Summary
- Essential RIR services should be capable of limited, temporary transfer before a derecognition decision. Service continuity is an operational safeguard, not a preliminary judgment that the incumbent has lost its regional mandate.
- IANA, the other RIRs, and a qualified interim operator need a tested readiness arrangement covering authoritative records, identity and access, reverse DNS, routing-security functions, request processing, security, privacy, funding, public notice, and return of service.
- Resource holders must keep their registrations, requests, credentials, technical dependencies, and challenge rights without being required to support either side of an institutional dispute. No actor should be able to create service anxiety as leverage for recognition, leadership, litigation, or policy concessions.
The networks must not become the bargaining chip
When a Regional Internet Registry enters governance review, the most powerful pressure point is not the boardroom. It is the population of networks that depends on the registry. Resource holders need records updated, requests processed, reverse DNS maintained, routing-security material managed, contact authority verified, and registry information kept accurate. If those services become uncertain, operators may support whichever institution appears able to restore them, even when they have no informed view on the underlying legal or constitutional dispute.
That pressure is corrosive. It turns service continuity into a plebiscite conducted under operational duress. An incumbent can imply that outside scrutiny will disrupt the registry. Challengers can imply that only removal will make services reliable. Peer institutions can condition assistance on cooperation with their preferred institutional outcome. Governments can present continuity as a reason to accept local control. Resource holders, meanwhile, are asked to choose a side when what they need is a dependable registry.
The answer is to separate two decisions that are often placed in the wrong order. The first is whether essential services can be maintained temporarily, under a narrow and reversible mandate, if the incumbent cannot provide them. The second is whether the incumbent should remain recognized, be rehabilitated, or be replaced. Continuity should be solved first. Institutional status should be decided on its own evidence afterward.
This ordering is not a covert route to derecognition. Properly designed, interim service protects the incumbent as much as its critics. A registry suffering a cyber incident, staff-access failure, court-imposed control gap, or short-term financial paralysis could accept technical assistance without conceding that it has permanently failed. Once capability is restored and verified, the service returns. The regional membership keeps its institution while the immediate hazard passes.
The same ordering protects reviewers from urgency. If service can continue safely, ICANN and the RIRs do not need to compress a complex governance assessment into the time available before a certificate expires, a reverse-DNS request stalls, or a backlog harms operators. Courts can resolve authority, members can correct elections, auditors can test records, and competing claims can be heard without a running clock tied to network operations.
The emerging ICP-2 reforms recognize parts of this logic. The proposed Version 2 principles call for continuity procedures, redundancies, and record sharing sufficient for another RIR to perform services if necessary. The second draft governance document defines emergency continuity and an emergency operator, then requires readiness for transfer to an interim or successor entity. But the design still needs a harder sequencing rule: no final status change until an independent exercise has shown that the affected services can move without making resource holders collateral damage.
Continuity is broader than a public lookup service
An outside observer may think RIR continuity means keeping a public registration search available. That is only the visible edge. The service relationship includes authoritative records, authenticated changes, evaluation of requests, policy implementation, reverse DNS, routing-security functions, billing and membership touchpoints, abuse contacts, historical allocation evidence, inter-registry coordination, and communication with IANA. Each function has different data, authority, and recovery requirements.
The IANA number resources overview describes the hierarchy at its simplest: IANA coordinates global IP address and autonomous system number spaces and allocates pools to the RIRs, which in turn serve networks in their regions. RFC 7020 describes the Internet Numbers Registry System as a hierarchical system involving IANA, the RIRs, and downstream registries and users. That hierarchy is administratively compact, but the operational state accumulated at the regional level is extensive.
Consider an ordinary change request. The registry must know which organization holds the resource, which individuals are authorized, what prior records establish the claim, which policy applies, whether a transfer or reassignment is allowed, whether fees or contractual conditions matter, and which public and non-public fields should change. A copy of the public record is not enough. The temporary operator needs controlled access to the evidence and rules necessary to decide correctly, or it must limit itself to preserving existing state.
Reverse DNS has another dependency chain. Delegations under address-space domains must remain coherent with resource authority, and changes need reliable authentication and coordination. Routing-security services introduce still more sensitivity. Where a holder uses an RIR-hosted or delegated RPKI service, continuity may involve account authority, certificate state, publication, manifests, revocation, repository availability, and protection against contradictory issuance. A rushed transfer could cause relying parties to reject valid routing information or accept unauthorized assertions.
