Hi Karolina

I have some concerns with the Terms & Conditions (T&C) as written. Let's
start with the recent changes, then move on to some more general points.

"5.6. The Registrant or the Maintainer may report any identified incident
via the 24/7 Technical Emergency Hotline."
There are several million INETNUM objects in the RIPE Database. That is a
lot of Registrants and Maintainers. So which one is 'the' Registrant and
'the' Maintainer? Maybe you mean "A Registrant or a Maintainer.." or
perhaps "Any Registrant or any Maintainer.."? Or do you mean "The
Registrant or the Maintainer may report any identified incident concerning
their resources.."? But is this reporting limited to only Registrants and
Maintainers? Can a 'User' not report incidents to this hotline? That could
be someone who queries data but doesn't have the right to update the
database. I guess it depends what type of incident you are referring to.
That is also not clear.

The same arguments apply to 5.7.

"5.9. The RIPE NCC may perform security checks and/or audits to the RIPE
Database. The RIPE NCC may share any available report of such checks and/or
audits upon request by the Registrant or the Maintainer and subject to a
non-disclosure agreement."
Are these checks and audits going to be applied to the whole RIPE Database,
or some subsection of the database, or to a specific resource? As you
don't define what checks you are going to do, could they apply to secondary
objects or routing or domain data rather than resources? Who will you share
a report with? You have the same problem with 'the' Registrant/Maintainer.

"8.6. The RIPE NCC shall publish information regarding the integrity,
privacy and confidentiality of the data it processes in the RIPE NCC Trust
Portal"
These are the T&C for the RIPE Database. This is a public database. Anyone
can use it and query any of the data contained therein. There is no privacy
or confidentiality with respect to any of this data. Most of the data is
entered into the database by resource holders. The RIPE NCC has no control
over, or ability to check, the integrity of this data. So I don't see any
relevance to this clause.

"2.6. A Maintainer may only Update the RIPE Database with these types of
data:"
This line ends with a ':'. That suggests there should be a list following
it. There is no list. If you change ':' to '.' then the sentence makes no
sense.

The policy proposal 2023-04 introduced the concept of aggregation. A
consequence of that was to make IPv4 assignments optional. I believe that
violates the T&C. To understand this point you need to cross reference
several clauses of the T&C.

"3.1. The RIPE Database contains information for the following purposes:
- Providing information about the Registrant and Maintainer of Internet
number resources when the resources are suspected of being used for
unlawful activities, to parties who are authorised under the law to receive
such information."

Now let's look at "Article 1 - Definitions"
"Internet number resources - globally unique address space (IPv4 and IPv6)
and Autonomous System Numbers (ASNs) issued by any Internet Number
Registry."
Note it says 'any' Internet Number Registry. An LIR is a Local 'Internet
(Number) Registry'. So 'Internet number resources' covers address space
issued by an LIR. These are assignments.
So one of the defined purposes of the RIPE Database is to 'Provide
information about the Registrant and Maintainer of assignments when the
assignments are suspected of being used for unlawful activities'. This
information can be provided 'to parties who are authorised under the law to
receive such information', i.e. the police.
By making assignments in the RIPE Database optional, the database can no
longer fulfill this purpose for IPv4 address space, as defined in the T&C.

cheers
denis

On Mon, 13 Oct 2025 at 15:22, Karolina Bochenek <[email protected]> wrote:

> Dear all,
>
> At its 188th RIPE NCC meeting on 4-5 September 2025, the RIPE NCC
> Executive Board approved amendments to the RIPE Database Terms and
> Conditions.
>
> These changes are in response to the EU regulation Digital Operational
> Resilience Act (DORA) which came into effect in January 2025. While the
> requirements apply to financial institutions, the RIPE NCC aims to
> facilitate the implementation of this regulation for those entities that
> are RIPE NCC members to a reasonable extent.
>
> The following changes include:
>
>    - Adding details of how we manage planned maintenance and how incidents
>      can be reported. We also added information about security measures and
>      audits (articles 5.5-5.9)
>
>    - Adding subcontractor, service level and data protection information
>      (articles 8.4-8.6)
>
> The updated RIPE Database Terms and Conditions are available at:
> https://www.ripe.net/manage-ips-and-asns/db/support/documentation/terms
>
> You can find more information about DORA and other relevant regulations in
> the RIPE NCC Trust Portal:
> https://trust.ripe.net/legal-compliance/
>
> The RIPE NCC Executive Board Meeting minutes are available at:
> https://www.ripe.net/about-us/executive-board/minutes/2025/188th-executive-board-meeting-minutes/
>
> The amendment will come into effect on 13/11/2025.
>
> Kind regards,
>
> Karolina Bochenek
> RIPE NCC
>
> -----
> To unsubscribe from this mailing list or change your subscription options,
> please visit: https://mailman.ripe.net/mailman3/lists/db-wg.ripe.net/
> As we have migrated to Mailman 3, you will need to create an account with
> the email matching your subscription before you can change your settings.
> More details at: https://www.ripe.net/membership/mail/mailman-3-migration/