Summary

  • ICP-2 addressed migration only when a new RIR was recognized for a region. Its one-region, one-RIR model protected coordination, but it gave an individual resource holder no practical route to retain number-resource continuity while changing the institution providing registration service.
  • The 2024 compliance procedures and the current RIR Governance Document draft improve institution-level failure handling. They contemplate emergency providers, successor RIRs and service handoff, yet activation depends on findings and collective decisions about the impaired RIR. A network's customers can face uncertainty long before that process finishes.
  • Number Resource Society provides a positive alternative direction. NRS can verify operator authority, maintain a portable continuity dossier, preserve decision and dispute history, certify migration readiness, coordinate qualified receiving service and measure cutover results without claiming that a second conflicting allocation has been created.
  • The safe model preserves global uniqueness, lawful restrictions, IANA coordination, authoritative technical dependencies and one effective registry state. Exit changes the service relationship; it does not erase a claim, manufacture title, bypass a court or authorize duplicate routing.
  • NRS should begin with functions it can prove now and earn wider reliance in stages. The governing test is practical: when a registry weakens, can the operator keep accurate records, reverse-DNS administration, routing-security state and customer service moving without waiting for the institution to be derecognized?

The operator experiences failure before the institution admits it

An institution rarely fails on one clean date. Service weakens by degree. A request remains unanswered. A transfer cannot be completed because authority is disputed. A board lacks quorum, but staff keep ordinary systems running. A court appoints temporary authority while litigation continues. A security control becomes fragile, yet the public directory still resolves. Each fact may be serious without proving that the institution is beyond repair.

For an operator, the relevant clock is different. Customers need addresses to remain usable, registration records to remain intelligible, reverse DNS to be administered, routing-security authorizations to remain aligned and commercial commitments to be met. The operator cannot tell a hosting customer that continuity will resume after the global governance community reaches a final view on institutional recognition. The customer bought service, not a constitutional seminar.

This timing mismatch is the central defect in the inherited design. Institution-level intervention properly requires evidence, notice, coordination and restraint. It should be difficult to replace a Regional Internet Registry on allegation alone. Customer-level continuity cannot be made equally slow. If the only exit opens after the institution is formally judged unable to recover, the supposed remedy arrives after resource holders have absorbed the uncertainty it was meant to prevent.

The answer is not a reckless right to publish competing registry states. Global uniqueness and consistent authority remain essential. The answer is to separate the continuity of a holder's verified position from the political fate of the incumbent institution. Records, authority evidence, pending restrictions and technical dependencies can be prepared for migration before a final decision about the RIR. A qualified provider can be ready before the emergency. A cutover can be narrow, reversible where safe and independently logged.

Number Resource Society is valuable because it starts from this operator boundary. Its public materials emphasize accurate registration, business continuity, accountability, portability and limits on concentrated administrative power. Those propositions become institutionally important when translated into a service: an operator should be able to prove its current state and carry that state to qualified continuity administration without first winning a campaign to abolish its regional registry.

ICP-2 designed regional succession, not customer exit

The 2001 ICP-2 criteria contain a migration concept, but it runs in one direction. A candidate RIR had to show broad support from local registries and internet service providers in the proposed region. Existing RIRs were expected to propose migration of service agreements to the new RIR, and eventually the entire region would be served by the new institution.

This made sense during regionalization. Africa and Latin America were moving from service by established registries toward their own regional bodies. The transition had to avoid duplicate authority, confused customers and fragmented address administration. A recognized candidate would receive a defined service region, and the incumbent relationship would move with the region.

ICP-2 also warned against multiple RIRs within one region. One institution under unified management was preferred because overlapping registries could fragment address space, complicate coordination and confuse the community. This concern was operational, not merely territorial. Two bodies publishing inconsistent answers about the same resource would undermine the accuracy the registry system exists to preserve.

Yet regional succession is not provider portability. The operator did not choose between qualified registration providers. Its service relationship moved because a new monopoly-like regional institution was recognized. The migration event changed the map for everyone in scope rather than offering an exit to a particular holder whose incumbent had become unreliable.

Once the five-RIR structure settled, ICP-2 provided no ordinary destination for an individual network seeking to leave its RIR relationship while keeping its registration position continuous. A holder could transfer resources where policy allowed, change corporate structure, use a sponsoring intermediary in some systems or surrender resources. None of those actions is the simple proposition at issue: the same verified holder and number-resource state, administered through another qualified service relationship.

