Summary

  • ICP-2 reform is usually presented as a governance clean-up after AFRINIC's long crisis.

The market hidden inside a registry entry

The most revealing scene in the AFRINIC crisis is not a courtroom, a policy meeting, or a public statement from one of the Internet governance bodies. It is a finance table somewhere inside a network operator, cloud provider, hosting company, telecoms group, or address holder. On one side of the table sit routers, customers, service-level commitments, abuse desks, geolocation work, access-control lists, enterprise contracts and the cost of renumbering. On the other side sits a line in a registry database.

That line looks administrative. It says that an organization is recorded against a certain IPv4 block or autonomous system number. Yet the value attached to the line is not administrative. It comes from the fact that other networks will route the prefix, counterparties will treat the holder as legitimate, buyers will regard the registration as usable, and customers will not be forced through the disruption of renumbering. A registry entry is not the network, but in a scarce address market it is part of the capital structure that lets the network operate.

IPv4 scarcity made that capital structure visible. In 2019, KrebsOnSecurity reported allegations involving African address space whose market value was estimated at more than $50 million, at a time when individual IPv4 addresses were described as fetching roughly $15 to $25 on the open market. The exact market price moves over time and varies by block quality, route history, transferability and commercial context. The larger point is not a spot price. It is that a number resource once treated as a technical identifier had become balance-sheet material. The registry did not create that value. Operators created it by building services, customers, routing reputation and continuity around the address space. But the registry still sat near the recognition point.

AFRINIC's own policy materials show the formal mechanics. The registry distributes and registers Internet number resources in its service region. Public IPv4 addresses must be globally unique. Allocations and assignments must be registered in the AFRINIC database, and unregistered resources are treated as invalid for policy purposes. The policy manual defines Local Internet Registries, provider-aggregatable space, provider-independent space, transfers within the AFRINIC region, reverse delegation, ASN registration and other instruments of ordinary registry administration. On paper these are mechanisms for uniqueness, conservation, aggregation and documentation. In the economy built on top of them, they also affect liquidity, operating risk and business continuity.

That is why ICP-2 reform cannot be evaluated only as a constitutional exercise in Internet governance. It is an economic design problem. Recognition determines whether a registry is treated as a trusted issuer of usable status. Derecognition determines whether a failed registry can be replaced. Failure standards determine whether registry power can be disciplined. Portability determines whether members can leave before failure becomes catastrophic. Data escrow determines whether the ledger survives the officeholder. External review determines whether a registry can grade its own performance. Each of these ideas sounds procedural until one asks who bears the loss when the procedure fails.

For years the RIR system could avoid that question because abundance softened institutional error. If addresses were plentiful and transfers were marginal, registry governance could look like a club problem. Scarcity changed the calculation. A delay in transfer processing can affect a transaction. A dispute over registration status can affect financing, leasing, customer continuity and litigation strategy. A registry that cannot elect a board, process policy, maintain trust in voting, or explain its own records becomes more than an awkward nonprofit. It becomes a risk factor in a capital market it still refuses to describe as a capital market.

Recognition is the price at which that refusal becomes impossible. If global recognition simply says that the incumbent registry remains legitimate until other incumbents decide otherwise, recognition protects the incumbent. If recognition instead says that the registry's job is to maintain a verifiable ledger, provide neutral service, meet objective continuity standards and remain externally reviewable, recognition disciplines the incumbent. The difference is not semantic. It determines whether ICP-2 reform reduces registry power or constitutionalizes it.

AFRINIC turns the issue from theory into fact. It has been the African registry. It has continued to provide services through periods of governance breakdown. It has also operated through litigation, receivership, election failure, allegations of irregular voting documents, conflict over board legitimacy and periodic claims that it is recovering. In that setting, the economic question is not whether stability is desirable. Everyone wants stability. The question is stability for whom and under what incentive structure: stability of the ledger and users, or stability of the incumbent office.

That distinction should guide the whole ICP-2 debate.

Why AFRINIC makes recognition concrete

AFRINIC matters because it breaks the comfortable abstraction that recognition standards are only about future applicants for new registries. The original ICP-2 logic belonged to a world in which the main question was how a Regional Internet Registry could be established. The new problem is different: what happens when an existing registry becomes dysfunctional after the world has already built operational dependence around it?

The public record is unusually clear. AFRINIC is one of five Regional Internet Registries and serves Africa and parts of the Indian Ocean. The AFRINIC policy manual says its service region incorporates the African continent and Seychelles, Mauritius, Madagascar, Comoros and Reunion. The registry sits in the ordinary hierarchy of number-resource distribution: IANA allocates blocks to the RIR, and the RIR redistributes them to members and delegates authority for assignments and sub-allocations where policy allows. This is not a decorative role. It is the recognized interface through which a large region receives and records Internet number resources.

The difficulty is that AFRINIC's institutional life did not remain normal. The Internet Governance Project described AFRINIC as entering receivership in 2023 after the Bankruptcy Division of the Supreme Court of Mauritius appointed a receiver. The Number Resource Organization's statement welcomed the appointment as a way to restore functional governance through an executive board and CEO, while noting that the receiver was to maintain the status quo of AFRINIC's assets, preserve business value, oversee elections and expedite board constitution. The statement framed the development as positive because members would keep receiving registry services.

