The NIS Directive [1] defines critical infrastructures and operators of essential services. It also calls for organizational measures to ensure these infrastructures are protected from cybercrime and terrorism. This also includes the establishment of a national framework for emergency response. The list of essential services in Annex II does contain certain elements of Internet infrastructures, such as Domain Name Servers and Internet Exchange Points. However, in a truly remarkable omission, the Directive does not include Internet Service Providers (ISP) [2]. Since operators of essential services are subject to stringent security requirements, it would be helpful to include them as operators of essential services. This seems even more appropriate as many other Annex II infrastructures, such as banking, health and transport, heavily rely on a working Internet infrastructure, which is largely dependent on ISPs.
This paper discusses the omission in the NIS Directive of the ISPs and the incomplete list and codependent registries namely, the IP address space registry and the Autonomous System registry and their necessity in supporting the root Domain Name System.