hosting industry has operated for 25 years with minimal sector-specific regulation. NIS2 ends that. Arnaud Martin, a cybersecurity regulation expert at Agoria, noted the shift: “NIS2 places significant emphasis on supply chain security, which might become the most impactful change.” For hosting providers, that cuts both ways – they must audit their own suppliers while being audited by their customers.

The question is not whether to comply. It is whether you are building for compliance or waiting until someone forces your hand. IONOS, Hetzner, and Plesk made their choice. The providers who have not yet started should consider what Rickert said: like it or not, we are all on Team 28 now.