Summary

  • Separate corporate personality identifies the institution that contracts, owns assets, employs staff and can be held to its own obligations. It does not make the operational consequences of that institution's decisions internal to the corporation.
  • Published RIR agreements commonly combine consequential powers over registration or service status with broad exclusions, indemnities and low caps. Those clauses allocate risk between direct parties; they do not prove that the allocation is legitimate for every affected network or customer.
  • A number-resource record is not a router command. Even so, registry accuracy, RPKI, reverse DNS, directory data and transfer recognition are relied on across a wider operating environment, so incorrect or abrupt action can create foreseeable external costs.
  • Liability symmetry does not require unlimited damages. It requires the institution with stronger control to accept stronger duties of care, notice, reason-giving, independent review, continuity, rapid restoration and a meaningful residual remedy.
  • A more credible model would publish action and restoration data, distinguish account disputes from technical status, protect innocent downstream users where possible and fund bounded compensation for proven registry-caused harm.

The company is real, but so is the dependency

The modern Regional Internet Registry is usually encountered as a public-interest institution. It maintains authoritative registration data, applies regional policies, supports routing-security services, delegates reverse DNS and helps preserve the uniqueness of Internet numbers. Yet the person signing the agreement is not a diffuse Internet community. It is a corporation or incorporated association. That distinction is legally useful. A named legal person can hold money, employ staff, contract for systems, be audited and answer claims in a court or other forum.

The mistake begins when separate personality is treated as though it also contains every consequence of corporate action. It does not. If a registry changes a consequential record, suspends a service, revokes a credential or delays correction, the effect may be felt by a holder's customers, peers and users. Those parties do not become members of the corporation. Nor does the corporation become the operator of their routers. The point is narrower: a corporate boundary does not turn foreseeable external harm into an institutional irrelevance.

That matters because the RIR model often places several propositions side by side. The registry presents itself as neutral, authoritative and necessary to coherent number administration. Its agreement reserves substantial power to update rules, stop services or deregister resources. The same agreement then excludes broad categories of loss, caps the remainder and may require the member to indemnify the registry against third-party claims. Each proposition can have a rational explanation. Taken together, however, they create a governance question: how much control may an institution exercise while contractually exporting the cost of error?

The answer cannot be found in corporate form alone. Incorporation says who acts. It does not say whether an act was careful, whether reliance was foreseeable, whether a remedy is adequate or whether a contract term should carry decisive weight outside its parties. Institutional legitimacy requires a second inquiry after identifying the corporation: did the allocation of power, duty and risk remain proportionate?

Begin by separating four different forms of control

Registry debates become confused when every effect is described as control of an address. Four narrower forms of control should be distinguished.

First is record control. A registry can determine what its authoritative database says about the registered holder, status and associated information. That is direct institutional control. A member cannot normally alter the authoritative entry merely by publishing a competing spreadsheet.

Second is service control. The registry can provide or withhold services defined by contract and policy: record maintenance, reverse DNS support, certificates, directory functions, transfer processing and related facilities. The precise list varies by institution and agreement. Service control may affect operations without being ownership of the number resource.

Third is contractual control. The corporation can invoke agreed rights against the member, including requests for information, fees, suspension, termination or cooperation with deregistration. That power is bounded by the actual agreement, incorporated policies, governing law and review mechanisms.

Fourth is routing control. This is distributed among networks. An RIR does not sit inside every router and issue a universal command. RFC 7020 expressly places whether addresses are announced and how they are advertised outside the Internet Numbers Registry System. Route origin, propagation, filtering and acceptance depend on operators and technical signals.

These layers interact. A registry action may alter a signal that networks trust; a route may continue despite an administrative dispute; a valid record may coexist with poor connectivity; an operator mistake may cause an outage without any registry fault. Serious liability analysis therefore needs a causal chain. It should never assume that an administrative change automatically stopped packets. It should also never assume that, because routers remain independent, an authoritative record or security-service failure is operationally inconsequential.

The symmetry thesis applies to the forms of control the institution actually possesses. The more decisive its record and service decisions become in real practice, the more demanding its duties around those decisions should be. It is not a claim of total control. It is a rule against claiming narrow responsibility while cultivating wide reliance.