That official framing is useful evidence, but not because it should be swallowed whole. It shows what the system values when a registry fails: continued service, status quo preservation, board restoration and return to ordinary RIR participation. Those aims are reasonable. They also reveal the system's instinct to preserve the institutional shell. A shell can be operationally useful and structurally dangerous at the same time. If recognition standards are built only to restore the shell, they may leave the underlying incentives untouched.

The 2025 election sequence sharpened the problem. The Internet Governance Project wrote that AFRINIC had operated without a board since 2022 and that an election was underway in June 2025. ICANN challenged aspects of the nomination process and sought immediate reconstitution of the nominations committee. The Supreme Court of Mauritius dismissed the challenges, found ICANN lacked standing, and allowed the election process to proceed, while also requiring clarification that Cloud Innovation's listing as a registered member in corporate records was erroneous and attributable to the Registrar rather than AFRINIC or the receiver. The Register likewise reported that the court did not revisit the composition of the Nomination Committee, that electronic voting continued, and that ICANN remained concerned about election integrity.

Within days the picture deteriorated again. The Register reported that the election was suspended and then annulled after concerns over powers of attorney and voting documents. ICANN warned that it might initiate a compliance review and, if AFRINIC failed, ask another RIR to serve as an emergency registry for Africa. Further reporting in July 2025 described continuing silence from the receiver, allegations involving fraudulent powers of attorney, ICANN's demand for transparent reporting, and Cloud Innovation's call for winding up AFRINIC and transitioning its responsibilities to a more trusted framework. These are contested claims and should not be treated as final findings about every participant. For ICP-2 economics, the decisive point is narrower: an incumbent registry can enter a condition in which its legal shell, member legitimacy, voting mechanism, external overseer relations and service-continuity assurances all become economically relevant at once.

By early 2026 the tone had changed again. The Register reported from APRICOT that AFRINIC was "back on track", with staff morale improved, a board in action, interim management roles appointed, a budget and action plan under development, and a formal 2027-2030 strategy being prepared. It also reported that AFRINIC still had 773,376 unallocated IPv4 addresses. The same article said the RIR community had revisited ICP-2 because the policy described how to create an RIR but did not provide for dysfunction, and that the revised policy was expected to define a full RIR lifecycle, assistance during crises and provisions for derecognition.

This is the economic importance of AFRINIC. A registry can be recovering, fragile, necessary, contested and powerful at the same time. It can have staff who keep services running while governance legitimacy is disputed. It can have unallocated IPv4 inventory while members question whether the institution can administer elections. It can be defended as an instance of private governance resilience while also showing why private governance needs external failure standards. It can be portrayed by official bodies as a continuity problem, by critics as a mandate problem, by members as a voting problem, by litigants as a legal problem and by operators as a business-continuity problem.

ICP-2 reform has to survive all of those descriptions. If it chooses one institutional narrative and builds recognition around it, it will fail. A serious recognition standard cannot ask whether the incumbent's story is reassuring. It must ask whether the registry is objectively able to maintain the ledger, provide neutral service, respect member mobility, disclose material risks, keep data usable, run legitimate governance mechanisms and be replaced without damaging operational continuity if it cannot.

AFRINIC is therefore not merely an African crisis. It is a price-discovery event for the whole recognition system. It reveals what the RIR model had not priced: the cost of having no credible, external, reviewable, bottom-up failure standard when a registry becomes too important to ignore and too troubled to trust without verification.

Recognition as market power

To understand ICP-2 reform, start with a simple institutional-economics question: what does recognition produce? The official answer is coordination. Recognition tells the Internet which registry serves which region and therefore where number-resource records are expected to come from. It preserves uniqueness and avoids duplicate claims. That answer is true, but incomplete.

Recognition also produces collateral value. A block of IPv4 addresses is more valuable when the market believes the registration status is stable, transferable, routable and not likely to be attacked by the recognized registry. A network is less risky when its address holdings are not trapped in an institution that cannot govern itself. A transfer buyer will price uncertainty. A lender will price uncertainty. A leasing customer will price uncertainty. A cloud platform that depends on address continuity will price uncertainty. Recognition is not the same as property, but it affects the market's belief that a claimed use of a scarce resource will be respected by others.

This is why the language of mere administration has become misleading. AFRINIC's policy manual describes ordinary registry goals: uniqueness, registration, aggregation, conservation, documentation and fairness. Those goals remain technically important. But scarcity and transferability converted registry performance into an economic input. The registry's database is not simply a list; it is a coordination asset. The transfer policy does not merely tidy records; it regulates liquidity. The policy manual's requirement that a transfer recipient justify need, be an AFRINIC member and sign the Registration Services Agreement is not merely paperwork; it shapes who can acquire scarce resources and on what terms. Reverse DNS, RPKI, WHOIS and ASN records are not mere ancillary services; they help determine whether networks can operate smoothly and credibly.

Economists would describe this as an institutional layer with market-making effects. It does not create the underlying scarcity; IPv4's fixed 32-bit space and decades of allocation did that. It does not create all value; operators do that by deploying resources productively. But it can create or destroy confidence in claims, transfers and continuity. That gives the registry leverage over assets whose value greatly exceeds the registry's own balance sheet.

Once recognition has market-making effects, failure standards become economically material. A weak failure standard leaves members locked into a registry even when the registry no longer meets the minimum conditions for trustworthy administration. A vague failure standard gives external bodies discretion to threaten or discipline registries without predictable limits. A failure standard controlled by incumbent registries can become cartel protection. A failure standard controlled by ICANN or another global body without bottom-up constraint can convert a reform designed for accountability into a centralization instrument. The design challenge is to create discipline without creating a new monopolist of discipline.

