Summary
- A reasonable cap can protect a thin, low-fee registration service from open-ended claims for losses it neither caused nor controlled. The justification weakens as the institution gains exclusive authority over transfer approval, security credentials, suspension, routing intervention or disposition of scarce number resources.
- Current Regional Internet Registry agreements illustrate why contract text alone cannot settle institutional legitimacy. ARIN's August 2025 Registration Services Agreement uses an aggregate cap based on the greater of six months of fees or one hundred US dollars, while the RIPE NCC Standard Service Agreement limits liability to the relevant annual service fee and APNIC's published standard agreement states a broad exclusion to the extent law permits. Those are contractual positions, not universal measurements of fair responsibility.
- The Number Resource Society should classify each duty by control: record publication, evidence custody, transfer coordination, authoritative commit, RDAP referral, reverse DNS, RPKI issuance, emergency suspension, routing action and resource disposition. Different functions require different caps, exclusions and remedies.
- Monetary limits must not restrict correction of an inaccurate record, compliance with a valid stay, restoration of service, preservation of evidence or transfer to a successor provider. Those are performance remedies that protect continuity before damages are calculated.
- Fraud, deliberate misconduct, misuse of confidential evidence, unauthorized disposition, knowing violation of a binding stay and reckless compromise of signing authority should sit outside an ordinary service cap where governing law allows. Duplicate allocation and irreversible security failures require dedicated higher limits even without intentional conduct.
- Shared incidents need shared responsibility without forcing the holder to solve every internal allocation dispute. A claimant should be able to recover from an actor that controlled a decisive failure, while providers retain rights of contribution against one another according to documented responsibility.
- The strongest discipline is ex ante: function-specific insurance, segregated reserves, tested restoration, auditable authority, incident evidence and published aggregate exposure. A cap unsupported by assets or operational recovery is only a number in a contract.
A price term cannot substitute for a theory of responsibility
Liability clauses are often drafted at the end of a service agreement and then treated as if they reveal the nature of the institution. A six-month-fee cap suggests a subscription. A waiver of consequential loss suggests an ordinary vendor. An indemnity from the customer suggests that the customer's conduct creates most of the danger. Those choices may be defensible for some acts, but they do not prove that every act performed under the agreement has the same risk.
Internet number services combine functions that ordinary software contracts frequently separate. An institution can receive evidence about a holder, maintain the authoritative registration, publish RDAP information, approve a transfer, host resource certification, delegate reverse DNS and decide whether a disputed account remains active. A future provider might also offer route-monitoring or emergency intervention. The price paid for basic membership does not measure the value placed at risk by all of those powers.
The central question is not whether a provider charged little. It is whether the provider controlled the decisive step. Could it have prevented the error? Was it the only actor able to authorize the change? Could the holder choose an alternative at the relevant moment? Could the provider reverse the effect without cooperation from anyone else? Did outsiders rely on its signed or authoritative output?
A cap that ignores those questions rewards institutional expansion. The provider can add authority while keeping liability tied to the old, narrow fee. Control grows; responsibility does not. A legitimate Number Resource Society must make the opposite promise: every expansion of exclusive control triggers a visible reassessment of exposure, safeguards and financial capacity.
Caps exist for legitimate reasons
Unlimited liability is not a serious default for a global registry. Network losses can be immense, causation can be contested and one inaccurate public record may be cited after events that also involved operator configuration, upstream filtering, customer security, software defects and independent routing decisions. If every remote loss could be charged to the registration provider without limit, no non-profit or competitive registrar could price the service responsibly.
Caps also protect shared funds. A member-supported institution should not allow one weakly connected claim to consume reserves needed to maintain service for everyone. Predictable exposure supports insurance, continuity planning and entry by smaller providers. It prevents the market from becoming available only to a sovereign guarantor or a technology company with a vast balance sheet.
The argument for a cap is strongest when the service is thin. Suppose a registrar verifies authority under published rules, transmits a signed instruction to a common coordinator, retains evidence and publishes an accurate copy of the accepted state. It does not decide allocation policy, control the common signing authority, operate the network or prevent the holder from changing registrar. Its fee can plausibly anchor an ordinary aggregate limit, subject to meaningful minimums and misconduct carve-outs.
That is not immunity. The registrar still owes the duties it controls: secure authentication, timely transmission, accurate handling, confidentiality, notice and cooperation with review. But it should not insure all consequences of a routing decision made by autonomous networks merely because its name appears in the chain. The objective is bounded responsibility, not symbolic punishment.
Current RIR contracts show the baseline problem
The present agreements differ in wording and jurisdiction, yet each demonstrates how far ordinary contractual allocation can sit from the economic importance of a number record. ARIN's Registration Services Agreement, version 14.0 dated 15 August 2025, states an aggregate limit equal to the greater of the fees paid during the six months before the event or one hundred US dollars. It also excludes broad categories of indirect and consequential loss.
The RIPE NCC Standard Service Agreement states that its liability is limited to a maximum amount equivalent to the member's service fee for the relevant financial year, subject to the agreement and applicable law. APNIC's published Standard Membership Agreement says, to the extent permitted by law, that the company excludes liability arising from the agreement, APNIC documents or delegated resources, and it pairs that exclusion with a member indemnity.
These provisions should be read accurately, not theatrically. They arise under different laws, versions and institutional histories. A clause may be limited by mandatory law. A court may distinguish negligence, deliberate conduct, statutory duties, third-party claims and non-monetary relief. The text alone does not predict every result.
