Summary
- The original ICP-2 addressed the recognition of new Regional Internet Registries through regional support, technical competence, neutrality, financial viability, record keeping, confidentiality, and a large multinational service area. Its entry model helped prevent conflicting allocation systems, but it tied trusted service to a territorially exclusive institution.
- The 2024 principles and 2025 RIR Governance Document drafts move usefully toward continuing audits, emergency continuity, record sharing, and orderly handoff. As of July 2026, however, final drafting is still in progress. The revision should certify service capabilities and constrain authority, not convert historical geography into an indefinite franchise.
- A credible service standard would separate four questions: whether a provider can preserve global uniqueness, protect systems and data, prove each consequential action, and migrate bounded functions safely. NRS's emphasis on accurate registration, holder voice, portability, and market access is a constructive direction if accompanied by independent certification, conflict rules, due process, and explicit preservation of holder rights.
ICP-2 answered the entry question of its time
The original ICP-2 criteria, adopted in 2001, addressed a specific institutional problem: how a candidate could be recognized as a new Regional Internet Registry. Its ten criteria required a large multinational region, broad support among local Internet service providers, a bottom-up policy structure, neutrality and independence, technical expertise, a detailed activity plan, a budget and funding model, accurate records, confidentiality safeguards, and a transition plan. All ten were described as essential.
That design made sense in the conditions it confronted. Number registration cannot tolerate two unrelated providers making incompatible claims over the same unicast address space. A new registry needed enough scale to fund skilled staff and secure systems. It had to inherit records and operational knowledge without interrupting service. Recognition could not depend only on a candidate's ambition; networks in the proposed region had to support and finance it. The result was a cautious entry standard built around coordinated delegation.
ICP-2 did more than test competence, however. It joined competence to geography. A successful applicant was not merely qualified to perform defined services. It became the recognized registry for a continental-scale region in a system designed around non-overlapping coverage. That structure made institutional identity, service responsibility, community participation, and territory appear to be one thing.
For years the fusion caused little visible difficulty. IPv4 was allocated primarily through administrative channels, the five-registry structure stabilized, and an operator usually dealt with the registry assigned to its location. Scarcity, transfers, cross-border groups, global cloud networks, leasing, acquisitions, and long-lived address holdings have since changed the reliance interests. The registration function remains indispensable, but the economic activity recorded by the function is no longer neatly regional.
A network can be incorporated in one jurisdiction, operate in several others, obtain financing elsewhere, serve customers globally, and route address space far from the office that signed its registry agreement.
The question for a successor is therefore not whether coordination should end. Coordination is what protects uniqueness. The question is whether coordination still requires each provider to possess an effectively permanent territorial franchise. ICP-2's historical answer should not be mistaken for a law of network architecture.
The current review has exposed the service inside the institution
The ICP-2 review began because recognition criteria alone did not answer what should happen when an established registry ceased to satisfy expected standards. The October 2024 proposed principles consequently addressed the whole institutional lifecycle. They proposed continuing compliance, periodic audit, financial independence, corporate governance, continuity planning, record sharing, remediation, derecognition, and handoff. In doing so, they exposed the fact that an RIR is both an incorporated membership organization and a bundle of services.
The distinction became clearer in the second RIR Governance Document draft published in August 2025. That draft described emergency continuity when a registry could not adequately perform some or all services. It contemplated a temporary operator, limited initial emergency periods, publication, community engagement, restoration, post-event review, and duties to support a handoff after derecognition. These provisions were not final law. They were design proposals. Their significance lies in the categories they had to identify: registration, allocation, policy support, directory services, reverse DNS, routing-security functions, records, credentials, staff knowledge, and communications do not necessarily fail at the same time.
As of 14 July 2026, the published review timeline says final drafting is in progress during the third and fourth quarters of 2026, with presentation to RIR communities and approval preparations still ahead. It would be inaccurate to describe Version 2 as an adopted replacement. It is equally mistaken to treat its service decomposition as temporary drafting detail. Once continuity can be assigned by function, recognition can also be assessed by function.