Even apparently non-technical functions matter. A registry may need to issue invoices, confirm membership, receive legal notices, preserve dispute records, and answer urgent requests from operators. If those functions stop, small networks can be affected first because they lack dedicated legal and registry staff. If an interim operator ignores them, service technically continues while practical access becomes unequal.
Continuity planning should therefore classify functions in three groups. Critical services must remain available or be restored within a short, tested objective. Protected-state services may be temporarily frozen because an incorrect change would be worse than delay. Discretionary or governance-dependent functions may remain with the incumbent or pause until lawful authority is clear. This classification should be agreed before a crisis. Otherwise every function becomes an improvisation, and the broadest claimant to authority tends to win.
IANA is an anchor, not a substitute regional registry
IANA's role is indispensable but often overstated. It maintains the top-level number registries, implements global allocation policies, coordinates unallocated pools, and records the relationship between global resources and the RIRs. It does not ordinarily maintain every resource holder's complete regional account, evaluate every downstream request, collect every regional fee, or administer every member relationship. A continuity plan that says "IANA will take over" is therefore incomplete.
The top-level record still matters enormously. A disputed change in the named regional authority, an additional allocation during crisis, or an inconsistent instruction about returned resources can affect the coherence of the hierarchy. IANA should preserve a stable global reference while the interim arrangement is established. It should accept operational instructions only through an authenticated, pre-agreed authority path and should record temporary status without implying a final recognition outcome.
IANA can also support verification. The IANA RIR allocation data provides the global allocation history against which regional custody can be reconciled. The number resource request procedure shows that additional IPv6 and autonomous system number allocations depend on utilization information supplied by the RIR. During a crisis, continuity therefore includes the ability to produce trustworthy utilization summaries and submit authenticated requests. Otherwise a region may retain existing records but lose access to new global inventory when eligible.
The other RIRs supply the operational depth IANA lacks. They understand regional registry systems, policy interpretation, inter-RIR data exchange, reverse DNS, security operations, and the service expectations of number holders. One or more may be able to host defined functions temporarily. Yet peers have conflicts: they help write the rules, may recommend derecognition, may compete for influence, and may later support a successor. Their technical suitability does not erase the need for a limited mandate and transparent terms.
A qualified independent service organization might reduce institutional conflict, but it would need capabilities that cannot be assembled after an outage begins. It must understand registry policy, protect sensitive information, operate secure systems, serve multiple languages and time zones, and coordinate with IANA and all RIRs. Commercial disaster-recovery providers can host infrastructure but may not possess authority to make number-resource decisions. A court-appointed administrator may hold local legal authority but lack technical capacity.
The likely answer is a composite arrangement: lawful temporary authority, RIR technical support, IANA coordination, and independent oversight.
That division should be explicit. IANA confirms and preserves the global registry relationship. The interim operator performs only listed regional functions. Peer RIRs provide bounded technical capacity. The affected RIR supplies records and staff where possible. An independent overseer verifies scope, security, and return conditions. No entity acquires the whole institution merely because it is essential to one part of continuity.
The present order still makes handoff too dependent on the crisis
The 2024 Implementation and Assessment Procedures for ICP-2 Compliance address continuity after a severe compliance finding. If operations cannot be restored in time, ICANN commits to work with the remaining RIRs to identify an emergency provider. RIRs are encouraged to maintain emergency backups and consider escrow. If needed, ICANN coordinates with the remaining RIRs to identify a successor RIR.
That is a meaningful recognition of operational risk, but the verbs reveal the weakness. An emergency provider is to be identified after the subject RIR is found unable to recover. Backups are encouraged. Escrow is something to consider. The procedure does not require a prequalified operator, tested transfer package, measured recovery objective, or demonstrated legal authority before intervention.
The 2025 draft is stronger. It requires each RIR to maintain continuity and redundancy procedures and regularly share enough records, data, regional policy implementation material, and systems with an emergency operator, subject to escrow and data-protection controls. Emergency continuity can be initiated when all or part of RIR services cannot be provided adequately. The draft requires agreement by ICANN and all other RIRs, prompt publication of rationale and scope, community engagement, cooperation with temporary handover, a right to resume after verified restoration, a 90-day limit unless renewed, and post-event review.
Yet the same draft places the formal readiness clause near the effects of derecognition. It says the RIRs and ICANN must be collectively ready to transfer services to a successor or interim entity within a reasonable time if needed. "Collectively ready" and "reasonable time" are not operational tests. They do not establish which functions have been exercised, which records are current, who holds credentials, what law permits access, how routing-security state avoids conflict, or how a resource holder authenticates during transfer.