Nor does the comparison prove that any RIR caused a loss or that a particular cap is unenforceable. It reveals a design question. A holder may depend on a registration and related services whose operational importance exceeds the annual fee by many orders of magnitude. If a future institution adds stronger transfer, certification or intervention powers, repeating an inherited fee-based cap would preserve the old allocation of risk while changing the nature of the service.
Contract enforceability is jurisdiction-specific
No global article can declare one liability clause valid or invalid everywhere. Contract law differs on incorporation, interpretation, negligence, deliberate misconduct, public policy, standard terms, bargaining power and mandatory remedies. The status of a member, business customer, consumer, beneficiary or third party also changes the analysis.
The United Kingdom's Unfair Contract Terms Act 1977 illustrates the point without supplying a worldwide answer. It prevents exclusion of liability for death or personal injury resulting from negligence and subjects certain other negligence restrictions and standard-term limitations to a reasonableness requirement. The statutory test considers the circumstances known or contemplated when the contract was made. Other jurisdictions use different doctrines and statutory boundaries.
The Number Resource Society should not rely on the most provider-friendly possible interpretation in one chosen forum. It should publish a substantive responsibility standard that can travel across providers while acknowledging local law. The standard would state which failures are capped, which have higher dedicated limits, which remain outside the ordinary cap and which corrective obligations are not monetary claims at all.
This approach improves certainty. A provider knows the minimum risk allocation required for qualification. A holder can compare offers without parsing radically different exclusions. An independent reviewer can identify whether a dispute concerns causation, amount, a carve-out or immediate restoration. Local law still governs enforceability, but the institution does not use legal fragmentation to conceal its intended allocation.
The control test begins with five questions
Every function should be examined through five practical questions. First, who had exclusive authority to make the relevant change? A registrar that merely submits a request differs from the coordinator that can accept it as current state. A monitoring company that reports an anomaly differs from an institution that can revoke a credential.
Second, who possessed the decisive evidence? If one provider held identity records, authorization history or signing logs unavailable to the holder and other providers, it controlled the ability to establish what happened. Evidence custody creates responsibility even where another actor made the final decision.
Third, who could stop or reverse the effect? A provider that can place an immediate hold, restore a prior record or issue replacement credentials carries more control than one that can only send a support request. Failure to use an available reversal mechanism should not be treated like inability.
Fourth, how replaceable was the actor at the time of harm? A customer may have nominal provider choice yet lack an executable way to leave during a dispute. Exclusive control plus hard exit supports a higher limit.
Fifth, whose output did third parties reasonably rely on? RDAP users, counterparties and route-security systems may act on records or cryptographic statements. An authoritative assertion has a larger reliance surface than an advisory report. Together, these questions produce a functional map. Corporate form, non-profit status and low fees remain relevant, but they cannot erase actual control.
Registration service belongs at the lower end of the ladder
The lowest responsibility band covers accurate receipt, preservation and publication of registration facts under common rules. A provider checks that required fields and evidence are complete, protects confidential material, submits permitted changes, maintains history and answers holder requests. It does not decide who owns the common authority or change routing.
A reasonable cap is appropriate here because exposure must remain insurable and entry must remain possible. But a cap of almost no economic value would undermine care. NRS should require a floor expressed as the greater of a multiple of annual fees, a fixed per-incident amount and an aggregate amount tied to the provider's number of customers or managed resources. The exact figures should be reviewed with insurance evidence rather than invented as political theatre.
The provider should remain fully responsible for refunding charges for undelivered service, correcting its own record, exporting holder material and cooperating with a transfer. A fee refund alone is not an adequate answer to an inaccurate record. Monetary compensation and performance are separate.
The provider can defend itself by showing that it accurately transmitted an authorized instruction, followed required controls and had no authority over the later network event. This is where a control-sensitive model protects good registrars. It does not make every entity jointly liable merely because all touched the same resource. It asks which duty failed and which actor owned that duty.
Evidence custody raises responsibility before authority does
A registrar may claim that it did not make the final decision, yet still hold the only evidence needed to challenge that decision. Identity documents, corporate authority, transfer consent, security alerts, timestamps and communications can determine whether an act was authorized. Losing or withholding that material can turn a reversible dispute into an irreversible result.
Evidence custody therefore sits above mere publication. A provider that chooses exclusive storage must maintain integrity, access control, retention, export and legal holds. If it delegates storage, it remains answerable for selecting and supervising the custodian unless the holder knowingly contracted with the custodian as an independent service.
Liability should reflect the sensitivity and irreplaceability of the material. Ordinary clerical delay may remain within the base cap. Destruction after notice of dispute, reckless exposure of confidential evidence or refusal to provide a required record for timely review should trigger a higher band or carve-out. The distinction depends on conduct and effect, not on whether the file was called support data.
NRS should minimize collection because liability is not a substitute for restraint. A registrar should not gather commercial plans, personal documents or network detail merely to make its file look comprehensive. Collect what an identified duty requires, state the retention period and permit verified correction. The narrower the evidence holding, the easier it is to secure and transfer. Responsibility then tracks custody that is necessary rather than surveillance created by institutional appetite.
Transfer coordination needs a transaction-specific limit
A transfer changes the service provider or recognized holder relationship around a scarce resource. It can be delayed, stolen, duplicated or wrongly rejected. The coordinator may authenticate instructions, apply a dispute hold, sequence approvals and publish the final result. These are not ordinary support acts.