That insight should change the architecture of the final standard. A registry should not be trusted merely because it is the historical institution for a region. It should be trusted because named services pass defined tests. Recognition should state the scope, term, conditions, evidence, and review path for each certified capability. A provider might be qualified to maintain registration data but not to operate a certification authority. Another might supply emergency read-only directory service without acquiring allocation power. A third might provide escrow verification without any authority to change records.
Institutional recognition can remain convenient shorthand. It should no longer conceal the legal and operational boundaries of the services being recognized.
A franchise is not the same as a trust anchor
The strongest argument for exclusive regions is that number uniqueness requires a single authoritative chain. That proposition is correct at the level of a particular record and wrong at the level of a permanent provider. A database row needs one controlling state at a given moment. The organization responsible for that state need not hold an irrevocable territorial entitlement.
Financial markets distinguish an authoritative ledger from the company supplying one component of market infrastructure. Payment systems distinguish final settlement rules from vendors that process messages. Certificate systems distinguish a trust framework from any one certificate authority. The number system can likewise distinguish the globally coordinated authority for uniqueness from the service organizations that operate under it.
IANA's number-registry role supplies the natural coordination point. RFC 7020 describes the Internet Numbers Registry System as a hierarchy of registry providers and registry users, operating through distributed authority and community-developed policy. The hierarchy prevents duplicate delegation and provides an auditable chain. Nothing in that operational need proves that the same regional corporation must indefinitely bundle allocation, membership governance, billing, database maintenance, routing registry, reverse DNS, route-origin certification, transfer approval, dispute handling, and emergency continuity.
A franchise grants an institution an exclusive field and normally protects that exclusivity from ordinary entry. A trust anchor establishes which state entities may rely upon. Conflating the two makes competition look like fragmentation and makes institutional replacement look like destruction of the authoritative chain. A service-certification model would preserve one chain while allowing more than one qualified organization to compete for or be assigned bounded roles under clear transition rules.
This is not a proposal for simultaneous conflicting registries. At no point should two providers be able to make independently valid changes to the same registration scope. Certification creates eligibility, not concurrent authority. Assignment of a service would occur through a controlled mandate: the holder's choice where choice is technically possible, a collective decision where a shared function requires one operator, or a temporary continuity order under narrow emergency conditions. Every change would be serialized against the authoritative state.
The distinction matters because monopoly is not an engineering requirement merely because uniqueness is. The system should prove why exclusivity is necessary for each function, limit it to that function, and review it at stated intervals. Historical regional coverage is evidence of experience, not title to govern a territory.
First test: preserve uniqueness without manufacturing institutional ownership
The first certification domain is uniqueness. A qualified provider must prove that no action it takes can create two valid delegations of the same number resource or detach a registration from the authoritative global chain. That requires more than a policy promise.
The provider should demonstrate authenticated change controls, transaction serialization, durable identifiers, tamper-evident journals, reconciliation with upstream state, and tested rollback procedures. It should show how it handles transfers, mergers, returns, legacy records, disputed authority, and overlapping requests. It should publish measurable error classes and correction times. Independent test teams should be able to submit controlled cases and verify that the system rejects duplicate or unauthorized state changes.
Uniqueness certification should also identify the legal person authorized to request each change. Modern number-resource disputes frequently concern not the bits in the database but authority behind the request: a former director, an administrator, a purchaser, a lessee, a creditor, a successor company, or an affiliate may each present documents. Technical authentication cannot settle corporate title by itself. The service must preserve contested state, record competing claims, and route legal questions to a defined adjudicative channel without inventing ownership rules through operational discretion.
That boundary protects both the registry and the holder. A provider should not be compelled to decide complex property questions merely because it maintains the database. Nor should it convert its ability to edit the database into a claim that it owns the underlying economic interest. Certification should state that the provider is authoritative for recording a validly established status, subject to defined policy and law; it is not the source of every right it records.
