Guidance

Additional terms for .gov.uk agreements

This guidance explains what .gov.uk agreements Registrars, Registrant and sub-Registrants need in place to protect their .gov.uk domains.

• From: Central Digital and Data Office
• Published: 6 July 2023
• Last updated: 12 February 2024 — See all updates

The Central Digital and Data Office (CDDO) intends to procure a new .gov.uk Registry Operator. The changes below will come into effect when .gov.uk domains have migrated to this new Registry.

How we define .gov.uk agreements

We protect domains by using .gov.uk agreements.  A .gov.uk agreement is either a Registry Registrar Agreement (RRA) or a Registrant Agreement.

If you have been issued a .gov.uk domain or subdomain for your organisation’s use, there must be a chain of .gov.uk agreements in place that leads back to the Registry Operator.

What to do if you’re a Registrar

If you are a Registrar you must:

• have an RRA with the Registry Operator
• have a Registrant Agreement with each Registrant
• check the RRA and any Registrant Agreements include the terms on this page

What to do if you are a Registrant

If you are a Registrant you must:

• have a Registrant Agreement with your Registrar
• have a Registrant Agreement with any other organisations you delegate subdomains to as they are sub-Registrants
• check all your Registrant Agreements include the terms on this page

What to do if you are a sub-Registrant

If you have been delegated lower-level subdomains from a Registrant, you are a sub-Registrant, and you must:

• have a Registrant Agreement with your Registrant
• check the Registrant Agreement includes the terms on this page

Terms you must include in .gov.uk agreements

Drafting note: Your .gov.uk agreements may be written and agreed between the parties themselves, but you must make sure the following terms are included in their entirety in all agreements.

Precedence, latest version and updates

These terms take precedence over any other terms in this agreement.

The latest version of these terms can be found here https://www.gov.uk/guidance/additional-terms-for-govuk-agreements.

The party selling or issuing the gov.uk domain or subdomain must apply best endeavours to seek to update this agreement annually to reflect the latest version of the terms made available by the Critical Domain Holder (as defined below) from time to time. If this is a Registrant Agreement, the update should occur at the latest when the domain or subdomain is being renewed.

Role and responsibilities of CDDO as the Critical Domain Holder

The parties agree to and accept the role of the Critical Domain Holder as set out below in respect of the protection of .gov.uk domains and subdomains.

1. The Central Digital and Data Office (CDDO), acting on behalf of the Minister for the Cabinet Office and as part of the Crown, has rights over the ‘.gov.uk’ domain and subdomains. CDDO is the .gov.uk domain Critical Domain Holder.

2. The Critical Domain Holder does not need to be party to this agreement.

3. The Critical Domain Holder has appointed the .gov.uk Registry Operator.

4. The Critical Domain Holder permits the .gov.uk Registry Operator to enter into Registry Registrar Agreements.

5. The Critical Domain Holder is the only authority that may verify the identity of the Registrant.

6. The Critical Domain Holder approves a .gov.uk domain name for use by the Registrant.

7. The Critical Domain Holder is responsible for setting and maintaining the domain registration and management rules, which are defined in the Apply for your .gov.uk domain name guidance on GOV.UK.

8. The Critical Domain Holder acts as an escalation point and ultimate decision maker in the event of a dispute regarding the management or control of a .gov.uk domain name.

9. The Critical Domain Holder may, at its sole discretion, direct the Registry Operator, Registrar, Registrant or sub-Registrant to take action, including urgent action, to protect a .gov.uk domain name, at any time. Such action may include to suspend, withdraw or transfer a .gov.uk domain name:

    9.1. if the Registrant or sub-Registrant persistently or seriously violates the domain registration and management rules, which are defined in the Apply for your .gov.uk domain name guidance on GOV.UK,

    9.2. if the Registrant or sub-Registrant persistently fails to respond to communications from the Registrar, Registry Operator or Critical Domain Holder,

    9.3. to resolve disputes which concern the Registrant or sub-Registrant’s registered .gov.uk domain name,

    9.4. if the continued Registration of the Registrant’s .gov.uk domain name poses an immediate critical security threat to the Registrant’s services or other public sector services,

    9.5. if the Registrar persistently fails to meet the Criteria to be a .gov.uk Approved Registrar,

    9.6. if the Registrar is no longer a .gov.uk Approved Registrar as defined by the criteria,

    9.7. if there is any event that might lead to your organisation ceasing trading, such as a voluntary winding up, a bankruptcy, or an insolvency event as defined in section 123 of the Insolvency Act 1986,

    9.8. if required by the law.

