This Time Self-Hosted

The dot-EU kerfuffle — or how EURid is messing with their own best supporters

TL;DR summary: be very careful if you use a .eu domain as your point of contact for anything. If you’re thinking of registering a .eu domain to use as your primary domain, just don’t.


I forecast a rant when I pointed out that I had changed domain with my move to WordPress.

I registered flameeyes.eu nearly ten years ago, in part because flameeyes.com was (at the time) parked by a domain squatter, and in part because I have been a strong supporter of the European Union.

In those ten years I started using the domain not just for my website, but as my primary contact email. It’s listed as my contact address everywhere, and I have all kinds of financial, commercial and personal services attached to that email. It’s effectively impossible for me to ever detangle from it, even if I spend the next four weeks doing nothing but amending registrations — some services just don’t allow you to ever change email address; many require you to contact support and spend time talking with a person to get the email updated on the account.

And now, because I moved to the United Kingdom, which decided to leave the Union, the Commission threatens to prevent me from keeping my domain. It may sound obvious, since EURid says:

A website with a .eu or .ею domain name extension tells your customers that you are a legal entity based in the EU, Iceland, Liechtenstein or Norway and are therefore, subject to EU law and other relevant trading standards.

But at the same time it now provides a terrible collapse of two worlds: technical and political. The idea that any entity in control of a .eu domain is by requirement operating under EU law sounds good on paper… until you come to this corner case where a country leaves the Union — and now either you water down this promise, eroding trust in the domain by not upholding this law domain, or you end up with domain takeover, eroding trust in the domain on technical merit.

Most of the important details for this are already explained in a seemingly unrelated blog post by Hanno Böck: Abandoned Domain Takeover as a Web Security Risk. If EURid will forbid renewal of .eu domains for entities that are no longer considered part of the EU, a whole lot of domains will effectively be “up for grabs”. Some may currently be used as CDN aliases, and be used to load resources on other websites; those would be the worst, as they would allow the controller of the domains to inject content in other sites that should otherwise be secure.
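As an added example that is not part of the original post: a small audit a site owner could run over their own pages to list the third-party resources loaded from .eu hosts, and whether Subresource Integrity pins each one so that a later change of domain ownership cannot change what gets loaded. The sample HTML and all example.* host names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page; every example.* host name is a placeholder.
SAMPLE = """<html><head>
<script src="https://cdn.example.eu/lib.js"></script>
<script src="https://static.example.eu/app.js" integrity="sha384-PLACEHOLDER"></script>
<link rel="stylesheet" href="//assets.example.eu/site.css">
<link rel="canonical" href="https://www.example.eu/">
<script src="/local.js"></script>
<script src="https://cdn.example.com/other.js"></script>
</head><body><img src="https://www.example.org/logo.png"></body></html>"""

# Tags that pull remote content into the page, and the attribute holding the URL.
URL_ATTR = {"script": "src", "link": "href", "iframe": "src", "img": "src"}

class ResourceAudit(HTMLParser):
    def __init__(self, page_host, suffix):
        super().__init__()
        self.page_host, self.suffix, self.findings = page_host.lower(), suffix, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get(URL_ATTR.get(tag, ""))
        if not url:
            return
        # <link> only loads content for stylesheets; canonical/alternate are just hints.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        host = (urlsplit(url).hostname or "").lower()
        # Relative URLs have no host; same-host resources are first-party.
        if not host or host == self.page_host or not host.endswith(self.suffix):
            return
        # SRI pins script/stylesheet content to a hash, so whoever controls
        # the host later cannot swap it; it does not exist for img/iframe.
        self.findings.append({"tag": tag, "host": host, "sri": bool(attrs.get("integrity"))})

def audit(html, page_host, suffix=".eu"):
    parser = ResourceAudit(page_host, suffix)
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for f in audit(SAMPLE, "www.example.org"):
        status = "pinned by SRI" if f["sri"] else "NOT pinned"
        print(f"{f['tag']:6} {f['host']:20} {status}")
```

Entries reported as not pinned are the ones to self-host, pin with an `integrity` attribute, or move to a domain whose renewal you control.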

But it is even more important for companies that used their .eu domain as their primary point of contact: think of any PO, or invoice, or request for information, that would be sent to a company email address — and now think of a malicious actor getting access to those communications! This is not just the risk that I (and any other European supporter who happened to live in the UK, I’m sure I’m not alone) as a single individual have — it’s a possibly unlimited amount of scams that people would be subjected to, as it would be trivial to pass for a company, once their domain is taken over!

As you can see from the title, I think this particular move is also going to hit the European supporters the most. Not just because of those individuals (like me!) who wanted to signal how they feel part of something bigger than their country of birth, but also because I expect a number of UK companies used a .eu domain specifically to declare themselves open to European customers — as otherwise, between pricing in Sterling, and a .co.uk domain, it would always feel like buying “foreign goods”. Now those companies, that believed in Europe, find themselves in the weakest of positions.

Speaking of individuals, when I read the news I had a double-take, and had to check the rules for .eu domains again. At first I assumed that something was clearly wrong: I’m a European Union citizen, surely I will be able to keep my domain, no matter where I live! Unfortunately, that’s not the case:

In this first step the Registrant must verify whether it meets the General
Eligibility Criteria, whereby it must be:
(i) an undertaking having its registered office, central administration or
principal place of business within the European Union, Norway, Iceland
or Liechtenstein, or
(ii) an organisation established within the European Union, Norway, Iceland
or Liechtenstein without prejudice to the application of national law, or
(iii) a natural person resident within the European Union, Norway, Iceland or
Liechtenstein.

If you are a European Union citizen, but you don’t want your digital life to ever be held hostage by the Commission or your country’s government playing games with it, do not use a .eu domain. Simple as that. EURid does not care about the well-being of their registrants.

If you’re a European company, do think twice on whether you want to risk that a change in government for the country you’re registered in would lead you to open yourself, your suppliers and your customers to a wild west of overtaken domains.

Effectively, what EURid has signalled with this is that they care so little about the technical hurdles of their customers, that I would suggest against ever relying on a .eu domain for anyone at all. Register it as a defense against scammers, but don’t do business on it, as it’s less stable than certain microstate domains, or even the more trendy and modern gTLDs.

I’ll call this a self-goal. I still trust the European Union, and the Commission, to have the interests of the many in their mind. But the way they tried to apply a legislative domain to the .eu TLD was brittle at best to begin with, and now there’s no way out of here that does not ruin someone’s day, and erode the trust in that very same domain.

It’s also important to note that most of the bigger companies, those that I hear a lot of European politicians complain about, would have no problem with something like this: just create a fully-owned subsidiary somewhere in Europe, say for instance Slovakia, and have it hold onto the domain. And have it just forward onto a gTLD to do business on, so you don’t even give the impression of counting on that layer of legislative trust.

Given the scary damage that would be caused by losing control over my email address of ten years, I’m honestly considering looking for a similar loophole. The cost of establishing an LLC in another country, firmly within EU boundaries, is not pocket money, but it’s still chump change compared to the amount of damage (financial, reputation, relationships, etc), so it would be a good investment.

Comments 10
  1. How do they justify being so strict when there are already exceptions for Norway, Iceland and Liechtenstein?
    Surely, as an individual, there are cheaper ways of establishing an official presence in the EU than creating an LLC? A not-for-profit association (e.g. under French “Loi 1901” status) comes to mind…

    1. Because those countries are part of the EEA. And UK doesn’t want to do that.

      I’m not sure about French law, but while an LLC is not cheap it also has fewer requirements or risks of conflicts, which is why I’m considering that route.

  2. How do you justify your presence as a person in a country, when registering as an EU citizen?
    Couldn’t you pretend to live at a friend or family somewhere in EU?

    1. Most countries require you to register a tax residence and the registrar can request a proof of identity and/or address. My Italian ID card still has my address in Dublin on it so I could use that.
      But I expect that if they are this set into being a nuisance they’d have extra scrutiny on this.

      I actually plan on handing over one of my domains to my sister (pettenò.eu) since we share the surname and it would make sense for her to have it. Also I barely ever use it, I registered it out of fancy and because I didn’t want someone else to have it…

  3. It’s hard to see where to put the blame… Owners of a .fr residing in UK will have the same issue.
    If UK wanted to grant its residents access to EU institutions, it could – but it chose not to pay the cost.
    If EU wanted to grant access to .eu to UK residents, it could – but that is also true of .fr, and of all the other things that UK residents will lose.

    1. As I said in the article, it’s going to suck either way. But at least for the .it TLD, as long as you have a valid tax id (which you still keep even if you leave the country), you can keep the domain.

      Does the French NIC also enforce residency requirements? That’s mental, particularly for individuals.

      1. Yes, my understanding is that the AFNIC enforces residency requirements: https://www.gandi.net/en/tlds/fr/rules and so French living in UK will have similar issues.
        I think both registrars should allow their nationals to own a domain. I’ll make a suggestion to my deputy, let’s see if something happens 🙂

      2. Looks as if .se domains are free of residence requirements. And I suspect that you don’t really care about some of the odder (but for good, solid, local reasons) restrictions (a domain name cannot match /.[0-9]{6}-[0-9]{4}./, as that is a (possible) national ID).

    1. e-residency is extremely misnamed and is actually an identity management system akin to SPID. I’ve applied because I’m considering registering an LLC in Estonia just to keep the domain…
      But the registration itself is not a residency for purposes of domain registration.