The Q1 2026 status report openly records the unresolved issues. It notes concern that unanimity may be too high in an urgent case, that 90 days may be limited public evidence to identify a successor, that extensions need oversight, and that transition provisions need more detail to protect resource-holder rights and community engagement. This is a valuable admission. It shows that continuity is not solved merely by naming an emergency operator.
The sequence should be reversed. Readiness must be a continuing condition of recognition, assessed through exercises and independent verification. Emergency continuity must be activatable without a derecognition proposal and terminable without a recognition decision. A final status decision must contain a validated service plan rather than a promise to identify one later. The crisis should trigger execution of known arrangements, not design of the arrangements themselves.
Transferability must be built during ordinary operation
Continuity begins when the registry is healthy. Every RIR should maintain a transfer package that can be validated without giving the standby operator routine control. The package is not just a backup. It is the minimum set of technical state, policy knowledge, legal authority, and operating instructions needed to perform defined services safely.
The first layer is authoritative state. Allocation and assignment records, organization and contact authority, status history, reverse-DNS delegations, routing-security account relationships, pending requests, policy decisions, and relevant audit trails need consistent export, integrity checks, versioning, and reconciliation against public and IANA-level records. The standby copy should be current enough to meet recovery objectives, but access should remain encrypted, logged, and unavailable until a valid trigger.
The second layer is interpretation. Registry data is not self-executing. The operator needs current regional policy, staff guidance that affects consistent application, documented exception authority, language capability, and a way to distinguish settled practice from discretionary judgment. Hidden institutional memory is a continuity risk. So is transferring internal custom as though it were public policy. Material necessary for temporary operation should be documented and reviewable during ordinary audits.
The third layer is authority. Contracts, bylaws, local law, data-protection duties, intellectual-property rights, employment arrangements, and court powers may all affect whether an outside body can process records or make decisions. Each RIR should obtain jurisdiction-specific legal analysis and put the necessary agreements in place before crisis. A clause that becomes effective only upon a defined trigger is more credible than an emergency demand for cooperation from a hostile or incapacitated board.
The fourth layer is access and infrastructure. Standby environments, secure communication channels, authentication recovery, cryptographic ceremonies, domain and service dependencies, vendor contacts, and incident-response roles should be exercised. The aim is not to create a shadow registry running in parallel. It is to prove that a clean, controlled environment can become authoritative for selected services without conflicting with the incumbent.
The fifth layer is people. A temporary operation needs named roles, not necessarily permanently named individuals. There must be technical leads, policy decision makers, privacy officers, security responders, communications staff, finance contacts, and a route to lawful oversight. Key-person dependency should be tested. If only one incumbent employee understands a critical function, transferability has not been established.
Exercises should vary. A tabletop can test decision authority. A technical restoration can test data integrity. A limited live exercise can process synthetic transactions in a separated environment. A communications exercise can test resource-holder verification and multilingual notice. Results should be summarized publicly without exposing vulnerabilities. Findings should produce dated remediation, and repeated failure to remediate continuity gaps should itself become an auditable operating concern.
The trigger should be functional and neutral
Emergency continuity should start because a service cannot be provided safely or reliably, not because reviewers dislike the incumbent's governance position. The trigger should identify a function, a material impairment, a harm window, and the incumbent's inability or refusal to restore within that window. This allows action without prejudging recognition.
Examples include sustained unavailability of critical registration services; loss of authoritative record integrity; inability to authenticate legitimate resource-holder changes; loss of reverse-DNS administration; compromise or unavailability of routing-security functions; a legal order that removes all effective operational authority; loss of facilities or staff beyond tested recovery capacity; or a financial event that prevents payment for critical infrastructure. A credible imminent threat may suffice when waiting for actual failure would create irreversible harm.
By contrast, a disputed election, critical public statement, governance complaint, or pending derecognition proposal is not itself a continuity trigger. It may lead to review. It may reveal a control risk worth testing. But services should move only if the functional threshold is met. This keeps emergency operation from becoming an instrument for changing the board.
The decision body must be able to act when some institutions are unavailable or conflicted. The draft's unanimity requirement protects against unilateral capture, but it may be too slow if one peer cannot decide or has an interest. A better rule would require a high threshold among non-conflicted entities, a documented technical finding from independent assessors, and prompt review by an external panel. No institution that expects to become the operator or successor should cast the decisive vote without disclosed safeguards.
