Summary

  • ICP-2 required a candidate RIR to prove broad regional support, bottom-up governance, neutrality, technical capability, funding, record keeping and confidentiality. The IANA evaluation of AFRINIC shows how carefully those conditions could be examined at entry, but recognition did not expire and the evidence was not routinely retested by an independent body.
  • The ICANN procedures ratified in December 2024 made continuing ICP-2 obligations explicit, yet their compliance review is event-driven. It begins when possible material non-compliance is serious enough to threaten stable and secure operation, not on a predictable cycle designed to detect weakening controls before a crisis.
  • A limited recertification should occur at least every three years and test only defined continuity capabilities: accurate records, recoverable systems, protected credentials, sufficient staffing, legally available operating resources, incident performance and a rehearsed service handoff. Failed controls should normally produce repair and retesting, not automatic loss of recognition.
  • Recertification must not become a recurring vote on regional policy, leadership popularity or institutional ideology. A common evidence standard, an independent rotating auditor, public summaries, confidential security annexes and a clear separation from derecognition would make assurance stronger while keeping political permission weaker.

Recognition is a decision; competence is a condition

Institutional recognition has a seductive finality. A candidate submits evidence, reviewers examine it, a competent authority decides, and the resulting status becomes part of the surrounding system's settled architecture. Finality is valuable. Networks cannot coordinate around a registry whose authority evaporates every budget cycle. Staff cannot plan secure infrastructure if recognition depends on the latest conference dispute. Resource holders should not have to wonder whether an unpopular policy proposal will cause their registration provider to disappear.

But finality in status does not create permanence in capability. Staff leave. Recovery procedures age. Backup media remain intact while the knowledge required to use them disappears. Corporate rules that worked with a full board become unusable after vacancies. A reserve appears large until a legal restraint separates the organisation from its accounts. A database remains available while the untested process for transferring it to another operator becomes obsolete. Recognition can be durable even as the evidence that justified recognition decays.

The existing Regional Internet Registries occupy both sides of this distinction. Their place in the coordinated numbering system should be stable. Their ability to perform essential registration services should remain demonstrable. Treating these propositions as identical creates a poor choice between complacency and political supervision. Either past approval is presumed to prove present competence, or an external actor is invited to reconsider the RIR's legitimacy whenever concern arises.

A better design protects recognition while making selected capabilities expire unless retested. The institution does not periodically ask permission to exist. It periodically demonstrates that records can be restored, credentials can be recovered, qualified staff can sustain service, incidents are handled within stated objectives, and a limited handoff can occur if ordinary authority fails. This is recertification in the sense used for safety-critical capacities: evidence has a defined validity period because the underlying condition can change.

The distinction matters politically. If recertification is a general review of whether an RIR remains good, aligned or popular, it becomes an instrument of leverage. If it is a bounded test of whether named services survive named failure conditions, it becomes infrastructure assurance. The first invites discretion. The second can be specified, observed and appealed.

ICP-2 was exacting at entry and silent about the next test date

The original ICP-2 criteria were not a casual endorsement. They described ten conditions for a new RIR and said the numbering of those conditions was insignificant because all were essential. A candidate needed a region of approximately continental scale, broad support from local registries and internet service providers, bottom-up policy procedures, neutrality, technical expertise, policies consistent with global goals, a detailed activity plan, a credible funding model, proper records and strict confidentiality.

Several criteria were already phrased as operating disciplines rather than ceremonial promises. The candidate had to provide production-grade connectivity, reverse-DNS support, suitable internal infrastructure and enough technically capable staff. Policy processes had to be open, documented and accessible. Records had to preserve the auditability necessary to demonstrate responsible and neutral operation. Core material had to be available in English for exchange and review. Funding had to move toward independence through member support.

The text also expected migration. When a new RIR was created, existing registries serving networks in that region needed to be able to propose migration of service agreements to the new institution. ICP-2 therefore understood that recognition was not merely a title. It connected authority, records, customer relationships, technical systems and an operational transition.