This is the problem with treating "stability" as a conclusion rather than a claim requiring proof. Incumbents always say stability means protecting the incumbent. Markets know better. Sometimes stability means protecting the clearinghouse. Sometimes it means moving activity away from a failing clearinghouse before it damages the market. Sometimes it means leaving the brand intact. Sometimes it means preserving the records while replacing the operator. The same is true for a registry. The stable thing is not necessarily the board, the staff hierarchy, the corporate shell, the office, the logo or the historical claim to regional representation. The stable thing is the ledger of legitimate number-resource records and the ability of networks to continue using, routing, transferring and documenting resources without arbitrary interruption.

That distinction is easy to state and hard to implement. If recognition follows only historical incumbency, a failing registry can use continuity language as a shield. If recognition follows only external displeasure, a powerful outside body can use failure language as a weapon. If recognition follows verifiable technical and administrative facts, the reform begins to look like a credible accreditation regime. Accreditation does not mean blind trust in the accreditor. It means a bounded standard, public evidence, repeatable tests, defined remedies and review by parties that are not trying to inherit the power they judge.

In normal markets, bad intermediaries are disciplined by exit. Customers switch banks, exchanges, cloud providers, auditors, brokers or insurers, although switching may be expensive. In the RIR system, exit is structurally weak. A network is ordinarily tied to the registry that serves its region. AFRINIC's transfer policy is intra-regional; portability across RIRs is not an unconditional safety valve. Registry dependence is therefore not a normal supplier relationship. It is a lock-in regime justified by uniqueness and historical coordination.

Lock-in can be efficient when the locked-in institution is narrow, reliable and externally disciplined. It becomes dangerous when the institution is broad, discretionary and insulated from exit. ICP-2 reform is the moment to decide which model the RIR system wants to be. If recognition standards merely give the incumbent registry club more tools to protect itself, the reform will intensify lock-in. If they make recognition conditional on measurable performance, member consent, external accountability and continuity-first transition rights, recognition can become the substitute for market discipline that the system currently lacks.

AFRINIC's case shows why the substitute is needed. The system cannot rely on moral language about stewardship when the assets have become economically significant. It cannot rely on informal community correction when elections themselves become contested. It cannot rely only on courts, because courts can preserve legal rights but are not designed to operate a global registry. It cannot rely only on ICANN or the NRO, because their incentives may favor preserving the incumbent model. It needs recognition standards that are narrow enough to prevent centralization and strong enough to prevent failure from being normalized.

That is the hidden capital market inside ICP-2. The reform will decide how registry risk is priced, who can force disclosure, when exit becomes credible, and whether the economic value created by operators remains hostage to a recognition system that still speaks as if it were performing only clerical coordination.

What a failure standard should measure

A failure standard should not begin with punishment. It should begin with measurement. The first mistake in many institutional crises is to ask who is good, who is bad, who belongs to which faction and which narrative should be vindicated. That is politics. Recognition standards need a colder vocabulary.

The relevant question is whether the registry is performing the functions that justify recognition. Those functions can be measured without deciding every political dispute inside the region. The ledger must be accurate, accessible, auditable and protected against unauthorized alteration. Core registration services must be available. WHOIS or RDAP data, reverse DNS processes, RPKI services, ASN records, transfer records and member status records must be maintained under documented controls. Policies must be adopted and implemented through a process that affected participants can understand and challenge. Governance mechanisms must be capable of producing legitimate directors and accountable management. Conflicts of interest must be disclosed and managed. Financial condition must be sufficient to operate without making service continuity hostage to litigation, factional capture or emergency fundraising. Material disputes must not be hidden behind public-relations language.

None of these tests requires a global body to become a super-board. They require evidence. Can the registry show signed and time-stamped snapshots of its registry data? Can it show independent security audits? Can it show that member records match legal and operational reality? Can it show that transfer requests are processed under stable criteria? Can it show service uptime? Can it show that RPKI and reverse DNS operations are separable from board factionalism? Can it show that elections are run under rules that prevent proxy fraud, undisclosed vote aggregation and arbitrary annulment? Can it show that staff have operational independence from factions seeking control of resource policy? Can it show that liability, insurance and reserves bear some rational relation to foreseeable harm?

AFRINIC illustrates why such questions matter. The policy manual says registration data must be correct at all times because it supports network operations. It says documentation should be realistic and justifiable. It says policies and practices should apply fairly and equitably regardless of location, nationality, size or other factors. These are not just noble phrases. They are the measurable claims that justify recognition. A registry that cannot keep its registration data reliable, treat similarly situated members fairly, or administer documented processes consistently is not merely having a governance disagreement. It is eroding the economic basis for recognition.

The history of alleged address misuse in Africa also supports a measurement-based approach. KrebsOnSecurity's reporting on the alleged $50 million African IP address heist described accusations that an AFRINIC policy coordinator had secretly operated companies tied to the sale of address blocks and that official records had been altered in relation to legacy African address space. AFRINIC's then-new CEO said the organization was investigating. The point for ICP-2 is not to retry every historical allegation. It is that registry failure can involve data integrity, insider conflicts, dormant-resource exploitation and record manipulation, not only board elections. A recognition standard that looks only for formal governance paralysis will miss the economic forms of failure that matter most.

