.nz Regulatory and Compliance Approach

This approach is the foundational strategy, approved by the Domain Name Commission Board, to guide the delivery of our regulatory functions. 

Our aim in publishing our approach is to ensure our regulatory activities are operated and enforced in a fair and transparent manner. We want to provide an overview of how we make decisions and how we can support and work with regulated parties (including registrars and domain name holders) to understand their rights and obligations under the .nz Rules.   

We will periodically review the effectiveness and efficiency of our approach to compliance to identify and address improvement opportunities, ensure continued alignment with the .nz Rules, and ensure consistency with the InternetNZ Group five-year strategy (a new Group Strategy will be published in the 2025/2026 financial year). 

Introduction

InternetNZ | Ipurangi Aotearoa has appointed the Domain Name Commission (DNC) to carry out the regulatory function for the .nz country code top-level domain. Our role, responsibilities, and functions are set out in the Authorisation Agreement with registrars, the Operating Agreement and the .nz Rules. 

Domain names are key for any person or organisation to have an effective digital presence. The .nz infrastructure that InternetNZ manage is critical to the performance of the modern Aotearoa New Zealand economy and the wellbeing of New Zealanders and our communities. 

Our regulatory and compliance approach is designed to ensure the ongoing security, stability, and resilience of the .nz domain name space and that the integrity of the .nz register is maintained. This includes ensuring a trusted and secure scheme of registration and renewal is in place that domain name holders can rely on; that registrars have and maintain the requisite skills, resourcing, and capability to ensure the ongoing availability of services and support for their domain name holders, and that abuse that exploits the domain name system for malicious purposes is disrupted. 

As an organisation, we recognise the importance and relevance of Te Tiriti o Waitangi and the principles of participation, protection, and partnership. We will continue to consult with Māori to gain a deeper understanding of how our regulatory activities can give practical application to Te Tiriti o Waitangi. 

Good outcomes are best achieved when everyone understands their rights and responsibilities and is motivated to act on them. Decisions about how we intervene to promote and protect the rights of domain name holders, ensure the integrity of the .nz register, and ensure the security, stability and resilience of the .nz domain name space must be predictable, rational, and defensible. We will use the right tool for the right situation. 

Our aim in publishing our approach is to ensure our regulatory activities are operated and enforced in a fair and transparent manner. Our goal is high levels of voluntary compliance.

Our vision 

A .nz that is Fair for Everyone. To be a fair, independent, and accessible modern regulator who provides trusted and effective management and oversight of the regulatory function for the .nz domain name space.

Our core functions

Our regulatory activities are broad and have been distilled into eight core functions:

Our authorisation approach

Our approach to registrar authorisation is risk-based. Applicants presenting a higher risk will receive greater scrutiny. Having clear standards and processes and applying a risk-based approach to authorisation allows us to assess applications efficiently, lessening the need for further engagement with lower risk applicants.

We recognise that a clear licensing guide is needed to step applicants through the authorisation process. We are continually working to improve our licensing guide so that it is clear and easy to understand and is responsive to any emerging risks. We also recognise that registrars may operate in multiple jurisdictions with different policies and rules, so we provide training and guidance for registrars as they are onboarded to ensure they are aware of their obligations under the .nz Rules.

Our compliance approach

We take a risk-based approach to our monitoring, investigations, and enforcement activities, meaning we prioritise resources to those regulated parties* or practices that present the greatest risk to the integrity of the .nz register or to the security, stability, and resilience of the .nz domain name space.

Our compliance strategy emphasises a 'top of the cliff' approach and focuses on lifting the standards of regulated parties. We seek to foster a culture where those we regulate proactively work to put in place a robust approach to managing and monitoring compliance with their obligations, facilitate good outcomes for domain name holders, and willingly share information with us.

As a modern regulator, we will be analysing data and insights to hone our approach, set our priorities and target our interventions where we can make the greatest difference, while providing flexibility to be responsive to ongoing issues and emerging trends. We will also work with other country code top-level domains, regulators, agencies, and interested parties both domestically and internationally to share knowledge and intelligence on current and emerging issues, to secure good compliance outcomes and to ensure that our response is effective and efficient.