What it did not do was place an expiry date on the proof. There was no three-year restoration exercise, no recurring independent review of service levels, no periodic verification of emergency access to records and no scheduled demonstration that a successor could use the transferred material. The record-keeping criterion made operations auditable, but auditability is a property of evidence. It is not itself a timetable, a reviewer, a method or a consequence.

That omission fits the historical task. ICP-2 was concerned with the establishment of additional RIRs. It had to distinguish a viable candidate from an aspirational association and ensure a regional transition would not fragment number administration. The urgent question was whether a proposed institution could begin. The designers were not writing a complete maintenance code for mature bodies that might operate for decades after the expansion phase ended.

The result is an asymmetry. Entry competence was proved through an exceptional process. Continuing competence was largely presumed through ordinary operation unless a problem became visible enough to provoke scrutiny. The launch gate was evidentiary; the mature system relied heavily on reputation, self-reporting and the absence of an acknowledged emergency.

The AFRINIC recognition file shows the strength and limit of a snapshot

The IANA report on AFRINIC's recognition illustrates the entry method at its strongest. IANA reviewed the application against each ICP-2 principle. It examined the proposed region, support, governance, technical operations, policies, activities, finances, records and confidentiality. The other RIRs, acting through the Number Resource Organization, had assessed readiness and supported final approval. The transition from incumbent service was monitored rather than assumed.

The technical account was concrete. The report described redundant connectivity, database and reverse-DNS arrangements, backup and disaster-recovery capability, trained staff and operational support from established registries. It noted a distributed design involving technical operations, disaster recovery, training and the incorporated institution in different African locations. It found the technical operation and expertise impressive.

The financial account was similarly directed at launch. Membership fees were linked to resource categories. Supporting organisations would carry parts of the first two years' costs. AFRINIC was expected to become fully responsible for the distributed locations after incubation, supported by its own membership revenue. The business plan was treated as evidence that it could assume that burden.

This was serious diligence. The problem is not that IANA failed to predict every event over the following two decades. No review could do that. The problem appears when the 2005 finding is allowed to answer a different question in 2026. The report established that a particular team, plan, system and support arrangement met the entry criteria at a particular time. It did not establish that the same restoration path, authority structure, cash access or staffing depth would remain effective indefinitely.

A recognition file naturally favors what can be shown before operations mature. Architecture diagrams, staff resumes, policies, budgets and transition plans are available. Long-run incident data are not. A candidate can rehearse recovery, but it cannot yet show years of recovery performance. A candidate can promise a member-supported model, but it cannot demonstrate how that model responds to a prolonged governance dispute. Entry evidence is prospective. Periodic evidence can be observational.

That difference should improve later assurance rather than embarrass the original reviewers. A mature RIR can show actual service availability, correction times, security incidents, restoration exercises, staff turnover, reserve accessibility, complaint outcomes and records supplied to counterparties. Refusing to examine such evidence because recognition is already settled wastes the chief informational advantage of maturity.

Permanent recognition converts launch proof into an indefinite presumption

In most licensing systems, the initial decision and the continuing condition are connected by renewal, inspection, reporting or event-triggered enforcement. The Internet numbering system evolved with a less explicit bridge. Once an RIR was recognized, its continuing legitimacy drew from several sources: ordinary service, regional participation, peer coordination, corporate law and the practical reliance of resource holders. That mixture can be resilient, but it makes the evidentiary basis difficult to locate.

Successful daily operation supplies powerful evidence. If records resolve, reverse DNS works, resource requests are processed and coordination with IANA continues, the institution is plainly performing important functions. Yet absence of visible failure is a weak test of controls designed for rare events. A disaster-recovery system can remain untested for years while ordinary service looks excellent. A board succession mechanism can appear adequate until vacancies interact with quorum rules. An emergency signatory arrangement can exist on paper while the named people have departed.

Permanent recognition therefore produces a quiet evidentiary transformation. Facts proved at entry become part of the institution's identity. The RIR was technically capable, autonomous, supported and well governed; later discussion easily shortens that to the RIR is those things. The verb changes while the proof does not.