10. The Critical Domain Holder is an independent data controller in its own right for personal contact data contained within the Registry Data. The Registry Data means any data, including but not limited to DNS resource records, public-key material for DNSSEC and personal contact data, in each case held by the Registry Operator:

    10.1. for use in its Registry Services,

    10.2. or for use by the Registry Operator in performance of its roles and obligations to the Critical Domain Holder, Registrar and/or Registrant,

    10.3. or for use by the Registrar in performance of its roles and obligations to the Critical Domain Holder, Registry Operator and/or Registrant.

11. The Critical Domain Holder and its suppliers are authorised to undertake monitoring of all .gov.uk domains and subdomains as described on the Domain Management team page. The purpose of monitoring is to test for the secure configuration of domains and associated digital services and alert the relevant service owners when problems are found.

The monitoring undertaken by the Critical Domain Holder, and/or its suppliers, may, on some rare occasions, temporarily impair the function of the domain and associated digital services. In those circumstances, the Critical Domain Holder will work with the Registrar, Registrant, and/or Sub-Registrant to overcome the temporary impairment as soon as is reasonably practicable. The Critical Domain Holder and its suppliers are authorised to undertake monitoring of all .gov.uk domains, and subdomains, regardless as to this risk of impairment.

In undertaking monitoring, the Critical Domain Holder, and/or its suppliers, may process personal data. The processing of personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Critical Domain Holder, and/or its suppliers as a data controller. Details associated with a domain will be retained for as long as the domain is registered and in use. If details change to another person the Critical Domain Holder, and/or its suppliers, will remove the old contact within six months

Role and responsibilities of the Registry Operator

The parties agree to and accept the role of the Registry Operator as set out below in respect of the protection of .gov.uk domains and subdomains.

12. The Registry Operator means the administrative and technical operator of the policies, processes and systems required to manage and operate the .gov.uk domains and subdomains. The Registry Operator is the only operator for gov.uk domains and subdomains, as appointed by the Critical Domain Holder.

13. The Registry Operator must only accept .gov.uk domain registrations from .gov.uk Approved Registrars. The Registrar Operator must not accept .gov.uk domain registrations from any reseller or any other entity.

14. The Registry Operator must use reasonable endeavours to verify that organisations that wish to be .gov.uk Registrars meet the Criteria to be a .gov.uk Approved Registrar.

15. The Registry Operator has a Registry Registrar Agreement with all .gov.uk Approved Registrars.

16. The Registry Operator must ensure that all Registrars have Registrant Agreements in place that reference this GOV.UK page and include these terms as updated from time to time and published on the aforementioned page.

17. All normal communications that the Registry Operator has with a Registrant must be through a Registrar. The exceptions to this are:

    17.1. if a Registrar is not supporting their Registrant in accordance with the Criteria to be a .gov.uk Approved Registrar or

    17.2. if the Registrant itself is not accepting such support.

In these exceptional cases the Registry Operator may contact a Registrant directly to help the Registrant meet the domain registration and management rules, which are defined in the Apply for your .gov.uk domain name guidance. The  Registry Operator must always copy the relevant Registrar in on communications with a Registrant in these cases.

18. The Registry Operator must maintain a published list of .gov.uk Approved Registrars.

19. The Registry Operator operates a fair marketplace for .gov.uk Approved Registrars. If the Registry Operator itself chooses to be a .gov.uk Approved Registrar, it must not grant itself more favourable terms or treatment than other .gov.uk Approved Registrars. The Registry Operator must not favour any .gov.uk Approved Registrar over any other.