RIPE-812 states the asymmetry with unusual clarity

The RIPE NCC Standard Service Agreement, published as ripe-812 in November 2023, provides a clear starting point. It identifies RIPE NCC as a membership association under Dutch law. It says that the organisation has authority, as an RIR, to register Internet Number Resources; undertakes to provide defined services; incorporates current policies and procedures; requires complete and accurate member information; and permits suspension, deregistration and termination in stated circumstances.

The liability section then allocates exposure sharply. The member is liable for all aspects of its use of services and all that follows from its use of Internet Number Resources. RIPE NCC excludes liability for direct and indirect damages, including business loss, lost profit and third-party damage, except in cases of wilful misconduct or gross negligence by RIPE NCC or its management. It excludes damages connected with failure to make number resources available on time and damages connected with their use.

It adds force-majeure protection, requires the member to indemnify RIPE NCC against third-party claims related to service use and limits liability to the member's service fee for the relevant financial year.

The agreement also says that termination can lead to the end of services and cooperation with deregistration. It separately states that registration does not constitute property or confer ownership. These clauses do not mean that RIPE NCC owns the number resource. They do show that the corporation reserves meaningful control over registration and service consequences while containing its financial exposure.

That combination may be commercially understandable. A member-funded association cannot sensibly insure every downstream business model built on addresses. The annual fee is not priced like a guarantee of every customer's revenue. Networks control their own announcements and resilience. If every service defect opened unlimited consequential claims, the registry could become financially unstable, shifting risk back onto the membership.

But commercial explanation is not the end of public-interest analysis. A liability cap calibrated only to the annual fee may bear little relation to the foreseeable cost of a mistaken high-impact action. The same standard form covers members of very different size and dependency. A one-fee ceiling treats the registry service as the measure of value, while the system's legitimacy partly rests on the claim that its record is uniquely authoritative. That divergence needs procedural and substantive safeguards even if the cap remains.

ARIN's drafting narrows rights and damages at the same time

The ARIN Registration Services Agreement, version 14.0 dated 15 August 2025, offers a related but distinct model. It defines services to include registry entries, reverse name service, RPKI, record maintenance and address administration. It gives the holder an exclusive right to be the registrant of included number resources within the ARIN database, a right to use those resources within the database and a right to transfer the registration under policy.

That vocabulary is careful. The agreement describes database and service rights rather than an unbounded dominion over every operational use. Yet those bounded rights can be highly consequential because counterparties use ARIN data and linked services as recognised signals.

ARIN's limitation clauses exclude consequential, incidental, indirect, punitive, exemplary and special damages between the parties and as to third parties, expressly including holder clients and customers. Aggregate liability is capped at the greater of the amount the holder paid for services during the preceding six months or US$100. The agreement also establishes suspension and termination routes. As with RIPE NCC, the form places a limited financial remedy beside services whose wider reliability supports network decisions.

The explicit mention of clients and customers is revealing. It shows that downstream exposure is not unimaginable. The contract anticipates that holder customers could claim harm and seeks to limit that exposure. That is rational risk drafting, but it also confirms the governance problem: the parties known to rely on the service may be excluded from meaningful recovery by a contract they did not negotiate.

No conclusion about enforceability follows automatically. Governing law, mandatory rules, the exact breach, bargaining context and judicial interpretation matter. A current agreement may not govern a legacy resource. Exclusions may be treated differently for ordinary negligence, gross fault, statutory duties or particular representations. The responsible finding is not that every cap fails. It is that the published risk allocation cannot substitute for evidence about care, causation and remedy.

APNIC demonstrates that process can partly offset a hard remedy

The current APNIC Membership Agreement also excludes broad liability to the extent permitted by law and requires member indemnity. It allows APNIC to revoke rights under its documents, including delegated resources, and to terminate the agreement after the notice process described in the form.

The agreement is useful because it also exposes a procedural counterweight. A member receiving a revocation notice may appeal to the Executive Council, which must consider the appeal within 30 days. If justified, the notice is withdrawn. Notice must describe the believed breach and the action necessary to cure it. Procedure does not erase the liability exclusion, but it can reduce the probability and duration of wrongful harm.