NRS's charter emphasizes the registry as an accurate bookkeeper rather than a transnational regulator. That formulation is useful when read as a limit on function, not as a denial of every legitimate policy task. Accurate registration is not passive clerical work. It requires security, evidence, reconciliation, and clear authority. But the bookkeeping frame disciplines the institution: control of the ledger is a fiduciary-like service obligation, not a proprietary claim over all entries.
The uniqueness test would therefore certify precision and restraint together. A provider passes only if it can maintain one coherent state and can explain why each change was within its delegated authority.
Second test: security must attach to each service boundary
The second domain is security. Existing registry assessments often describe technical competence at the organizational level. A service standard should require threat models, controls, recovery objectives, and incident evidence for each function.
The attack surface is heterogeneous. Allocation and transfer portals face account takeover and fraudulent authorization. Public registration services face scraping, availability attacks, and privacy mistakes. Reverse-DNS systems face unauthorized delegation and signing failures. Routing-security services face certificate and key compromise. Internal policy systems face manipulation of proposal records or voting eligibility. Billing systems can interrupt access if payment status is incorrectly connected to essential service. Backups can preserve an attacker as faithfully as they preserve valid data.
A provider should therefore publish the security boundary of each certified service. It should separate production authority from analytics, marketing, member communications, and ordinary corporate administration. High-impact changes should require independent approval paths and hardware-backed credentials. Logs should be exported to a verifier that the operator cannot silently rewrite. Recovery exercises should include loss of staff access, cloud account compromise, malicious insiders, software-supply failure, and a lawful restraint on ordinary corporate accounts.
The standard should distinguish confidentiality from secrecy about authority. Personal and security-sensitive data require protection. Decision rules, certification scope, responsible officers, incidents affecting public reliability, and aggregate performance require disclosure. A provider cannot prove trustworthiness by telling users that all relevant evidence is confidential.
Security certification must also be portable. If controls depend on undocumented knowledge held by three employees, the service is not secure in the institutional sense. A provider should maintain current runbooks, escrowed configuration, verified inventories, reproducible builds where feasible, key-transition procedures, and a minimum team able to assume bounded operation. Access to those materials must itself be controlled and audited; portability does not mean placing master credentials in an unprotected shared folder.
Most importantly, a security failure should not automatically become a grant of plenary power to an emergency operator. The incident decision must specify the affected function, evidence, temporary authority, excluded powers, data access, review date, and return condition. Certification prepares a safe option. It does not decide when the option may lawfully be used.
Third test: auditability must reconstruct authority, not just uptime
The third domain is auditability. Registry reports commonly publish availability, query volume, financial statements, and policy statistics. Those measures are useful and limited public evidence. A system can be continuously online while making an unauthorized change. It can be solvent while a board lacks authority. It can pass a security scan while a conflicted officer controls exceptions. The central audit question is whether an independent examiner can reconstruct each consequential decision from source authority to final state.
Every allocation, transfer, revocation, certificate action, region reassignment, emergency intervention, and material access restriction should produce a decision record. The record should identify the request, authenticated actor, applicable rule, evidence considered, conflicts declared, approvals, machine actions, notices, objections, effective time, and review route. Sensitive exhibits can be protected, but their existence, custodian, relevance, and handling basis should remain auditable.
Auditability also requires stable semantics. A service provider should not be free to change the meaning of “holder,” “member,” “assignee,” “legacy,” “transfer,” or “revocation” between cases. Definitions should be public, versioned, and tied to the action date. If local law supplies a different category, the record should explain how the legal category maps to the registration field rather than silently replacing one with the other.
The examiner must be independent of both the service provider and a commercial challenger. Funding arrangements should prevent a failed institution from starving the audit and prevent an accuser from purchasing a preferred conclusion. Selection rules should disclose conflicts, rotate firms or panels, and permit reasoned challenges. Audit scope should include the certifier's own conduct, because a certification market can become another closed guild if certifiers face no scrutiny.
