Summary
- ICP-2 reform should be judged as a recognition-standard design problem: the standard must measure whether a registry can provide reliable, auditable, member-accountable number-resource services, not whether incumbents can preserve their franchise.
- ARIN is the mature regional test because IPv4 scarcity, legacy resources, transfer-market reliance, cloud concentration and external reliance on registry records make recognition economically consequential even when the institution is stable.
- A credible standard should define observable obligations, independent review, audit scope, continuity remedies and graduated sanctions before de-recognition, while avoiding vague global discretion.
- The principal danger is not too little governance language but too much: NRO, ICANN or RIR consensus processes can launder institutional preference into global gatekeeper power if criteria are not narrow and evidence-based.
- The next 12-24 months should be watched for audit design, emergency-operator readiness, anti-capture safeguards, transfer-market neutrality, and whether ARIN treats reform as discipline on itself rather than as protection against challengers.
Recognition standards are economic instruments
The old language of internet-number governance can make recognition sound ceremonial. A regional internet registry is "recognized"; it joins the familiar system; it serves a region; it participates in coordination; it follows open policy processes. Those words describe real institutional arrangements, but they understate the economics. Recognition is not a medal. It is a license to operate the authoritative regional ledger for IPv4 addresses, IPv6 addresses and autonomous system numbers. That ledger is used by operators, brokers, banks, courts, cloud providers, security teams, customers and governments to decide who may act, which record is reliable, which transfer can close and which network contact is credible.
That is why the reform of Internet Coordination Policy 2 should be treated less as institutional housekeeping and more as recognition-standard design. The original ICP-2 document, accepted in 2001, was mainly a standard for the establishment of new RIRs. It belonged to a period when the regional system was still settling into its five-registry shape. The current reform process, described on the NRO ICP-2 page, has become larger. It now covers recognition, ongoing operation, audit, emergency continuity and potential de-recognition. It asks not only how a new registry should enter the system, but how existing registries should remain worthy of recognition and what happens if one fails.
That change is economically unavoidable. A recognition standard sets the terms on which registry services remain trusted infrastructure. If it is too weak, a failing registry can impose continuity risk on an entire region while the global system lacks a credible remedy. If it is too strong, or too discretionary, the standard becomes a global gate through which incumbent registries, ICANN processes and NRO coordination can discipline disfavoured communities or potential challengers. If it is too vague, markets will price the uncertainty. If it is too detailed, it may freeze one institutional model and make regional adaptation expensive.
ARIN matters because it is not the crisis case. It is the mature North American and Caribbean case. Its free IPv4 pool has been depleted since 24 September 2015, as ARIN's IPv4 options page records. Transfers, legacy records, waiting-list allocations, RPKI, Whois/RDAP, reverse DNS and contractual service boundaries now carry more economic weight than ordinary first-time allocation from abundance. In such a market, a recognition standard is not merely about preventing collapse. It is about defining the price of trust.
The right question is therefore not whether ARIN should be subject to global expectations. It should. The question is what those expectations should measure, who should apply them, what evidence should count, which remedies should exist short of de-recognition, and how to prevent the standard from becoming incumbent protection dressed as stability.
ARIN is the mature market test
ARIN's region is a useful laboratory because it combines institutional stability with high economic dependence on registry records. ARIN serves Canada, the United States and many Caribbean and North Atlantic territories; its region page lists jurisdictions ranging from Canada and the United States to Bermuda, Jamaica, Puerto Rico, Saint Lucia, the British Virgin Islands and others. This is not a single national economy. It is a registry service area covering hyperscale cloud platforms, national carriers, rural broadband providers, universities, government contractors, data centres, Caribbean operators, legacy enterprise holders, brokers and small networks with little spare address capacity.
The region's stability can mislead. Because ARIN is orderly, the risk does not present itself as dramatic institutional failure. It appears as friction: transfer timing, documentation cost, legacy-resource uncertainty, waiting-list constraints, fee incidence, policy participation cost, routing-security dependency and the difficulty of distinguishing a neutral registry rule from an economic gatekeeping rule. In a rich region, many participants absorb that friction quietly. A hyperscale platform hires counsel. A large cable operator retains specialist staff. A bank inserts recognition conditions. A broker structures a transaction around ARIN review. A small ISP, by contrast, may experience the same process as a liquidity discount or a blocked expansion.
The post-2015 IPv4 market makes the difference visible. ARIN says ordinary requests cannot be fulfilled from a free pool except through special reserved-policy routes, waiting-list distributions or transfers. Its waiting-list page explains that organisations above a /20 equivalent are not eligible, that the maximum aggregate at one time is a /22, and that address blocks returned or revoked are used to fill requests in a first-approved sequence subject to the size of available blocks. Its transfer guidance describes specified-recipient transfers within the ARIN region under NRPM 8.3 and inter-RIR transfers under NRPM 8.4, with compatible transfer-policy relationships currently listed for APNIC, LACNIC and RIPE NCC but not AFRINIC.
Those pages are factual exhibits, not the normative frame. They show a mature scarcity economy in which the registry is not the seller, not the broker and not the network operator, but still controls the recognized settlement layer. A private purchase of IPv4 capacity is not operationally complete until the registry record moves. A routing-security posture depends on the holder's recognized relationship to ARIN services. A court, bank or buyer may look to registry records as evidence of control even when legal title language remains contested. Customers may not know ARIN exists, but they experience its record layer through continuity, reputation and supportability.
This is why ARIN is the hard test for ICP-2 reform. A standard built only for visible collapse will miss the mature-market problem. It will define emergency continuity after failure while leaving everyday market power untouched. A standard built only for ARIN's orderly culture will miss weaker regions and over-protect incumbent registries. The useful standard has to do both: discipline ordinary registry power before crisis, and provide credible continuity tools if crisis arrives.
