Summary
- Institutional resilience cannot be inferred from uptime or reserves alone; it must be tested across legal authority, governance legitimacy, data integrity, finance, cryptographic trust and operator dependence.
- The core scenario set should combine failed elections, insolvency, sanctions and payment disruption, coordinated cyberattack, RPKI trust-anchor migration and a surge of contested or inter-regional transfers.
- Exercises must progress from documented decision tests to functional rehearsals, shadow service, controlled failover and full cross-institutional simulation without risking live resource control.
- Pass conditions should measure preservation of authoritative records, lawful decision rights, service restoration, holder access, route-security equivalence, correction capacity, regional self-governance and safe return of control.
- Emergency operators should receive the minimum temporary powers needed for continuity, with explicit prohibitions on policy change, discretionary reallocation and indefinite retention of authority.
- Operators must participate as active validators because a registry can believe a service is restored while relying parties, automation, directories and routing-security systems still observe inconsistent state.
- Public reports should disclose assumptions, tested scope, failures, evidence, remediation owners and retest dates while protecting credentials, personal records and exploitable security detail.
- NRS can convene discussion, collect authorized member accounts and submissions, and publish evidence-led comparisons of disclosed exercise results. It cannot control the exercise, provide conformance authority, hold protected operational evidence or displace the RIRs, IANA services, emergency operators and independent reviewers responsible for execution.
A decade is the right unit of seriousness
One annual exercise is too short to expose institutional memory loss, vendor turnover, cryptographic replacement, board change and legal drift. Ten years is long enough for senior staff to leave, contracts to expire, systems to be replaced, policy disputes to recur and emergency documentation to become stale. It is also short enough to assign milestones, budgets and public responsibility now.
The programme should operate as a sequence, not as ten repetitions of the same tabletop discussion. Early years establish inventories, authority maps and measurable recovery objectives. Middle years test functional substitution and cross-regional coordination. Later years combine failures and require independent teams to recover from incomplete or misleading information. Each stage should incorporate lessons from real incidents and changes in law or standards.
The point is not to manufacture drama. A test should be severe but plausible. Election rules can produce disputed results. Non-profit institutions can face revenue shocks, litigation or insolvency. Sanctions can restrict services, banking and counterparties. Sophisticated attackers can target identity, authentication, registration and publication systems at once. Trust-anchor keys eventually require migration because hardware and algorithms do not last forever. Scarcity and corporate restructuring can create bursts of transfers. None of these conditions is speculative.
The revised draft RIR Governance Document gives emergency continuity, an Emergency Operator, handover and post-event review explicit attention. The NRO's preliminary implementation assessment identifies the need for technical, administrative and legal arrangements for an Emergency Operator and stable handover. These are important institutional commitments. A stress test asks whether they can be executed with real inventories, authorities, staff, contracts, credentials and deadlines.
Define the system before trying to break it
The system under test is larger than any one registry. At its centre are authoritative records linking number resources to recognized holders. Around them sit member and holder identity, contracts, billing, transfer review, public directory services, reverse DNS, RPKI certification and publication, policy support, elections, dispute handling, audit evidence, communications and IANA-facing coordination. Operators consume the resulting state through human and automated systems.
Every participating institution should begin with a service-and-authority map. For each critical function, the map identifies the legal source of authority, decision owner, operational owner, data store, authentication dependency, critical supplier, upstream and downstream institution, maximum tolerable interruption, acceptable data-loss interval and authorized substitute. It should also identify which powers cannot be delegated under current law or governing documents.
The map must distinguish service continuity from governance continuity. An emergency team may be able to keep an RDAP service online without having authority to approve transfers. It may preserve RPKI publication without being entitled to issue new resource certificates. It may collect membership payments without being able to change the fee schedule. A stress test fails if technical access is mistaken for lawful power.
The inventory should classify functions into four recovery tiers. Tier one contains authoritative data preservation, read-only directory access, RPKI repository continuity, security monitoring and incident communication. Tier two contains holder authentication, record correction, urgent route-security changes and court-directed protective action. Tier three contains routine allocation, transfer, billing and policy support. Tier four contains events, training, research and discretionary projects. Local institutions may adjust the order, but every deviation should have a reason.