The affected RIR should be consulted whenever possible, and its proposed recovery should be tested. If it can restore within the harm window, outside operation is unnecessary. If control is disputed, reviewers can consult staff, lawful representatives, a receiver, members, and courts without treating any single faction as the institution. Urgency can shorten consultation but not erase the need to record who was heard.
Activation must specify scope. "Emergency continuity for the region" is too broad. A decision might authorize maintenance of existing records and urgent security changes while freezing transfers and new allocations. Another might move customer authentication and request processing while leaving member governance untouched. A third might support reverse DNS only. The authority should expire function by function as the predicate ends.
Most importantly, activation should contain no language implying that the incumbent is derecognized or that the temporary operator is its successor. The public can understand that a hospital's backup generator does not decide who owns the hospital. Registry continuity should be framed with the same clarity: service is being preserved while status remains open.
The interim operator needs a narrow constitution
A temporary operator will exercise consequential authority. Without a narrow constitution, technical assistance can become institutional takeover. The mandate should be written before activation and attached to every continuity decision.
Its purpose is preservation: maintain the accuracy, availability, security, and equal accessibility of specified services. It may process ordinary requests under existing regional policy, correct verified errors, protect records, and perform urgent actions needed to prevent harm. It should not adopt new regional policy, alter membership rights, sell or encumber assets, settle unrelated litigation, endorse candidates, reorganize the corporation, or use registry data for commercial advantage.
Discretion needs boundaries. Some requests are routine and reversible; others alter long-term resource control or create precedent. The operator can apply a risk matrix. Low-risk transactions continue under dual review. High-impact transfers, disputed legacy claims, unusual exceptions, and changes affecting contested authority may pause or go to an independent adjudicator. The aim is not to freeze the region indefinitely but to avoid irreversible decisions by a body with a temporary mandate.
The operator should apply the affected region's valid policy, not the policy of the assisting RIR. This is essential to regional autonomy. Technical systems can be hosted elsewhere while decisions remain grounded in the region's rules. Where policy meaning is genuinely unclear, the operator should publish the question and use the narrowest interpretation consistent with prior practice and equal treatment. It should not exploit emergency conditions to harmonize policy globally.
Every material action should be logged. Resource holders need confirmation of changes, reasons for refusal or delay, and a challenge route. An independent reviewer should be able to sample decisions for impartiality and security. Aggregate performance data should be published: service availability, request volumes, backlogs, incidents, high-impact actions, complaints, and corrections. Sensitive registration information remains protected.
Compensation and liability must be agreed in advance. A peer RIR should not profit from prolonged emergency operation, but it should not be forced to absorb unlimited cost or risk. Funding can come from ring-fenced incumbent reserves, shared continuity contributions, insurance, or a common facility. Fees to resource holders should remain stable unless an openly authorized temporary change is essential. Any reimbursement should be auditable.
The operator's staff and contractors should be subject to conflict, confidentiality, security, and non-solicitation duties. They should not recruit the incumbent's members, market unrelated services using accessed data, or participate in successor selection. Temporary access is a public trust. Its value lies in being capable enough to preserve service and constrained enough not to convert capability into ownership.
Data custody must preserve privacy and authority
Transferable continuity depends on data sharing, but indiscriminate replication creates another systemic risk. Regional records can include non-public organization details, authorization evidence, identity material, correspondence, payment information, security history, and commercially sensitive network plans. A standby arrangement must make the data usable in emergency without making it routinely available to peers or central institutions.
The original ICP-2 criteria place record keeping and confidentiality side by side. Records are needed for later requests and operational audit; information collected in registration is to remain confidential and used for registration purposes. Modern continuity should preserve both principles. Auditability does not authorize general access, and privacy cannot justify a continuity blind spot.
A sound escrow design separates storage, decryption authority, and activation. Data can be encrypted and replicated to a neutral custodian. Decryption material can require approval from multiple independent roles. Activation can be limited to a named service and logged. The temporary operator receives only the fields and history needed for its mandate. A privacy officer can review exceptional access, and every copy can be accounted for at the end.
Integrity is as important as confidentiality. The standby operator needs to know that records are complete, current, and untampered. Regular hashes, signed snapshots, reconciliation totals, change logs, and comparison with public and top-level allocation records can provide assurance. Any unexplained divergence should be resolved during ordinary operation rather than discovered under emergency pressure.
Authority data needs special care. If the crisis concerns a disputed member register, director list, or account administrator, simply copying the incumbent's latest state may reproduce the contested control. Continuity plans should distinguish resource authority from corporate voting authority and from user-account access. A network's registered resources should not become inaccessible because its representative voted for a particular faction. Corporate contestants should not be able to use administrative credentials to rewrite resource authority.