The economic shift since the first ICP-2
The first ICP-2 emerged when recognition mainly meant admitting new regional registries to an expanding system. The global internet had not yet lived through complete IPv4 exhaustion at the IANA level, every RIR region had not yet confronted post-exhaustion allocation constraints, and address transfers had not become a mature commercial architecture. Recognition criteria could focus on whether a candidate registry had regional support, neutral policies, technical capacity, financial backing and a plausible service area. The underlying assumption was growth.
The present reform occurs under a different scarcity regime. IANA's number resources page describes IANA's role in coordinating global Internet Protocol addressing systems and autonomous system numbers, allocating pools to RIRs under global policy rather than directly to most ISPs or end users. For IPv4, the old inventory logic is gone. Address blocks are still technically identifiers, but their scarcity has made them capital-like. They can support network expansion, customer retention, cloud onboarding, acquisition value, lender confidence, reputation and business continuity. They are not ordinary property in a simple sense, but markets price them as economically durable inputs.
Recognition therefore has a different function. In the old world, recognition determined who could distribute future resources in a region. In the new world, recognition also determines who maintains the ledger around resources already embedded in networks and balance sheets. A registry that fails can no longer be replaced by telling networks to reapply elsewhere for a generous supply of new IPv4. A registry that overreaches can no longer be disciplined by easy renumbering. A registry that cannot process transfers predictably can impose a market tax. A registry that loses auditability can degrade confidence in title-like evidence, routing-security assertions and public contacts.
The NRO process reflects this shift. The NRO page records that in October 2023 the NRO Executive Council asked the ASO AC/NRO Number Council to establish and manage a process to update ICP-2, and that a questionnaire ran from 8 October to 6 December 2024 with 298 submissions. A first RIR Governance Document was published in April 2025, a second version on 28 August 2025, and a May 2026 status report described continuing work after ICANN85. The timing matters less than the institutional change: the reform is no longer simply about new entrants. It is about lifecycle governance.
Lifecycle governance is valuable only if it is specific. "Stable", "accountable", "community-driven" and "transparent" are useful aspirations, but they do not by themselves tell a market what happens when records are stale, when a transfer is delayed, when fees shape participation, when a board is captured, when an audit is requested, when emergency services must be operated, or when member remedies should begin. Recognition standards must convert institutional adjectives into observable duties.
For ARIN, the economic test is particularly demanding. Because the registry is functioning, reform should not be judged only by whether ARIN can survive an emergency. It should be judged by whether the standard gives ARIN, members and market participants a clearer boundary between registry infrastructure and market control.
What a credible recognition standard should measure
A recognition standard should not ask whether a registry sounds like the existing RIRs. It should ask whether the registry reliably provides the services on which the numbering community and adjacent markets depend. That requires measurable categories. The first is continuity: can the registry keep allocation, registration, public directory, reverse DNS, RPKI, IRR or related routing-security functions available under stress? Does it have tested redundancy? Are data escrow and emergency handoff arrangements usable rather than aspirational? Can an emergency operator perform the minimum service set without taking over broader institutional politics?
The second category is record integrity. The registry must maintain accurate holder records, authenticated change pathways, dispute markers, transfer histories and public query services. Accuracy is not perfection. It is a disciplined system for knowing which data is verified, which is pending, which is challenged and which has been corrected. For ARIN, this includes a special burden around legacy resources. Some resources predate ARIN's current agreement structure; a standard that pretends all records can be normalised through current contracts will misunderstand the historical ledger.
The third category is market neutrality. A registry should be able to prevent fraud, duplicate recognition, forged authority and technically unsafe record changes. It should be much more cautious about using recognition to judge commercial merit. In a post-exhaustion transfer market, the line between record verification and business-plan approval is economically material. If a standard rewards registries for preserving old allocation-era controls without asking whether those controls still reduce net harm, it will entrench friction. If it strips away all safeguards, it will invite fraud. The credible standard should make registries justify market-affecting conditions in terms of concrete registry risk.
The fourth category is member accountability. The current RIR Governance Document Version 2 would require open membership for resource holders, a member-elected majority of the governing body, transparent policy development and mechanisms for members to ask questions and receive meaningful responses. That is directionally right, but it should not be treated as self-executing. A voting right is not accountability if nomination rules, information asymmetry, travel costs, meeting culture, low turnout or incumbent networks make the election structurally predictable. The standard should measure access to information, contested elections, conflict controls, participation cost and responsiveness, not merely the formal right to vote.
The fifth category is auditability. It is not enough to publish annual reports and meeting minutes. A registry should be externally reviewable against operational, governance, financial and service-continuity criteria. The audit must be scoped so that it does not become a fishing expedition or a political weapon. It must also be strong enough to reveal whether the registry can do what recognition claims it can do. Without audit, recognition becomes trust in reputation. With excessive audit, recognition becomes permanent bureaucracy. The standard has to set a middle price.
ARIN's strengths are not a substitute for discipline
ARIN enters this debate with real institutional strengths. Its Board of Trustees page states that in 2025 the board consisted of ten members, nine elected by General Members in Good Standing, with the President and CEO serving as the tenth trustee. ARIN publishes policy materials, meeting information, transfer procedures, service documentation and fee schedules. It participates in the NRO system, operates mature registry services and has decades of experience managing difficult legacy and transfer questions. These are not cosmetic virtues.
But institutional strength can become an argument against reform if it is used carelessly. A mature registry may say, in effect, that it already has the processes reform seeks. That may be partly true. Yet the purpose of a recognition standard is not only to rescue weak institutions. It is to make strong institutions legible and constrained. In a system with constrained exit, trust should not depend on the current board's temperament, the current staff's professionalism or the current community's habits. It should be embedded in durable tests.