The ICANN Transfer Policy offers a useful comparator for provider changes in the domain market. The gaining registrar obtains authority, the registry verifies transfer information, the losing registrar has defined duties and limited denial grounds, and the shared registry changes the sponsoring registrar. The analogy is not exact, but it demonstrates that responsibility can be divided by act rather than assigned entirely to one provider.
For number resources, the gaining registrar should bear authentication and accurate submission risk. The losing registrar should bear duties around credential release, notice, evidence preservation and bounded objections. The common coordinator should bear sequencing, uniqueness, final-state accuracy and enforcement of a valid hold. If it accepts two current providers or commits a transfer despite a binding stay, its control is decisive and its limit should be materially higher than a retail registrar's.
A transaction limit should also survive low fees. A provider cannot sell transfer coordination cheaply and then use the price to define the maximum value of a resource it can misdirect. Pricing may contribute to the cap, but authority, scarcity and reversibility must carry greater weight.
Duplicate allocation is a constitutional failure, not a clerical error
RFC 7020 describes registration accuracy as a core requirement and states that uniqueness means IP addresses and AS numbers are not allocated to more than one party at the same time. That requirement gives the common coordination function its strongest justification. It also makes duplicate allocation a special liability category.
A typographical error in a public contact may be corrected with limited direct loss. Two recognized current holders for the same prefix can contaminate transfers, contracts, RDAP responses, reverse DNS and resource certification. Even if routing does not automatically follow the record, the conflict can create uncertainty across many relying parties.
The actor that controls the final uniqueness check should therefore carry a dedicated, higher limit for duplicate acceptance. It should maintain sufficient reserves and insurance for urgent investigation, notice, restoration, professional advice and directly demonstrated losses. Repeated failure should threaten qualification, not merely consume a predictable service credit.
The rule must distinguish an actual double allocation from conflicting private claims or unauthorized route announcements. Two companies may litigate control while the common record shows one current status and a dispute marker. Two autonomous systems may announce overlapping routes without any registry having allocated the prefix twice. Responsibility follows the failure that occurred. Precision protects the institution from being blamed for all conflict while ensuring that its unique duty is taken seriously.
RDAP authority creates a reliance surface
RDAP does not allocate a resource or direct packets, but it helps users locate and retrieve authoritative registration information. RFC 9224 explains how IANA-maintained bootstrap registries point clients toward authoritative services for IP space and AS numbers. For addresses, clients use longest-match logic; AS number entries map ranges to service locations.
This design separates referral from the underlying registration. An error at the bootstrap layer can send users to the wrong service. An error at the registrar can return inaccurate holder or status information. A stale cache at a client creates yet another cause. Liability should not collapse them.
NRS should define direct RDAP duties: correct authoritative scope, authenticated transport, timely updates, availability targets, clear status, preserved history and rapid correction of proven errors. The ordinary cap may cover short service interruption. A higher limit should apply where the provider knowingly serves a false authoritative scope, ignores a verified corruption or causes a persistent referral conflict.
Public reliance also supports non-monetary relief. A holder or affected network should be able to demand urgent correction or a visible dispute notice without first proving final damages. The institution should preserve the previous response and publish the time of correction. A cap cannot purchase the right to leave an authoritative error online.
RPKI moves the institution closer to routing consequence
Registration and routing are distinct. RFC 7020 states that whether addresses are announced and how they are advertised are operational considerations outside the Internet Numbers Registry System. That boundary protects registries from claims that every route leak is their act. RPKI, however, creates a closer link between resource authority and routing decisions.
RFC 6480 describes resource certificates, signed entities and repositories used to validate whether an autonomous system is authorized to originate a route to a prefix. A Route Origin Authorization expresses the holder's authorization for an origin AS. Network operators still choose validation policy and make routing decisions, but the certification hierarchy can affect whether a route is treated as valid, invalid or unknown.
An institution that hosts delegated RPKI without controlling the holder's key has less direct authority than a hosted service that can issue and revoke on the holder's behalf. A provider that merely republishes signed material differs again from a trust-anchor operator. Liability must follow these distinctions.
Hosted signing, key recovery, revocation and repository publication require a higher security band. Unauthorized revocation, wrongful certificate withdrawal, loss of signing control or failure to restore a known corruption can have direct operational effects. The provider should not insure every filtering decision made by every network. It should carry substantial responsibility for the cryptographic and publication acts only it could perform.
Direct routing control would change the bargain entirely
A Number Resource Society may be tempted to offer emergency route suppression, coordinated filtering or automated instructions to network partners. Such services could be valuable in a hijack or court-supervised emergency. They would also cross the boundary from recording authority toward changing network behavior.
If the institution can directly cause entities to reject an announcement, withdraw a route or alter a widely consumed routing feed, its ordinary registry cap cannot survive unchanged. The relevant exposure includes interruption to the holder, downstream customers and networks that relied on the instruction. The institution must define who authorizes action, what evidence threshold applies, how duration is limited, how the act is reversed and how affected parties obtain immediate review.
The higher limit should attach even when the feature is marketed as optional. Once counterparties automate reliance, the institution controls a consequential lever. A small fee does not make the lever small.
This does not require unlimited liability for all Internet reachability. Networks retain autonomy, and independent failures may break causation. Contract terms can exclude losses that are too remote or arise from operator decisions outside the institution's control. The essential rule is narrower: an institution cannot exercise route-changing authority while pricing its responsibility as if it only answered a directory query.
Resource disposition requires the highest private responsibility band
The most consequential act is deciding that one holder no longer controls a resource and another may receive it. This can occur through a transfer, merger, insolvency, abandonment, fraud finding, court order or enforcement decision. It is not the same as changing registration provider.