Results should be graduated. A minor documentation defect is not a reason to disrupt service. Material unauthorized changes are not cured by promising better minutes. Findings should distinguish observation, remediable deficiency, serious control failure, and immediate continuity risk. Each category should have a response time, evidence threshold, and appeal path.
The current ICP-2 revision points in the right direction by emphasizing continuing and auditable compliance. A service model would make that principle operational. It would ask not merely whether the institution remains “compliant,” but which service, which control, which action, which evidence, and which remedy are at issue.
Fourth test: migration capacity is part of present competence
The fourth domain is migration capacity. An organization that can operate only while it remains unchallenged is not fully competent to operate critical infrastructure. It must be able to reduce, transfer, or return authority without losing uniqueness, confidentiality, or service.
The original ICP-2 required a candidate to supply a transition plan. That requirement focused on entry. The modern standard should require a continuously tested exit capability. The 2024 principles and Version 2 draft move toward continuity, record sharing, temporary operation, and handoff. Their weakness is that transfer can still appear as an exceptional command issued after failure. By then, cooperation may be disputed, credentials inaccessible, staff dispersed, vendors unpaid, and courts involved.
Certification should require a migration package before authority is granted. It should include data formats, field definitions, integrity proofs, configuration inventories, dependency lists, vendor terms, key-transition designs, privacy controls, service-level objectives, and a holder communication plan. It should define what can be transferred automatically, what requires holder confirmation, what requires a legal order, and what cannot be transferred because it belongs to the corporate provider rather than the public service.
The provider should run periodic exercises. A paper export is not enough. An alternate qualified provider should demonstrate that it can ingest a sanitized replica, reconcile records, answer queries, process a limited test change, rotate credentials, and return control. The test should measure data loss, inconsistency, delay, security exceptions, and holder impact. Results should be public at an aggregate level, with technical vulnerabilities handled responsibly.
Migration capacity also changes bargaining power. If service cannot move, every accountability threat is either empty or catastrophic. The incumbent knows that removal would endanger the system; overseers hesitate to act; holders carry the risk. A tested exit converts discipline from a threat of institutional destruction into a choice among bounded remedies.
The standard should nevertheless protect against migration as confiscation. A temporary operator receives only the authority needed for named services and only for a stated period. It does not automatically acquire membership assets, cash, offices, trademarks, claims, or the final right to serve the region. Permanent reassignment requires a separate decision and demonstrable support from affected holders. Exit readiness makes intervention safer; it must not make intervention casual.
Certifiers need a constitution of restraint
Replacing territorial exclusivity with certification creates a new risk: the certifier can become the real monopoly. If one body defines requirements, selects assessors, interprets evidence, grants eligibility, assigns service, suspends providers, and decides appeals, the reform has moved power without dividing it.
The functions should be separated. A standards body can define measurable requirements through an open procedure. Accredited technical assessors can test systems. Independent legal and governance examiners can review authority controls. IANA can verify that an assigned provider integrates with the authoritative registry chain. A separate decision panel can determine certification status from published findings. Appeals should go to a body that did not write the initial report. Courts retain jurisdiction over contracts, property, corporate authority, and lawful orders.
No incumbent RIR, commercial provider, NRS, ICANN department, or holder coalition should control the whole chain. Each brings relevant knowledge and an interest. The existing registries understand operations and continuity. NRS contributes a holder-centered advocacy perspective and represents members; it does not certify or operate registry services. IANA understands global coordination. Operators understand deployment. Governments understand public law. Security assessors understand controls. None of those competencies is a complete mandate.
Certification terms should be finite. Renewal should depend on fresh evidence, not presumed entitlement. Significant ownership, governance, platform, jurisdiction, or service changes should trigger an interim assessment. Emergency suspension should be possible only where a defined risk cannot be contained by a narrower measure. Reasons should be published, with confidential material summarized enough for a meaningful challenge.