This prioritization prevents a common exercise error: declaring success because visible websites return while the functions that establish authority remain unavailable. It also prevents emergency powers from expanding merely because ordinary business is inconvenient. Continuity is the preservation of essential rights and records under constrained conditions, not the recreation of every service on the first day.
The resolution method needs fixed phases
Every scenario should be resolved through six observable phases. The first is detection: when did the institution know, and what evidence crossed the threshold? The second is classification: which services, authorities, populations and external dependencies are affected? The third is containment: what actions preserve evidence and prevent unauthorized change? The fourth is continuity: which temporary service arrangement is activated, by whom and under what limits? The fifth is recovery: how are authoritative state, holder access and dependent services reconciled?
The sixth is return: how does temporary authority end, and how is the decision reviewed?
Each phase needs a decision record. The record should identify the evidence available at the time, the authorized decision-maker, legal basis, dissent, affected services, expiry condition and next review point. Exercises should deliberately remove one expected decision-maker to test succession. They should also introduce contradictory evidence so that entities must distinguish urgency from certainty.
Pass conditions should be written before scenario details are revealed. They include maximum time to recognize the event, freeze unsafe changes, establish an authoritative snapshot, notify dependent institutions, activate a lawful substitute, restore prioritized services and reconcile downstream state. They also include qualitative conditions: no unauthorized allocation, no silent loss of review rights, no use of emergency authority to alter policy, no destruction of evidence and no indefinite temporary control.
Resolution should be reversible where possible. A temporary restriction can be lifted. A read-only service can return to transactional mode after reconciliation. An emergency operator can return authority to a restored regional institution. Irreversible actions, such as resource revocation or trust-anchor destruction, require stronger approval and evidence. Tests should penalize rapid but irreversible decisions that create greater long-term harm.
Scenario one: an election does not produce legitimate authority
The first scenario begins with an ordinary board election. Eligibility data is challenged shortly before voting closes. A supplier reports that a configuration error may have excluded some members and allowed duplicate credentials for others. The apparent margin is narrow. The incumbent board's term expires before a full independent review can finish. At the same time, the board must approve a budget and appoint signatories for critical contracts.
This scenario tests whether institutional continuity depends on accepting a disputed result. The entities must determine which body can preserve operations, whether incumbent authority continues temporarily, which decisions may be deferred, how evidence is secured and how affected members obtain review. The correct answer will vary by governing law and bylaws. The test is whether the answer is known, lawful and restrained before the dispute occurs.
Success does not mean producing a winner quickly. It means preserving ballot evidence, preventing interested parties from controlling the investigation, maintaining only necessary corporate authority and completing a credible remedy. The institution should be able to reissue ballots or rerun an election without losing registry operations. Temporary directors or officers should not make irreversible policy, executive-compensation or asset decisions unless delay would cause demonstrable harm.
The evidence package should include the eligibility snapshot, credential issuance counts, delivery failures, turnout denominators, independent verification, challenge timeline, decisions made during the interim and the final remedy. Personal votes remain secret. The public result should reveal whether every eligible class received equal treatment and whether the continuity arrangement altered the competitive field.
A harder variant combines election failure with disinformation. False notices circulate about voting dates and candidate withdrawal. The institution must authenticate communications without granting incumbents exclusive narrative control. Operators and members should be able to verify official notices through more than one channel. The exercise tests legitimacy, not merely ballot software.
Scenario two: financial failure reaches operational authority
The insolvency scenario should not begin with a clean declaration that funds have run out. It should begin with deteriorating signals: concentrated revenue, delayed member payments, litigation expense, currency loss, a supplier demanding advance payment and an auditor questioning the going-concern assumption. Management believes a recovery is possible. The board fears that disclosure will accelerate failure.
Entities must decide when financial stress becomes a continuity event, what must be disclosed and which expenditures receive priority. Payroll for critical operations, security, insurance, facilities, data custody, legal obligations and essential suppliers compete with ordinary programmes. The test should include a bank account freeze or payment-provider withdrawal so that nominal reserves cannot automatically be spent.
The NRO publishes the Joint RIR Stability Fund as a collective emergency-support commitment. Its current page records voluntary pledges from RIR reserves, a formal documented request by the affected RIR's board, unanimous NRO Executive Council approval and contributions made only when needed rather than a pre-funded pooled account. A credible exercise should test access conditions, timing, currency, governance, repayment or grant terms, and what evidence other RIRs need before releasing support. A commitment that requires a formal board request could arrive too late if the affected institution has already lost the capacity to make that request.