If NRS claims only a thin registration role, it should not possess unilateral disposition authority. A disputed change should require verified holder consent, a competent external order or an independent decision under clearly accepted rules. The institution can record and implement the result without pretending to own the address space.
Where the institution nevertheless controls the decisive commit, it should face the highest cap, rapid interim relief and broad carve-outs. An unauthorized disposition can deprive a network of a scarce operational resource, disrupt contracts and create a competing claim that is costly to unwind. The loss is not fairly measured by a year's membership fee.
The highest band should cover reasonable restoration costs, directly proven interruption, professional expenses needed to recover control and other loss recognized by governing law. Fraud, deliberate conversion of authority, knowing disregard of a stay and collusion should fall outside ordinary limits where lawful. A qualification body should also be able to suspend personnel or providers independently of compensation. Money after the event cannot be the only discipline on power over scarce resources.
Consequential-loss exclusions need a functional boundary
Providers often exclude lost profits, goodwill and indirect, special or consequential damages because remote network effects can be difficult to predict and quantify. Some boundary is necessary. Without it, a minor delay could produce claims based on every contract a holder says it might have won.
The difficulty is that the direct purpose of continuity services is to prevent interruption. If a provider wrongfully revokes hosted RPKI material or commits an unauthorized transfer, loss of service may be the most foreseeable result, not a remote surprise. Calling every operational effect consequential would empty the core duty.
NRS contracts should define recoverable heads by function. For thin registration, direct correction, reauthentication and transfer costs may be central. For a portability service, restoration, duplicate transaction reversal and the agreed continuity guarantee may be direct. For hosted RPKI, emergency certificate restoration and reasonable incident response may be direct. Wider lost opportunity and reputational claims can remain restricted unless deliberate conduct or mandatory law says otherwise.
This drafting is more honest than a universal label. It tells providers what to insure and holders what evidence to retain. It also helps reviewers distinguish an inflated claim from a contract that promised continuity while excluding every consequence of losing it.
Service credits are not enough for high-control functions
Service credits work when harm roughly tracks subscription value. A delayed dashboard or short support interruption can be answered by reducing the fee. The credit is easy to administer and avoids litigation over trivial loss.
A registry error can be different. The annual fee may be hundreds or thousands while the affected network supports hospitals, public services, commercial platforms or regional connectivity. A credit does not restore a transfer, correct a false holder entry or repair a revoked security authorization.
NRS can retain credits for availability misses that do not alter authoritative state. It should not make them the exclusive remedy for wrongful suspension, duplicate allocation, unauthorized transfer, breach of a stay, loss of signing authority or refusal to release portable records. Those incidents require restoration first and compensation under the applicable band second.
The contract should also prevent a provider from labeling every failure an availability event. If the service technically answered requests while returning corrupted authoritative data, uptime was not the relevant duty. Performance measures must follow function: accuracy for records, timeliness for transfers, integrity for signatures, compliance for holds and restoration time for continuity.
Corrective relief must sit outside the monetary cap
A damages limit should not limit the duty to do the right thing. If a provider holds an inaccurate record, it must correct or mark it. If it received a valid transfer before failure, a successor must be able to complete the change. If a reviewer orders a temporary stay, the common coordinator must preserve the status. If credentials were wrongly revoked, the responsible actor must restore them safely.
These duties are forms of performance, not claims to a pot of money. A contract that lets the provider pay a small cap and retain the wrongful state would convert liability into a purchase price for control. That is incompatible with a registration institution whose authority depends on accuracy and continuity.
NRS should expressly place record correction, evidence preservation, export, portability cooperation, compliance with binding decisions and emergency restoration outside the aggregate damages cap. Costs incurred by the provider to perform those duties should not reduce the amount available for a valid monetary claim.
Courts and arbitral bodies differ in the remedies they can grant. The institutional rule can still state the intended priority. Preserve continuity, stop ongoing harm, establish the authoritative state and only then determine compensation. This sequence reduces loss for every party and prevents a cap dispute from delaying technical repair.
Carve-outs should be narrow, serious and visible
An ordinary cap should not disappear whenever a claimant uses an alarming adjective. Overbroad carve-outs destroy predictability and invite every negligence claim to be pleaded as gross negligence. The categories should be tied to identifiable conduct and functions.
The strongest candidates are fraud; deliberate misconduct; knowing misuse of confidential evidence; knowing violation of a binding court or independent-review stay; unauthorized personal use of signing credentials; deliberate duplicate recognition; and collusion in resource diversion. Governing law may already restrict exclusion of some conduct.
Gross negligence or reckless disregard may also justify a carve-out, but the contract should define the relationship to applicable law. A failure to patch one system late is not automatically reckless. Ignoring repeated verified compromise warnings while continuing to sign authoritative entities may be.
Some events deserve a super-cap rather than unlimited exposure. An accidental duplicate allocation, a failed bulk migration or a security-control defect can create correlated harm without intentional conduct. A dedicated limit, supported by insurance and reserves, can provide more realistic recovery than a nominal base cap while preserving institutional solvency.
The schedule should be public and readable. Holders should not discover after an incident that a carve-out exists only in a private provider addendum. Providers may offer higher optional coverage, but qualification must include a common minimum that no retail term can reduce.