ARIN's maturity also gives it influence. A standard shaped around the practices of a strong incumbent can become a template that weaker or different regions must copy. That can be efficient when the practice is genuinely necessary, but harmful when it turns one region's administrative culture into global orthodoxy. For example, requirements around corporate governance, member voting, dispute resolution, audit and financial independence should be defined at the level of function, not procedural mimicry. A registry in a different legal environment may satisfy the same control objective through a different mechanism. A standard that allows no variation will favour incumbents and lawyers over local institutional design.
The opposite risk is that ARIN's own practices are treated as sufficient because the region is stable. Stability does not prove optimality. It can hide deadweight loss. Transfer-market participants may accept friction because alternatives are worse. Small operators may avoid policy participation because the cost is too high. Legacy holders may sign agreements for access to routing-security services even if they dislike the broader policy stack. Cloud platforms may adapt by overbuying, leasing or diversifying address portfolios. These adaptations keep the system functioning, but they are evidence of cost, not proof that the cost is justified.
ICP-2 reform should therefore be used to discipline ARIN even if ARIN is not in crisis. The standard should ask whether ARIN can explain market-affecting decisions in narrow registry terms, whether member accountability reaches small and non-repeat players, whether audit would reveal meaningful operational risk, whether continuity could survive institutional shock, and whether remedies are proportionate. A strong institution should welcome that test if it believes its legitimacy rests on performance rather than incumbency.
Transfer-market reliance is the central ARIN fact
No analysis of ARIN and ICP-2 economics can avoid transfers. ARIN's post-depletion environment makes transfer recognition one of the most important ways the registry touches economic value. The transfer guide says source organisations in specified-recipient transfers must be current registered holders, not involved in disputes over the resources, and provide signed and notarized officer acknowledgement letters. It sets a /24 minimum, restricts sources that recently received resources, excludes reserved-pool resources and imposes waiting-list consequences. For inter-RIR transfers, ARIN requires reciprocal, compatible, needs-based policies, and recipients within the ARIN region must demonstrate up to a 24-month supply need.
These rules are not arbitrary on their face. They guard against fraud, policy arbitrage, duplicate claims, reserved-pool laundering and speculative churn. But they also shape the market. They affect timing, bargaining power, price, lender conditions, broker value and the ability of smaller networks to acquire capacity. A recognition standard that ignores transfer-market effects will miss a core part of registry power.
The difficult issue is not whether a registry should verify a transfer. It must. The difficult issue is whether verification should include forward-looking business judgments inherited from the allocation era. In a market transaction, the buyer's willingness to pay reveals need in a way that an administrative forecast cannot easily improve upon. There are cases where hoarding, fraud, sanctions exposure or abuse require intervention. But the recognition standard should ask registries to separate those cases from ordinary market movement. A rule should say what harm it prevents, what evidence triggers it and why a narrower record-integrity tool is insufficient.
This matters for ICP-2 because the current draft's operational requirements include impartial and consistent policy application, stable and accountable services, and compliance with number-resource policies. Those duties are necessary but not enough. A registry can apply an economically restrictive policy consistently. It can process transfers predictably while preserving unnecessary market barriers. It can be transparent about rules that should be narrower. Reform therefore needs a market-neutrality lens: does the registry's use of recognition preserve the ledger, or does it protect an allocation-era ideology after scarcity has changed the function?
ARIN is a useful case because its transfer market is relatively mature. Participants understand pre-approval, documentation, inter-RIR compatibility and settlement risk. That sophistication can make the system look healthy. Yet it can also mask costs that only smaller or less expert participants feel. If ICP-2 reform is to strengthen the system, it should not merely require registries to have policies. It should require them to show that policies touching scarce transfers remain proportionate to registry risk.
Auditability is where trust becomes price
Audit design is one of the most important economic questions in the reform. The current Version 2 document says each RIR must participate in periodic or ad hoc audits by an independent external auditor appointed by ICANN, with a summary report published, and that periodic audits should occur at least every three years. The May 2026 status report says further drafting was underway after ICANN85 and that regular audit frequency, audit thresholds and the ad hoc process were still being revised, including discussion of moving regular audits to every five years and renaming ad hoc audit as compliance review.
The frequency debate matters, but scope matters more. An audit that asks whether a registry has documents will be cheap and weak. An audit that examines every contested policy judgment will be costly and politicised. A useful audit should measure service continuity, data integrity, governance controls, member accountability, financial independence, security controls, disaster recovery, publication transparency, conflict management, transfer-process consistency and evidence handling. It should not become an appeal on every transfer file or a referendum on unpopular policy choices.
For ARIN, auditability would have two market effects. First, it would reduce uncertainty for external users of registry data. If banks, courts, brokers and operators know that ARIN's continuity and record controls are externally tested, registry records become more credible. Second, it would discipline ARIN's own internal incentives. A documented audit criterion makes it harder to rely on inherited language or informal confidence. If the registry says continuity arrangements exist, the audit can ask whether they have been tested. If the registry says members can hold the board accountable, the audit can examine participation and information pathways. If the registry says transfers are processed consistently, the audit can examine process categories without exposing confidential transaction details.
The danger is that audit becomes a new centre of power. If ICANN appoints auditors, sets scopes, interprets reports and triggers compliance consequences without clear limits, the audit system can become global gatekeeping by another route. If RIRs collectively shape the audit to avoid discomfort, it becomes incumbent protection. If member thresholds are so high that ad hoc review is impossible, the remedy is decorative. If thresholds are too low, audits become harassment tools in commercial disputes. The standard should therefore specify both audit triggers and anti-abuse controls.