Self-reporting partly corrects the problem. RIRs publish annual reports, audited accounts, statistics, meeting records and technical information. These publications are valuable and should remain the first source of ordinary accountability. But management chooses the reporting frame, and a financial auditor does not necessarily test registry handoff, key recovery, reverse-DNS continuity, policy-implementation knowledge or authority during loss of quorum. Different RIRs publish different measures, frustrating comparison across institutions that perform related essential services.

Peer observation also helps. RIRs exchange information and depend on one another's coordination. A peer may notice missed obligations or weakened capability earlier than a distant reviewer. The difficulty is that peers are both monitors and incumbents. They share operational interests, participate in joint bodies and may later be asked to assist during failure. Their knowledge is useful; exclusive reliance on their judgment creates conflicts and makes assurance vulnerable to solidarity or rivalry.

The missing instrument is not constant supervision. It is an occasional, common and independently verified answer to a narrow question: do the continuity capabilities that justify reliance still work?

The 2024 procedures recognized continuing duties but remained crisis-triggered

The Implementation and Assessment Procedures for ICP-2 Compliance, ratified by the ICANN Board on 24 December 2024, resolved one ambiguity. They state that the criteria apply throughout an RIR's recognized status and that all five RIRs accept the same continuing obligations. The document translates the original principles into present-tense duties concerning support, governance, equality, technical capability, operational autonomy, records and confidentiality.

That is an important advance. Recognition is no longer easily described as a one-time test with no continuing content. The procedures also establish a route to review. The other RIRs may unanimously request an ICANN review when material non-compliance is reasonably suspected. ICANN may initiate a review on its own when it reasonably believes an RIR puts secure operation of the unique identifier system at risk. The subject RIR must provide information and access, may protect confidential material through an agreement, and can correct material factual errors in draft findings.

But this is an alarm procedure, not routine recertification. Section 3.1 says the assessment machinery is for circumstances in which performance or non-performance is significant enough to affect stable and secure operation. The need for review depends on the total circumstances and materiality. An ICANN-initiated review is expressly limited and must not become a broad general compliance role.

Those limits are sensible for enforcement. External intervention should not begin over every delayed report or ordinary disagreement. Yet a threshold appropriate for a compliance case is too high for preventive assurance. By the time there is a reasonable belief that secure operation is at risk, the relevant control may already have failed. The trigger asks whether a problem is serious enough to investigate. Recertification asks, on schedule and before an allegation, whether the protective mechanisms still perform as designed.

The possible outcomes confirm the remedial orientation. ICANN can find that no action is needed, that the RIR can restore compliance swiftly under an agreed process, or that no realistic restoration path exists quickly enough to avoid harm. In the latter situation, ICANN works with the remaining RIRs toward an emergency provider and, if necessary, a successor. These are responses to impairment. They do not create a recurring baseline against which gradual deterioration can be detected.

The 2024 procedures should therefore be preserved, not stretched. Turning every scheduled test into a Section 3 compliance review would attach enforcement stigma to ordinary assurance and invite ICANN into the broad role the document rejects. A separate recertification lane can produce evidence and repair without pretending that every failed exercise is material non-compliance.

Auditability without an audit cycle is only latent accountability

ICP-2's record-keeping principle is often treated as evidence that periodic assurance was already implicit. The text does emphasize auditability. The 2024 procedures require records of registry activities and information needed for operational audit to be available in English within a reasonable time. These are necessary foundations.

Yet an auditable institution is not necessarily an audited one. A database may preserve decision records while no independent reviewer samples them for accuracy. Logs may show every administrative change while nobody tests whether they can be reconciled after restoration. A recovery plan may list critical dependencies while no exercise withdraws the primary system and measures actual recovery. Evidence can remain complete, organized and unused.

Latent accountability has three weaknesses. First, it tends to activate after conflict. A litigant, member, peer or overseer asks for records when confidence has already fallen. Second, the scope is shaped by the allegation. Investigators seek evidence of the suspected failure and may miss a different weakness. Third, the stakes encourage defensiveness. Once recognition or emergency intervention is in view, every admission can appear costly.