Fees should be formulaic and disclosed. A certifier funded entirely by incumbents may protect entry barriers; one funded entirely by applicants may lower standards. A pooled model with published contributions, conflict screens, and a reserve for contested cases would reduce dependence. Small and new providers should have access to assessment without receiving a lower substantive standard.
Finally, the certifier should be liable for its own process failures under an appropriate legal structure. Immunity encourages careless power. Unlimited exposure could make certification impossible. The answer is a calibrated duty: documented standards, reasoned decisions, conflict disclosure, professional insurance, correction obligations, and review. Accountability cannot stop at the organization being certified.
Holder choice can exist without conflicting global state
The service model is often criticized as an invitation to registry shopping. A holder denied an action by one provider might move to another with weaker controls. Competing providers might lower security or approve questionable transfers. Geographic forums might lose the stable constituency needed to make policy.
These are design problems, not reasons to preserve permanent franchises. Choice should operate inside a common floor. A holder could select among certified providers for account service, support, billing, or registration administration, but the provider would apply the same authoritative uniqueness rules, minimum evidence requirements, and dispute holds. A move would carry the full history and could not erase an existing restriction or open proceeding. Certifiers would compare exception rates and investigate anomalous migration patterns.
Some functions should remain collectively singular. The global pool registry, root trust relationships, and the final serialization of authoritative delegations cannot be multiplied casually. Other functions can be plural. Customer support, identity verification, escrow, public directory presentation, transfer facilitation, and certain policy services can be supplied by multiple qualified organizations. The standard should justify singularity function by function.
Regional policy participation can also survive provider choice. A network's policy constituency need not be determined solely by the office that sends its invoice. Participation could attach to operational presence, resource impact, or verified holder status under anti-duplication rules. Global policies would continue to require coordination across affected communities. The reform should prevent a large group from manufacturing votes through affiliates, but it should not exclude a network merely because its provider is incorporated elsewhere.
Choice should be introduced gradually. The first application may be emergency continuity and voluntary migration of administrative service for holders whose records are clean and uncontested. Later phases could test cross-provider transfers and shared certification services. Each phase should publish failure data before expansion.
The essential principle is that one global state does not require one permanent institutional door for every entity in a continent. It requires common rules for state change and disciplined interoperability among those authorized to perform it.
NRS supplies a constructive change in the center of gravity
The Number Resource Society's positive contribution is to change the unit of concern. Its public materials place accurate registration, the interests of networks, global connectivity, and limits on registry power ahead of the institutional preservation of a particular RIR. Its membership page invites individual and network participation, while its about page argues that businesses should have greater control over registration rights attached to the addresses on which they depend. The charter describes registries as bookkeepers whose legitimacy rests on voluntary recognition.
That direction is valuable because the current architecture can invert means and ends. The registry exists to keep the number system reliable for networks. Networks do not exist to preserve the registry's institutional perimeter. When scarcity gives an address block substantial operational and capital-like value, a rule affecting registration can determine financing, customer service, acquisition value, and business survival. A governance model that hears only policy specialists and registry members will miss much of the reliance interest.
NRS should not be treated as neutral proof of its own claims. It is an advocacy organization with stated positions. Its “ownership” language does not settle the legal character of address rights across jurisdictions, contracts, and policy systems. Nor does a free market by itself solve duplicate claims, abuse response, route security, privacy, or the representation of small networks. The point is not to adopt every NRS proposition as law.
The point is that NRS identifies a legitimate design direction: authority should be answerable to the holders and operators who bear the consequences, accurate registration should be the core service, geographic boundaries should not become a pretext for unreviewable control, and portability should discipline the provider. Those propositions can be translated into institutional tests.