An economically credible audit system would publish summary findings, identify material non-compliance, protect confidential records, distinguish operational defects from policy disagreement, provide cure periods, and allow members to understand whether weaknesses are being fixed. It would make recognition cheaper to price. That is the point of audit: not bureaucracy, but lower risk premiums.
Remedies should come before de-recognition
De-recognition is the nuclear remedy in registry governance. It is necessary to define, but dangerous to centre. A system that can only choose between tolerating failure and removing recognition will tolerate too much failure for too long. A system that reaches quickly for de-recognition will destabilise the very continuity it claims to protect. The useful standard is a ladder of remedies.
Version 2 contains the beginning of such a ladder. It provides for audits, emergency continuity, rehabilitation, a presumption in favour of helping a non-compliant RIR cure failures, and de-recognition only as a last resort where harms outweigh the benefits of continued tolerance. That structure is sound. The economic question is whether the rungs are concrete enough to work before a crisis.
Possible remedies short of de-recognition should include formal notice of non-compliance, published cure plans, independent compliance review, targeted technical assistance, temporary restrictions on specific discretionary actions, required governance changes, enhanced reporting, supervised data escrow, emergency-continuity exercises, member-information obligations and independent review of conflict-prone decisions. Not every remedy belongs in the base document, but the standard should make clear that the system has options between politeness and institutional death.
For ARIN, graduated remedies would likely be relevant not because the registry is about to fail, but because mature-market frictions need disciplined correction. Suppose an audit found that transfer-processing reasons were insufficiently specific, or that small operators faced disproportionate documentation burdens, or that emergency handoff material existed but had not been tested, or that board conflict disclosures were hard to connect to high-value market decisions. None of those findings should threaten immediate de-recognition. All of them should produce corrective obligations.
Remedy design must also protect against incumbent gaming. Existing RIRs could use compliance language to burden a potential challenger, a reform movement or a registry under political pressure. Conversely, an incumbent subject to criticism could describe every challenge as a threat to stability and demand global support. The standard should require evidence, proportionality and publication. A remedy should be tied to a specific obligation, a specific deficiency and a specific cure. Vague concern should not become supervisory control.
The most important remedy is service continuity. If a registry is under stress, the first obligation is to keep minimum registry services operating: public records, authenticated changes, reverse DNS where applicable, routing-security publication where applicable, transfer and dispute queues, and customer communication. De-recognition should not be the first practical mechanism by which the global system learns how to keep those services alive. Emergency continuity should be rehearsed before it is needed.
Who applies the standard is as important as what it says
The current draft gives substantial roles to the RIRs and ICANN. Recognition and de-recognition proposals involve RIR recommendations and ICANN decision-making. ICANN cannot recognize or de-recognize an RIR unless it has received a proposal approved by the RIRs under the specified procedure, and affected parties may use ICANN review procedures. Emergency continuity requires agreement by the other RIRs and ICANN. Audit processes also involve ICANN. This distributes power, but it does not eliminate power.
The economics of application are delicate. Existing RIRs have expertise. They understand registry operations, data escrow, policy development, routing-security services and cross-registry coordination. They also have incumbent interests. They may prefer a small club, familiar operating models and standards that make entry difficult. ICANN sits outside the RIR system in one sense and inside the broader internet-governance establishment in another. It can supply neutrality, but it can also become a central gate if standards are vague. The NRO coordination layer can protect stability, but it can also turn consensus into cartel-like conservatism.
The standard should therefore separate expert input from final evidence. Existing RIRs should be able to comment on operational feasibility, cross-registry coordination, emergency handoff and legal cooperation. They should not be able to block a candidate or reform path with unexplained institutional preference. ICANN should be able to appoint independent reviewers, publish reasons and enforce process. It should not be able to convert a numbering standard into broad political discretion. Members should be able to trigger review under defined thresholds. They should not be able to use compliance procedures as a weapon in ordinary commercial fights.
For ARIN, this question has two sides. As an incumbent, ARIN should want a standard that prevents frivolous attacks on functioning registries. As a registry subject to the same system, it should also want a standard that prevents other incumbents or global bodies from using stability language to overrule regionally legitimate choices. A self-interested ARIN might prefer maximum incumbent veto. A system-minded ARIN should prefer reasoned review, independent evidence and clear limits on both ICANN and RIR discretion.
Application design should also include transparency. Recommendations for recognition, refusal, audit, emergency continuity or de-recognition should be published with reasons, except where confidentiality is strictly necessary. If a candidate or affected RIR disputes the result, the independent review should examine whether objections are grounded in fact, law and operational risk. Secret consensus is not a standard. It is club governance.
Incumbent protection is the reform's largest moral hazard
Every recognition standard creates a barrier to entry. Some barriers are necessary. The internet does not need a casual proliferation of regional registries, overlapping service areas or politically motivated number-resource authorities. The draft's coordination limitation, which expects the number of RIRs to remain small and service regions not to overlap, reflects a real operational concern. But necessary barriers are still barriers. They can be used to protect users or to protect incumbents.
The draft's "material improvement" criterion for recognizing a candidate RIR is therefore economically significant. A candidate that meets basic requirements would still need to show that recognition would materially improve the functioning of the Internet Numbers Registry System compared with the existing state of affairs. The idea is defensible: adding a registry increases coordination costs and should not be done merely because a group wants a badge. But "material improvement" can also become an incumbent veto if it is undefined. Existing registries can always say the current system is stable enough.
A good standard should specify what material improvement can mean. It might include restoring services in a region where the incumbent cannot function; improving member accountability where representation is structurally broken; reducing severe transaction costs; resolving persistent legal incompatibility; enhancing continuity for an underserved region; or replacing a registry that has failed objective obligations. It should not mean ideological preference, commercial rivalry or dissatisfaction with one policy outcome.