*Regulated parties include InternetNZ, domain name holders, registrars, resellers and moderators. The roles, responsibilities and obligations of regulated parties are set out in the .nz Rules.

Our monitoring approach

Our monitoring activities generally fall into one of four broad categories. 

Reactive monitoring

• Undertaken in response to information received from a regulated party themselves, a domain name holder, or other party, including complaints and abuse reports.

Thematic monitoring

• Deep-dive style review to better understand the regulated market and risk, specific or systemic issues, and/or identify current or emerging threats or issues. Some of this monitoring is exploratory in nature, to help build understanding, assist with setting expectations of regulated parties, share good practice, and assist us in managing .nz efficiently to ensure the security, stability, and resilience of the .nz domain name space. This work might be undertaken by way of a survey or requests for information.

Planned monitoring

• Includes sample testing, data validation or identity verification audits, audits or checks of business systems, processes and compliance obligations, and/or monitoring engagements that are planned in advance to take a more in-depth look at a particular regulated party or industry issue. This will generally include us undertaking a desk-based review of information requested from the regulated party and often one or more online (or, at times, in-person) meetings in order for our staff to conduct interviews with key staff or directors of the regulated party or vendors providing key services to the regulated party.

Reporting

• Includes annual reporting based on a pre-determined set of self-assessment compliance questions for attestation by regulated parties.

Where our monitoring activities identify likely or actual non-compliance, we may open a formal investigation and have a range of tools available in the .nz Rules to deliver a timely, effective, and proportionate response. In some cases, letters of expectations, notices, warnings, or directions may be appropriate. We may follow up to ensure any required actions are implemented, or we may undertake additional monitoring on a more regular basis.

Further or serious non-compliance may result in stronger action, such as suspension or cancellation of a domain name, suspension of some or all of a registrar’s functions, entitlements or rights or removal of authorisation or other enforcement action.

We will publish our annual monitoring and compliance plan in April each year for the following twelve months, and publish a report on the findings and outcomes of our monitoring activities each year.

Our investigations and enforcement approach

Our investigations and enforcement outcomes are underpinned by principles of:

• Natural justice and fairness 
• Impartiality and being free from conflict of interest 
• Risk-based regulation 
• Determining the facts and getting to the truth 
• Evidence-based decision making 
• Proportional response (using VADE). 

We operate a proportionate response model, which escalates or de-escalates our response using levels labelled VADE.

*  Responsive Regulation: Transcending the Deregulation Debate (1992), Ayres & Braithwaite.

The VADE levels 

Voluntary 

The ideal, where all regulated parties understand their obligations and are voluntarily compliant with the .nz Rules, Authorisation Agreement, and Connection Agreement. We want the majority of regulated parties, ideally all, to be voluntarily compliant. 

Assist 

Where a regulated party is mildly non-compliant or unclear about how to comply, we will assist and educate them to improve their compliance, encouraging and enabling them to move to voluntary compliance.  

Direct 

Where a regulated party is obviously non-compliant or remains non-compliant after we assist them, we may need to formally direct them to comply or face further action. 

Enforce 

Where a regulated party is persistently non-compliant or commits a breach requiring us to investigate their non-compliance with a view to imposing sanctions that are proportionate to the nature of the breach or level of non-compliance.  

Investigation process and potential sanctions

Where we determine that a regulated party has or likely has breached the .nz Rules, Authorisation Agreement, or Connection Agreement, an initial inquiry may be made to the regulated party requesting information or seeking clarification. This helps us to decide whether to open an investigation. This initial inquiry may rely on voluntary disclosure of information, or our powers in the .nz Rules or Authorisation Agreement to require documents or information to be provided within a requested timeframe.

An investigation may be initiated where:

• our initial inquiries indicate likely or actual non-compliance with the .nz Rules, Authorisation Agreement, or Connection Agreement; and

• an investigation is appropriate based on our assessment of the nature and level of the risk and harm relating to the issue or allegation.