The omission matters because institutional replacement is a poor substitute for customer choice. It asks a global system to decide that an RIR has failed before one operator can reduce its exposure. It also makes every regional dispute existential. If members cannot leave while preserving continuity, they must either win inside the institution, tolerate the risk or seek the institution's replacement.

Current compliance procedures still wait for material institutional danger

The Implementation and Assessment Procedures for ICP-2 Compliance, ratified in December 2024, improve the failure path but retain its institutional sequence. Review begins when possible non-compliance is material enough to affect stable and secure operation. The other RIRs can unanimously request review, or ICANN can act on its own when it reasonably believes secure operation of unique identifiers is at risk.

The process can result in a restoration plan. If ICANN finds no realistic path to restore operations quickly enough, it commits to work with the other RIRs toward an emergency provider. The procedures encourage emergency backups or escrow of core registration data and allow coordination toward a successor RIR.

These are important safeguards. They acknowledge that service may need to outlive the institution providing it. They also avoid an immediate leap from concern to replacement. The subject RIR can provide evidence and correct material factual errors, and restoration is preferred where realistic.

For an operator, however, the activation threshold remains late. The process is designed for a condition significant enough to threaten the identifier system. A resource holder may face commercial and technical uncertainty before the systemic threshold is met. Its service request can be trapped in disputed authority while most registry functions continue. Its customers may need a migration assurance while ICANN properly remains unwilling to declare an emergency.

The procedure also places the receiving arrangement after the finding. Only when restoration appears unavailable does emergency-provider selection become central. That sequence leaves little time to reconcile records, train a receiving team, test credentials, protect confidential data and map linked technical services. Preparation may be encouraged, but the operator has no portable service right it can exercise on its own timetable.

There is an unavoidable reason for institutional caution: a rival provider cannot simply declare the incumbent deficient and take the account. But caution about authority does not require inactivity about readiness. Verified state, operator mandate, dispute history and technical dependencies can be assembled in advance. NRS can make continuity prepared even where formal authority to complete the cutover still depends on recognized coordination.

The reform draft protects regions after failure, not holders before it

The August 2025 RIR Governance Document Version 2 goes further than the 2024 procedures. It defines RIR services broadly enough to include allocation, registration, directory and related technical services. It requires continuity and redundancy, periodic audit, dispute resolution and readiness to share sufficient information and systems with an emergency operator.

Its emergency-continuity article permits a temporary operator when an RIR cannot adequately provide all or part of its services. Its derecognition article requires handoff to a successor or interim body. The RIRs and ICANN must collectively be ready to facilitate transfer within a reasonable time. This is the right institutional direction.

Still, the trigger and decision remain collective. The published Version 2 text requires unanimous agreement of all other RIRs and ICANN to initiate emergency continuity, after discussion with the affected RIR and community where reasonably possible. Derecognition also follows a proposal and decision process involving incumbent RIRs and ICANN. Individual resource holders do not receive a direct portability election.

The Q1 2026 status report identifies the resulting pressure. It records concern that unanimity may be too high during an urgent emergency. It says transition provisions need more detail to protect resource-holder rights and maintain affected-community involvement. Those points remained under drafting.

This is the gap NRS can fill positively. The draft asks how institutions authorize emergency service. NRS asks what the operator must possess so that any authorized continuity path works. The draft protects a region through collective replacement. NRS can protect a resource holder through prepared portability. The two mechanisms can reinforce each other rather than compete.

A portable operator dossier reduces the burden on an emergency operator. Pre-verified authority reduces fraud risk during a rushed handoff. Preserved restrictions prevent exit from washing away contested claims. Standard technical-state manifests make cutover observable. If institution-level emergency authority is eventually activated, NRS-prepared members can move in controlled waves instead of presenting the successor with an undifferentiated regional database and thousands of urgent identity questions.

Exit has to be defined more carefully than departure

An exit right in number administration cannot mean the unilateral ability to announce a new truth. IP addresses and Autonomous System Numbers depend on coordinated uniqueness. Registration, routing, reverse DNS and routing-security services have related but distinct sources of authority. Moving one relationship without reconciling the others can create a nominal exit and an operational failure.

The relevant right is provider portability. A verified resource holder preserves its recognized resource relationship, administrative history and technical continuity while changing the qualified institution responsible for defined registration services. This is different from transferring the number resources to another holder. It is different from leasing address use to a customer. It is different from announcing routes through a new network. It is also different from moving the incorporation of the holder.