The scenario must also test court and creditor boundaries. Registration data, cryptographic keys, domains, equipment and receivables may be treated differently under local law. Entities should know which assets can be transferred, licensed or protected, and which require court approval. They should test whether an insolvency practitioner understands that authoritative number-resource records are not ordinary saleable inventory.
Pass conditions include uninterrupted preservation of authoritative records, no pledge or sale of control that exceeds institutional authority, continued priority services, documented use of reserves, activation of lawful assistance and a credible route to rehabilitation or interim operation. Public confidence cannot depend on hiding the problem until cash is exhausted.
Scenario three: sanctions fragment law, payment and service
Sanctions are a particularly useful stress test because they combine legal uncertainty, identity risk, banking dependence and political pressure. The RIPE NCC Q2 2026 sanctions report explains that applicable EU sanctions can freeze registration changes without deregistering resources or terminating membership, while payment constraints can also arise from banks' treatment of other sanctions lists. That distinction between registration, use, service and payment is exactly what an exercise must preserve.
The scenario should introduce a new designation that may apply to a member through indirect control. Screening produces a possible match but not a confirmed one. A bank rejects payments from several unrelated members in the same jurisdiction. A court in another country orders continued service, while a regulator where the registry is incorporated threatens penalties. The affected holder requests an urgent route-origin authorization change after a routing incident.
Entities must separate facts from legal interpretations. They must establish who can decide that a match is confirmed, what services are frozen, what safety changes remain permissible, how false positives are corrected and how similarly situated members are treated. They must record the effective time of each restriction and preserve a route for review.
The exercise should test aggregate public reporting without exposing private identity or legal advice. It should also test payment alternatives that comply with applicable law. A member who cannot pay because the registry's bank refuses a lawful transaction should not automatically be treated like a delinquent member who chooses not to pay. The institution needs a documented distinction and a way to preserve continuity while uncertainty is resolved.
Pass conditions include timely legal escalation, no unauthorized deregistration, a defined treatment of urgent security changes, evidence-based false-positive correction, consistent restrictions and a reversible return to ordinary service. A politically popular decision that violates the institution's legal duties is a failure; so is legal caution that leaves operators unable to protect routing without reasoned review.
Scenario four: coordinated cyberattack against authority
The cyber scenario should target confidence rather than availability alone. Attackers compromise a support account, alter some holder contact records, obtain a valid session for an administrator and publish a fabricated notice claiming that registry data has been corrupted. At the same time, denial-of-service traffic affects directory queries and one RPKI publication endpoint. Backups exist, but their most recent restoration test did not include all downstream services.
The institution must determine which state is authoritative. It must preserve logs, revoke access, freeze high-risk changes, establish a trusted snapshot and communicate uncertainty without inviting unsafe assumptions. A clean public website is not the objective. The objective is a defensible chain from evidence to restored authority.
Exercises should include insider-risk and supplier variants. A privileged employee may be unavailable or suspected. An identity provider may be compromised. A cloud supplier may restore infrastructure but not the precise event ordering needed to identify unauthorized changes. Entities should be forced to use independent evidence such as signed records, replicated logs, external observations and holder confirmation.
The technical response must remain connected to rights. If all transfers are frozen, holders need to know the basis, expected review and urgent exception route. If credentials are reset, organizations with departed contacts need a robust recovery path. If directory data is restored from an earlier snapshot, corrections made after that point must be replayed and verified rather than silently lost.
Pass conditions include bounded data loss, complete identification of changed records, independent validation of the restored snapshot, recovery of tier-one services, safe holder reauthentication, reconciliation of RPKI and directory state, and a public incident account after immediate security risk has passed. The exercise should measure the 95th-percentile time for affected holders to regain safe access, not merely the time at which administrators can log in.
Scenario five: trust-anchor key migration under uneven adoption
Cryptographic continuity is institutional because a registry does not control every relying party. RFC 9691 defines a signed Trust Anchor Key entity that can signal a current and successor public key and support planned RPKI trust-anchor rollover. It uses an acceptance period so relying parties can observe and validate the successor before switching. The standard also recognizes that some relying parties may not support automatic transition and may continue to use older trust information.
