Registration as an fi-domain name registrar


 

Responsibilities and obligations

All operators launching registration operations must submit a notification to FICORA and make sure that all notified information is up to date as provided in the Information Society Code (917/2014). Requirements for the registrar's operations are laid down in the Act and specified in part in FICORA's Regulation (68/2014 M). The requirements for domain name registrars concern:
  • content and quality of the service provided for customers
  • permitted technical interfaces
  • ensuring information security
  • duty to report information security incidents.

     

Obligations concerning the services

The registrar shall advise its customers to ensure that the domain names comply with law (section 170(1)(1) of the Information Society Code). A fi-domain name shall not violate a name or a trademark registered for someone else.
  • The registrar shall instruct the customers to check legally protected names and trademarks in respective registers (section 7 of the Regulation).
  • A domain name must always be registered in the actual domain name holder's name (section 167(1) of the Information Society Code).
  • The registrar shall enter the domain name holder’s correct, up-to-date and identifying information as well as the email address to be used for hearing and service of notices ("address for service") via a technical interface in FICORA's domain name register.
  • Domain name holders shall be informed in time of the domain name’s expiry, its consequences and how the domain name may be renewed (section 170(1)(4) of the Information Society Code).

     

Obligations at the request of a holder include:

 

The registrar shall ensure with due care that the request is made by an authorised party. Transferring a domain name or switching registrars shall be carried out within five working days (sections 10–11 of the Regulation).
The domain name registrar must inform its customers of terminating its operations and of FICORA's prohibition decision (section 165(2) of the Information Society Code and section 6 of the Regulation).

 

Requirements concerning technical interfaces

  • The domain name registrar must be able to enter data in the domain name register using the technical system prescribed by FICORA (sections 170(1)(3) and 167(4) of the Information Society Code).
  • The technical interface to be used is either a browser-based user interface or an EPP interface (Extensible Provisioning Protocol) defined by FICORA (section 9 of the Regulation).
  • If the domain name registrar uses the EPP interface, the client software of the domain name registrar must be compatible with FICORA's EPP interface description and it must pass the tests required by FICORA in an EPP sandbox environment (section 9 of the Regulation).
  • A domain name registrar using FICORA’s EPP interface must meet the criteria derived from the requirements of protection level (IV) of subdivision I, technical information security, of the currently valid version of Katakri (information security auditing tool) with respect to the security of data communications and information systems (section 20 of the Regulation).

 

Requirements concerning information security

The domain name registrar must ensure the information security of its operations (section 170(1)(6) of the Information Society Code). Chapter 4 of Regulation (68/2014 M) describes the information security management of the operations in more detail. Each domain name registrar is obliged to determine detailed and sufficient instructions for handling information security threats.

 

The domain name registrar must document and maintain an up-to-date description of how they address the following areas of information security in their operations:

  • administrative information security;
  • personnel security;
  • security of hardware, software and data communications;
  • security of information material and usage;
  • physical security.

     

Furthermore, the domain name registrar must have up-to-date documentation of:

  • risk management processes and results of regular risk surveys;
  • a classification system for any information material that is important for the registration operations and a processing procedure for information material associated with the classification system;
  • control mechanisms for information security threats in registration operations;
  • instructions for managing situations disturbing or threatening information security;
  • processes for changes in network, software, hardware, configuration, interface and equipment facilities.

 

The documents need not be sent to FICORA unless separately requested.

 

Disturbance notification

The domain name registrar must notify FICORA of significant violations of information security or threats of such violations in its domain name services and of anything that essentially prevents or disturbs such services (section 170(1)(7) of the Information Society Code). The disturbance notification must be made within 24 hours of the domain name registrar becoming aware of the significant disturbance (section 21(2) of the Regulation). FICORA's document Explanations and Application of Domain Name Regulation (MPS) covers the criteria to consider when assessing the significance of a disturbance.

Accepting legal responsibilities and obligations