The standard should distinguish four types of failure. Operational failure occurs when the registry cannot deliver minimum services reliably. Ledger failure occurs when the registry's records cannot be trusted as accurate, authorized, complete or recoverable. Governance failure occurs when the institution cannot produce legitimate authority, manage conflicts or run accountable processes. Market-continuity failure occurs when members cannot rely on registration, transfer, routing-supporting services and dispute processes sufficiently to plan business. These failures can overlap, but they are not identical. A registry may keep servers running while governance collapses. It may have a board while data integrity is compromised. It may process tickets while transfer confidence evaporates. Recognition standards need to see all four.

Thresholds matter as much as categories. Not every mistake is failure. A registry should be able to correct errors, suffer litigation, change staff, delay meetings or lose a case without facing derecognition. If the threshold is too low, recognition becomes a weapon. If it is too high, failure becomes permanent. The threshold should turn on persistence, materiality, non-remediation and threat to continuity. A missed deadline is not enough. A pattern of unexplained missed deadlines affecting member rights may be. One disputed election document is not enough. A voting system unable to verify authority, detect forged documents, explain annulment and complete a legitimate election may be. A court dispute is not enough. A legal state that prevents ordinary governance for years and leaves members without an accountable board may be.

Accreditation without an unaccountable accreditor

Recognition standards need an accreditor, but the accreditor must not become the new problem. This is the paradox at the centre of ICP-2 reform. A failing registry cannot be left to certify itself. Yet a global body that can declare failure, appoint substitutes, block new entrants and define acceptable governance without effective constraint may become more dangerous than the registry it disciplines.

The danger is not imaginary. Lu Heng's published notes on ICP-2 argue that any mechanism to de-accredit or re-accredit an RIR must remain driven by members rather than by the NRO or ICANN. The underlying point is institutional, not personal. The RIR system exists through voluntary consensus rather than ordinary sovereign coercion. It has no army, tax base or treaty jurisdiction. Its authority survives because operators, states, software, route filters, contracts and counterparties accept the coordination structure as useful. If the recognition layer begins to look like top-down command, participants will not necessarily obey. They may route around it, litigate it, fork operational practice, or withdraw consent.

This matters because accreditation can be abused in two directions. In one direction, a registry captures the process and uses recognition as immunity from members, courts and market discipline. In the other, external bodies capture the process and use recognition to impose their preferred governance outcomes. Both are failures. The first protects local incumbency. The second centralizes global power. A credible ICP-2 has to avoid both.

The institutional design should separate evidence collection, failure determination, remediation supervision and successor selection. The same body should not define the evidence, prosecute the failure, choose the remedy, inherit the authority and then declare the system stable. That is how accountability language becomes mandate expansion. The more economically material IPv4 becomes, the greater the temptation to turn recognition standards into control over transferability, member status and regional policy. Reform must be designed around that temptation, not around idealized assumptions about institutional virtue.

A useful model is not a ministry, but a constrained accreditation market. Standards are public. Tests are repeatable. Auditors are independent. Affected members can trigger review under objective conditions. The registry has a right to respond. Remedies are staged. Replacement is a last resort under predefined continuity rules. The accreditor's job is not to decide the region's politics. It is to determine whether the recognized registry continues to meet minimum conditions for the narrow coordination function that recognition confers.

Member initiation is crucial. If only ICANN, the NRO or incumbent RIRs can trigger serious review, members remain dependent on the institutional class whose incentives may be to avoid precedent. If any member can trigger full review on demand, the system becomes unworkable. The middle ground is a structured threshold: a defined share of members, resource holders, affected operators, or objectively affected service users should be able to compel a preliminary review; a higher threshold should be required to escalate to formal non-compliance proceedings; emergency review should be available for service-threatening ledger or security failures. The details can be debated. The principle is clear. Review must be accessible from below and bounded from above.

The accreditor also needs economic constraints. It should not be allowed to demand policy outcomes unrelated to minimum registry fitness. It should not use compliance review to settle ordinary disputes over address leasing, out-of-region use, transfer liberalization, pricing philosophy, or regional development strategy unless those disputes affect objective recognition criteria. Otherwise accreditation becomes a route by which global institutions launder policy preferences into recognition conditions. The standard should be deliberately boring: ledger integrity, service continuity, financial viability, neutral administration, governance capacity, data escrow, conflict controls, member rights, portability safeguards and transparent remediation.

The lesson is not that ICANN should never act, nor that incumbents should be left alone. The lesson is that recognition standards must make action less dependent on institutional improvisation. If the rules are objective, evidence-based, member-triggerable, externally auditable and limited to registry fitness, intervention looks less like power and more like discipline. If the rules are vague, discretionary and controlled by the same institutions whose power they expand, intervention looks like cartel management.

Exit, portability and the price of lock-in

The most powerful form of accountability in a market is not complaint. It is exit. A supplier that knows customers can leave behaves differently from a supplier that knows customers are captive. The RIR system has always been weak on exit because regional uniqueness was built around exclusive service territories. That weakness was tolerable when number resources were plentiful and registry discretion was thin. It is dangerous when resources are scarce and registry discretion affects continuity.

Portability is therefore not an ideological add-on to ICP-2. It is the economic safety valve without which recognition standards will be asked to do too much. If every serious failure requires global derecognition, the system has only a nuclear option. Because the nuclear option is frightening, it will be delayed. Because it is delayed, members remain trapped. Because members are trapped, the registry's incentives deteriorate. A credible exit right reduces the need to use derecognition by disciplining the registry earlier.