The scenario begins with a planned hardware-security-module replacement. The old private key cannot be exported to the new device. The institution has staged a successor key, but measurement shows uneven support among relying-party implementations. During the acceptance period, a vulnerability announcement shortens the safe life of the old device. A separate service incident creates inconsistent repository content for a small subset of validators.
Entities must decide whether to continue, pause or restart the migration. They need evidence that old and new trust paths produce equivalent validated outcomes. They must coordinate with software maintainers and operators without allowing unverified messages to become a new trust root. They must retain the old key long enough for continuity while limiting exposure from the vulnerable hardware.
The exercise should run real validation against isolated test repositories and representative relying-party versions. It should measure adoption, failed retrieval, inconsistent validation, stale trust data and operator response. It should include an organization that deliberately pins old trust material and another that updates only through software releases. The outcome cannot be judged solely from the registry's own validator.
Pass conditions include equivalent resource coverage under both keys, successful acceptance by supported validators, a documented route for manual transition, authenticated public notice, rollback before destructive key retirement and evidence-based timing for removal of the old key. The test should fail if any significant operator class becomes blind to an entire regional certification tree without detection.
Scenario six: mass transfer after corporate and market shock
The transfer scenario begins with the insolvency of a large infrastructure group holding resources through many subsidiaries in several regions. Courts authorize sales in different jurisdictions. Some transfers are corporate successions, some are asset sales, some are contested by creditors and some involve buyers already holding substantial address space. Brokers submit overlapping documents. A portion of the resources has active route-origin authorizations and critical public-sector users.
The resulting volume should exceed ordinary capacity for several months. The test asks whether institutions can scale review without abandoning authority checks, favoring the best-resourced applicants or turning a queue into a hidden moratorium. It also tests whether inter-regional records reconcile when one institution approves a step and another requires additional evidence.
The scenario needs a synthetic but internally consistent inventory of legal entities, resource blocks, contracts, court orders, historic records, certification state and routing observations. Teams should receive documents in stages, including contradictions that require escalation. They should distinguish legal control of a company from authority to transfer a particular resource registration.
Emergency capacity should not mean relaxed identity review. Institutions can create triage, shared document verification, standardized court-order analysis and transparent priority rules. Urgent changes needed to protect active networks can be separated from final transfer. Every exception should be recorded, time-limited and reviewable.
Pass conditions include no duplicate disposition, complete linkage of source and recipient records, preservation of contested status, bounded tail delay, consistent inter-regional identifiers, timely certification reconciliation and public queue reporting. Concentration effects should be measured but not used to invent a policy prohibition during the event. If policy permits a transfer, emergency staff should not substitute their own market judgment.
Scenario seven: IANA-facing coordination becomes uncertain
The global numbering layer has a deliberately narrow transaction set, and its published performance is strong. The IANA number-resource performance reports show acknowledgement, response, implementation and accuracy against service targets, as well as reverse-DNS propagation and availability. That record makes IANA-facing coordination a suitable control scenario: ordinary performance is measurable, so departure from it can be detected precisely.
The scenario begins with conflicting requests that appear to come from authorized RIR contacts during a regional continuity event. One asks for a reverse-DNS change; another asks IANA not to act because authority is disputed. A third institution claims that an emergency arrangement has taken effect, but the activation notice is incomplete. At the same time, a communications outage affects one established verification channel.
The IANA team must preserve neutrality while deciding what evidence is sufficient to acknowledge, hold, reject or implement a request. Speed alone is not success. An accurately implemented instruction from an unauthorized requester would be a severe failure. Refusing every request indefinitely would also transfer risk to the numbering community. The test therefore needs a pre-agreed authority-verification ladder, out-of-band confirmation routes and a defined treatment of conflicting claims.
Entities should test whether emergency contact records are current, whether changes to those records require dual control, and whether the basis for recognizing a temporary authority can be audited later. A substitute RIR service should not gain IANA-facing authority merely because it has technical possession of copied data. Conversely, a formally appointed emergency body should not be blocked because one former officer retains access to an obsolete published contact points.