Data location and applicable law must be planned. Cross-border replication may trigger privacy, secrecy, discovery, cybersecurity, or sector rules. The answer is not to abandon escrow. It is to choose lawful locations, minimize data, use binding agreements, and define which competent authority can order access. If one jurisdiction becomes unavailable, the arrangement may need a second lawful site with independent controls.
At termination, data handling must be provable. The interim operator should return current authoritative state, transfer complete action logs, delete or archive copies according to law, revoke access, and certify completion. The incumbent or successor should be able to reconcile every transaction conducted during the interim period. Continuity is successful only if the institution that resumes service inherits a trustworthy record, not a second dispute over hidden copies and unexplained changes.
RPKI continuity requires an especially conservative hand
Routing-security services make continuity technically delicate. The Resource Public Key Infrastructure connects certificates and signed entities to number-resource holdings. Operators and relying parties use that material to evaluate route-origin claims. A mistake during emergency transfer can have effects beyond a customer portal: valid announcements may appear invalid, unauthorized origins may seem acceptable, or conflicting publication states may persist.
RFC 6480 describes the RPKI architecture and its relationship to address and autonomous system number allocations. In practice, RIRs offer different combinations of hosted and delegated service, repositories, publication support, and account controls. A continuity plan must map the actual regional implementation rather than assume one uniform system.
The first objective is to avoid contradictory authority. The incumbent and interim operator must not both issue valid but inconsistent material for the same resources. Activation needs a controlled authority transition, and relying parties need a stable publication path. If safe transfer cannot be established immediately, preserving existing valid state for a bounded period may be preferable to accepting high-impact changes.
The second objective is key and credential security. Continuity planning should determine which cryptographic functions can be restored from protected backup, which require ceremonies, which remain under resource-holder control, and which should be re-established through a transparent procedure. The operator should never receive more signing capability than its service scope requires. Access should be multiparty, logged, and reviewed.
The third objective is resource-holder notice. A holder using hosted service may need to know whether its existing route-origin authorizations remain valid, whether changes are temporarily restricted, and how urgent revocation or creation will be handled. A holder using delegated service may depend more on publication and parent-certificate functions. Notices should be operationally precise and free of institutional campaigning.
The fourth objective is validation monitoring. Before, during, and after transition, independent observers should monitor repository availability, entity freshness, manifest consistency, invalid-state changes, and unexpected route-origin effects. Restoration is not complete merely because a service endpoint responds. The resulting trust material must be coherent from the perspective of relying parties.
Because consequences can propagate quickly, the trigger for moving RPKI functions should require direct technical evidence and a tested transition path. A governance review alone should never rotate authority or republish material. If a security compromise demands immediate action, the measure should be bounded and followed by a public technical account once disclosure is safe. Routing security should not be turned into bargaining power in a recognition contest.
Resource holders need a continuity bill of rights
The people and organizations served by an RIR are often discussed collectively, but their practical needs vary. A large carrier may have experienced registry staff and redundant contacts. A small provider, university, public network, or remote operator may rely on one account and one person. Emergency design must work for the least institutionally equipped holder, not only those already close to regional governance.
First, existing registrations should remain presumptively valid. A review of the RIR is not a review of every holder. Resources should not be frozen, revoked, reclassified, or made conditional on support for the incumbent or challenger. Any action against a specific registration must rest on the same policy and evidence that would apply outside the crisis.
Second, access should be continuous and neutral. Valid account contacts need a secure path to urgent service. If authentication must be reset, the replacement procedure should use verified resource authority rather than political or membership status. No faction should control the help desk, voter list, or credential recovery in a way that pressures holders.
Third, pending requests deserve preservation and fair sequencing. The interim operator should record when each request arrived, which rule applies, what evidence was submitted, and whether the crisis caused delay. It should avoid favoring well-connected applicants. Where a request cannot safely be decided, the holder should receive a reason and a review route.
Fourth, fees and contracts should not become coercive. Ordinary fees may continue to fund service, but emergency surcharges, new waivers, debt acceleration, or contract amendments should require explicit lawful authority. A holder should not have to sign support for a new institution to retain service. Payments should go to a ring-fenced and auditable account if control of incumbent funds is disputed.