This is the first practical meaning of symmetry. The response to bounded damages need not be unlimited damages. It can be a more reliable decision path. If an institution cannot compensate the full economic perimeter of every error, it should invest heavily in avoiding error, isolating consequences and reversing mistakes quickly. Notice, a meaningful cure period, impartial review, preserved evidence, reasoned decisions and rapid restoration are not administrative extras. They are part of the consideration for placing risk elsewhere.

The quality of the safeguard depends on operation, not only drafting. A 30-day review may be adequate for an ordinary compliance dispute but far too slow for a live service interruption. An appeal to the same governing body may be knowledgeable yet insufficiently independent in a dispute concerning staff or institutional policy. A right to appeal may be hollow if disputed technical services are disabled before review and restoration cannot repair lost customers.

Published aggregate data would make the safeguard testable: notices issued, matters cured, revocations imposed, appeals filed, decisions reversed, median review time and median restoration time. Without those denominators, the form proves that a path exists but not how well it protects operational reliance.

AFRINIC exposes the difference between best efforts and no responsibility

The AFRINIC Registration Service Agreement, dated 27 November 2017, describes service on a best-efforts basis and an obligation of means. It says AFRINIC is not liable for interruption, errors, inaccuracies, service that does not meet applicant requirements or technical configuration, or damage of any nature to an applicant or third party, subject to a qualification concerning failure to use appropriate means. It states a cap based on the greater of six months of payments or US$100. On termination or expiry, the agreement says resources will be revoked and services will cease without liability.

Best efforts is not the same as absence of duty. An obligation of means directs attention to conduct: whether suitable systems, competent staff, verification, escalation, continuity and restoration measures were used. It does not promise a perfect outcome. For a complex registry, that can be an appropriate standard. Databases fail, credentials are compromised, counterparties submit false documents and routing consequences cannot be fully controlled.

The governance risk appears when broad outcome exclusions swallow the conduct standard. If interruption and inaccuracy are excluded regardless of foreseeable precautions, the promise to use appropriate means becomes difficult to value. Conversely, if failure to use appropriate means remains reviewable with a meaningful remedy, a best-efforts model can align responsibility with actual institutional control.

The distinction should be explicit. A registry need not warrant uninterrupted global reachability. It should be accountable for its own identity checks, record changes, certificate operations, access controls, backups, escalation and correction. It need not compensate an operator for a route leak the operator caused. It should face a credible response where a proven internal error foreseeably disabled a trusted service and the institution failed to act with due care.

This is not a conclusion about any particular AFRINIC dispute. The cited form establishes the written allocation and the relevant conceptual tension. A claim about an actual interruption would require the applicable contract, dated technical evidence, staff actions, notices, route observations and the governing law at the time.

Corporate personality protects members; it should not erase the corporation

Separate personality performs an important accountability function. Ordinary members are not automatically the owners of every corporate asset or personally liable for every corporate debt. Directors and officers act through defined roles. The association can survive changes in membership. Creditors and counterparties know which legal person they face.

In a registry, that protection also preserves collective service. If each member were personally exposed to every alleged error by the institution, participation would become hazardous and governance could collapse into defensive behaviour. The corporate entity pools operational capacity and risk.

The protection becomes distorted only when the argument runs in one direction. The institution may speak with the authority of a recognised regional registry when requiring compliance, yet present itself as an ordinary low-fee service contractor when harm occurs. It may invoke the interests of the whole membership to justify broad discretion, yet rely on bilateral privity to exclude the customers whose dependence made the decision consequential. It may stress the uniqueness of its record when demanding deference, then stress the independence of routers when asked about effects.

Each statement contains part of the truth. The problem is selective combination. A legitimate account must hold all parts together: the corporation has bounded authority; routers remain independent; the record attracts foreseeable reliance; members and downstream users can be harmed; not every harm is caused by the registry; and proven registry fault should trigger a proportionate remedy.

Corporate personality therefore marks the beginning of attribution, not its end. Once the corporation is identified, the inquiry turns to its conduct and the external reliance it knowingly supports.