A scheduled cycle changes the incentive. The date is known years in advance. The RIR can budget for the exercise, preserve the required evidence and repair weaknesses before the reviewer arrives. Comparable tests across all five registries reduce the sense that one institution has been singled out. A failed control becomes a normal governance fact to remediate rather than an immediate verdict on institutional legitimacy.

Routine testing also creates a useful historical series. One successful restoration says a system worked once. Repeated exercises reveal whether recovery time improves, whether staff depth survives turnover and whether the same exception remains open across cycles. Trend evidence distinguishes temporary deviation from structural neglect.

This does not require continuous access by an external supervisor. The test can be periodic, limited and conducted by an independent specialist under published terms. Most evidence can remain with the RIR until the scheduled review. The public needs a summary of method, findings and repair commitments, not a live feed of security controls.

The current draft moves toward periodic audit, and exposes unfinished choices

The August 2025 RIR Governance Document Version 2 is explicit about the missing cycle. Its draft Article 4 requires each RIR to participate in periodic or ad hoc audits conducted by an external independent auditor appointed by ICANN. It says a summary should be published and requires a periodic audit no less often than once every three years.

The proposal also defines more suitable continuing duties than the 2001 entry text could. Performance, continuity, governance, transparency, dispute resolution, financial independence and ecosystem stability are distinct obligations. Continuity includes sharing sufficient records, procedures and systems with an emergency operator, subject to escrow and data-protection controls. This is closer to an adulthood standard because it tests service under institutional substitution, not only operation by the incumbent.

The February 2026 NRO status report shows why periodicity alone is not enough. It records feedback that the draft did not expressly require action after an audit report and says the text will be amended to clarify RIR obligations. It also says transition provisions need more detail to protect resource-holder rights and maintain community engagement. Audit is therefore present in the design, while consequence and beneficiary protection remain under refinement.

That is not a reason to abandon the three-year rule. It is a reason to define the bridge between finding and remedy. An audit that merely publishes a weakness can become theatre. An audit whose every weakness opens derecognition can become coercion. The missing middle is a correction protocol: classification of findings, a dated repair plan, verification, a repeat test and escalation only when the defect is material, persistent and connected to protected services.

The draft's status also matters. As of July 2026, the public text remains a draft rather than the final replacement for ICP-2. Its periodic audit is evidence of reform direction, not a claim about a currently completed worldwide recertification regime. The operational design can still be improved before adoption by naming exactly what expires, what is retested, who chooses the reviewer and what a failed test does not authorize.

Recertify the service capability, not the regional mandate

The word recertification can alarm institutions because it suggests that recognition itself becomes temporary. That is not necessary. The certificate should attach to a bundle of defined capabilities, not to the RIR's political right to exist.

The first bundle is record integrity. The reviewer should test whether sampled registration changes can be traced to authority and supporting evidence; whether backups reconcile with the production state; whether historical changes remain available; and whether restoration preserves pending disputes, restrictions and correction history. A registry that restores only the latest public fields has not restored the administrative truth needed to continue service.

The second bundle is technical continuity. Exercises should measure restoration of directory services, reverse-DNS administration, registration systems, secure communication and the RPKI services the RIR actually provides. The test should include loss of a primary site or privileged account, not merely review a document. Recovery-time and recovery-point objectives should be published at an appropriately aggregated level, with detailed topology protected.

The third bundle is human continuity. Essential service cannot depend on one administrator who remembers a manual sequence. The reviewer should examine role coverage, succession, privileged-access recovery, separation of duties and the ability of a secondary team to operate from written procedures. This is not a judgment on staffing policy. It is a test of whether named services survive foreseeable absence.

The fourth bundle is institutional access. Money, contracts and authority must remain usable when ordinary governance is impaired. The test should verify minimum-service funding, lawful emergency spending authority, vendor continuity and the corporate mechanism for replacing signatories or directors. It should not prescribe ordinary budgets. It should answer whether essential commitments can still be met during the scenario the RIR itself has identified.