20. The Registry Operator must not unreasonably refuse to sign a Registry Registrar Agreement with a .gov.uk Approved Registrar.

21. The Registry Operator must use reasonable endeavours to help .gov.uk Approved Registrars continue to meet the Criteria to be a .gov.uk Approved Registrar.

22. The Registry Operator must notify the Critical Domain Holder before removing the status of .gov.uk Approved Registrar or terminating a Registry Registrar Agreement with a .gov.uk Approved Registrar.

23. The Registry Operator is an independent data controller in its own right for personal contact data contained within the Registry Data. As a data controller, the Registry Operator will be responsible for ensuring agreements to cover the sharing and processing of personal data with other parties, such as the Registrars, are in place. The Registry Data means any data, including but not limited to DNS resource records, public-key material for DNSSEC and personal contact data, in each case held by the Registry Operator:

    23.1. for use in its Registry Services, 

    23.2. or for use by the Registry Operator in performance of its roles and obligations to the Critical Domain Holder, Registrar and/or Registrant, 

    23.3. or for use by the Registrar in performance of its roles and obligations to the Critical Domain Holder, Registry Operator and/or Registrant.

Role and responsibilities of the Registrar

The parties agree to and accept the role of the Registrar as set out below in respect of the protection of .gov.uk domains and subdomains.

24. The Registrar must meet the Criteria to be a .gov.uk Approved Registrar at all times.

25. The Registrar must only provide .gov.uk domains directly to the Registrants that they have Registrant Agreements with. The Registrar must not provide .gov.uk domains via any reseller.

26. The Registrar must maintain a list of all Registrants that have delegated lower-level subdomains out to sub-Registrants.

27. The Registrar must ensure that if a Registrant transfers a domain name:

    27.1. the new Registrant is eligible to have the domain, 

    27.2. any new Registrar is a .gov.uk Approved Registrar,

    27.3. all parties follow the Transfer your domain name guidance.

28. The Registrar agrees that any persistent failures, as defined and/or determined by the Registry Operator, and confirmed at the sole discretion of the Critical Domain Holder, to meet the Criteria to be a .gov.uk Approved Registrar, will result in:

    28.1. the Registrar no longer being a .gov.uk Approved Registrar,

    28.2. the Registrar, in consultation with the Registrant, to transfer the management of its .gov.uk domain names to an alternative .gov.uk Approved Registrar,

The Registrar must at its own cost and expense, provide all such support, assistance and cooperation and execute or procure the execution of all such documents as the Critical Domain Holder or the Registry Operator may from time to time require for the purpose of giving full effect to this provision.

29. The Registrar is an independent data controller in its own right for personal contact data contained within the Registry Data. The Registry Data means any data, including but not limited to DNS resource records, public-key material for DNSSEC and personal contact data, in each case held by the Registry Operator:

    29.1. for use in its Registry Services, 

    29.2. or for use by the Registry Operator in performance of its roles and obligations to the Critical Domain Holder, Registrar and/or Registrant, 

    29.3. or for use by the Registrar in performance of its roles and obligations to the Critical Domain Holder, Registry Operator and/or Registrant.

Role and responsibilities of the Registrant

The parties agree to and accept the role of the Registrant as set out below in respect of the protection of .gov.uk domains and subdomains.

30. The Registrant is an entity which has registered a .gov.uk domain name in the .gov.uk Registry.

31. The Registrant must remain in legal control of their .gov.uk domain name at all times. This includes not reselling or passing control of their .gov.uk domain name to a non-public sector organisation.

32. The Registrant must get approval from The Critical Domain Holder prior to transferring their .gov.uk domain to any other organisation.