Lu Heng's note on portability states the case directly: networks should have an unconditional right to move IP addresses or ASNs from one RIR to another, so that a registry that performs poorly cannot hold members hostage. One need not accept every detail of that proposal to see the economic logic. Portability lowers switching costs. Lower switching costs create performance discipline. Performance discipline reduces the need for emergency global intervention. Emergency intervention, when still required, becomes more credible because the system has already recognized that the ledger and user continuity matter more than the incumbent registry's territorial exclusivity.

The current AFRINIC mechanics show the gap. Its policy manual contains a policy for IPv4 transfers within the AFRINIC region. The transfer source must be an existing AFRINIC member account or legacy resource holder in the region. The source must be the rights holder recognized by AFRINIC and not involved in a dispute over the resources. The recipient must justify need, be an AFRINIC member and sign the Registration Services Agreement. These mechanics make sense as intra-regional administration. They do not solve the failure problem. If the registry itself becomes the source of risk, requiring the member to remain inside the same registry and subject to the same agreement is not exit. It is a change of seat inside the same theatre.

There are real objections. Unconditional portability could create forum shopping, uneven policy burdens, routing-data confusion, regulatory arbitrage, or pressure on better-run registries. It could undermine regional development goals if the poorest regions lose resource-holder relationships to better-capitalized registries. It could be exploited by large holders seeking the lightest compliance regime. These concerns matter. They are arguments for designing portability carefully, not for rejecting it categorically.

A sensible portability regime would distinguish ordinary portability from failure portability. Ordinary portability might be limited, phased or conditioned on harmonized data requirements. Failure portability should be stronger. If a registry enters formal non-compliance, loses minimum service capability, cannot maintain trustworthy records, or remains under unresolved governance paralysis past a defined threshold, members should have a recognized path to move administrative service to another qualified registry or interim operator without losing resource continuity. The moving member would not acquire new address space or escape globally applicable uniqueness rules. It would move the administrative relationship away from the failing institution.

The design should also protect the receiving registry. A failure-portability path cannot simply dump unresolved disputes, bad records or policy conflicts onto another institution. It should carry the record history, dispute flags, authority documents, transfer status and audit trail. It should preserve the fact that a block may be contested. It should maintain reverse delegation and routing-supporting services where continuity requires them, while preventing the move from becoming a laundering event. Exit is valuable because it disciplines the incumbent. It should not become a method for erasing obligations.

Discipline without destroying continuity

The strongest argument for caution in ICP-2 reform is also the strongest argument for reform. Registries carry real operational responsibilities. Breaking them carelessly would damage networks that had no role in the governance failure. But using continuity as a reason to protect incumbents indefinitely commits the opposite error. It confuses the continuity of the ledger with the continuity of the gatekeeper.

The ledger is the core asset. It records who is associated with which number resources, which contacts are responsible, which reverse delegations exist, which route-origin authorizations are supported, which transfer history matters and which member authority documents are relevant. The ledger is not merely a database in a narrow technical sense. It is the shared factual substrate on which routing, troubleshooting, abuse handling, contracting and transfers depend. Continuity means protecting that substrate and the services that make it usable.

An incumbent officeholder is different. A board, CEO, receiver, committee, staff hierarchy or corporate shell may be useful if it protects the ledger. It should not be treated as identical to the ledger. A recognition standard that cannot separate the two will always be biased toward incumbency. Whenever a registry fails, defenders will say that touching the incumbent endangers continuity. Sometimes that will be true. Sometimes the incumbent is what endangers continuity. The standard must be able to tell the difference.

AFRINIC's receivership shows the tension. The NRO statement in 2023 welcomed the receiver as a way to preserve assets, maintain the status quo, oversee elections and keep services flowing. The Internet Governance Project framed receivership as evidence of private Internet governance resilience, with rule of law and government enforcement acting as checks that preserve organizational stability. That interpretation contains an important truth: courts and receivers can prevent a governance dispute from destroying registry services. It also contains an institutional bias: it treats restoration of the existing registry as the natural endpoint. ICP-2 should be more precise. Receivership is a continuity instrument, not proof that the incumbent model is economically sound.

Discipline without destruction requires a ladder of remedies. The first rung is disclosure: public reporting of service metrics, election status, financial condition, legal constraints and material risks. The second is independent audit: technical, financial, governance and data-integrity review by qualified parties. The third is remediation: a time-bound plan with measurable milestones and member oversight. The fourth is supervised assistance: other registries or neutral technical operators providing defined support without acquiring policy control. The fifth is limited transfer of functions: escrow activation, emergency service operation or portability for affected members. The final rung is replacement or derecognition.

The ladder matters because it makes replacement credible without making it casual. A registry should not be derecognized because it is unpopular, litigious or politically inconvenient. It should face replacement only when objective failures persist, remediation fails, continuity is at risk, and a successor or interim arrangement can protect the ledger better than the incumbent. Conversely, a registry should not avoid replacement merely by invoking stability while refusing audit, disclosure or member control.

Data escrow is the practical foundation. Without escrow, every crisis becomes a hostage situation. The incumbent controls the data needed to replace it, so replacement appears too risky. With regular, signed, independently verifiable escrow, the ledger can survive institutional failure. The escrow should include not only raw allocation records but transfer history, member authority records, dispute flags, reverse DNS delegations, RPKI materials where feasible, audit logs and documentation needed to distinguish settled records from contested records. The goal is not to publish sensitive data. It is to ensure that an authorized emergency operator can preserve continuity without guessing.