The fifth bundle is transfer readiness. A protected independent team should receive a current package of data, procedures, credentials or controlled substitutes sufficient to demonstrate a limited service handoff. The exercise need not move live authority. It must prove that another qualified operator can understand the state, reproduce defined outputs and identify unresolved exceptions within a measured period.

None of these tests asks whether the auditor likes a regional transfer policy, meeting format, fee level or board candidate. They ask whether existing obligations can still be performed. Recognition remains permanent unless separate, pre-existing procedures establish material non-compliance and justify a proportionate remedy.

A recertification matrix can keep discretion small

Bounded review requires a matrix published before evidence is collected. Each capability should have a defined objective, permitted evidence, test method, finding scale and correction period. Without that structure, even a technically described audit can become a negotiation over institutional virtue.

Record integrity might be tested through a statistically defensible sample of recent and historical changes, restoration of a protected snapshot and reconciliation against signed or independently preserved checks. The pass condition is not perfection in every field. It is an error rate within a disclosed threshold, complete preservation of high-risk state and a functioning correction process for discrepancies.

Continuity might be tested through a scenario selected from a published family: primary-site loss, credential compromise, unavailable leadership, a restrained operating account or a major vendor failure. The reviewer can choose the scenario shortly before the exercise so the result is not scripted. The RIR should know the capabilities under examination but not every event sequence.

Transfer readiness requires more care because a live handoff could create risk. A shadow environment can receive a sanitized or cryptographically protected package, reconstruct services and compare outputs without publishing an alternative authoritative answer. Where personal or confidential information is needed, controlled access, minimization and deletion should be independently verified. The exercise tests usability, not public disclosure.

Findings should have at least four levels. An observation identifies improvement without a failed requirement. A minor non-conformity requires correction before the next cycle. A major non-conformity affects a continuity capability and requires a near-term repeat test. A critical finding means an essential service is presently exposed to material interruption and should be referred to the existing compliance procedure with immediate protective measures.

The matrix should also name exclusions. The auditor cannot reopen substantive regional policy, infer community support from a narrow survey, demand privileged legal strategy unrelated to continuity, or recommend leadership removal. These exclusions are not favors to incumbents. They are jurisdictional safeguards that make a strong operational test acceptable.

Independence must be designed on both sides of the review

Calling an auditor independent does not make the relationship independent. Appointment, funding, repeat business, access and publication can all shape the result. A reviewer selected solely by ICANN may be perceived as extending ICANN authority. One selected by the subject RIR may soften findings to preserve the engagement. A peer-RIR team brings expertise but not distance.

A standing panel offers a better arrangement. ICANN and the RIR communities could approve qualification criteria through a public process. Firms or multidisciplinary teams would need registry operations, security, corporate continuity, data protection and assurance competence. Individual assignments would then be made by rotation or transparent random selection, with disclosed conflict checks. The subject RIR could challenge a reviewer for a documented conflict but not choose a preferred replacement.

Funding should come from a common assessment paid by all RIRs under a pre-set formula, not a fee negotiated after a concerning event. Equal exposure matters: APNIC, ARIN, LACNIC, RIPE NCC and AFRINIC should face the same cycle and core method. Risk-based additions can address scale or prior findings, but the existence of the test cannot depend on whether an institution is currently controversial.

The auditor should report to a small assurance secretariat with no power to decide recognition. That body checks method, protects confidential material, publishes summaries and tracks repair. It does not negotiate regional policy or direct ordinary RIR management. If a finding may warrant formal compliance action, the record moves into the separate procedure, where notice, factual correction and the applicable decision rights attach.

Reviewer rotation should be mandatory. No firm should audit the same RIR indefinitely. Work papers should undergo periodic quality review by another panel member, with sensitive material protected. A public methodology-change log should reveal whether criteria have shifted between cycles.

Independence also protects the RIR. A common process can rebut opportunistic allegations by showing that the relevant control was recently tested. External assurance is not only a route to criticism. It is an evidentiary defense against political claims that cannot survive a defined standard.

Publication should reveal assurance without publishing an attack manual

RIR accountability requires public evidence, but continuity testing touches sensitive systems. Publishing credentials, failover topology, vendor dependencies, personal data or exploit details would weaken the service the audit is meant to protect. Complete secrecy would be equally defective because the public could not distinguish a real test from a ceremonial attestation.