The risk is not only new RIR formation. Incumbent protection can also appear in audit and de-recognition. Existing registries may design audit scopes that match their current practices and burden alternative models. They may insist on consensus rules that allow one incumbent to slow change. They may treat NIR arrangements or sub-regional innovations as threats rather than design choices. They may favour policies that preserve their own membership economics. The language will be stability, coordination and trust. The effect may be franchise protection.
ARIN should be particularly sensitive to this hazard because it benefits from a strong region. North America contains vast address wealth, high-value legacy holdings, deep markets and large platforms. A standard that privileges current scale and financial depth may look neutral from ARIN's vantage point while disadvantaging communities with different histories. Conversely, a standard that ignores financial and operational depth may admit fragile structures that create continuity risk. The balance is functional measurement: does the registry perform the required services, with accountable governance and continuity protection, at acceptable risk?
Incumbent protection is best controlled by evidence. Every barrier should have a reason tied to service stability, record integrity, member accountability or cross-registry cooperation. If the reason cannot be stated without appealing to incumbent comfort, the standard is too protective.
Emergency continuity should preserve services, not institutions
The draft's emergency-continuity mechanism is one of the most important innovations in the reform. It contemplates a temporary arrangement when an RIR cannot adequately provide all or part of its services, with an emergency operator authorised by the other RIRs and ICANN. The Version 2 text sets procedural conditions, including discussion with the affected RIR and its community where reasonably possible, publication of the rationale and scope, community engagement and a 90-day limit unless renewed.
This mechanism is economically necessary. Registry failure is not like the failure of an ordinary vendor. Resource holders cannot simply take the same recognized records to another registry overnight. Customers, routes, reverse DNS, abuse contacts, RPKI objects, transfer queues and public records depend on continuity. A region without functioning registry services would create uncertainty far beyond the registry office.
The design risk is that emergency continuity becomes either too hard to initiate or too easy to abuse. If unanimity and process requirements make action impossible in a genuine emergency, the mechanism will be decorative. If vague emergency language allows other RIRs and ICANN to displace a registry because they dislike its governance, the mechanism becomes a coup tool. The standard should define emergency by service failure: inability to maintain essential registry functions, not mere disagreement with policy or leadership.
For ARIN, emergency continuity is not mainly a plan for ARIN's collapse. It is a discipline on every registry, including ARIN. To participate in a system with emergency continuity, ARIN should be able to identify the minimum service set it would need to preserve for another region and the minimum data another operator would need if ARIN itself faced a severe disruption. That requires data escrow, technical documentation, security controls, legal compatibility, staff playbooks, communication plans and rehearsal. A promise to cooperate is not enough.
The emergency operator should also be narrow. Its job is to maintain registry services, not to make long-term policy, restructure regional governance, decide ownership philosophy or impose market ideology. Temporary operation should preserve last verified states where possible, process urgent safety and continuity changes, maintain public query and security functions, and prepare for return or transition. If emergency continuity becomes a way to govern the region, it will destroy the trust it was designed to protect.
This is the central principle: continuity protects users from institutional failure; it should not protect institutions from accountability. The services are the public interest. The incumbent is not.
Member accountability must be measured, not assumed
Member control is a core part of RIR legitimacy. The draft would require open membership for resource holders and a governing body majority elected by members. ARIN already has an elected board majority, a policy community, an Advisory Council and election processes. That looks strong on paper. The economic question is whether member accountability reaches the parties that bear registry risk.
A member system can fail quietly. Turnout may be low. Candidates may come from a narrow network of repeat participants. Small operators may lack time to attend meetings, read policy lists or understand board implications. Large platforms and sophisticated networks may have more capacity to influence nominations, consultations and working culture. Caribbean operators may face travel, cost, language or scale barriers even when the formal region includes them. Legacy holders may interact with ARIN only when a problem arises, not as active members. Customers who depend on resource holders have no direct vote at all.
This does not make member governance illegitimate. It makes it incomplete. A recognition standard should not simply ask whether a vote exists. It should ask whether members receive timely information, whether board minutes and financial materials are understandable, whether conflict disclosures are meaningful, whether nomination processes are open, whether contested elections occur, whether remote participation works, whether minority questions receive substantive answers, and whether policy participation is accessible beyond a small expert class.
For ARIN, the most important accountability issue is not whether members can theoretically replace trustees. It is whether members can see how registry economics are changing. Do fee structures affect small holders differently from large holders? Do transfer policies create regressive documentation costs? Do security-service boundaries pressure legacy holders into agreements? Do reserve policies reflect service continuity needs or institutional expansion? Do legal budgets reveal governance risk? These are economic questions that members need to understand before voting can discipline the institution.
The reform should also avoid pretending that member accountability can solve global externalities. ARIN members are not the whole internet. They are resource holders and participants in one region. Their choices can affect customers, counterparties and other regions through inter-RIR transfers, routing-security dependencies and global trust in the numbering system. That is why ICP-2 needs global standards. But global standards should complement member accountability, not replace it. If ICANN and other RIRs can override regional members too easily, membership becomes theatre. If members face no external discipline, regional capture becomes possible. The standard must hold both truths at once.
ARIN's legacy resources complicate recognition economics
ARIN's region contains many legacy resources issued before current registry contracts and before the post-exhaustion market. Legacy resources make recognition economics more complicated because they separate historical recordkeeping from modern agreement-based service delivery. A registry standard that treats all resources as if they began under the current policy stack will misunderstand North American reality.
Legacy records matter for several reasons. First, they often represent large and economically significant IPv4 holdings. Second, they may have incomplete corporate histories after mergers, name changes, bankruptcies or long dormancy. Third, holders may value basic registry accuracy while resisting broader contractual obligations. Fourth, access to advanced services such as RPKI or IRR may depend on agreement status, which can create soft pressure to enter the modern regime. Fifth, buyers and lenders may discount resources if legacy status creates uncertainty around transfer readiness or service access.