Fifth, privacy and security rights continue. Resource-holder information should be used only for temporary service and legal compliance. It should not be provided to political actors, bidders, governments, or commercial partners outside a valid basis. Holders should be told which entity processes their data, under what authority, in which jurisdiction, and how to raise a concern.
Sixth, reasons and review must remain available. An interim operator can make mistakes, and urgency can amplify them. A rapid independent challenge mechanism should exist for high-impact decisions. It should be capable of ordering correction without deciding the wider recognition dispute.
Finally, resource holders should receive clear notice that service use is not institutional consent. Logging in, paying a fee, submitting a request, or accepting support from the temporary operator must not be counted as endorsement of derecognition or a successor. That protection is central to the whole design. Operators should be free to keep their networks functioning while withholding judgment on who should govern the regional institution.
Courts and registry coordination need a boundary agreement
An RIR is incorporated somewhere. Its staff, contracts, accounts, equipment, and records are subject to law. A court may appoint a receiver, restrain directors, preserve assets, order an election, recognize an administrator, or decide claims affecting control. Global registry coordination cannot treat those orders as background noise. Nor can a local order alone establish technical authority across the Internet Numbers Registry System.
The continuity arrangement should anticipate this dual authority. Before a crisis, the RIR and its peers should identify which actions require domestic legal authority and which belong to global coordination. Access to local premises, employment direction, bank accounts, and corporate records may require a court-recognized actor. Temporary performance of cross-RIR technical services may require acceptance by ICANN, IANA, and the other RIRs. Neither side should pretend its authority automatically supplies the other.
Where possible, the parties should seek a boundary order or agreement. It can authorize preservation and limited service transfer without deciding final ownership or recognition. It can identify the local representative, protect data, preserve assets, permit staff cooperation, and require reporting. The global bodies can then define technical scope, authentication, IANA coordination, and return conditions. This division respects local law while preventing a corporate stalemate from stopping regional service.
Conflicting orders or instructions need a pre-agreed escalation route. The temporary operator should not choose a side secretly. It should pause the disputed action if safe, preserve current state, seek clarification, and publish a non-sensitive explanation. If immediate technical harm is likely, a narrowly necessary protective step can be taken under documented authority, followed by urgent review.
Judicial delay is not automatically registry failure. Courts may move slowly for legitimate reasons, and parties may have appeal rights. Continuity buys the time needed for lawful resolution. Conversely, global reviewers should not use interim service to make judicial proceedings irrelevant by transferring every asset and relationship before the court can act. Temporary operation must remain temporary in substance.
The same restraint applies to a receiver or administrator. Such an officer may be the lawful local controller but should not be presumed to understand number-resource policy or global technical dependencies. The officer can authorize cooperation and protect assets while qualified registry personnel perform bounded functions. A cooperative model is safer than asking either legal or technical authority to impersonate the other.
This boundary is not institutional weakness. It is a realistic account of how an RIR exists. Recognition does not float above law, and a corporation does not own the global hierarchy. Continuity succeeds when both systems can protect their legitimate interests without making operators wait for a jurisdictional victory.
Rehabilitation should be easier because service is safe
The draft governance document creates a presumption in favor of helping a non-compliant RIR cure its problems and describes derecognition as last resort. That principle becomes more credible when continuity is already secure. Reviewers can offer rehabilitation without fearing that every additional week exposes operators. The incumbent can accept assistance without presenting itself as the sole barrier against outage.
A rehabilitation plan should identify which capacities return to the RIR and when. Technical services may be restored after integrity and security tests. High-impact decisions may return after governance authority is clarified. Financial control may return after independent review and safeguarding. Each milestone should have evidence, a date, and an appeal route. Partial success should produce partial return rather than an all-or-nothing judgment.
Staff are essential to this effort. An interim operator should preserve employment and institutional knowledge where lawful, not treat the crisis as an opportunity to replace the workforce. Incumbent employees may know policies, languages, customer histories, and technical dependencies that no external team can reproduce quickly. They should receive clear reporting lines, protection against factional retaliation, and secure ways to report risks.
Members also need a meaningful role. Community consultation should address service impact, rehabilitation tests, and return conditions without turning operational access into a vote on personalities. A verified member process may be required to restore the board, but resource-holder service cannot depend on election participation. The two tracks can proceed in parallel.
The temporary operator should not grade its own success. Independent assessors can verify data integrity, service levels, security, policy consistency, privacy, and the incumbent's restored capability. The affected RIR should be able to challenge test results and rerun failed tests. Public summaries can show progress while protecting sensitive details.