The answer is a layered report. The public summary should name the scope, date, reviewer, methodology version, scenarios tested, capability ratings, unresolved findings, correction dates and the RIR's response. It should disclose material limits, including systems excluded from testing and reliance on management representations. It should state whether the auditor verified remediation.

A restricted annex can contain evidence samples, security architecture, personal data, legal opinions and detailed failure sequences. Access should follow a defined role list and leave an audit trail. Confidentiality decisions should be reviewed rather than left entirely to the subject institution, and every redaction category should be explained in the public summary.

Aggregate metrics should be comparable across RIRs: restoration time, maximum tested data loss, proportion of essential roles with qualified backups, age of the latest handoff package, closure time for major findings and success of repeat tests. Precision should be limited where it creates security risk, but direction and threshold can still be published.

Incident history deserves the same discipline. A recertification should examine whether previous incidents produced corrective action. The public report need not retell every security event. It can state how many material recommendations remained overdue, whether recurrent causes appeared and whether the tested controls reflected the lessons claimed.

Trust grows from bounded candor. A registry that reports one failed restoration step, corrects it and passes a repeat exercise may deserve more confidence than one that publishes only flawless self-description. The regime should reward evidence of learning rather than demand an implausible record of perfection.

Failure should first create a right and duty to repair

An assurance regime becomes political permission when a reviewer can turn any defect into a threat to status. The default consequence of a failed recertification must therefore be correction, not derecognition.

Minor findings can be closed through documentary evidence or the next scheduled exercise. Major findings need a dated plan, named accountable owner, interim control and independent retest within months rather than years. The public summary should remain open until the retest passes. Repeated delay should raise the classification because failure to repair becomes evidence distinct from the original defect.

Critical findings require immediate protection. If privileged access cannot be recovered, records cannot be restored or minimum service lacks lawful funding, the RIR and relevant coordinators should isolate the endangered function, preserve evidence and activate limited assistance. Referral to the 2024 compliance procedure may be justified because the issue has crossed from preventive assurance into material operational risk.

Even then, the audit itself should not determine derecognition. The compliance process must evaluate total circumstances, the prospect of swift restoration and the harm of intervention. The subject RIR must receive notice and an opportunity to correct factual errors except where urgency makes immediate determination necessary under the existing procedure. Emergency service should protect continuity rather than punish the institution.

The regime also needs review of the auditor's finding. A technical appeal panel can examine whether the method was followed, evidence was misread or a classification was disproportionate. It should not rerun the entire exercise because management dislikes the result. A short, published disposition is enough for most disputes.

This separation produces a rational ladder: test, finding, interim control, repair, retest, formal compliance review if material risk persists, emergency continuity if service is endangered, and only then any separate recognition consequence authorized by the governing rules. Each step answers a different question and requires its own evidence.

Recertification cannot be a referendum on community support

ICP-2 required broad regional support at entry and the 2024 procedures describe ongoing support as a continuing obligation. That principle matters. An RIR cannot claim bottom-up legitimacy while systematically excluding the resource holders it serves. Yet periodic recertification should not attempt to re-prove regional consent through a plebiscite.

Support is difficult to measure without manipulation. Membership counts mix active networks, intermediaries and dormant accounts. Meeting attendance favors entities with time and travel budgets. Surveys depend on question framing and response rates. Elections measure choice among candidates under corporate rules, not consent to the institution's existence. A determined actor can turn any threshold into a campaign for or against recognition.

The assurance cycle should instead test the machinery through which support can be expressed: published election rules, accessible participation, accurate member rolls, timely notices, conflict controls, complaint handling and the implementation of valid outcomes. These are observable institutional conditions. They do not tell entities what position to take.

Evidence of severe exclusion or fabricated process can become a major compliance concern, but the auditor should not ask whether the community approved the latest policy. Policy disagreement is a sign of a living system, not proof of institutional failure. Nor should low turnout automatically invalidate an RIR. The relevant inquiry is whether barriers, unequal treatment or defective records prevented a fair opportunity to participate.