The reverse-DNS element should use synthetic zones and isolated infrastructure. Teams should measure request authentication, decision time, implementation accuracy, propagation and rollback. The registration element should test whether the authoritative allocation state remains unambiguous across IANA and all RIR entities after the event. No live global allocation or delegation needs to be endangered.
Pass conditions include correct identification of the authorized requester, preserved evidence of contradictory claims, bounded hold time, no unauthorized global record change, accurate implementation after resolution and consistent downstream state. The public report should disclose the tested authority path and timing while withholding authentication secrets. This scenario proves that institutional continuity extends across boundaries rather than stopping at the regional office door.
The decisive test is a compound scenario
Testing each shock separately is necessary and limited public evidence. In 2033 or 2034, the programme should conduct a compound exercise in which election legitimacy is disputed, a financial covenant is breached, a sanctions update affects a major holder, attackers exploit the confusion, a trust-anchor transition is already under way and a mass-transfer case reaches a court deadline.
The scenario should not simply add six independent tasks. Dependencies should force choices. Freezing all changes helps cyber containment but may prevent a necessary key or route-security correction. Public disclosure may protect members but worsen a bank run. Releasing stability funds may require signatures from a disputed board. Activating an emergency operator may preserve services but trigger legal restrictions on cross-border data access. Extending the old trust-anchor key may aid compatibility but increase security exposure.
Entities should receive incomplete information on realistic schedules. Independent controllers can inject new evidence based on decisions. If a team fails to preserve logs, later attribution becomes impossible. If it issues an overbroad legal freeze, operator harm increases. If it waits for certainty, service restoration slows. The purpose is to expose trade-offs, not to reward theatrical decisiveness.
No organization should control the entire exercise narrative. Separate teams should represent the affected RIR, other RIRs, IANA numbering services, an emergency operator, operators, resource holders, auditors and legal authorities. NRS may participate as an advocacy observer or as the representative of a member that has expressly authorized it. NRS must not receive operational credentials, decision rights or protected evidence custody. Authority boundaries should match plausible arrangements. Observers should record not only decisions but also requests that went unanswered and assumptions no one verified.
Success means preserving a minimum legitimate state: authoritative records remain intact, unsafe changes are contained, critical public services continue, urgent holder rights can be exercised, certification remains interpretable, temporary powers stay limited, evidence survives and regional control returns when restoration criteria are met. It does not mean that every routine service meets normal targets.
Baselines, injects and exercise control
A stress test can be manipulated before it begins by selecting an easy baseline. Each shared exercise should therefore start from a signed inventory statement: counts of authoritative records, active holders, open cases, certificates, directory entities, privileged accounts, critical contracts and service dependencies. Independent reviewers should verify samples and record known defects. Teams cannot then attribute every inconsistency to the scenario or quietly exclude an awkward population.
Scenario injects should be derived from documented risk and real institutional dependencies. They can include a court order, bank notice, election supplier alert, security log, validator result, member complaint or staff-availability change. Each inject needs an issue time, source role, reliability class and intended evidence consequence. Entities may question an inject's reliability, just as they should question uncertain evidence in a real event, but controllers must preserve the ground truth needed for later assessment.
Controllers should not steer teams toward a preferred policy result. Their job is to maintain consistent facts, apply consequences, measure decisions and prevent unsafe contact with live systems. A separate assessment group should judge pass conditions. Another protected group should manage any confidential technical material. Separation reduces the risk that those who designed the scenario declare their own assumptions correct.
The exercise clock should reflect the tested function. A financial or sanctions scenario may compress weeks into hours while preserving decision order and notice periods. A trust-anchor transition cannot simply compress acceptance behaviour if the duration itself provides security. Functional testing may simulate long intervals, but the final programme should also conduct at least one real-time extended rehearsal that exposes handoffs between shifts and regions.
Every communication should be captured through agreed channels. Informal calls often carry decisive context during incidents, yet leave no record for review. Exercises should require a short decision note after oral instructions and should test failure of the primary conference or messaging service. Public notices should be drafted and authenticated as if they were real, then distributed only within the exercise environment unless clearly labelled as tests.
An exercise may be stopped if it risks live services, protected data or entity safety. Stop authority and criteria must be defined in advance. Stopping for safety is not a failure; creating avoidable live risk is. The assessment should still record which design assumption caused the stop and require a safer retest.