Return must be the default when the trigger ends. The incumbent should not have to prove perfection; it should prove the capacity required by the governing commitments. The temporary operator may be operationally stronger, but comparative excellence is not authority. If the recognized RIR can again provide stable, secure, accurate, and accountable service under lawful governance, convenience cannot justify continued displacement.
By making service separable, continuity lowers the political temperature. Rehabilitation can be judged on facts. Derecognition, if eventually proposed, cannot be defended as the only way to stop immediate service pain. This is exactly why the sequence matters: safe operators create room for fair institutions.
Derecognition needs a completed continuity record
A final derecognition decision should never say that transfer arrangements will be developed afterward. It should include a completed continuity record, tested before the status change becomes effective. The record is evidence that the decision protects the numbering community rather than merely condemns the incumbent.
At minimum, it should identify the interim or successor service entity; legal authority in relevant jurisdictions; functions to be performed; authoritative data snapshot and reconciliation; security assessment; identity and access plan; reverse-DNS plan; routing-security plan; IANA coordination; staffing; languages and service hours; funding; privacy controls; vendor dependencies; communications; complaint and appeal mechanisms; recovery objectives; and a cutover and rollback test.
The record should also distinguish interim operation from successor recognition. An emergency operator may be the best body to preserve services and the wrong body to become the permanent regional registry. It may be a peer RIR whose permanent role would undermine regional autonomy. It may be a technical consortium with no member governance. It may be a short-lived entity created under court authority. Performance during emergency can inform future assessment, but it should not confer an automatic claim.
Resource-holder testing is essential. Selected operators of different sizes, languages, jurisdictions, and service types should verify that they can authenticate, view correct records, submit representative requests, receive notices, and challenge errors. Synthetic testing alone misses real authority problems. Participation must not be presented as endorsement of the status decision.
Cutover should be staged where possible. Read-only services and mirrored public information can be validated first. Low-risk transactions can follow. High-impact authority changes should move only after reconciliation. A rollback path should exist until the new operation is proven stable. If parallel operation creates conflicting authority, the plan should use shadow validation rather than simultaneous issuance.
The decision should price the risk of transition. How many requests may be delayed? Which functions may be temporarily restricted? What failure would trigger rollback? Who compensates for operational error? What uncertainty remains in local litigation? A claim of "smooth transfer" is not analysis. Measured residual risk is.
Only after this record is approved should recognition status take effect. If the continuity test fails, the status decision may still be substantively justified, but implementation must wait or use a narrower emergency measure. Resource holders cannot be asked to absorb a preventable outage to demonstrate institutional resolve. The legitimacy of derecognition depends partly on the competence with which service is preserved.
Renewal and return need stronger oversight than activation
Temporary arrangements tend to persist. The operator builds knowledge, contracts are extended, staff reporting changes, and the emergency becomes normal. Oversight should therefore intensify over time rather than fade after a dramatic activation decision.
The initial term can be short because the factual predicate is urgent and the mandate narrow. Renewal should require a fresh record: which services remain impaired, what the incumbent did to restore them, whether the operator stayed within scope, what incidents occurred, how resource holders were affected, what costs accrued, and what return or transition work remains. A renewal cannot rely only on the original crisis.
Different functions may have different dates. Public information might return quickly while high-impact account recovery remains temporary. Routing-security operations might require additional validation. Financial administration might stay under local supervision. The decision should shrink the mandate whenever possible. A single all-service renewal conceals progress and encourages institutional drift.
The affected community should be heard, but consultation must be designed against coercion and capture. Feedback should accept confidential operational evidence, disclose affiliations where relevant, and avoid treating raw comment counts as authorization. Small resource holders and operators outside the main meeting circuit need accessible channels. Service complaints should be distinguished from views on recognition.
An independent continuity reviewer should issue periodic public findings. The reviewer can examine action logs, security, privacy, fees, impartiality, policy fidelity, complaints, and restoration work. It should have power to require correction and recommend narrowing, return, or replacement of the temporary operator. It should not be controlled by the operator or by an institutional faction.
Return is a decision with its own test, not a favor. Once the incumbent demonstrates lawful authority and adequate capability for a service, that service should revert on a defined date. The temporary operator transfers current state and withdraws access. If reviewers refuse return, they must identify the unmet requirement and evidence. Vague references to trust are limited public evidence.
If derecognition becomes final, the interim period transitions into a separately authorized handoff. The legal basis, duration, and destination change. The temporary operator should not simply continue under emergency authority forever. A clean change in mandate protects everyone: the incumbent can challenge the status decision, the successor can establish legitimate governance, and resource holders can understand who is responsible for what.