If an inquiry or investigation uncovers concerns that need to be addressed, there are a range of possible outcomes which include us taking no action to taking the types of actions set out below (note this is not an exhaustive list). 

Before a final decision is made, we first provide notice of an intended action (e.g. to issue a breach notice) or a draft provisional investigation report to the regulated party that sets out our findings and the reasons for a proposed sanction (if any). The regulated party will be given an opportunity to provide comments on any proposed sanction, to correct any factual errors or provide any other feedback within the timeframe we have specified. Any response will be considered before making a final decision. Once a decision has been made, a final breach notice or investigation report will be provided to the regulated party and any sanctions imposed.

When choosing a particular outcome, we take into account a number of factors, including our assessment of the nature and level of the risk and harm we are addressing which includes any impact on domain name holders (and number impacted) or to the security, stability, and resilience of the .nz domain name space, or any impact to the integrity of the .nz register and the principles set out above.

In addition to the powers set out below, we can also provide guidance and advice on how to comply with the requirements of the .nz Rules, Authorisation Agreement, and Connection Agreement and support on how to address any issue identified through our regulatory activities.

Suspension or cancellation of a .nz domain name

We may suspend or cancel a .nz domain name if the domain name holder is not contactable and does not validate the data in the registration record, or if they do not verify their identity or meet the eligibility criteria in the .nz Rules.

Formal letters of expectations

Formal letters of expectations may be used where an inquiry or investigation uncovers issues of non-compliance and the regulated party concerned has worked with us to put in place credible measures or has taken sufficient action to address the concerns raised.

This type of compliance tool can be imposed at our discretion under the .nz Rules, and can be an effective way of dealing with issues that don’t meet the threshold of serious wrongdoing, and/or where the regulated party has made a significant effort to remedy any issues that have been identified through an inquiry or investigation. They provide a formal record that we have required a regulated party to address certain issues and set out our expectations going forward. We have a record of the letter that can be referred to in the future. For example, if similar issues arise with the regulated party in the future, then the regulated party can expect a stronger compliance response.

Warnings (private or public)

Warnings are used when a regulated party has breached the .nz Rules, Authorisation Agreement, or Connection Agreement or engaged in serious wrongdoing. The purpose of a warning is to focus the regulated party on the actions that must be addressed, in particular to ensure compliance with the .nz Rules, Authorisation Agreement, or Connection Agreement.

A warning notice will set out the reasons for the notice and what actions the regulated party must take to address the issues we have identified. The warning will also set out what might happen if the regulated party does not comply with the notice within the specified timeframe.

Failure to address the issues highlighted in the warning or if a more punitive sanction is warranted can result in us publishing a notice naming the regulated party and summarising the issues and the action we have taken, or are considering taking, in relation to those issues.

Removal of authorisation

We will only remove a registrar’s authorisation on certain grounds — for example, if the registrar is no longer qualified for authorisation or because there has been a material breach or significant or persistent failure by the registrar to meet its obligations under the .nz Rules, Authorisation Agreement, or Connection Agreement.

Education, guidance, and reporting

We encourage regulated parties to seek out the ‘How to’ guides and resources available on our website to improve their knowledge, understanding, or compliance with the .nz Rules. We also support regulated parties and individuals’ understanding of the .nz Rules and the .nz domain name space through:

• Providing a welcome pack to registrars as they are on-boarded along with follow up engagement in the first six months of being authorised to assist with any enquiries.

• Offering training to registrars when they are onboarded or when there are any substantive changes to the .nz Rules.

• Providing a customer support function via email or telephone to assist with any issues or provide support.

• Providing educational Shopsafe tips on our website to help the public recognise and avoid being harmed by phishing.

• The ongoing development of our Chatbot knowledge base tool.

• Writing informational blog posts and publishing .nz dispute resolution scheme determinations and case summaries.

• Publishing a quarterly newsletter about relevant industry issues and the work we are doing. 

• Engaging with media and social media.

We also publish an Annual Report, Statement of Service Performance, and Transparency Report to share insights and information about our work, including our monitoring, investigations and enforcement activities and outcomes.