Criteria to be a .gov.uk Approved Registrar
Follow this guidance to understand how to become a .gov.uk Approved Registrar
The Central Digital and Data Office (CDDO) intends to procure a new .gov.uk Registry Operator. The changes below will come into effect when .gov.uk domains have migrated to this new Registry.
How to become a .gov.uk Approved Registrar
Your organisation must:
-
meet all the criteria if it’s a registered company or sole trader
-
meet all the criteria from section 5 onwards if it’s a public sector organisation
-
continue to meet all relevant criteria for as long as it registers .gov.uk domain names
-
make sure your Registrants understand you have to meet these criteria
The Central Digital and Data Office (CDDO) may update this criteria from time to time at its reasonable discretion, for example to help keep the .gov.uk domain namespace secure. CDDO will invite feedback from Registrars on any proposed changes to these criteria before updating them.
Registrars must have met the criteria no later than 30 September 2024.
Costs to meet the criteria
CDDO has no current intention of charging your organisation to become a .gov.uk Approved Registrar. However, as CDDO has not yet contracted with the Registry Operator CDDO cannot yet confirm how the Registry will be funded.
Your organisation is responsible for all costs to meet the criteria to be a .gov.uk Approved Registrar.
Making sure your organisation is eligible
The following apply only to organisations that are not UK public sector organisations:
1. You are a registered company or sole trader.
2. You commit to having a commercial contract with your Registrants for .gov.uk domains.
3. Your contracts with Registrants fall under the jurisdiction of courts in England and Wales to settle any dispute or claim, including non-contractual disputes or claims.
4. You commit to having Cyber Essentials or Cyber Essentials Plus certification for the teams and tools you use to manage .gov.uk domain names, and keeping this certification up-to-date. If you do not have Cyber Essentials or Cyber Essentials Plus certification at this time, you commit to getting either certification by 30 September 2024.
The following apply to all organisations:
5. You commit to making the Registry Operator and your Registrants aware if:
-
you can no longer meet the Criteria to be a .gov.uk Approved Registrar, or your status as a .gov.uk Approved Registrar has changed.
-
control of your organisation has changed or is expected to change
-
if there is any event that might lead to your organisation ceasing trading, such as a voluntary winding up, a bankruptcy, or an insolvency event
6. You commit to having a complaints policy in place.
7. You commit to complying with the Data Protection Act 2018 (as amended, updated or replaced from time to time) and all applicable privacy legislation in relation to the storage and handling of your Registrant’s personal data.
8. You commit to having a privacy policy in place.
9. You consent to being listed on the publicly available list of .gov.uk Approved Registrars.
Helping your Registrant meet their obligations
10. You commit to helping Registrants meet the domain name registration and management rules that apply to them, listed below. You must subscribe to updates and request your Registrants to subscribe to updates on these pages:
11. You commit to ensuring changes to domain records advised by Registry Operator or the CDDO Domain Management Team’s are made, either by supporting your Registrants or - if authorised - doing the changes yourself.
12. You commit to allowing the Registry Operator or the CDDO Domain Management Team to interact directly with the Registrant to help them meet the domain name registration and management rules.
13. You commit to escalating to the Registry Operator any instances where your Registrants are persistently failing to meet the domain name registration and management rules. You commit to taking any resulting action required by the Registry Operator or the CDDO Domain Management Team to protect the .gov.uk domain, dependent services and namespace.
14. You commit to recommending .gov.uk domain names as the preferred option to UK public sector organisations because .gov.uk domain names are monitored and protected and identify official public sector organisations. For example, central government departments, ALBs, city, town, parish councils or any other appropriate public sector organisations.
Providing customer support for your Registrant
15. You commit to providing reasonable support to your Registrants as is appropriate in the circumstances to move to another .gov.uk Approved Registrar whenever they wish, and in the case of you losing your .gov.uk Approved Registrar status.
16. You commit to providing Registrants with customer support between Monday to Friday during normal UK business hours, unless otherwise specifically agreed in writing with your Registrant.
17. You commit to telling the CDDO Domain Management Team and your Registrants what out-of-hours support (if any) you provide for urgent changes or changes required at specific times. The CDDO Domain Management Team will determine in its sole discretion what is an urgent change.