The registry does not run the network, but it shapes trusted signals

The architecture prevents an easy causal story. RFC 7020 says that the registry system maintains allocations to ensure uniqueness and accurate information, while route announcement and advertisement are operational matters outside it. This boundary protects analytical discipline. A registry cannot be blamed for every outage involving addresses in its database.

At the same time, the boundary is not a wall. Operators consult registration data to identify contacts and assess claims. Reverse DNS relies on delegated structures. RPKI provides cryptographically verifiable statements used in route-origin validation. Transfer recognition affects whether counterparties accept a transaction. A change in these services can influence filters, incident response, due diligence and customer confidence.

The right causation model is therefore a chain rather than a slogan. What exact registry act occurred? Which record or service changed? Which network or counterparty consumed that signal? What independent decision followed? Were there redundant signals? How quickly was the change noticed and corrected? What loss remained after reasonable mitigation?

That method can exonerate as well as attribute. If traffic continued and a holder's customer loss arose from an unrelated equipment failure, the registry action is not the cause. If an operator ignored a valid warning or maintained a broken configuration, responsibility may lie elsewhere. If a forged corporate document deceived a careful process despite appropriate checks, fault may be shared or absent.

But where a high-trust registry system makes a negligent change, distributes it through linked services, receives prompt credible notice and fails to restore the record, distributed routing should not become a universal defence. Independent networks can be part of the causal chain without breaking it. The relevant question is whether the registry's contribution was proven and foreseeable.

Foreseeability expands beyond contractual privity

The direct member is the obvious counterparty, but the operating perimeter is wider. A hosting company may support thousands of customers on a registered block. A public network may serve hospitals, emergency communications or government services. A transit provider and peers may maintain filters tied to trusted data. Customers may have no direct relationship with the RIR and no practical ability to monitor a registry dispute.

Privity answers who can enforce the contract. It does not answer who can be harmed. Nor does it resolve whether another body of law recognises duties outside contract. Those questions vary by jurisdiction and facts, so no universal result should be asserted. The governance point is prior to legal classification: institutions should map the dependency they can reasonably foresee and design decisions to avoid unnecessary spillover.

Foreseeability is strongest where the registry knows the scale and role of the holder, knows that the action affects shared technical services and knows that downstream users cannot easily renumber. It is weaker for speculative trading losses, remote reputational claims or harm caused mainly by an operator's own choices. A symmetry model can distinguish these categories.

The registry need not know every customer name. It can use risk indicators: address-block size, active route visibility, RPKI coverage, reverse-DNS use, critical-service declarations, downstream assignment counts where available and evidence of shared infrastructure. These indicators should not create privileged ownership. They should determine the care and continuity applied before an irreversible action.

A system that refuses to observe dependency because the customer is not a party is choosing blindness. A system that assumes every dependent customer has a direct legal right is overstating the law. The middle course is operational due diligence paired with clear statements about available remedies.

A disclaimer allocates risk; it does not manufacture legitimacy

Contracts routinely exclude consequential damages because such losses can be vast, difficult to price and partly controlled by the other party. A registry agreement is not unusual merely because it includes a cap. The public-interest concern arises when the clause is asked to do more than contract law can reasonably support.

A disclaimer can show what two parties accepted. It may influence insurance, fees and litigation. It can preserve an institution from ruinous exposure. It cannot prove that the underlying action was neutral, accurate, proportionate or procedurally fair. It cannot give a non-party notice. It cannot restore a record. It cannot establish causation. It cannot convert an avoidable internal error into responsible administration.

Legitimacy comes from the quality and boundedness of power. ICP-2, accepted in 2001 as criteria for recognising new RIRs, emphasises neutrality, impartiality, professional operation, continuity, documented procedures and support from the community served. Those characteristics concern institutional performance, not merely the existence of a signed waiver.

Recognition therefore creates a useful benchmark. If the system gives one regional institution a singular recognised role, that institution should meet a higher standard of continuity and review than an easily replaceable vendor. The point is not that ICP-2 itself supplies damages. It does not. The point is that institutional legitimacy rests on qualities that a limitation clause cannot establish.

The sharper the registry's claim to authoritative and neutral administration, the less persuasive a response that treats every failure as a low-value bilateral service defect. Authority and accountability must be described at the same scale.