This boundary prevents recertification from becoming a regional-confidence vote administered by outsiders. It also keeps technical continuity from compensating for procedural abuse. The two lanes can be examined with different evidence: service capability through tests, and governance machinery through verifiable process records. Neither reviewer receives a general mandate to declare the institution politically acceptable.

A three-year cycle is a floor, not a substitute for monitoring

The draft Version 2 interval of no less than once every three years is a defensible starting point. It is long enough to avoid permanent audit mode and short enough to catch turnover, system replacement and control drift. Many RIR systems and governing bodies can change materially within three years.

The cycle should be staggered so the same reviewer and coordination staff are not overloaded. Core methods should remain common, while scenarios vary. The first cycle can establish a baseline without treating every historical gap as misconduct. New obligations need a published transition period and technical assistance where appropriate.

Three years cannot carry the whole burden. RIRs should report a small set of annual continuity indicators and promptly disclose material service incidents. A major architecture change, merger, prolonged governance vacancy, loss of key staff or serious restoration failure can trigger a focused out-of-cycle test. That is not the same as a broad ad hoc compliance review; the scope remains tied to the changed capability.

Conversely, a clean recertification should not immunize an RIR until the next date. Evidence can change immediately. The certificate should state the tested conditions and known limits, not promise future performance. If a critical event occurs, ordinary incident and compliance mechanisms remain available.

The method itself needs review at least every five years, with public consultation and an explanation of changes. New services may enter the minimum bundle; obsolete tests may disappear. Method revision should not be used retroactively to declare a prior pass invalid. The objective is current assurance under a known standard.

Over time, the dataset will support better thresholds. Early cycles should resist false precision. A twelve-minute restoration may be excellent for one service and irrelevant for another. Comparative figures need context, service definitions and disclosure of exercise conditions. The aim is evidence capable of judgment, not a leaderboard.

The costs are real, but monopoly-like reliance raises the duty

Periodic independent testing consumes staff time and money. Exercises can disrupt normal work. Preparing evidence may favor larger RIRs with mature compliance teams. External auditors may import habits from financial or domain-name regulation that do not fit number administration. These objections deserve design answers.

Scope is the first control on cost. The common core should concern services whose interruption or corruption would harm resource holders or global coordination. The reviewer should reuse reliable evidence from financial, security and corporate audits rather than demand duplicate work. Sampling should replace exhaustive re-performance where risk allows. A multi-year schedule lets institutions combine exercises with planned maintenance.

Shared technical support can reduce unequal burden without weakening independence. Test harnesses, data schemas and scenario libraries can be maintained collectively and published. Each RIR remains responsible for passing, but no one needs to invent the method alone. Smaller teams can receive preparation guidance that does not reveal the selected scenario.

The strongest answer is proportionality to reliance. Resource holders generally cannot choose a different recognized RIR while keeping the same regional service relationship. The institution's failures can therefore impose costs on parties with limited exit. Where provider choice is constrained, evidence of continuity should be stronger, not weaker. The absence of competition removes one source of discipline and increases the case for a bounded independent test.

Recertification may also reduce crisis cost. A usable handoff package, tested recovery sequence and current authority map are cheaper to maintain than to reconstruct during litigation or leadership failure. An independent pass can lower uncertainty for vendors, members, courts and counterparties. The exercise produces operational value even if no enforcement action follows.

The cost argument finally depends on what is being protected. This is not a certification for a peripheral association. It concerns the institutions maintaining authoritative registration relationships, related technical services and records on which networks rely. A three-year demonstration of continuity is a modest burden compared with decades of presumed competence.

The narrow model strengthens legitimacy by limiting permission

The case for periodic recertification is easily misunderstood as an argument for a stronger central overseer. It is the opposite if designed correctly. Unstructured concern gives ICANN, peer RIRs and political actors room to define failure during the crisis. Predefined tests reduce that discretion.