Exercise methods must progress beyond discussion
The first method is document verification. Independent reviewers inspect whether authorities, inventories, contacts, contracts, recovery objectives and substitution powers are current and mutually consistent. This can reveal contradictions before any simulation. A document that names a former employee or expired supplier should count as a finding, not as completed readiness.
The second method is decision simulation. Leaders and technical staff receive timed injects and must produce actual decision records, notices, legal escalations and service priorities. Observers compare decisions with governing documents and pass conditions. Entities should not receive the expected answer in advance.
The third method is functional rehearsal in isolated environments. Teams restore authoritative snapshots, rebuild identity access, reissue test certificates, reconcile directories and process synthetic transfers. Measured outputs come from systems and independent validators, not self-report. Credentials and data must be synthetic or strongly protected.
The fourth method is shadow service. A substitute team receives replicated non-production state and attempts to provide defined functions without help from the primary team. Results reveal undocumented knowledge, proprietary dependencies and ambiguous authority. The primary institution remains in control of live services.
The fifth method is controlled failover. A narrow, reversible service such as a public read-only dataset or test RPKI repository is switched to a prepared alternate under observation. Any live element requires strict change controls, prior member notice where appropriate, rollback and explicit approval. Exercises must never create unnecessary risk to actual resource control.
The final method is a cross-institutional simulation with real communications, independent timing and representative operator systems. It should include night, weekend and multi-time-zone conditions. Recovery plans that work only when every specialist is immediately available are not resilient.
Operators are validators, not an audience
Registry institutions can test internal service restoration and still miss external failure. Operators may cache directory data, run diverse relying-party software, automate certificate changes, depend on allowlists or interpret incident notices differently. Their observations determine whether restored state is usable.
The programme should recruit operators of different sizes, regions and technical models. Entities should include access providers, hosting networks, public-sector networks, content networks, enterprises and route-security software maintainers. Their role is to validate synthetic results, test communications and report operational consequences. Participation should not grant access to private holder data.
Operator measures should include time to authenticate an official notice, time to retrieve current directory state, validator convergence, inconsistent route-validity outcomes, failed automation, manual intervention and residual uncertainty. A service can meet an internal availability target while operators receive contradictory results. External convergence is therefore a pass condition.
Operators should also test restraint. Emergency communications must not encourage networks to reject routes based on uncertain or incomplete evidence. Registry authority over records does not convert an institution into a universal routing controller. Notices should describe observed state, confidence, affected services and recommended verification without overstating command.
Emergency authority must be narrow and temporary
An Emergency Operator needs enough access and legal standing to preserve essential services. It should not inherit an unrestricted mandate. The activation instrument should list permitted functions, prohibited actions, data boundaries, spending authority, review intervals, expiry conditions and return criteria.
Prohibited actions should normally include changing regional number policy, reallocating contested resources, altering election rules, disposing of institutional assets, using member data for unrelated purposes and extending its own appointment. Exceptions should require a separately authorized body and public reasons. The emergency body should not become judge of its continued necessity.
The return of authority deserves as much testing as activation. The restored institution must demonstrate governance legitimacy, security, data integrity, staffing, financial capacity and lawful control. The emergency body must provide complete records and relinquish credentials. Parallel operation may be necessary for reconciliation, but decision ownership must be unambiguous.
The draft governance material's emphasis on post-emergency review is important. Every exercise should use the same discipline even when no live emergency occurred. The public report should identify duration, services provided, authority exercised, exceptions, affected rights, return decision, unresolved defects and recommendations.
NRS can convene institutions that may distrust one another, help smaller members articulate their experience and publish research comparing the public measures and outcomes. It must not maintain test assets, define conformance, hold protected evidence, operate the exercise or control a transfer of authority. Those functions belong to the participating RIRs, IANA services, qualified emergency operators and independent reviewers. NRS's legitimacy is strongest when its advocacy makes power more answerable without acquiring any of that power itself.
A score should preserve failure, not conceal it
A single resilience grade would be attractive and misleading. Institutions can be strong in technical recovery and weak in legal authority, or financially resilient and cryptographically brittle. The result should use a multi-dimensional scorecard with hard failure conditions.