Causation protects both accountability and fairness
Control-sensitive liability is not strict responsibility for everything that follows. The claimant must still connect the breached duty to a recognized loss. A false RDAP record may be embarrassing yet unrelated to a routing outage caused by a leaked BGP announcement. A delayed transfer may coincide with equipment failure. A valid ROA may be ignored by networks that do not perform route-origin validation.
The institution should preserve evidence that makes causation testable: request and commit times, authorization results, status changes, credential events, publication history, notices and restoration actions. A claimant should provide network observations, contracts, mitigation steps and other material relevant to loss. Neither side should control the only account.
Where multiple failures combine, responsibility can be divided. A registrar may mishandle authentication, the coordinator may ignore an anomaly and an operator may fail to secure its account. The damages assessment should reflect comparative responsibility where the governing law permits.
The model therefore rejects two extremes. It rejects registry immunity based on the claim that routing is always somebody else's act. It also rejects automatic registry liability whenever a resource appears in a network incident. Function, breach, causal connection, foreseeability and mitigation remain necessary. Moving caps with control makes those inquiries more precise, not less.
Shared services need claimant protection and provider recourse
Number services will involve chains: the holder, retail registrar, identity specialist, common coordinator, RDAP operator, key custodian, cloud host and independent reviewer. A failure may cross several contracts. Requiring the holder to sue each actor in a different country before receiving restoration would make formal responsibility useless.
The European Union's General Data Protection Regulation, Article 82, offers a bounded analogy. It links controller and processor liability to their respective responsibilities, protects effective compensation where several responsible actors are involved, and allows an actor that paid full compensation to seek contribution corresponding to another actor's share. Internet number services are not data-protection claims by analogy, and the article does not automatically govern them. The allocation principle is useful.
NRS should give the holder one claim route for a defined shared incident. An actor that controlled a decisive failure can restore service and meet the valid claim, then use contribution rules against subcontractors or peer providers. Contracts among providers should include compatible evidence, insurance and dispute terms so internal allocation does not delay the holder.
This protection must not turn every provider into a guarantor of every other provider. Qualification rules should identify when joint responsibility applies: common delivery of one indivisible function, shared control of a decisive act or failure to meet an express supervisory duty. Mere interoperability is not enough.
Outsourcing cannot erase the authority that remains
A provider may outsource hosting, identity checks, customer support or key custody. It may do so for expertise and resilience. It should not be able to outsource the activity while retaining customer authority and then claim that no one is responsible.
The European Banking Authority's Guidelines on outsourcing arrangements use criticality to require stronger governance for important outsourced functions and emphasize that the regulated institution's management body remains responsible. Banking rules do not govern NRS by analogy. They demonstrate a mature response to responsibility laundering: critical functions require explicit rights, access, audit, continuity and exit.
An NRS registrar that appoints a vendor should remain responsible to the holder for duties the registrar promised, while retaining recourse against the vendor. If the vendor independently contracts with the holder for a separate optional service, responsibility can be separated clearly. The deciding factor is who selected the vendor, controlled the instruction and presented the service as part of the registrar's obligation.
Subcontracting of signing or authoritative state deserves special scrutiny. The common coordinator must know where keys and replicas reside, how control is divided, how a replacement is activated and whether contract limits match the function. A low vendor cap cannot become the de facto maximum recovery for a high-control institutional failure.
Portability law shows that compensation can follow switching control
The European Electronic Communications Code provides a direct sector comparator. Article 106 protects provider switching and number portability, limits service loss, prohibits delay and abuse, and requires Member States to establish easy and timely compensation rules for failures, delays, abuses and missed appointments.
The lesson is not that IP addresses are telephone numbers or that EU communications law governs a global number registry. It is that a right to switch is incomplete if the parties controlling the switch face no consequence for delay or abuse. The receiving provider, transferring provider and portability administration each control different steps.
NRS should pair portability deadlines with responsibility. A gaining registrar that submits false authority, a losing registrar that withholds a required credential and a coordinator that commits a duplicate state should not share one undifferentiated cap. Each failure should have a defined remedy and limit. The holder should receive automatic minimum compensation for clear delay, without losing the right to prove a larger covered loss.
Automatic amounts can reduce dispute cost. They should be modest enough to administer and significant enough to change behavior. High-consequence incidents remain subject to higher bands and evidence. This combination makes ordinary service failures easy to remedy while preserving serious review for rare events.
Insurance should follow functions, not corporate labels
Qualification should require evidence that promised limits can be paid. A provider with a generous contract and no insurance or reserve may offer less protection than a modestly capped provider with reliable backing. The policy should therefore specify coverage by function.
A thin registrar needs professional indemnity, cyber coverage and resources for correction and transfer cooperation. A transfer coordinator needs coverage for authentication, duplicate commit, wrongful hold and bulk migration. A hosted RPKI provider needs cyber and technology cover that does not exclude the very signing and publication risks it controls. An institution with disposition authority needs a much stronger reserve and coverage arrangement.
Policies should be examined for exclusions, territorial scope, aggregation, subcontractors, key compromise, deliberate acts by personnel and continuity after provider failure. The mere existence of a certificate of insurance is not enough. NRS should receive confidential details and publish a safe summary of coverage bands and renewal status.
Self-insurance can be legitimate for a well-capitalized institution, but the reserve should be segregated and measured against modeled incidents. Member funds needed for ordinary operations should not be counted twice as both continuity reserve and claims capacity. The objective is credible payment without exposing sensitive policy terms.
Aggregate caps must account for correlated incidents
An annual aggregate cap can be exhausted by the first claimant after a shared failure. That creates a race among holders even where one corrupted update affected hundreds of resources. It also allows the provider to treat a correlated incident as many unrelated small events or, conversely, as one event subject to one tiny limit.