18. You commit to acting in a professional manner when interacting with Registrants, the gov.uk Registry Operator and the CDDO Domain Management Team in relation to all .gov.uk domain names.
19. You commit to providing accessible channels for your Registrants. For example, any website for Registrants must meet the international WCAG 2.1 AA accessibility standard.
Acting on behalf of your Registrant
The .gov.uk Technical Point of Contact is responsible for the technical management of a .gov.uk domain as outlined in the Keeping your domain name secure guidance. . The Technical Point of Contact must be someone from the Registrant or Registrar.
20. You commit to confirming in writing with the Registry Operator and CDDO Domain Management Team who the Technical Point of Contact is, or being the Technical Point of Contact if your Registrant requests it.
21. You commit to providing the Registry Operator with accurate and complete data to support and maintain every .gov.uk domain name you manage, and allowing the Registry Operator to share this data with the CDDO Domain Management Team.
Protecting the Registrant’s domain and Registry data
22. You commit to checking all Registry data change requests meet best practice as outlined in the Keeping your domain name secure guidance.
23. You commit to providing notifications of any changes made to key contacts to the CDDO Domain Management Team and keeping WHOIS details up-to-date.
24. You commit to assessing and mitigating the risks of any suppliers you depend on to protect Registrant data.
25. You commit to providing multi-factor authentication (MFA) to Registrants if you allow them to use your domain management tools. For our purposes MFA can be done using an authenticator app, email, specific characters from a memorable word or single use backup codes.
26. You commit to using MFA when Registrar staff use any services that relate to managing a Registrant’s .gov.uk domain name or data.
27. You commit to making sure a .gov.uk domain name is made safe by following the how to stop using your .gov.uk domain name guidance when a Registrant or the CDDO Domain Management Team tells you the domain is no longer in use.
28. If you are the Technical Point of Contact, you commit to including a default DMARC record for .gov.uk domains you host using the CDDO Domain Management Team’s recommended record template.
29. If you are the Technical Point of Contact, you commit to being able to roll-back any changes you make for Registrants. This could be done by keeping a last known good copy of the domain name data.
30. If you are the Technical Point of Contact, you commit to sharing an up-to-date copy of your Registrant’s .gov.uk zone file with the CDDO Domain Management Team, and using the CDDO Domain Management Team’s approved mechanisms for doing so.
Handling domain name issues
31. You commit to addressing issues raised by the CDDO Domain Management Team or the Registry Operator to protect the .gov.uk domain names you manage and the .gov.uk domains namespace generally.
32. You commit to monitoring the approved channels such that you are made aware of such issues. The approved channels may be email, web-based or instant messaging tools and in the case of an emergency, phone.
33. You commit to responding to such issues in the following timeframes:
| Type of issue | Initial response, including an analysis and timeframe to fix the issue | Time to fix, from the issue being raised |
|
Critically Impacting: Widespread or entire organisation functionally disrupted and financially impacted |
4 hours if you have a 24/7 support agreement with your Registrant Or 4 business hours in all other cases |
8 hours if you have a 24/7 support agreement with your Registrant Or 1 business day in all other cases |
|
Highly Impacting: Part of the organisation functionally disrupted and financially impacted |
24 hours if you have a 24/7 support agreement with your Registrant Or 2 business days in all other cases |
72 hours if you have a 24/7 support agreement with your Registrant Or 3 business days in all other cases |
|
Moderately Impacting: Small part of the organisation functionally disrupted and financially impacted. |
7 days | Timeframe by agreement with the CDDO Domain Management Team |
|
Low Impacting: Reputation damage |
7 days | Timeframe by agreement with the CDDO Domain Management Team |
|
Non-impacting Hygiene: A configuration that if left for a period of time might create a vulnerability |
7 days | Timeframe by agreement with the CDDO Domain Management Team |
Retaining domain records
34. You commit to maintaining all communications with Registrants in respect of their .gov.uk registrations, including the content of the registration records, and changes.
35. You commit to making this data available to the CDDO Domain Management Team and/or the Registry Operator upon request and for 2 years after any loss of your status as a .gov.uk Approved Registrar.