The continuity-first principle therefore has a sharp edge. It protects the registry when attacks on the registry would harm the ledger. It disciplines or replaces the registry when the registry harms the ledger. It refuses to equate a corporate shell with the public need it serves. That is the balance ICP-2 must strike if it wants economic credibility.

Replacement as a credible but bounded option

Every accreditation regime needs a terminal sanction. If the recognized institution cannot fail recognition no matter what it does, the standard is theatre. If it can lose recognition too easily, the standard becomes a weapon. Replacement must therefore be both credible and bounded.

Credibility is the harder part in the RIR world because incumbency has been treated as almost natural. There are five RIRs. They have service regions. They coordinate through the NRO and interact with ICANN. Their existence has been stable enough for operators to build around them. That stability is valuable. It is also the source of moral hazard. An institution that believes it is irreplaceable will behave differently from one that knows recognition is conditional.

AFRINIC's crisis made the supposedly unthinkable thinkable. The Register reported that the revised ICP-2 work was triggered because existing policy did not define what to do if an RIR became dysfunctional. It also reported that the revised policy would define the full lifecycle of an RIR and include provisions for derecognition. ICANN's 2025 correspondence, as reported by The Register, raised the possibility that if AFRINIC failed a compliance review, another RIR could be asked to serve as an emergency registry for Africa. Whether that particular path is wise is a separate question. The important fact is that the system has conceded the conceptual point: the shell is not metaphysically permanent.

Replacement must also be bounded by purpose. The purpose is not to punish a registry, settle political conflict, redistribute assets, impose external policy preferences, or create a precedent for central management of regions. The purpose is to preserve unique-number coordination when the recognized registry no longer meets minimum conditions. This narrow purpose should be written into the recognition standard. If replacement authority can be used for broader governance objectives, it will become the centralization tool critics fear.

The replacement option should have three forms. The least intrusive is functional substitution: another qualified operator temporarily performs specific services such as data hosting, RPKI operations, reverse DNS support or ticket processing under audit. The next is administrative portability: affected members move their registry service relationship to a qualified registry or interim operator while regional governance is repaired. The most intrusive is full derecognition and succession: the incumbent loses recognition and a successor becomes the recognized registry for the region. These are not the same remedy and should not be collapsed into one.

Member consent must play a decisive role in full succession. The reason is not romantic faith in community processes. It is economic legitimacy. A successor registry that lacks acceptance by the networks it serves will struggle to maintain voluntary coordination. But consent must be structured. A successor vote or consultation must use a verified member register, transparent authority documents, limits on proxy aggregation, conflict disclosures and independent supervision. AFRINIC's contested election experience shows that "let the members decide" is not enough unless the mechanism for deciding is itself trustworthy.

The terminal sanction should be rare, but not imaginary. In banking, payments, auditing, insurance and utilities, supervision without resolution authority often fails because everyone knows the supervisor will not pull the trigger. The failing institution gambles on forbearance. Counterparties remain trapped. Losses grow. Registry recognition has a similar problem. If derecognition is impossible, recognition standards will become another layer of official language. If derecognition is possible only through opaque global discretion, it will frighten members and states. If derecognition is possible through objective, staged, continuity-first rules, it becomes a credible threat.

The danger of cartel protection

The RIR system has an awkward structure. It is a small group of regionally exclusive institutions that coordinate with one another, share a common interest in preserving the RIR model, and participate in defining the standards by which RIRs are recognized. In many contexts, economists would immediately ask whether such a structure risks cartel behavior. Internet governance culture often avoids that word because the institutions are nonprofits, the rhetoric is public-spirited and the technical mission is real. Yet incentives do not disappear because the participants use stewardship language.

Cartel protection in this context does not necessarily mean price fixing. It means protecting incumbency, limiting entry, restricting exit, controlling recognition and treating challenges to the institutional class as threats to stability. A recognition standard can easily become cartel protection if it makes new registry formation practically impossible, makes existing registries effectively irreplaceable, and defines failure review through bodies dominated by incumbent registries. The result would be a system in which accountability language strengthens the monopoly position that produced the accountability problem.

Lu Heng's commentary on the ICP-2 revision warns of this risk in stark terms: a draft presented as protection and stewardship may block entry, restrict exit, make new institutions impossible and convert coordination into permission. That argument should not be reduced to anti-institutional rhetoric. It identifies a classic political-economy pattern. When an incumbent system faces stress, it often responds by raising barriers to exit and entry. It calls the barriers safety. Sometimes they are safety. Sometimes they are self-preservation.

The line between safety and self-preservation should be drawn by objective necessity. Unique-number coordination does require common rules. It does not require every current legal shell to remain permanent. Registry continuity does require careful transition. It does not require members to be trapped in a failing institution. Global interoperability does require avoidance of conflicting records. It does not require a private club to decide all future recognition questions without external review. If ICP-2 cannot state which restrictions are technically necessary and which merely protect incumbency, it will not be economically credible.

AFRINIC makes cartel risk visible because external bodies had competing incentives. On one hand, they had legitimate reasons to worry about service continuity, election integrity and the global numbering system. On the other, they had institutional reasons to avoid a precedent in which a court, member movement, litigant or successor structure could fundamentally reorder an RIR. Official statements therefore need to be read as evidence of incentives. When the NRO says receivership helps restore governance and maintain services, that tells us continuity matters. It also tells us the incumbent RIR class values restoration of the existing model. When ICANN says it is concerned about election integrity, that may reflect genuine risk. It also tells us ICANN is willing to intervene when RIR governance threatens the global coordination order as ICANN understands it.