Liability symmetry is a design rule, not a demand for unlimited damages

Symmetry means that control, duty and remedy should move in the same direction. If a registry has only a narrow clerical role, modest obligations may be enough. If it can make high-impact changes to authoritative records and security-linked services, it should carry stronger obligations around those changes.

The first obligation is care. Identity and authority checks should be proportionate to the consequence of a requested change. High-risk changes should require separation of duties, preserved evidence and stronger verification than routine contact updates.

The second is notice. A holder should receive clear notice of the proposed action, factual grounds, affected services, cure route and effective time unless secrecy is legally required or immediate security action is genuinely necessary. Where downstream harm is foreseeable, public status information may be appropriate without disclosing confidential details.

The third is review. The decision maker should not be the only reviewer. Urgent technical review must operate on network time, not only on a monthly board calendar. A credible challenge should be able to pause irreversible consequences while preserving security.

The fourth is continuity. An account or fee dispute should not automatically disable every technical service. Registration, portal access, certificates, reverse DNS and routing data should be separated so that the narrowest effective measure is used.

The fifth is restoration. The institution should maintain tested procedures to reverse an incorrect change, republish data, restore credentials and notify relying parties. Restoration time is a core accountability metric.

The sixth is residual financial responsibility. Where registry fault and causation are proved, a remedy limited to refunding a small service fee may be too remote from the institution's actual control. A bounded fund, insurance layer or tiered cap can preserve solvency while recognising serious operational harm.

Unlimited consequential liability is not required. Indeed, it could undermine the shared service. Symmetry asks for credible responsibility, not institutional self-destruction.

Separate account enforcement from technical continuity

Many high-impact risks arise because several institutional functions are bundled. A member fails to pay, provide documents or satisfy a rule. The registry can respond through account restrictions, termination, deregistration and linked service changes. If every consequence occurs together, a bilateral compliance dispute can spill into downstream operations.

The safer design is graduated. A payment default might first restrict new requests and voting privileges while preserving existing authoritative data. An identity concern might freeze transfers but retain routing-security entities until review. A credible hijack or fraud case may require immediate protective action, but the measure should be tailored to the threat. Termination of membership need not erase historical chain of custody.

This separation is not leniency. It can strengthen enforcement by making the response more precise and defensible. When every remedy is maximal, decision makers may hesitate to act or courts may intervene broadly. Graduated tools allow the registry to stop the harmful conduct without creating unnecessary third-party loss.

The published forms show different combinations of notice, cure, suspension and revocation. What is missing is a cross-registry operational account of sequencing. Do certificates cease at the same time as portal access? Does reverse DNS continue during an appeal? Are public records marked disputed rather than removed? How are routes and customers affected in observed cases?

Answering those questions would make liability analysis evidence-based. It would also allow members to build contingency plans. A disclaimer is less troubling when narrow interventions, rapid review and tested continuity make catastrophic loss genuinely rare.

Members are not the whole affected public

RIRs often ground legitimacy in membership and open regional policy processes. That participation is valuable. Members elect boards, approve budgets or charging schemes, debate policy and scrutinise performance. It gives the institution information and a constituency.

But membership is not identical to the population exposed to registry decisions. Downstream customers may not be members. Networks outside the service region may rely on the data. End users, public bodies and smaller organisations may lack time or expertise to participate. A large holder and a small operator may each have a vote while carrying very different dependencies.

This does not invalidate membership governance. It defines its limit. A member vote can authorise a charging scheme or agreement amendment under the corporate constitution. It cannot by itself establish that external interruption costs are fairly allocated. A majority may rationally favour a low cap because members fund the registry, while each member expects serious harm to fall elsewhere when it occurs.

The conflict resembles an insurance pool with external beneficiaries. The membership wants affordable administration; the wider network wants reliable authoritative services. Good governance makes the trade-off visible rather than treating member approval as a complete answer.

External perspectives can enter through independent technical review, public incident reporting, consumer or critical-infrastructure consultation and representation of downstream operators. The purpose is not to give every user a veto. It is to ensure that the institution's risk model includes parties who cannot protect themselves through the standard agreement.