An RIR that knows the exact capability standard does not need to seek favor. It can pass by producing evidence. A reviewer that dislikes a regional policy cannot move the threshold. ICANN can receive the report without turning it into broad supervision. Peers can contribute operational knowledge without voting on whether the subject remains worthy. Resource holders can see unresolved continuity risk without mounting a campaign for existential action.

The design also corrects the unfairness of crisis-only scrutiny. Institutions that encounter visible disputes receive extraordinary attention while quiet institutions may carry equally stale controls. A universal cycle examines all five RIRs on the same basis. It can discover excellence as well as weakness and spread proven methods without treating one region as the permanent problem.

Most important, the limited certificate answers the right temporal question. Recognition asks whether a candidate should enter the coordinated system. Recertification asks whether a named set of current capabilities was demonstrated during a recent period. Compliance review asks whether material obligations are being breached. Emergency continuity asks how service will be protected now. Derecognition asks whether the institutional relationship must end. Collapsing these questions creates power without precision.

ICP-2's achievement was to make entry conditional on evidence rather than aspiration. Its weakness was not requiring the decisive evidence to age. The remedy is not to put every RIR on political probation. It is to place an expiry date on the assurance that records, systems, authority and handoff still work.

A workable first recertification round

The first worldwide round should be deliberately limited. It can test six propositions common to every RIR: production records reconcile with a restored protected copy; critical directory and reverse-DNS functions recover within declared objectives; privileged access survives loss of primary administrators; minimum service has lawful authority and funding through a governance disruption; security and service incidents produce verified corrective action; and a qualified secondary team can use a protected handoff package.

Each RIR should publish a readiness statement six months before its test. The statement would identify the services in scope, declared recovery objectives, applicable data-protection restrictions and major changes since the prior baseline. It would not contain sensitive topology or credentials.

The independent panel would then choose one restoration scenario and one authority scenario. It would sample records across recent and older periods, observe recovery, interview primary and secondary role holders, inspect evidence of incident closure and supervise the handoff demonstration. Management representations would be labeled rather than treated as verification.

Within sixty days, the reviewer would issue a public summary and restricted annex. Major findings would receive a correction deadline and repeat test. The report would say explicitly that a pass does not approve substantive policy and a failure does not by itself alter recognition. Only a critical present risk or persistent major failure would be referred into formal compliance review.

After all five reports, an independent method review would compare exercise quality, not rank the institutions. It would identify tests that produced ambiguous evidence, security information that should be better protected and thresholds requiring revision. Resource-holder groups could comment on whether the public reports answered continuity concerns without seeking confidential operational details.

This first round would turn a constitutional debate into practical evidence. It would show how much of the proposed handoff can be tested without moving live authority, how expensive independent review actually is and whether three years is the correct interval. The system would learn before expanding scope.

Evidence and analytical limits

The ICP-2 criteria support the account of the original entry conditions, their equal importance, the role of auditability and the expected migration into a new regional institution. They do not establish a scheduled recertification cycle.

The 2005 IANA AFRINIC evaluation supports the description of a detailed entry assessment covering technical capability, funding, governance, records, confidentiality and transition readiness. It is not used to claim that IANA promised those conditions would persist indefinitely or that later failures were predictable at recognition.

The 2024 implementation and assessment procedures support the claims that ICP-2 obligations are continuing, all five RIRs accept them, review can be requested by unanimous peer action or initiated by ICANN under stated conditions, and an ICANN-initiated review must remain limited. Their threshold is material risk under the total circumstances; they do not prescribe a routine audit at a fixed interval.

The NRO Version 2 draft supports the description of a proposed independent audit at least every three years, separate performance and continuity obligations, emergency operation and handoff readiness. The Q1 2026 status report supports the narrower claim that audit consequences and transition protections remained under drafting. Neither source is presented as a final adopted replacement for ICP-2 as of publication.

The recertification matrix, assurance panel, finding scale, layered publication model and first-round design are analytical proposals. No cited source establishes that ICANN, the NRO or all RIR communities have adopted them. The article does not evaluate whether any current RIR would pass the proposed test, does not infer technical weakness from the absence of a public certificate, and does not treat an audit finding as automatic authority for derecognition.