Cartel protection can also appear through vocabulary. "Community" can be used to make a narrow procedural class sound like a whole region. "Stability" can be used to make incumbent preservation sound like user protection. "Bottom-up" can be used to validate processes in which participation is unequal, records are contested or organized interests dominate. "Global coordination" can be used to suppress local accountability. "Recognition" can be used to turn a recordkeeping function into a permission layer. These words are not useless. They are dangerous when undefined.

A credible ICP-2 should therefore include anti-cartel safeguards. Failure review should not be controlled solely by the incumbent RIRs. Entry criteria for successor or interim operators should be demanding but achievable. Portability should prevent territorial lock-in from becoming absolute. Data standards should make ledgers replaceable. Emergency assistance should be modular and temporary. Recognition decisions should publish evidence and reasoning. Member-triggered review should prevent the incumbent club from ignoring failure. Limits on the accreditor should prevent global centralization. No one should be able to convert the fear of fragmentation into a blank cheque for power.

The best defense is not hostility to coordination. It is thin coordination. Define the invariants that must be common: uniqueness, accurate records, continuity, security, portability of essential data, non-duplication, transparent dispute marking and minimum service levels. Keep everything else from becoming a recognition condition unless there is a demonstrable technical or administrative necessity. The thicker the recognition standard becomes, the more it will invite capture. The thinner and more verifiable it is, the more it can discipline without ruling.

The danger of cartel protection is not a reason to abandon ICP-2 reform. It is the reason reform must be narrow, external, reviewable and member-grounded. A failed registry is bad. A failed registry protected by a global cartel of recognition is worse.

What operators, courts and governments need from reform

The actors who bear the cost of registry failure need different things from ICP-2. The reform will fail if it speaks only to Internet governance insiders.

Operators need predictability. Their first concern is not institutional philosophy. It is whether they can keep networks running, acquire or lease addresses, maintain routing credibility, update records, obtain reverse DNS, manage abuse contacts, use RPKI, satisfy customers and avoid catastrophic renumbering. They need to know that a registry's internal crisis will not suddenly become their business-continuity crisis. They need published service levels, exportable records, transfer timelines, dispute-marking rules, emergency contacts and portability rights under defined conditions. They also need assurance that registry discretion will not be used to punish commercial models disfavored by institutional insiders unless those models violate clear, adopted rules.

Operators also need price signals. If a registry is under formal review, the market should know what that means. Is it a service risk, a governance risk, a financial risk, a data-integrity risk or a political dispute? Are transfers still being processed? Are certificates and reverse DNS stable? Are member records frozen? Is portability available? A vague cloud over recognition can be as damaging as a formal sanction because it leaves counterparties guessing. ICP-2 should require public risk classification so markets can price facts rather than rumors.

Courts need a different thing: a clear distinction between registry continuity and institutional privilege. Courts are already involved because RIRs are domestic legal entities, not sovereigns floating above law. When a registry enters insolvency-related proceedings, receivership, injunction disputes or corporate-record conflicts, judges need to understand which registry functions are operationally critical and which claims are merely institutional. A court should be able to protect the ledger without being told that every registry preference is a matter of global Internet stability. ICP-2 can help by defining minimum continuity functions, escrow duties, emergency service protocols and the factual consequences of registry disruption.

This does not mean courts should run registries. They should not. It means the registry system should stop relying on mystical claims when it appears before ordinary law. If the ledger is critical, show why. If a service must continue, identify it. If a member record is disputed, preserve the evidence. If an election is necessary, specify the authority documents and verification rules. Courts can work with facts. They are less well suited to adjudicating the sacred vocabulary of Internet governance.

Governments need a third set of assurances. States bear public downside when numbering continuity fails. Communications, emergency services, financial systems, cloud platforms, telecoms networks and public administration all depend on Internet continuity. Yet the upstream registry layer is often a private entity incorporated in one jurisdiction and serving many others. AFRINIC is incorporated in Mauritius and serves a large region. APNIC, RIPE NCC, ARIN and LACNIC likewise operate through specific legal forms while serving broad regions. This arrangement can be efficient, but it creates sovereignty inversion if states bear the downside while private registry bodies hold practical leverage without sufficient accountability.

Governments therefore need ICP-2 to clarify that recognition is not political ownership of a region. A registry service region is an administrative footprint, not a sovereign mandate. Recognition should not give a registry the right to claim immunity from ordinary law or to treat an entire region's numbering continuity as its institutional property. At the same time, governments should not respond by nationalizing or politicizing number-resource administration. The public interest is continuity, neutrality and interoperability, not state capture.

The reform should give governments confidence that there is a non-political failure path. If a registry fails, there should be predefined mechanisms for maintaining services, protecting data, validating member authority, communicating with national regulators where necessary, and preventing a registry crisis from becoming a geopolitical contest. If no such path exists, governments will eventually improvise their own. That would be worse for global coordination than a narrow, credible ICP-2 failure regime.

Members and resource holders need voice, but voice has to be verifiable. The AFRINIC election controversies show the fragility of representation when powers of attorney, proxy limits, corporate classification and member registers become contested. ICP-2 should not assume that membership process is legitimate merely because it is bottom-up in name. It should require registries to maintain verified member authority records, transparent proxy rules, auditable election systems and independent channels for reporting irregularities. A bottom-up system without verifiable membership is not bottom-up. It is a market for procedural capture.