ICP-2 reform should not decide ARIN's legacy policy in detail. It should, however, require registries to maintain accurate records and fair service access rules without using essential registry functions as leverage unrelated to registry risk. Basic public registration, authenticated updates, dispute handling and continuity should be treated as core ledger obligations. Optional or higher-reliance services may require additional terms, but those terms should be tied to the service's risk and not used to obtain unrelated institutional concessions.
This distinction is important for market neutrality. If the safest or most marketable version of a resource requires accepting a broad contract, the registry has a pathway to consolidate authority without formally forcing anyone. That may be commercially rational, but it should be visible. A recognition standard should make registries explain which services are essential, which are optional, which require agreements, and why. It should also require predictable treatment of historical records so that holders and counterparties can price risk.
ARIN's legacy-resource complexity gives the global reform a useful caution. A clean governance standard may be attractive, but number-resource history is not clean. Recognition standards should be robust enough to handle old records, imperfect documentation and plural legal relationships without turning uncertainty into discretionary power. If the standard becomes too tidy, incumbents will use it to normalise history on their own terms. If it becomes too loose, fraud and stale records will proliferate. The balance is evidence-based continuity: preserve the record, verify authority, mark uncertainty, and narrow the conditions under which broader institutional claims attach.
Cloud platforms and small operators price reform differently
ARIN's region includes some of the world's largest cloud and platform companies. It also includes small ISPs, rural networks, Caribbean operators, hosting firms, universities and public bodies with little policy staff. ICP-2 reform will not affect them equally. Large platforms care about certainty, scale, automation, inter-RIR transfer compatibility and routing-security reliability. Small operators care about cost, continuity and avoiding a process that turns every registry interaction into a legal project.
Standards often reflect the voices best able to participate. A large operator can support detailed audits, complex documentation and sophisticated security obligations because it already has teams for them. A small operator may support the same goals but experience the implementation as fixed cost. A standard that looks neutral can therefore be regressive.
ARIN's post-depletion market deepens the asymmetry. A large cloud platform can obtain address space through purchase, leasing, acquisition, architecture, dual-stack deployment and global portfolio management. A small operator may need one transfer or one waiting-list allocation to serve customers. A delay that is nuisance for the platform can be existential for the smaller firm.
The recognition standard should not lower core integrity requirements for small operators. Fraud prevention, record accuracy and security cannot be optional. But it should require proportional implementation. If a registry imposes documentation, audit, transfer, membership or service obligations, it should ask whether the cost is scaled to risk. It should publish plain-language paths, cure steps and service expectations. It should keep essential services stable while disputes are resolved. It should avoid using opaque language that forces small operators to hire specialists merely to understand their rights.
For cloud platforms, the key issue is capture by the largest buyers. Large platforms have legitimate operational needs, but they also have incentives to shape transfer markets, routing-security norms and policy processes in ways that suit scale. A recognition standard should include anti-capture controls not only against governments or hostile factions, but against concentrated commercial influence.
The credibility of ICP-2 reform will depend on whether both groups can say the same thing: the standard makes the registry more reliable without making participation more expensive than the risk justifies.
ICANN, NRO and NIR bureaucracy are not neutral by default
Global coordination is necessary. IANA, ICANN, the NRO, the ASO and the RIRs form the institutional mesh through which number-resource governance remains coherent. But coordination should not be romanticised. Bureaucracy has incentives. It prefers procedures it can administer, documents it can interpret, meetings it can schedule, thresholds it can count and roles it can preserve. A reform that adds global process without strict boundaries may increase accountability in form while reducing accountability in practice.
The NRO process is valuable because it brings operational expertise from the five registries. It is risky because the registries are also the regulated incumbents. ICANN involvement is valuable because it adds an external decision point and review mechanisms. It is risky because ICANN can become the global gatekeeper if the standard gives it broad interpretive discretion. NIR and sub-regional registry issues are also sensitive. The Version 2 document says it does not directly pertain to National Internet Registries, Local Internet Registries or other sub-regional registries that do not receive resources directly from IANA, while preserving RIR discretion over such arrangements. That avoids one form of overreach, but it also leaves room for RIRs to manage sub-regional structures in ways that may affect local accountability.
The economic danger is mandate laundering through process. A registry or global body may say that a decision follows consultation, consensus, implementation procedures or coordination needs. Those words can be true and still hide the distributional effect. Who benefits from the procedure? Who can afford to participate? Who drafts the implementation detail? Who controls the data? Who triggers review? Who interprets audit reports? Who pays for compliance? These are not procedural footnotes. They are the economics of governance.
The reform should therefore insist on a narrow hierarchy. The base standard should define obligations and limits. Implementation procedures should give effect to those obligations, not rewrite them. ICANN should publish reasons and appoint independent review where needed, not become a discretionary supervisor of regional policy. The NRO should supply operational coordination, not cartel discipline. RIRs should cooperate on continuity, not protect each other's institutional comfort. NIR and sub-regional arrangements should be evaluated by whether they preserve service quality, record integrity and local accountability, not by whether they match one preferred model.
ARIN should have an interest in this restraint. Today, ARIN may trust its own influence in global rooms. Tomorrow, a global procedure could be used against ARIN's region or members. Institutions should not design rules assuming they will always be the trusted incumbent.
Markets will price the standard before lawyers finish debating it
Market participants do not wait for governance theory to settle. They price uncertainty through discounts, warranties, escrow, indemnities, timing conditions, leasing structures, legal opinions, due-diligence checklists and avoidance. If ICP-2 reform produces a credible recognition standard, some of those costs fall. If it produces vague global discretion, the costs rise.