NRS should define aggregation by cause and function. Claims arising from one compromised signing key may form one security event, but the dedicated aggregate must reflect the number and scale of affected resources. A provider-wide migration error may require a separate catastrophe layer. Ordinary unrelated clerical mistakes can remain under the annual base aggregate.
The contract should state how claims are prioritized, whether restoration expenses sit outside the pot and how late-discovered claims are handled. Essential public-service operators should not secretly receive all compensation ahead of others, though continuity actions may properly prioritize immediate human impact under published emergency criteria.
Aggregate exposure should be stress-tested. Models should include simultaneous transfer corruption, loss of a key custodian, false RDAP scope, provider insolvency and a court dispute during migration. The result should influence reserves, coverage and provider concentration. If one vendor supports most registrars, nominally separate caps may conceal one correlated dependency.
Claims windows must respect delayed discovery
Registries need finality, and evidence cannot be kept forever. Yet some failures are discovered months later, especially unauthorized changes hidden by a compromised account or historical evidence loss exposed only during a transfer. An extremely short claim window would reward concealment and weaken review.
The ordinary window should run from when the holder knew or reasonably should have known of the event, subject to a longer final limit permitted by law. Fraud and deliberate concealment may require different treatment. Requests for immediate correction should not be rejected merely because a damages notice was late; authoritative accuracy remains a continuing duty.
Providers should send notices to multiple verified roles for consequential changes. A silent record update should not start time against a holder that received no effective notice. The notice should identify the resource, action, time, authority category and challenge route without exposing confidential material.
NRS should also preserve tamper-evident event history long enough to evaluate claims. Retention periods need a reason tied to transfer, security and legal risk. Indefinite storage of personal documents is not necessary. Durable proofs of what changed can outlast more sensitive evidence through cryptographic commitments and independent witness records.
Holders and operators retain duties of care
Responsibility moving with institutional control does not relieve holders of their own duties. An operator controls account administrators, contact accuracy, credential security, route configuration, ROA content, monitoring and timely response to alerts. A holder that ignores repeated compromise notices may contribute to the loss.
Contracts should identify reasonable security duties without making them impossible warranties. Multi-factor authentication, role separation, prompt contact updates, protection of transfer credentials, confirmation of consequential changes and incident cooperation are appropriate. The standard should account for small networks and emergency conditions rather than assuming every holder has a bank-scale security team.
Failure by the holder should reduce recovery only where it is connected to the event. An outdated billing contact should not excuse a coordinator's duplicate allocation. A weak password may matter to account takeover, but not if the provider bypassed required approval through an internal privilege.
Network operators also retain routing autonomy. A registry statement does not force every BGP decision. Operators decide whether and how to use route-origin validation, filters and alerts. Claims should examine those choices while recognizing that an authoritative security error can still be a substantial cause.
Emergency authority needs a short clock and a high duty
Emergencies tempt institutions to combine control. A suspected hijack, compromised key, sanctions order or fraud allegation may lead a provider to freeze transfers, suspend credentials or publish warnings. Delay can magnify harm, yet an incorrect emergency act can interrupt a legitimate network.
NRS should define emergency authority narrowly. The actor must record the legal or technical basis, identify the authorized decision maker, limit duration, notify affected parties where lawful and obtain independent review within a short period. A temporary hold is not a final disposition.
Liability should distinguish a good-faith, evidence-based temporary act from careless or strategic abuse. Ordinary urgent action under the standard can receive a protected cap because decision makers must be able to act. Continuing the restriction after evidence collapses, ignoring mandatory review or using emergency power for commercial leverage should trigger a higher band or carve-out.
The strongest remedy during the incident is rapid review. A damages claim years later cannot restore a network during an unjustified suspension. The institution should maintain an always-available reviewer capable of preserving state, ordering limited restoration and protecting confidential evidence.
Court orders do not remove the need for accurate execution
Registries will receive orders from courts and lawful authorities. The institution is not liable merely because compliance affects a holder when the order is valid and binding. It still controls interpretation, scope, timing and technical execution.
The provider should verify authenticity and jurisdiction with qualified advice, implement no more than the order requires, preserve evidence and seek clarification where the target is ambiguous. A direction concerning one organization should not silently affect unrelated resources. If notice is prohibited, the restriction and its expiry should be tracked.
An agreement may protect good-faith compliance, but it should not excuse execution against the wrong resource, action after an order expired or knowing disregard of a stay. Those failures arise from institutional control, not judicial command.
Cross-border conflicts require a published route to independent review. NRS cannot promise that every jurisdiction will agree. It can promise that one provider will not privately convert the broadest possible interpretation into permanent global effect without scrutiny. Liability and corrective relief then attach to the provider's execution duty rather than to the court's authority.
A control matrix makes the bargain inspectable
Each qualified provider should publish a control matrix with one row for every function. The row should identify the actor that authorizes the act, the actor that executes it, who can reverse it, the expected effect, dependencies, base cap, higher limit, carve-outs, restoration duty, insurance and review route.
For registration publication, the registrar may authorize and execute correction under a moderate cap. For provider portability, the gaining registrar authenticates, the common coordinator commits and both have separate limits. For hosted RPKI, the holder authorizes while the signing provider executes, and the trust-anchor operator may control revocation. For resource disposition, an external decision may authorize while the coordinator executes under the highest band.