Evidence before compensation

A stronger remedy model must resist weak claims. Number-resource disputes can involve contested corporate control, forged documents, unpaid fees, policy breaches, route hijacks and commercial rivalries. An outage may coincide with a registry action without being caused by it. Compensation without disciplined proof could encourage strategic claims and drain member funds.

The evidentiary sequence should begin with a dated action log. It should record the request, identity checks, approvals, database changes, certificate events, notices, objections and restoration. Independent route observations can then show whether announcements, validation states or acceptance changed. Customer evidence can establish service impact. Contract records identify who promised what.

Causation should distinguish necessary contribution from background conditions. If a registry incorrectly revoked a certificate but operators did not reject the route, there may be an administrative breach without proven traffic loss. If operators rejected it under announced policies and service failed, the chain is stronger. If the holder could have mitigated quickly but did not, damages may be reduced without excusing the original error.

The registry should preserve evidence even where its contract excludes most damages. Transparency supports correction, insurance and public learning. A closed investigation that announces only that terms were followed cannot establish whether appropriate care was used.

Independent review is especially important when the institution controls the logs, interprets the agreement and would fund the remedy. Reviewers need technical and legal competence, conflict rules and power to order restoration or recommend compensation. Published redacted findings can improve future controls without exposing security details.

Metrics would turn institutional promises into an auditable standard

The public cannot assess symmetry from agreement text alone. Each RIR should publish a consistent annual set of high-impact action metrics. At minimum: suspensions proposed and imposed; deregistrations; transfer freezes; RPKI or reverse-DNS changes caused by enforcement; appeals; reversals; emergency restorations; median and maximum time to acknowledge a credible error; and median and maximum restoration time.

The denominator matters. Ten reversals mean something different among twelve actions and ten thousand. Reports should separate routine closures from contested actions and identify how many active registrations or routed prefixes were affected. They should describe severity bands without naming vulnerable customers.

Incident reporting should identify the control failure: incorrect identity verification, unauthorised access, software defect, policy misapplication, data replication delay or communications failure. It should state what changed and whether the change prevented recurrence. A simple assertion that no liability was admitted provides little operational value.

Financial reporting should disclose insurance coverage in aggregate, reserves for operational incidents and compensation paid without exposing confidential settlements. If the institution believes unlimited exposure would threaten stability, the public should be able to see the bounded capacity it has built instead.

These measures benefit the registry as well as users. They distinguish feared catastrophe from actual performance, reveal whether appeals work and support more accurate pricing. A strong record of rapid correction can justify a cap more persuasively than broad legal language alone.

A bounded compensation model is possible

The choice is not between a one-fee refund and unlimited business loss. A shared registry can build graduated responsibility.

At the first level, service fees can be refunded for ordinary service failure. At the second, documented direct technical recovery costs caused by a proven registry error can be reimbursed up to a higher cap. At the third, a separately governed incident fund or insurance policy can address exceptional high-severity harm where gross failure, prolonged non-restoration or serious control weakness is established.

Indirect speculative losses can remain excluded. Claimants should prove mitigation and disclose insurance recovery. Duplicate recovery should be barred. Time limits and evidence requirements should be clear. An independent panel can determine eligibility without turning every incident into years of litigation.

The fund could be financed through a modest risk reserve, not by treating number resources as property or charging a percentage of their perceived market value. Contributions could remain largely socialised because the authoritative service benefits the whole membership. Higher-risk optional services might carry additional coverage where justified.

Such a model would not solve every legal question. It would demonstrate that the institution accepts some consequence when its own high-trust function fails. That acceptance can improve legitimacy even if the payments cover only direct recovery rather than full lost profit.

The strongest safeguard remains prevention and restoration. Money cannot easily recover customers lost during a prolonged dispute. Financial responsibility matters because it aligns incentives and acknowledges harm, but it should sit behind rigorous operational controls.

Recognition should include continuity and remedy testing

The IANA Number Resources page describes global coordination of IP addressing and AS numbers through a hierarchy of RIRs, local or national registries, providers and users. This structure depends on institutional continuity. If one recognised registry fails, another ordinary vendor cannot simply publish a competing authoritative ledger the next morning.