In ARIN's market, recognition risk appears in several places. A buyer of IPv4 space may discount the price if the transfer path is uncertain. A seller may accept deferred payment until registry approval. A lender may require evidence that the borrower controls usable resources and can maintain registry services. A cloud provider may diversify address sources to avoid exposure to one registry process. A small ISP may avoid monetising unused space because transfer uncertainty exceeds expected gain. A legacy holder may enter agreements to access security services because customers demand them, even if the holder dislikes the policy implications.
ICP-2 reform can reduce these premiums if it makes registry recognition more predictable. Audit reports can reassure counterparties. Clear emergency-continuity procedures can reduce disaster risk. Defined member remedies can lower governance-risk discounts. Proportionate transfer-market rules can improve liquidity.
It can also increase premiums. If the standard introduces broad audit triggers without anti-abuse controls, counterparties may fear politically motivated reviews. If de-recognition criteria are vague, markets may worry that a regional dispute can escalate into global uncertainty. If implementation procedures are unpublished or controlled by incumbents, participants may price hidden rules. If ICANN's role is unclear, parties may worry about a second gate above the registry. If emergency continuity is not technically rehearsed, the mechanism may be seen as a false promise.
Recognition standards are not only internal governance instruments. They are market infrastructure. Their quality will be observed in spreads between clean and uncertain resources, transfer timing, bank conditions, broker documentation, leasing demand and member mobilisation. ARIN should treat these signals as evidence of whether the recognition layer is trusted.
The de-recognition threshold should be high, but not impossible
The Version 2 de-recognition process allows a proposal by any RIR or group of RIRs, by ICANN, or by a member group of the affected RIR consisting of at least 25% of total members or 2,000 members, whichever is lower. The other RIRs, excluding the affected registry, must unanimously recommend de-recognition before ICANN makes the final decision. The May 2026 status report indicates that the NRO NC was not planning to change the de-recognition threshold, while separating audit-threshold issues from de-recognition.
This is a sensible area for caution. De-recognition should be hard. A regional registry is deeply embedded infrastructure. A low threshold could let factions, commercial rivals or political campaigns destabilise a registry. A high threshold also protects markets: counterparties need confidence that recognition will not be removed casually.
But "hard" must not mean impossible. If a registry loses effective governance, cannot maintain services, refuses audit, fails record integrity, is captured, or cannot provide member accountability, the system needs a route to intervention. The challenge is that the most serious failures may also make member mobilisation difficult. If records are poor, members may not know they are members. If governance is captured, information may be controlled. If services are failing, operators may focus on survival rather than procedure. A 25% member threshold or 2,000-member threshold may be credible in one registry and unrealistic in another.
The answer is not necessarily to lower the de-recognition threshold. It is to make audit and compliance-review thresholds more usable. If members cannot trigger de-recognition, they should still be able to trigger an independent review of specific failures under lower and anti-capture-protected conditions. Other RIRs and ICANN should also be able to act on credible evidence before member mobilisation reaches the nuclear threshold. De-recognition should come after a record of non-compliance, failed cure and continuity planning.
For ARIN, the threshold question is mostly prospective. The region is not facing de-recognition. But ARIN members should care because high thresholds without meaningful intermediate remedies can leave any registry, including ARIN, too dependent on informal goodwill. A mature standard should make early correction easier so that de-recognition remains rare.
The legitimacy of a high threshold depends on the strength of the steps below it. If audits, cure plans, emergency continuity and member information rights are real, de-recognition can remain a last resort. If they are weak, a high threshold becomes incumbent immunity.
The anti-capture problem is larger than one faction
The draft requires RIRs to maintain governance rules and controls to ensure that no person, entity or affiliated group can effectively control the registry. That is necessary. It is also difficult. Capture is not always a hostile takeover. It can be cultural, commercial, procedural, geographic, linguistic, financial or informational.
ARIN's capture risks differ from those of smaller or more visibly fragile institutions. The obvious North American risk is not one actor seizing the registry overnight. It is the gradual dominance of well-resourced repeat players: large network operators, cloud companies, brokers, lawyers, long-standing community figures or institutional insiders whose views become the default. That form of capture can coexist with formal elections, public meetings and polite process. It is harder to see because it looks like expertise.
Expertise is valuable. The people who understand routing, RPKI, transfers, fraud, corporate reorganisations and registry operations should be heard. The problem begins when expertise becomes an entry barrier. If a small operator cannot understand a policy proposal without years of mailing-list history, the policy process is technically open but economically closed. If nomination networks favour known participants, elections are open but socially filtered. If financial or conflict disclosures are too general, members cannot know whether decision-makers have material interests in address markets. If remote participation is formally available but meeting culture rewards physical presence, geography still matters.
An anti-capture standard should therefore measure more than affiliated voting control. It should ask whether the registry publishes useful conflict information, whether board and policy roles have clear recusal rules, whether participation channels are accessible, whether election materials allow meaningful comparison, whether staff interpretations are reviewable, whether large commercial actors have disproportionate agenda-setting power, and whether minority or small-operator concerns receive substantive responses.
This is not an argument for populism against expertise. It is an argument for making expertise accountable. In a scarce-address economy, the people best informed about policy often have economic exposure to the market. That does not disqualify them. It requires disclosure, recusal where appropriate and clear reasoning. Otherwise, the recognition standard will certify institutions whose decisions are technically sophisticated but commercially tilted.
ARIN has the administrative capacity to model better practice here. If it treats anti-capture as more than a formal rule, it can strengthen the whole ICP-2 process. If it treats anti-capture as a box already checked by elections, reform will miss one of the main ways mature registries accumulate power.