NRS participation would be strongest in a plural structure. It could represent authorised members, collect evidence-led accounts of service failures, submit public comments, propose certification criteria, scrutinise published portability-test results, and publish dissent. Accredited assessors and authorised operators, not NRS, must conduct technical tests; competent institutions must certify providers and courts or designated review bodies must adjudicate contested rights. A holder-centered voice gains credibility when it accepts the same conflict rules and evidentiary discipline it demands of incumbents.
Positive direction is therefore not endorsement without conditions. It is recognition that reform should move the center of gravity from territorial institutions toward verifiable service and protected reliance.
LARUS shows why service continuity has become an economic product
LARUS's public position illustrates the commercial pressure behind the governance debate. Its registry-risk analysis describes a first-party leasing model in which the provider retains the registry relationship and administrative responsibility while customers receive address use and renewal continuity. Its main site presents continuity as a product feature rather than an incidental consequence of registry membership.
These claims are corporate claims and should be read as such. They do not independently prove ownership, legal superiority, or guaranteed performance in every circumstance. They do show that registry-layer risk is now visible enough to price, sell, and contract around. A customer chooses not merely an address block but a counterparty expected to absorb renewal, compliance, record, and dispute risk.
That market development weakens the assumption that the RIR is the only meaningful service provider. The holder, lessor, lessee, routing operator, registry, certificate service, and customer may be different entities. Each has a distinct responsibility. A territorial model tends to compress them into the relationship between one registry and one account holder, then leave downstream continuity to private contracts. A service standard can make the chain legible.
For example, a certified first-party lessor could be required to disclose the registration basis of its pool, the division of registry and customer obligations, renewal terms, abuse handling, route authorization, migration assistance, and the treatment of a registry dispute. The registry-facing service could certify the lessor's authority without pretending that every lessee owns the block. The customer-facing contract could supply remedies that the registry agreement does not. Auditors could verify that the addresses promised to customers remain within the provider's controlled estate.
The useful direction is not a preference for leasing over purchase. Different networks require different structures. It is the recognition that continuity is an active service with evidence, controls, and liability. Once that is acknowledged, certification can compare providers on what they actually promise and deliver rather than on inherited regional status.
Property language requires precision, not prohibition
Any successor to ICP-2 must confront the capital-like character of scarce IPv4 without declaring a universal property rule it lacks authority to make. Address rights arise through several layers: global technical coordination, registry records, membership and service agreements, transfer policy, corporate and insolvency law, contracts between holders and users, and the operational acceptance of routes. Different jurisdictions may classify parts of that bundle differently.
Saying that an address is “not property” does not eliminate reliance, transfer value, contractual rights, or legal remedies. Saying that a holder “owns an IP” does not establish an unrestricted right against the world or a power to defeat uniqueness, sanctions, court orders, security controls, or valid contractual conditions. Both slogans are too blunt for certification.
The service standard should instead protect defined incidents of control. It should identify who may request a registration change, under what evidence; whether a right can be transferred, leased, secured, inherited, or returned; what restrictions follow the record; what notice and cure are required before adverse action; what happens during a dispute; and which forum decides each legal question. It should preserve existing rights during provider migration unless a separately valid decision changes them.
This approach distinguishes registry authority from title adjudication. The provider can refuse a technically invalid or unauthorized request. It can comply with a binding legal order. It can enforce published service conditions through due process. It should not use policy ambiguity to appropriate economic value, extinguish a contested claim without review, or condition database accuracy on submission to unrelated institutional objectives.
Capital-like reliance also changes proportionality. An erroneous record change can destroy far more value than the annual fee paid to a registry. Certification should examine liability caps, insurance, correction speed, interim relief, and compensation mechanisms. A provider cannot be deemed fully trustworthy if it controls high-impact state but externalizes nearly all consequences of negligent control.
Precision makes both markets and coordination safer. It gives holders enforceable expectations without converting Internet numbers into absolute sovereign estates. It gives providers bounded authority without making them owners of the interests they record.