The dimensions are authority, governance, finance, data integrity, security containment, service continuity, holder access, RPKI equivalence, external convergence, communication, reversibility and learning. Each dimension should show the target, observed result, evidence source and confidence. Hard failures include unauthorized resource change, loss of authoritative data, inability to identify a lawful decision-maker, unbounded emergency power, undetected certification divergence and failure to preserve review rights.
Time measures should report distributions. Holder recovery cannot be represented by the first successful login. Transfer recovery cannot be represented by one easy case. Validator convergence cannot be represented by the institution's own implementation. Tail outcomes reveal who bears the cost of institutional stress.
Findings should be classified by consequence and recurrence. A documentation defect may be minor until it blocks emergency signatory authority. A failed test is not reputational defeat if it produces timely remediation and a successful retest. Concealing or narrowing the test after failure is more serious than discovering weakness.
Remediation and retest are part of the result
An exercise report without funded remediation is an observation, not resilience improvement. Every material finding should have an accountable owner, approved resources, interim risk treatment, target date and retest method. If management accepts the risk, the approving body should state why the residual exposure is tolerable and when that judgment expires. Critical findings should return to the board or equivalent governing body rather than disappearing into technical maintenance.
Retests should reproduce the failed condition closely enough to prove correction. A new document is not sufficient when the failure concerned actual restoration. A supplier assurance letter is not sufficient when the failure concerned cross-provider substitution. A successful internal validator is not sufficient when operators observed divergent RPKI outcomes. Evidence must match the original pass condition.
The programme should distinguish immediate containment, durable correction and systemic learning. Immediate containment reduces present exposure, such as updating emergency contacts or preserving an additional backup. Durable correction changes the capability, such as establishing lawful delegated authority or an independently tested restoration path. Systemic learning changes related institutions or standards so that the same weakness is not repeated elsewhere.
Retest timing should reflect severity. A hard failure involving authoritative data, unlawful power or cryptographic divergence should be retested within six months. A major continuity weakness should be retested within a year. Lower-severity findings can follow the next annual exercise, but overdue items must remain public. Institutions should not wait for the same scenario's next decade milestone.
Repeated failure needs escalation. If two retests fail for the same underlying cause, independent reviewers should examine whether the stated remedy addresses the cause, whether resources are adequate and whether leaders have incentives to delay. Collective support may be appropriate, especially for specialized cryptographic or legal capability. Assistance should strengthen the affected regional institution before replacement is considered.
Successful retests should not erase original findings. The ten-year record should show discovery, interim treatment, correction, evidence and closure. This history lets members distinguish institutions that learn from those that merely rotate language. It also protects staff who report weaknesses: a transparent improvement record makes discovery a sign of effective control rather than a reason to suppress bad news.
By 2036, the most persuasive success measure may be the closure rate for difficult findings across several institutions. That measure captures willingness to fund unglamorous resilience, accept independent evidence and return after an initial failure. A perfect first exercise is less credible than a demanding programme that finds real defects and proves they were repaired.
Public evidence and protected detail can coexist
The public report should state scenario assumptions, entities by role, services tested, excluded scope, pass conditions, decisions, observed results, failures, affected rights, remediation owners and retest dates. It should include enough timing and reconciliation data for outsiders to understand the result.
It should not publish credentials, personal records, privileged legal advice, detailed vulnerabilities, private keys, exploitable architecture or confidential member evidence. Independent auditors can examine those materials and issue a scoped assurance statement. Security findings can be delayed until remediation where disclosure would create immediate risk, but the existence and severity of the finding should not vanish.
Evidence must be durable. Exercise records should preserve signed snapshots, event logs, validator outputs, decision records, communications and revisions under controlled custody. Public reports should link to stable, integrity-checked artefacts where safe. Later retests should cite the original finding and show what changed.
The public should also see disagreement. If legal advisers, operators and institutional leaders interpret a pass condition differently, the report should explain the divergence and final decision. Consensus theatre is not resilience. Institutions earn trust by showing how contested evidence was resolved.
The 2026-2036 test calendar
2026: establish the joint charter, authority maps, service tiers, shared terms, pass conditions and protected evidence rules. Publish institution-level gaps.
2027: test election dispute, succession and communications at every participating institution. Require independent ballot and authority review.
