Registries love to call themselves the guardians of the internet. They talk about trust, security, and stability as if they invented those words. But when you look closer, too many of them are busy dismantling the very foundations they claim to protect.
Take Sweden’s .se registry. In a world where the EU is pushing through the NIS 2 Directive to enforce accurate, verified data in ccTLD databases, .se decides to drop the requirement for registrants to have a physical address. That’s not modernization, that’s sabotage. While regulators demand stronger cybersecurity and cleaner registrant data, some registries are opening the door wide to fake identities, abuse, and chaos. And who pays the price? Registrars. Always registrars.
We’re the ones cleaning up the mess. NIS 2 compliance is dumped on our shoulders. We’re the ones verifying contacts, scrubbing databases, and dealing with the fallout. Registries pat themselves on the back for “simplifying” rules, while we drown in abuse complaints, legal threats, and technical overhead. They get the glory; we get the blood, sweat, and invoices.
Meanwhile, in the gTLD world, registries are running away from responsibility by becoming thin registries — a fancy way of saying “we don’t want to touch GDPR, let the registrars deal with it.” That means we’re forced to store and manage sensitive contact data, effectively turning us into mini‑registries subject to GDPR compliance. Add RDAP into the mix, now mandatory, and registrars are expected to provide structured access to registrant data while registries wash their hands of the whole mess. They dodge accountability, ICANN piles on requirements, and registrars are stuck hiring programmers, lawyers, and compliance officers just to keep the lights on.
And then comes the abuse avalanche. Fake identities are cheap on the Dark Web, and they’re flooding domain registrations. Abuse complaints pile up daily — sometimes hundreds for a single domain, often weaponized by competitors to harass us. Every complaint demands a response, every ticket eats into resources. Law enforcement, CERTs, and even lawyers don’t understand the basics. They don’t know how to use RIPE WHOIS, they don’t know how to identify hosting providers, so they attack registrars for content issues we’re not responsible for. Suddenly, we’re expected to play judge, jury, and executioner for political disputes, defamation claims, or “hurt feelings” masquerading as abuse.
This is what the registrar business has become: a compliance nightmare with NIS 2, GDPR, RDAP, ISO 27001, and whatever new acronym regulators dream up next. A daily grind of abuse tickets that require entire teams just to process. Constant firefighting against registry rule changes that make no sense. Rising registry fees justified by “economic conditions,” while they offload more work onto us. We’re expected to run abuse teams, legal teams, and development teams — just to survive. Meanwhile, registries change policies on a whim, sometimes even discriminating against registrants based on nationality, while pretending they’re champions of openness.
Here’s the truth: registries want the glory of being guardians of the internet, but they’re outsourcing the dirty work to registrars and leaving us to bleed. We’ve become the unpaid janitors of the DNS, cleaning up messes we didn’t make, while registries cash in and regulators pile on.
The registrar business is being pushed to the brink. Every day feels like a new ambush: abuse spam, legal threats, technical mandates, regulatory burdens. And yet registries keep pretending they’re the heroes of internet governance. The reality is uglier: they’re undermining trust, eroding security, and turning registrars into cannon fodder in a war we didn’t start.
Dušan Stojičević
