ICANN, the organization that governs the global domain name system and sets the rules every accredited domain registrar must follow, holds its 86th public meeting in Seville from June 8 to 11, 2026. The meeting agenda includes a policy proposal that, if it eventually becomes a contractual requirement, would fundamentally change how domain registrars handle abuse: instead of investigating only the specific domain named in an abuse complaint, registrars would be required to investigate every other domain registered by the same customer. The proposal is in early stages and Seville will not produce binding rules. But the direction of the debate this week will signal how far the regulatory floor for registrars is likely to move over the next two years, and companies whose business includes domain registration need to be paying attention.

The same meeting will address the stalled question of who gets access to private domain registration data, a problem that has been unresolved since GDPR pushed registrars to redact WHOIS records in 2018. It is the first major industry gathering since the 2026 new generic top-level domain application window opened on April 30, with a hard deadline of August 12. And for the first time, AI’s role in accelerating phishing and domain-based abuse will be a formal agenda item at the plenary level.

The Proposal That Would Change Every Registrar’s Abuse Workflow

Since April 2024, ICANN’s Registrar Accreditation Agreement has required every accredited registrar to publish an abuse reporting mechanism, acknowledge reports with timestamps, and take action when presented with evidence of phishing, malware, botnets, pharming, or spam campaigns. Those are the current minimum requirements. The Policy Development Process that ICANN formally launched earlier this year, called PDP1, is examining whether those minimums should be raised.

The proposal drawing the most attention is associated domain checking. The logic is that malicious actors running phishing campaigns rarely register a single domain. A criminal operation typically registers dozens of domains through the same account, often with similar payment methods, registration patterns, or contact details. Under current rules, when an abuse report names one of those domains, the registrar has no obligation to look at the rest of the account. Associated domain checking would create that obligation: receive an actionable abuse complaint against one domain, investigate all domains registered by the same account or registrant.
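An added example, not part of the original article or of any ICANN text: a sketch of how an abuse desk could pivot from one reported domain to associated registrations and record why each one was pulled in. The record fields, sample values and the `max_hops` limit are assumptions; the proposal as described covers the same account or registrant, and the wider pivots on payment and contact details go beyond it.

```python
from collections import defaultdict, deque

# Constructed sample data; field names are hypothetical, not a real registrar schema.
RECORDS = [
    {"domain": "bank-login.example", "account": "A1", "payment": "tok_9f", "email": "a@mail.example"},
    {"domain": "bank-verify.example", "account": "A1", "payment": "tok_9f", "email": "a@mail.example"},
    {"domain": "parcel-track.example", "account": "A2", "payment": "tok_9f", "email": "b@mail.example"},
    {"domain": "tax-refund.example", "account": "A3", "payment": "tok_22", "email": "b@mail.example"},
    {"domain": "bakery.example", "account": "A4", "payment": "tok_71", "email": "c@mail.example"},
]


def associated_domains(records, reported, fields=("account",), max_hops=1):
    """Map each domain linked to `reported` to (hops, field, value, via_domain).

    Two domains are linked when they share a value in one of `fields`.
    `max_hops` bounds how far links are followed, so the review scope stays
    explicit and each result carries the reason it was pulled in.
    """
    by_domain = {r["domain"]: r for r in records}
    if reported not in by_domain:
        raise KeyError(f"{reported} is not in the registration data")
    # Index: (field, value) -> every domain registered with that value.
    index = defaultdict(set)
    for r in records:
        for field in fields:
            if r.get(field):
                index[(field, r[field])].add(r["domain"])
    found, seen = {}, {reported}
    queue = deque([(reported, 0)])
    while queue:  # breadth-first, so the first link recorded is the shortest
        domain, hops = queue.popleft()
        if hops == max_hops:
            continue
        for field in fields:
            value = by_domain[domain].get(field)
            for other in sorted(index.get((field, value), set()) - seen):
                seen.add(other)
                found[other] = (hops + 1, field, value, domain)
                queue.append((other, hops + 1))
    return found


if __name__ == "__main__":
    wide = associated_domains(RECORDS, "bank-login.example",
                              fields=("account", "payment", "email"), max_hops=2)
    for name, (hops, field, value, via) in sorted(wide.items()):
        print(f"{name}: hop {hops}, shares {field}={value} with {via}")
```

With the default arguments only the same-account domain is returned; widening the fields and hops reaches registrations on other accounts, and the recorded link reason is what lets a reviewer judge whether that association is real.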

The operational burden is real. A high-volume registrar handling thousands of abuse reports per month would need to expand its investigation process from a single-domain review to an account-wide review for each actionable complaint. The proposal as written uses flexible criteria and “reasonably available information” rather than a fixed checklist, which the registrar community argues creates unpredictable compliance obligations: what counts as sufficient investigation is not defined, which creates both operational uncertainty and potential liability. Four dedicated sessions on DNS abuse are scheduled across the four-day Seville meeting. PDP1 is early in its process and no binding decisions will come out of Seville, but the community’s reception of the proposal here will determine how the working group refines it over the following months. Registrars that have not submitted comments to the working group should treat the Seville session as the first significant signal of where the policy is heading.

A parallel and faster-moving track addresses Domain Generation Algorithms, the automated systems that botnets use to generate thousands of domain names as command-and-control infrastructure. Because DGA-based abuse has distinct technical characteristics, the working group is exploring whether it can be handled outside the full PDP process to reach requirements more quickly.

A plenary session titled “The Current and Coming Impact of Artificial Intelligence on Domain Name System Abuse” is the first time AI’s role in domain abuse has been elevated to the main agenda at an ICANN meeting. The concern is operational: AI tools now allow anyone to generate convincing phishing sites at scale, automate domain registrations across thousands of accounts simultaneously, and improve the quality of malicious content. ICANN’s contractual framework was designed for abuse operated by humans at human scale. How it adapts to AI-accelerated abuse at machine scale is an open question that Seville will begin to address formally.

Customer Data Access: Two More Years of the Same Situation

When GDPR took effect in 2018, registrars across Europe and then globally began redacting WHOIS records, the public database that previously showed the name, address, email, and phone number of every domain registrant. Law enforcement agencies, intellectual property lawyers, and cybersecurity researchers who had relied on WHOIS to investigate fraud, trademark infringement, and phishing campaigns suddenly lost access to data they had used routinely. Eight years later, the question of how to restore legitimate access to that data remains unresolved at the ICANN policy level.

At the previous ICANN meeting in March 2026, the board voted not to adopt 18 policy recommendations produced by years of working group effort specifically to create a Standardized System for Access and Disclosure of registration data. The board’s stated reason was that the 18 recommendations were too interdependent to implement partially, and that the system should be informed by operational data before being finalized. The existing pilot, called the Registration Data Request Service, was extended for up to two additional years. RDRS provides a centralized pathway for law enforcement, IP professionals, and security researchers to request access to nonpublic registration data from registrars who voluntarily participate. The system has generated useful data on request volumes and response rates, but it remains a pilot rather than a mandatory system.

For registrars, the practical outcome is continuity: no new system to prepare for, and existing RDRS response obligations remain in place. The Seville sessions will focus on what supplemental recommendations can be built from the RDRS pilot data and how privacy proxy services, which allow registrants to register domains without their personal data appearing in any record, should be treated in any future access system. The question of who gets what registration data under what circumstances will not be resolved in Seville and is unlikely to be resolved before 2028 at the earliest.

On a separate note, the protocol used to query registration data has already changed. WHOIS was replaced by RDAP as the definitive source for gTLD registration data in January 2025. Most major gTLDs are no longer required to maintain WHOIS at all. RDAP query volumes across all servers exceeded 10 billion per month by late 2024. This transition is complete and is not on the Seville agenda; it is worth noting because it clarifies that the ongoing policy debate is about access rights and data governance, not about the technical protocol.

The gTLD Window Is Open and Closes in Ten Weeks

The 2026 new generic top-level domain application window opened April 30 and runs through August 12. ICANN86 is the first major industry gathering since the window opened, and several operational sessions will address questions about the evaluation process and timeline.

The base application fee is $227,000, covering one primary string and up to four variant strings. An Applicant Support Program reduces fees to between $34,500 and $57,000 for qualifying applicants from developing economies and underserved communities. The ASP application window, which closed in December 2025, received 75 applications from 27 countries, compared to 3 in the 2012 round. Geographic distribution shows 38 from Asia-Pacific, 20 from North America, 10 from Africa, 6 from Europe, and 1 from Latin America. The broader commercial application window is still open and accepting submissions through August 12; no total count has been published because the window remains active.

For a hosting company or registrar considering whether to apply for a new gTLD, or advising enterprise customers who are, Seville’s operational sessions may provide clarification on evaluation procedures and realistic timelines between application and delegation. The August 12 deadline is hard. Applications submitted after that date will not be considered regardless of their readiness at the time of the meeting.

The 2026 round accepts applications in 27 writing scripts, including Arabic, Chinese, Devanagari, and Thai, a significant expansion from the 2012 round’s limited internationalized domain name support. Universal Acceptance, meaning whether domains registered in non-ASCII scripts are actually usable in email clients and web applications globally, remains an unresolved infrastructure problem that will also be discussed in Seville. A domain registered in Arabic is of limited practical value if major platforms silently reject it as an email address or URL.