2028: test financial distress, bank interruption, stability-fund access and court boundaries. Reconcile core-service cost and liquidity assumptions.
2029: test sanctions, false positives, payment barriers, urgent security exceptions and cross-border legal conflict.
2030: conduct coordinated cyber functional exercises, including authoritative snapshot recovery, holder reauthentication and downstream reconciliation.
2031: conduct planned RPKI trust-anchor migration tests against diverse relying-party implementations and manual transition paths.
2032: run a mass-transfer surge with corporate succession, insolvency, inter-regional cases and contested authority.
2033: operate shadow continuity services and test an Emergency Operator's legal, administrative and technical readiness.
2034: conduct the first compound international scenario with independent control and representative operators.
2035: remediate, retest hard failures and repeat selected scenarios with unannounced staff and supplier unavailability.
2036: conduct a second compound scenario, compare ten-year evidence, revise continuity arrangements and set the next testing cycle.
Annual institution-level exercises should continue between milestones. The calendar identifies the shared focus, not the only resilience work. Real incidents should trigger targeted retests. Material system, legal, vendor or key changes should not wait for the scheduled year.
What credible success would look like
By 2036, a member should be able to ask who can act when a board is disputed and receive a precise, lawful answer. An auditor should be able to trace how emergency funds support core services. A sanctioned or falsely matched holder should retain a documented review route. An operator should be able to validate a trust-anchor transition through more than one channel. A successor service provider should be able to restore prioritized functions from tested inventories without inheriting policy power.
The institutions should also know their irreducible limits. Some court conflicts cannot be solved by technical coordination. Some relying parties will remain slow to update. Some suppliers cannot be replaced immediately. Some confidential evidence cannot be public. Stress testing does not abolish uncertainty. It makes uncertainty bounded, owned and visible.
The worst outcome would be a polished series of exercises in which scenarios never threaten decision rights, senior leaders always remain available, substitute teams receive perfect instructions and reports declare success without external validation. That would test presentation, not institutions.
The best outcome is more modest and more demanding: repeated evidence that the registry system can degrade safely, preserve authority, protect urgent rights, recover coherent technical state and return temporary power. RIRs remain regionally accountable. IANA numbering services remain stable and measurable. NRS contributes advocacy, convening, authorized member representation and public comparison without acquiring operational authority. Operators validate what institutions cannot see from inside.
Institutional legitimacy is often discussed as consent during normal times. Its sharper test is restraint during abnormal ones. A body proves its fitness not only by acting, but by knowing which powers it lacks, which decisions must wait, which evidence must survive and when control must be returned. A ten-year stress test would make those virtues observable before the Internet number registry system has to learn them in public under real pressure.
Evidence base
- The draft RIR Governance Document, version 2 provides the current proposed framework for emergency continuity, an Emergency Operator, handover, readiness and post-event review.
- The NRO preliminary readiness assessment identifies implementation needs for legal, technical and administrative arrangements and stable transfer of services.
- The consultation summary on RIR governance records concerns about service prioritization, restoration criteria, limited emergency authority and return of regional control.
- The Joint RIR Stability Fund supplies the existing collective financial-continuity context.
- IANA Number Resource Performance Reports provide an existing model for explicit stage, timing, accuracy and availability measures.
- RFC 9691 defines the RPKI Trust Anchor Key mechanism for signaling current and successor keys and supporting planned trust-anchor rollover.
- The RIPE NCC RPKI Certification Practice Statement describes current certification, key-change and revocation practices.
- The APNIC RPKI Certification Practice Statement documents APNIC's current CA hierarchy, key-compromise and revocation procedures, HSM transfer constraints and trust-anchor key-lifetime dependencies.
- The RIPE NCC Quarterly Sanctions Transparency Report for Q2 2026 distinguishes registration freezes, continued use, membership treatment, identity uncertainty and payment effects.
- The RIPE NCC RPKI security and compliance page provides current external assurance and security-review context.
- The NRS FAQ identifies NRS as a global non-profit membership organization that campaigns, empowers and supports businesses, while its network-membership page describes member advocacy, policy participation and Power-of-Attorney-based representation. Those sources support NRS participation as an advocate or expressly authorized representative; they do not make it an RIR, IANA service, Emergency Operator, conformance authority or custodian of protected exercise evidence.