The technical community needs a final assurance: that the reform will not turn registry recognition into broad policy command. Engineers and network operators accept coordination because it preserves uniqueness and interoperability. They do not need a global recognition authority that can impose thick social, economic or political preferences under the cover of registry fitness. ICP-2 should therefore define the minimum technical and administrative invariants of recognition and leave ordinary policy debates to regional processes, member choice and operational adoption.

The voluntary nature of that acceptance is essential. The Internet numbering system works because networks accept the records as useful and act accordingly. Recognition standards that ignore the economics of consent may appear strong on paper and weak in reality. The reform's task is to make consent rational again.

The narrow bargain that would make ICP-2 credible

The credible bargain is narrow. Incumbent registries may retain exclusive recognition for their regions only if that recognition is conditional, measurable and defeasible. Global bodies may help enforce recognition standards only if their authority is bounded, evidence-based and reviewable. Members may trigger accountability only through verified and structured mechanisms. Emergency operators may protect continuity only without converting temporary assistance into political control. Everyone gives up something. That is why the bargain could work.

Start with ledger primacy. ICP-2 should state, in substance, that continuity protects the ledger and users, not incumbent officeholders. Every remedy should be judged by whether it preserves accurate records, routing-supporting services, member access, dispute evidence, transferability and operational use. This principle would not force replacement. Often the incumbent registry will remain the best vehicle for ledger continuity. But it would prevent continuity language from automatically protecting the incumbent when the incumbent becomes the risk.

Recognition should then depend on public criteria: service availability, data integrity, financial viability, governance capacity, conflict controls, member-rights protection, audited elections, escrow compliance, security posture, transfer administration and remediation performance. The criteria should be specific enough to test and narrow enough to avoid policy empire-building. They should measure whether the registry can perform the recognized function, not whether outsiders like its politics.

The trigger should come from below as well as above. Members and affected resource holders should be able to compel preliminary review when defined thresholds are met. External review should then be conducted by independent auditors and technical reviewers who do not stand to inherit the registry's authority. ICANN, the NRO and other RIRs may have roles, but they should not be the only gatekeepers. The point is to prevent both local capture and global centralization.

Relief should be available before collapse. Members should not have to wait for full derecognition before obtaining relief from a failing registry. If objective non-compliance persists or certain emergency triggers are met, administrative portability should become available through predefined mechanisms. This does not mean conflicting number claims or unverified transfers. It means the service relationship can move while uniqueness and dispute records are preserved. Portability is the market discipline that makes recognition less brittle.

Every recognized registry should maintain independently verifiable escrow of essential registry data and operational metadata. The escrow should be tested, not merely promised. A fire drill that cannot restore services is not a continuity plan. Escrow reduces the incumbent's ability to hold the system hostage and reduces the accreditor's fear that intervention will break the Internet.

Remedies should be staged. Disclosure, audit, remediation, assistance, limited functional substitution, portability, emergency operation and derecognition should be separate stages. Skipping stages should require evidence of immediate continuity risk. This protects registries from opportunistic attack while protecting members from endless forbearance.

The recognition process should also contain an anti-cartel limit. It should not be allowed to block all new institutional forms, freeze all current service territories forever, or allow incumbent registries to judge possible competitors without independent oversight. Entry should be hard because uniqueness is important. It should not be impossible because incumbency is comfortable. Exit should be controlled because records must remain coherent. It should not be forbidden because registries prefer captive members.

Finally, ICP-2 should refuse mandate expansion by vocabulary. Words such as stewardship, community, stability, recognition, compliance and global coordination should be tied to specific operational meanings. A registry is a coordinator of number-resource records and related services. It is not the political owner of a region. An accreditor is a verifier of minimum registry fitness. It is not a world government for number resources. A community process is a method of policy development. It is not a magic conversion of narrow participation into universal consent.

If these terms sound modest, that is the point. ICP-2 reform should not attempt to solve every argument over IPv4 markets, leasing, out-of-region use, transfer philosophy, regional development or the long-term future of Internet coordination. Other pieces and other processes can debate those questions. The immediate recognition question is narrower: how can the Internet identify, discipline and, if necessary, replace a failing RIR without turning that power into a new unaccountable hierarchy?

AFRINIC is the test because it contains every temptation. The temptation for incumbents is to say the crisis proves the need for stronger protection of the existing system. The temptation for central bodies is to say the crisis proves the need for stronger global intervention. The temptation for critics is to say the crisis proves the old system should be swept away immediately. The economic answer is less satisfying and more durable: protect the ledger, discipline the institution, preserve exit, constrain the accreditor, and make replacement possible before it is needed.

The Internet's numbering system was built on a narrow form of trust. Networks did not need to trust a global sovereign. They needed to trust that records were unique, services were reliable, processes were fair enough and no single intermediary could arbitrarily destroy their continuity. IPv4 scarcity has made that trust more expensive. AFRINIC has shown what happens when the price is not paid in advance.

ICP-2 reform will be credible only if recognition becomes conditional on facts rather than mythology. A registry that maintains the ledger, serves members neutrally, accepts external audit and permits bounded exit should be protected. A registry that cannot do those things should be disciplined. A registry that still cannot do them after remediation should be replaceable. And the bodies that enforce those standards should themselves be constrained by the same principle that justifies the whole system: coordination exists to serve the networks that run the Internet, not to turn recordkeepers into rulers.