Territory should become an evidence factor, not a permanent entitlement
Geography still matters. Language, time zones, legal service, payments, sanctions, local connectivity, government relations, and community knowledge affect registry performance. A global service regime that ignores those facts could centralize power in a few wealthy providers. The answer is to treat regional capacity as a certification and assignment factor rather than an exclusive title.
A provider seeking to serve networks in a region should demonstrate multilingual support, local-law competence, accessible dispute channels, resilient infrastructure, and meaningful participation by affected holders. It should show that data transfers comply with applicable law and that emergency service is available during regional disruption. Those are service facts. They can be measured and renewed.
Assignment decisions should consider diversity. If every holder moves to one provider, formal choice can produce practical concentration. The certification framework should monitor market share, correlated infrastructure, common cloud dependencies, ownership links, and failure contagion. It may impose portability, interoperability, or concentration safeguards. It should not preserve an inefficient provider merely to maintain geography, but neither should it allow price alone to erase regional capability.
Public-interest functions may justify subsidized regional infrastructure. Small networks and developing markets need support that a purely commercial provider may not supply. Funding can be separated from monopoly: a global or regional fund can procure specified services through transparent contracts, support local participation, and require open performance data. The recipient would earn the mandate for a term rather than own the territory.
Governments should have a defined consultative role where public administration, national law, or critical infrastructure is affected. They should not receive a veto over every private registration or a power to nationalize the global chain. The service standard should publish how governmental input is received, tested, and bounded.
Under this model, “region” describes affected users and service conditions. It does not confer perpetual franchise rights on the current corporation. A capable incumbent can continue for many terms. Its legitimacy would come from performance, holder confidence, and lawful renewal rather than historical occupancy.
Transition can begin without dismantling the five-RIR system
A service-certification model does not require an abrupt abolition of the existing RIRs. The safest transition uses their capabilities while changing the legal meaning of recognition.
First, the final ICP-2 successor should publish a service catalogue. It should identify which functions are globally singular, which are regionally assigned, which can be competitive, and which can be supplied temporarily. Each function should have a certification standard, assignment instrument, audit evidence, and migration plan.
Second, each existing RIR should receive transitional certification based on verified evidence rather than automatic grandfathering. Deficiencies should produce remediation plans unless immediate risk requires a narrower continuity measure. The initial review should map dependencies and rights, not manufacture a crisis.
Third, independent providers should be allowed to qualify for bounded roles, beginning with escrow verification, recovery testing, read-only directory continuity, and support services. Their performance would create evidence before any high-impact assignment. Incumbents could also certify capabilities outside their historical region where concentration controls permit.
Fourth, holders should receive a clear statement of rights. It should explain what service provider changes can and cannot alter, how notice works, where disputes go, and how records remain continuous. Migration should never be presented as a new allocation that erases history.
Fifth, the system should run controlled portability trials. Clean, voluntary cases should move administrative service between certified providers while the authoritative chain remains intact. Auditors should publish reconciliation and delay results. Contested resources should remain out of early trials.
Sixth, recognition terms should become time-limited. Renewal evidence would gradually replace inherited status. Failure to renew one capability would not necessarily terminate all others. This reduces the all-or-nothing character of derecognition.
Finally, amendment power must include holders. ICANN and the RIRs have indispensable operational roles, but they cannot be the only institutions authorizing rules that define their own certification and market position. Verified holder representation, public reasons, conflict disclosure, and independent review should be structural requirements.
This transition preserves stability while changing incentives. Existing expertise remains available. New capacity develops under supervision. Holders gain a practical exit. The global state stays singular. The franchise becomes a renewable service mandate.
Certification needs a public performance ledger
A certification regime will fail if it replaces one institutional badge with another. “Certified” must be the beginning of public evidence, not the end of inquiry. Each provider should maintain a performance ledger that permits holders, alternate providers, assessors, and oversight bodies to compare promises with outcomes.