33. The Registrant must protect its .gov.uk domain name by following the domain registration and management rules, which are defined in the Apply for your .gov.uk domain name guidance on GOV.UK that apply to them, found here:

• Get permission to apply for a .gov.uk domain name

• Identify a domain name administrator

• Choose your .gov.uk domain name

• Get started with your .gov.uk domain name

• How you are accountable for protecting your .gov.uk domain

• Creating and managing .gov.uk subdomains

• Keeping your domain name secure

• Renew your domain name

• Make changes to your .gov.uk domain name

• How to stop using your domain name

• What to do if your domain is compromised

34. The Registrant has the right to move its .gov.uk domain name from the Registrar to any other Registrar at any time and for any reason. The Registrant is not entitled to a refund for any remaining term of the registration.

35. The Registrant accepts that if their Registrar is no longer a .gov.uk Approved Registrar, then the Registrant must move its .gov.uk domains to a .gov.uk Approved Registrar.

36. If the Registrant has delegated lower-level subdomains out to a sub-Registrant, the Registrant:

    36.1. must tell its Registrar,

    36.2. must help the sub-Registrant meet the domain registration and management rules, which are defined in the Apply for your .gov.uk domain name guidance on GOV.UK that apply to them,

    36.3. is a data controller of the personal data that the sub-Registrant has shared with it.

37. The Registrant is an independent data controller in its own right for personal contact data contained within the Registry Data. The Registry Data means any data, including but not limited to DNS resource records, public-key material for DNSSEC and personal contact data, in each case held by the Registry Operator:

    37.1. for use in its Registry Services,

    37.2. or for use by the Registry Operator in performance of its roles and obligations to the Critical Domain Holder, Registrar and/or Registrant,

    37.3. or for use by the Registrar in performance of its roles and obligations to the Critical Domain Holder, Registry Operator and/or Registrant.

38. The Registrant agrees that the Critical Domain Holder and its suppliers are authorised to undertake monitoring of all .gov.uk domains and subdomains as described on the Domain Management team page. The purpose of monitoring is to test for the secure configuration of domains and associated digital services and alert the relevant service owners when problems are found.

The Registrant consents to the Critical Domain Holder and/or its suppliers processing personal data, specifically collecting DNS records and WHOIS records where they are available, to:

• provide support; protect the domain names in the public sector
• reduce the risk of attack to associated services such as email, web, and digital services
• ensure the governance and accessibility of web services

The Registrant consents to the retention of personal data by the Critical Domain Holder and/or its suppliers.

Role and responsibilities of the sub-Registrant

The parties agree to and accept the role of the sub-Registrant as set out below in respect of the protection of .gov.uk domains and subdomains.

39. The sub-Registrant is an entity which has been given a lower-level domain from a .gov.uk Registrant. The sub-Registrant is not the same organisation as the Registrant.

40. The sub-Registrant must protect its .gov.uk domain name by following the domain registration and management rules, which are defined in the Apply for your .gov.uk domain name guidance on GOV.UK that apply to them, found here: 

• How you are accountable for protecting your .gov.uk domain

• Creating and managing .gov.uk subdomains

• Keeping your domain name secure

• How to stop using your domain name

• What to do if your domain is compromised

41. The sub-Registrant is a data controller of the personal data it shares with the Registrant.

42. The sub-Registrant agrees that the Critical Domain Holder and its suppliers are is authorised to undertake monitoring of all .gov.uk domains and subdomains as described on the Domain Management team page. The purpose of monitoring is to test for the secure configuration of domains and associated digital services and alert the relevant service owners when problems are found.

The Sub-registrant consents to the Critical Domain Holder and/or its suppliers processing personal data, specifically collecting DNS records and WHOIS records where they are available to:

• provide support; protect the domain names in the
• public sector; and to reduce the risk of attack to associated services such as email, web, and digital services
• ensure the governance and accessibility of web services

The Sub-registrant consents to the retention of personal data by the Critical Domain Holder and/or its suppliers.

Pricing for .gov.uk domain names

43. The pricing for .gov.uk domain names is to be confirmed.

Published 6 July 2023
Last updated 12 February 2024 + show all updates

1. 12 February 2024

   We had new sections 11, 38 and 42. These cover roles and responsibilities of CDDO, the Registrant and Sub-Registrant when it comes to the monitoring of domains.

2. 6 July 2023

   First published.