That dependence suggests a modern extension to recognition and periodic accountability. An RIR should demonstrate tested backups, secure control transfer, emergency record continuity, independent review and a funded response to proven operational harm. These are not claims that IANA or ICANN owns the resources. They are conditions for trusting a singular regional service.

ICP-2 already connects recognition with professional operation, continuity and community support. Periodic evidence could make those principles concrete without converting recognition into day-to-day corporate control. Each institution would remain responsible for its contracts and operations, while the wider system would verify that essential safeguards exist.

Testing should include difficult scenarios: disputed corporate control, compromised credentials, court orders, prolonged governance paralysis, data corruption and inability to operate from the primary site. A successful exercise should preserve the ledger, identify who may authorise changes and maintain reviewable records. It should also show how an incorrect emergency action can be reversed.

Continuity planning is part of liability symmetry because the greatest harm may arise not from one negligent employee but from institutional incapacity. A corporation that holds consequential records must be replaceable at the service layer even if its legal disputes continue.

NRS can be a future direction only if it avoids repeating the asymmetry

A future Number Resource Society model could help if it makes stewardship duties, continuity and user representation more explicit. Shared infrastructure, portable service relationships and independent review could reduce dependence on one corporate counterparty. A society could support a compensation reserve and publish common incident metrics.

The label alone proves nothing. A new institution that reserves the same unilateral powers, attracts the same operational reliance and uses the same narrow remedy would reproduce the problem. Nor should a society claim ownership of number resources merely because it maintains records. Its value would lie in accountable service design: transparent authority, separable operators, strong chain of custody and proportionate responsibility.

NRS is therefore a brief positive direction, not an answer imported into current disputes. Existing RIRs can implement most safeguards now. Better notices, faster review, continuity separation, restoration tests and bounded compensation do not require a wholesale institutional replacement.

The unresolved evidence should discipline the conclusion

The published agreements establish substantial facts about written powers and risk allocation. They do not establish how often a registry action has caused operational interruption, how courts would apply each clause, how many appeals are successful or what losses remained after restoration. No complete cross-registry denominator of suspension, deregistration, reversal and downstream impact is available in the materials considered here.

That gap prevents a claim that the current model routinely causes outages or that every limitation clause is invalid. It also prevents a confident claim that existing safeguards are sufficient. Contract language shows possible authority; operational records show how authority behaves.

The next research step is empirical. Select dated contested actions across regions. Preserve registry notices and change histories. Compare RPKI, reverse DNS, directory and route observations before and after the action. Identify customer impact and the timing of review. Record whether restoration occurred and whether any remedy was available. Then compare the evidence to the clause actually in force.

Until such data are published, governance should err toward reversible decisions and transparent review. Uncertainty about the frequency of harm is not a reason to assume no duty. It is a reason to build observation into the institution.

The final test is symmetry

Corporate personality is a foundation of the registry model. It identifies the contracting institution and shields ordinary members from automatic personal exposure. Broad disclaimers may also have a legitimate role in protecting a shared, low-fee service from speculative or catastrophic claims.

Neither proposition answers the harder question. A registry's authoritative records and linked services are deliberately trusted beyond the walls of the corporation. The institution can reserve powers whose consequences reach customers that never signed its form. When that trust is invoked to secure compliance, it cannot be ignored when allocating the cost of institutional error.

The right response is not to pretend that the registry runs every router or owns every address. It is to identify exactly what it controls: records, service access, credentials, reverse delegations, recognised transfers and correction. Duties should attach to those functions. Causation should be proved through technical and documentary evidence. Remedies should remain bounded but meaningful.

An institution deserves deference when its process is careful, reasons are reviewable, interventions are narrow, continuity is protected and mistakes are restored rapidly. It earns deeper legitimacy when it accepts a proportionate consequence for proven failure. A contract that simply pushes every operational cost outward may protect a balance sheet, but it cannot by itself justify the authority that made the loss possible.

Control and liability do not need to be identical. They do need to face the same direction. The modern registry will remain credible only when stronger control brings stronger care, stronger review and a remedy capable of being felt beyond a refunded annual fee.