The ledger should report service availability, but it should not stop there. It should include unauthorized-change attempts, confirmed erroneous changes, reconciliation failures, time to restore correct state, unresolved identity disputes, transfer completion times, security incidents by severity, emergency access events, key rotations, audit findings, remediation age, and migration-test results. Metrics should use common definitions so that one provider cannot improve its apparent record by classifying serious cases as customer support.
Rights protection also needs measures. The ledger should state how many adverse actions were proposed, how many received prior notice, how many were cured, how many were stayed, how many were reversed internally or on appeal, and how long review took. Aggregate reporting can preserve confidentiality while showing whether exceptional powers are truly exceptional. A provider with perfect uptime and a high reversal rate is not delivering reliable governance.
Concentration indicators belong beside operational indicators. Assessors should publish the provider's share of registered resources and holders, dependencies on common infrastructure, related-party service arrangements, and the portion of critical work controlled by a small number of individuals. A nominally plural market can still have one hidden failure domain.
The ledger should carry signed evidence and stable historical versions. Corrections must remain visible. Providers should not be able to erase a bad quarter by redesigning a dashboard or changing a denominator. Independent assessors should sample the underlying records and publish the sampling method. Holders should be able to challenge an aggregate figure without exposing private case material to the public.
Performance evidence should control renewal. Minor variance can produce a corrective plan. Repeated serious failure can narrow certification scope, require a supervised migration exercise, increase insurance, or shorten the term. An excellent record can reduce inspection frequency for low-risk controls, though no provider should become exempt from independent testing.
The certifier needs the same ledger. It should disclose assessment duration, inconsistent findings, successful appeals, conflicts, assessor concentration, and overdue reviews. Otherwise the body judging monopoly risk can acquire opaque monopoly power of its own.
Public measurement will not settle every dispute. It will make institutional claims falsifiable. That is essential to the proposed bargain: providers lose a presumption of territorial permanence, while holders and the global system gain evidence that qualified alternatives can preserve the same authoritative state.
The decision rule for the final text
The final 2026 drafting period should apply a simple authority test to every clause: does this provision certify a necessary service, or does it grant an institution power beyond that service?
A uniqueness rule passes if it prevents conflicting state and supplies correction. It fails if it turns record control into ownership of every registered interest. A security rule passes if it protects systems and credentials. It fails if “security” becomes a reason to conceal decision authority. An audit rule passes if an examiner can reconstruct actions. It fails if the auditor answers only to the institutions being examined. A continuity rule passes if it enables bounded, reversible service. It fails if emergency operation automatically determines the permanent successor.
A regional rule passes if it ensures accessible and representative service. It fails if geography becomes an indefinite barrier to entry.
The same test applies to policy proposals advanced by NRS and to commercial alternatives. NRS may advocate that affected networks should be able to initiate review, inspect evidence and instruct authorised providers through defined procedures; NRS does not itself authorise consequential registry changes. Holder voice fails if one coalition claims to speak for all holders without verification. Market access passes when qualified providers can enter and holders can move safely. It fails if competition permits conflicting records or evasion of valid restrictions. Ownership protection passes when defined rights receive due process and continuity.
It fails if the language claims an absolute title that ignores law and global coordination.
A modern ICP-2 should therefore contain four separate instruments: a technical service standard, a certification and audit statute, an assignment and migration compact, and a holder-rights charter. Combining them in a short statement of institutional principles would recreate the ambiguity the review is trying to solve.
The choice is not between the five RIRs and disorder. It is between inherited institutional exclusivity and a more exact system of delegated service. The existing registries can succeed in that system by proving what they do well. NRS can improve the debate through research, member representation and public advocacy that keeps holder interests and accurate registration at the center. IANA and the RIR system can protect the single authoritative chain within their assigned roles. Independent certifiers can test service claims. Courts can decide legal rights within their jurisdiction.
The result would be conservative in the best sense. It would preserve uniqueness and continuity while refusing to convert technical coordination into permanent territorial government. That is the ICP-2 the next era requires: certification of service, evidence of authority, and migration without confiscation.