Readiness should be auditable across all five regions
Continuity requirements lose legitimacy if they are written for one troubled registry and treated as optional elsewhere. Every RIR should face the same readiness standard, adjusted only for lawful regional differences. The point is not to predict which region will fail. It is to remove single-institution dependency from a globally coordinated system.
An audit should test outcomes rather than collect plans. Can a current authoritative snapshot be restored? Can it be reconciled with IANA and public records? Can selected service functions run in a separated environment? Can resource holders authenticate without incumbent political approval? Can reverse-DNS and routing-security dependencies be protected? Can the standby operator apply the correct regional policy? Can privacy and legal requirements be met? Can authority return cleanly?
The summary result should be public. It can report recovery objectives, exercise scope, material deficiencies, remediation dates, and whether readiness was independently verified. Security-sensitive architecture and personal information remain confidential. Repeated failure should lead first to required remediation and support, not immediate status threat. But an RIR that refuses continuity testing leaves its resource holders exposed and should face a formal operating-compliance finding.
Peer readiness matters too. A plan naming another RIR is worthless if that RIR lacks capacity, legal permission, language support, or isolated infrastructure. Collective exercises should test cross-RIR coordination and IANA authentication. Conflicts and recusals should be simulated. The system should know how to act if one peer is itself impaired or if two crises overlap.
Funding should be permanent enough to avoid emergency appropriation. A shared continuity facility could support escrow, exercises, independent review, and surge capacity while leaving regional operations decentralized. Contributions and governance should prevent the largest institution from controlling activation. Insurance may cover some costs but cannot replace technical readiness.
The audit should also examine incumbent incentives. Continuity can feel like preparation for replacement, encouraging minimal cooperation. The rule should make clear that tested transferability is evidence of responsible governance, not weakness. Strong institutions plan for fire, cyberattack, court interruption, disaster, and leadership loss. The ability to hand off temporarily is part of maintaining trust.
Uniform readiness changes the politics of crisis. No region is singled out; no operator can claim that continuity review is a disguised attack; no peer can demand from another what it has not prepared itself to do. The standard becomes ordinary infrastructure, available when needed and otherwise unobtrusive.
Service first, status second
The central principle can be written as a sequence. Detect and define the service risk. Preserve records and authority. Activate only the functions that cannot be safely restored by the incumbent. Keep regional policy and resource-holder rights intact. Test rehabilitation. Return services when capability returns. Decide recognition only on a separate, complete record. If derecognition is ultimately necessary, implement it through a continuity arrangement that has already proved itself.
This sequence gives IANA a clear role without turning it into a regional operator. It gives peer RIRs a way to provide technical depth without acquiring the institution. It gives courts space to determine lawful corporate authority. It gives reviewers time to distinguish incapacity from conflict. Most importantly, it gives network operators reliable service without demanding political allegiance.
The reform record already points in this direction. The 2024 compliance procedures acknowledge emergency providers and backups. The Version 2 principles require continuity and record sharing. The 2025 draft defines temporary operation, publication, community feedback, return, review, rehabilitation, handoff, and collective readiness. The 2026 status report identifies the remaining problems of initiation, extension, transition detail, and resource-holder protection.
The next step is not another broad promise of smooth transfer. It is a verifiable precondition. Before any final derecognition can take effect, the decision makers should demonstrate that the exact affected services can be maintained under lawful, secure, neutral, funded, and reversible arrangements. If they cannot, they are not ready to change institutional status.
Resource holders did not create the recognition framework, and they should not carry its design risk. Their allocations and operational needs should not become pressure applied to an incumbent, a challenger, a court, or a region. Continuity removes that pressure. It makes emergency service less political, rehabilitation more credible, and derecognition more accountable.
The order is therefore not a technical detail. It is a constitutional safeguard for the numbering system: interim service before derecognition, transferable capacity before institutional judgment, and uninterrupted rights for the operators whose networks make the system matter.
Sources
- ICANN, Implementation and Assessment Procedures for ICP-2 Compliance, ratified 24 December 2024
- NRO, Proposed ICP-2 Version 2 Principles
- NRO, Second Draft of the RIR Governance Document
- NRO NC, RIR Governance Document Version 2 Status Report, Q1 2026
- IANA, Number Resources
- IANA, RIR Allocation Data
- IETF, RFC 7020: The Internet Numbers Registry System
- IETF, RFC 6480: An Infrastructure to Support Secure Internet Routing