The matrix prevents ambiguous bundling. A provider cannot describe itself as a mere intermediary when seeking to avoid responsibility and as the authoritative guardian when seeking deference. Its role is stated before the incident.
Changes to the matrix should require notice and independent review. Adding an automated route-control feature, centralizing key custody or taking final transfer authority would trigger new coverage and reserve requirements before launch. Responsibility moves when control moves, not after the first claimant proves the institution had quietly changed.
Scenario one: an ordinary registrar error
Consider a registrar that transposes a non-public contact field while onboarding a holder. The common authoritative state remains correct, no transfer occurs, RDAP public output is unaffected and the registrar corrects the field within hours after notice. The holder proves staff time but no interrupted service.
This belongs under the base service cap. The registrar should correct the error, document it, improve validation and reimburse any agreed direct amount. Unlimited exposure would not improve the result. The institution neither changed resource control nor caused routing impact.
Now change one fact. The same registrar uses the wrong organization identifier when submitting a transfer, despite receiving contradictory evidence. The common coordinator catches the mismatch and rejects the request. The holder suffers a short delay. Authentication and submission were the registrar's duties, so the transfer band and automatic delay remedy apply. The coordinator is not liable for refusing an inconsistent instruction.
The scenario shows why incident labels are limited public evidence. Both began as data errors. Their responsibility differs because the second touched a consequential transaction. Function and control, not vocabulary, set the band.
Scenario two: a common coordinator accepts incompatible states
A holder changes registration provider. The gaining registrar authenticates the authorized officers, and the losing registrar sends a bounded objection that expires after review. The common coordinator commits the new provider but fails to retire the former provider's authority token. Both can submit changes, and conflicting RDAP and RPKI actions follow.
This is not two ordinary registrar mistakes. The coordinator controlled serialization and token retirement. The duplicate authority is a constitutional failure of the common layer. A dedicated higher limit applies, along with immediate freeze, restoration to the last uncontested state, notices to relying parties, preservation of every event and independent review.
The gaining registrar remains responsible if it exploits the duplicate token after detecting it. The losing registrar remains responsible if it submits unauthorized changes. Contribution can divide the monetary result, but the coordinator cannot reduce its responsibility to a low service fee because only it could ensure one current authority.
The holder should not need to wait for three companies to decide which contract responds. The common claims route restores state and pays the valid amount. Internal recourse follows the evidence.
Scenario three: hosted RPKI revocation
A provider operates hosted RPKI for an operator. A security alert falsely marks the holder account as compromised. An automated rule revokes resource certificates without the required second approval, and route-origin authorizations become unusable. Some networks reject the operator's announcements while others continue carrying them.
The provider did not command every routing decision, so it is not automatically responsible for all traffic loss. It did control the revocation, automation rule and restoration. The higher security band applies. Direct restoration, incident support and covered operational loss are available. The provider may contest remote or speculative claims and show which networks did not rely on validation.
If the provider had required two-person approval and the holder's own authorized officers confirmed the revocation using compromised credentials that the holder failed to protect, responsibility could be shared. If an employee deliberately revoked the certificates to pressure the holder in a fee dispute, the ordinary cap should not protect the act.
The same feature therefore supports several outcomes. A control matrix, event evidence and clear conduct carve-outs allow a reviewer to distinguish them without pretending that RPKI either controls all routing or has no routing consequence.
Scenario four: an order targets the wrong prefix
A court order identifies a company and a disputed resource. The institution's legal team validates the order, but an operator selects an adjacent prefix during execution. The error is visible in the event record. The institution then delays restoration because its contract excludes losses arising from legal compliance.
The exclusion should not apply. The court did not order action against the adjacent prefix. The institution controlled the mapping and execution. Immediate restoration sits outside the cap, and the high-control band applies to covered loss. If staff knew of the mismatch and continued, a carve-out may apply.
This result does not challenge judicial authority. It protects accurate implementation. A provider should be able to comply with lawful orders without becoming insurer of the dispute, but it must remain responsible for the technical acts it alone performs.
The scenario also demonstrates why reasoning and event history matter. A vague record saying only that legal action occurred would obscure whether the order or the implementation caused harm. Precise authority, scope and execution evidence protect the court, institution and holder.
Governance should review caps before incidents, not after them
NRS should establish an independent responsibility committee with actuarial, network, security, insurance, contract and operator expertise. It should review function bands annually and after material changes. Providers should not control the body that judges whether their own new authority deserves a higher cap.
The committee should examine claims experience without exposing private parties, near misses, coverage exclusions, restoration tests, concentration and changes in the economic value of managed resources. It should publish reasons for altering minimum limits. Member vote alone is not enough where smaller holders and third-party users bear consequences.
Stress tests should include provider insolvency and institutional failure. A high limit is meaningless if the provider disappears. Escrowed evidence, portable credentials, successor arrangements and segregated reserves reduce both harm and claims. Liability design and continuity design reinforce each other.
The committee should also guard against overcorrection. Excessive limits can eliminate small registrars, increase concentration and make the common coordinator the only viable provider. The objective is not maximum nominal exposure. It is the lowest limit consistent with the authority, consequence, insurance market and credible recovery for each function.
Liability does not prove ownership
An institution may argue that carrying liability implies ownership or sovereign control over number resources. It does not. Responsibility follows the acts the institution performs, not a claim that it owns the prefix or ASN.
A port authority can be responsible for negligent handling without owning cargo. A securities intermediary can be responsible for settlement errors without owning the investor's asset. A registrar can be responsible for an unauthorized change without becoming the holder. Number-resource institutions should embrace the same distinction.