What ARIN should want from the reform
ARIN should want a reform that narrows and strengthens recognition. Narrowing means the standard should focus on essential registry functions: continuity, record integrity, member accountability, auditability, financial independence, operational independence, open policy development, anti-capture controls, dispute handling and emergency service preservation. Strengthening means those functions should be observable, independently reviewable and linked to graduated remedies.
ARIN should not want maximum incumbent veto, even if that seems comfortable. A system that protects ARIN because it is an incumbent also protects weaker incumbents when they fail. It can make the global numbering system less credible and invite external political intervention. Nor should ARIN want a vague ICANN-centred standard. Today that may look like useful neutrality. Tomorrow it may become global discretion over regional registry choices.
The best ARIN position would be a disciplined one. It would support independent audits with practical scope. It would support emergency-continuity readiness, including tested data and service handoff plans. It would support publication of reasons for recognition, audit and compliance decisions. It would support member-triggered review at thresholds that are high enough to prevent abuse but low enough to be real. It would support anti-capture evidence, including conflict and participation metrics. It would support a clear distinction between market-affecting policy choices and minimum recognition criteria.
ARIN should also use the reform internally. It can ask whether its own transfer processes are as ledger-like as they should be after IPv4 depletion. It can ask whether small operators can understand and cure defects without specialist counsel. It can ask whether legacy-resource service boundaries are economically transparent. It can ask whether board and policy disclosures are strong enough for a market where number-resource decisions can move value. It can ask whether its members see budget, reserve and legal-risk choices in enough detail to discipline them.
The point is not to make ARIN timid. A registry must act against fraud, capture and instability. The point is to make ARIN's power easier to justify. The more clearly ARIN can say, "this action protects the ledger, continuity or accountable governance, and here is the evidence," the less it needs broad stewardship language.
That would be good for ARIN, good for its members and good for the reform.
The 12-24 month watchpoints
The next phase of ICP-2 reform should be assessed through practical watchpoints, not slogans. The first is audit scope. If regular audits become infrequent, vague or document-only, the standard will not discipline trust. If they are intrusive and politicised, they will create cost and fear. The test is whether audits can reveal material failure in continuity, governance, finance, security and record integrity without becoming case-by-case market supervision.
The second watchpoint is compliance-review thresholds. De-recognition thresholds can remain high if compliance review is usable. If members, ICANN or other RIRs cannot trigger independent review until a crisis is already obvious, the system will again rely on informal negotiation. If thresholds are too low, reviews will become tools in commercial or political campaigns. The standard needs anti-capture and anti-harassment design.
The third is emergency-operator readiness. The reform should not merely state that an emergency operator may exist. It should require minimum data, service definitions, security arrangements, rehearsal and publication of non-sensitive readiness information. Emergency continuity that has never been tested is not continuity. It is reassurance.
The fourth is market neutrality. Watch whether implementation language treats transfer-market design, needs assessment, regional connection rules or legacy-resource contract pressure as recognition issues. Some may be legitimate policies. Not all are recognition criteria. The more the reform turns incumbent policy preferences into global minimums, the more it becomes franchise protection.
The fifth is ARIN's internal posture. Does ARIN use the reform to examine its own accountability and market effects, or only to comment on global process? Does it make participation easier for small and Caribbean operators? Does it publish clearer reasoning around economically significant processes? Does it treat audit as discipline or as a public-relations exercise? Does it separate essential registry continuity from optional institutional leverage?
The sixth is ICANN and NRO restraint. The final standard should make their roles clear, reasoned and reviewable. If implementation procedures become the place where real power is written, the reform will have moved discretion out of sight. If ICANN's role expands without limits, the system may trade regional registry risk for global gatekeeper risk. If RIR consensus becomes a shield against change, the system will have chosen incumbent comfort over accountable recognition.
The final watchpoint is market behaviour. Transfer timing, address-price discounts, broker contract terms, lender conditions, leasing demand, member mobilisation and public disputes will reveal whether the standard lowers recognition risk. Markets are not morally infallible, but they are good at detecting uncertainty. If ICP-2 reform is credible, ARIN-region participants should eventually see less mystery around registry risk. If the reform is vague, the risk premium will remain.
The disciplined answer
ICP-2 reform is necessary because registry recognition has become more economically consequential than the original establishment criteria assumed. The internet-number system needs global expectations for continuity, accountability and emergency response. It also needs those expectations to be narrow enough that they do not become a global franchise-protection system.
ARIN shows both sides of the problem. It is a functioning registry with mature services, public procedures and member governance. It is also the ledger for a region where IPv4 scarcity, legacy records, transfer-market reliance, cloud scale and external dependence on registry records make every recognition rule more valuable than it looks. The fact that ARIN works is not an argument against discipline. It is the reason discipline should be designed carefully before crisis.
A credible standard would measure performance rather than pedigree. It would ask whether a registry can maintain accurate records, reliable services, accountable governance, financial and operational independence, transparent policy development, anti-capture controls, dispute pathways, audit cooperation and emergency continuity. It would provide remedies before de-recognition. It would make de-recognition hard but not impossible. It would let regional policy differ where difference does not threaten the system. It would stop ICANN, the NRO and incumbent RIRs from turning coordination into gatekeeping.
For ARIN, the reform's highest value is not that it protects the region from some distant failure. It is that it clarifies what ARIN itself is: a trusted recognition and service layer for scarce number resources, not the owner of the market, not a global appellate forum, not a broker, not a bank, and not a franchise-holder entitled to protection from every alternative. The narrower the mandate, the stronger the trust. The more observable the standard, the lower the risk premium. The more credible the remedies, the less likely the system will ever need the final remedy.
That is the economics of ICP-2 reform. Recognition disciplines registries only when the standard disciplines recognition itself.