The holder remains the recognized party under the applicable allocation and transfer framework. Networks retain routing autonomy. IANA retains its top-level numbering role as defined by applicable arrangements. NRS and registrars provide bounded services. When they make consequential mistakes within those services, liability marks accountability for conduct, not title to the underlying resource.
This distinction is important politically. An institution should not use stewardship language to demand deference while using vendor language to avoid responsibility. It can be a narrow service provider and still owe strong duties for its exclusive acts. It can carry significant liability without claiming political sovereignty.
The contract should contain a responsibility schedule
The operative terms should attach a schedule rather than bury all events in one paragraph. The schedule should define at least six bands: ordinary registration; sensitive evidence custody; provider transfer; authoritative coordination and uniqueness; hosted security authority; and resource disposition or direct routing intervention.
Each band should state a per-incident minimum, annual aggregate, catastrophe aggregate, excluded loss, direct-loss definition, automatic remedy, restoration obligation, carve-outs, claim window, evidence duties and insurance requirement. It should name the responsible entity when multiple NRS affiliates or vendors are involved.
The schedule should state that the highest applicable band governs a mixed incident. A provider cannot split one high-control act into several low-control subtasks. At the same time, unrelated losses should not be pulled into a higher band merely because the provider offers that function elsewhere.
Terms should be symmetrical only where control is symmetrical. The holder may indemnify a registrar for false information or unlawful instructions it supplies. The registrar should not receive an indemnity for its own unauthorized transfer or security failure. Mutual wording can look fair while masking radically different control.
The future NRS promise is narrow responsibility with no responsibility gaps
The Number Resource Society should begin with a modest role: verifiable registration, portable service, continuity and one globally coherent view of current control. That narrow mission supports bounded liability. It does not support an empty cap.
As NRS adds functions, the responsibility schedule must change. Evidence custody creates confidentiality and preservation duties. Transfer coordination creates authentication and timing duties. Common state creates a uniqueness duty. Hosted RPKI creates signing and publication duties. Emergency route action creates interruption risk. Resource disposition creates the highest duty because the institution can alter who is recognized as controlling a scarce resource.
The principle can be stated simply: no actor should bear losses it could not prevent, and no actor should escape losses arising from a lever only it controlled. Fees, insurance and non-profit status inform the amount. They do not define the function.
This model protects registrars from impossible claims while protecting holders from institutional impunity. It encourages role separation because authority carries cost. It makes outsourcing transparent because retained control retains responsibility. It favors restoration over litigation and evidence over accusation. Most importantly, it prevents a future NRS from inheriting broad power and a thin-service cap as if the two naturally belonged together.
Evidence and analytical limits
This analysis uses official RIR agreements to show current contractual approaches, not to adjudicate a dispute or assert that a particular provision is invalid. Contract versions change, governing law matters and mandatory rights may alter the effect of exclusions. The ARIN, RIPE NCC and APNIC texts should be read with their complete terms and any later amendments.
RFC 7020 supplies the technical distinction between registration accuracy, uniqueness and routing operations. RFC 6480 supplies the architecture of resource certification and route-origin authorization. RFC 9224 explains authoritative RDAP discovery. None of those documents creates a civil damages code for NRS.
The GDPR, EBA outsourcing guidance, ICANN domain-transfer rules, UK Unfair Contract Terms Act and European communications rules are comparators. Their direct legal application depends on subject matter, jurisdiction and parties. The proposed responsibility ladder is an institutional design derived from common questions of control, criticality, switching and effective remedy; it is not a statement that number registries are banks, telecommunications providers, domain registrars or data controllers in every case.
The article does not assign monetary amounts because credible limits require claims data, insurance quotations, provider concentration, resource scale and jurisdictional review. It specifies how amounts should move. Any future NRS schedule should be independently reviewed and tested before providers or holders rely on it.
Sources
- RFC 7020, The Internet Numbers Registry System - global uniqueness, registration accuracy, registry structure and the boundary between registration and routing operations.
- RFC 6480, An Infrastructure to Support Secure Internet Routing - resource certificates, Route Origin Authorizations, repositories and the relationship between allocation authority and route-origin validation.
- RFC 9224, Finding the Authoritative RDAP Service - IANA bootstrap registries and authoritative RDAP referral for IP address space and AS numbers.
- ARIN Registration Services Agreement, version 14.0 - current contractual services, exclusions, aggregate liability limit, suspension, termination and dispute terms as dated 15 August 2025.
- RIPE NCC Standard Service Agreement - member obligations, services, termination and fee-linked limitation language.
- APNIC Standard Membership Agreement - published membership duties, liability exclusion, member indemnity and governing-law terms.
- ICANN Transfer Policy - allocation of transfer duties among the holder, gaining registrar, registrar of record and registry operator.
- European Electronic Communications Code, Article 106 - switching continuity, number portability, consent, anti-abuse duties and compensation requirements.
- General Data Protection Regulation, Article 82 - responsibility-based compensation and recourse among multiple responsible actors in its own statutory field.
- European Banking Authority, Guidelines on outsourcing arrangements - criticality, retained management responsibility, access, audit, continuity and exit expectations for outsourced functions in regulated finance.
- Unfair Contract Terms Act 1977 - United Kingdom statutory controls on specified exclusions and restrictions, including the reasonableness requirement in its defined scope.
- ICANN, Service Level Agreement for the IANA Numbering Services - performance expectations, escalation, dispute resolution, renewal and successor-operator continuity for the IANA numbering role.