The port must preserve one effective state. During preparation, several parties may hold copies and compare them. At cutover, there must be a defined moment after which the receiving service is authoritative for the transferred functions and the former provider ceases making those changes. If recognized global systems have not yet accepted the receiving authority, NRS must describe its service as supplemental readiness rather than pretend a completed authoritative port.

Exit must also carry burdens. A pending court order, validated fraud concern, payment claim tied to a specific service or dispute about holder authority does not disappear because the account moves. The record should state the restriction, its source, scope, review route and expiry. A claim-specific hold can prevent the disputed action while unrelated continuity proceeds where lawful.

The right is therefore continuity with history, not escape from history. The operator can leave institutional dependence without destroying evidence. The incumbent can pursue a valid claim without holding every customer-facing service hostage. The receiving provider accepts duties, not merely revenue.

This precise definition makes NRS constructive. It is not an anti-registry declaration. It is a proposal to make accurate administration replaceable while preserving the coordination values registries were created to serve.

NRS can make the continuity dossier a practical operator asset

The first NRS service should be a portable continuity dossier maintained before any crisis. It would combine evidence that operators already struggle to assemble across corporate, registry and network systems. The dossier must be controlled by the operator, independently verified and exportable in a documented format.

The identity layer would record the legal holder, authorized representatives, corporate succession, beneficial-control evidence where appropriate and the people entitled to request sensitive changes. Verification would have dates, methods, assurance levels and expiry. A signature would prove who approved a request; it would not by itself prove that the underlying resource claim was valid.

The resource layer would list the relevant prefixes and ASNs, the recognized source of each registration, allocation or transfer history, current public record, account relationship and unresolved inconsistency. NRS should preserve source copies and checks rather than silently normalize conflicts. A discrepancy is a governance fact, not untidy data to delete.

The dependency layer would identify which customer services rely on each resource, which routes are ordinarily announced, which reverse-DNS zones require administration, what routing-security state exists, which abuse and geolocation contacts are active, and which vendors or upstreams need notice during migration. This turns a registry account into a continuity view without claiming that NRS controls routing.

The restriction layer would preserve disputes, locks, court measures, sanctions checks, contractual claims and pending transfer requests with their exact scope. Broad labels such as frozen are inadequate. The dossier should distinguish a bar on holder transfer from a bar on contact correction, a restriction on disposition from an obligation to preserve records, and a contested claim from a final order.

Finally, the dossier would contain a receiving-service plan: preferred and secondary providers, required credentials, target recovery times, data-protection conditions, notice contacts and a rehearsed sequence for each technical dependency. The operator would update it after material changes and NRS would issue a verifiable receipt for each version. Portability begins as preparedness before it becomes an exercised right.

Verification is where NRS earns reliance

NRS's public Charter emphasizes accurate registration, voluntary recognition, operator freedom, transparency and accountability. Those principles are attractive because they place administrative service below the networks it serves rather than above them. Their institutional value will depend on verification.

NRS can earn reliance through a layered assurance model. Basic enrollment verifies the operator and its asserted registry relationship. Enhanced verification checks references, corporate authority and technical dependencies. Continuity-ready status requires an exportable dossier, two qualified contacts, protected authentication, a receiving plan and a completed tabletop exercise. Portability-ready status requires a supervised shadow reconstruction by a qualified receiving team.

The status should never be permanent. Corporate representatives change, addresses transfer, routing arrangements evolve and disputes arise. Each claim needs a refresh rule. High-risk authority evidence may expire sooner than general contact information. Material changes should invalidate only the affected assurance layer, not erase the whole record.

Independent witnesses can reduce self-certification. The incumbent registry, where cooperative, can attest to current state. Network providers can attest to routing relationships. Auditors or counsel can verify corporate authority under bounded terms. Public records can support legal identity. No single witness should be able to manufacture a complete port.

NRS must publish the verification method, conflict rules, correction process and statistics on errors found. It should separate a verified fact from an operator assertion and an external claim. Every receiving provider must be able to inspect the provenance needed for its decision without gaining unrestricted access to confidential customer data.

This work is useful even before formal provider portability is adopted. An operator with a current dossier can answer an emergency provider more quickly, prove authority after staff turnover, correct stale contacts and identify the customer services exposed by a registry dispute. NRS becomes valuable through readiness, not through an unsupported claim to replace IANA or an RIR overnight.

The receiving side needs qualification, duties and an exit of its own

Portability fails if NRS verifies the departing operator but treats the receiving provider as an empty destination. The recipient must be capable, accountable and replaceable.

Qualification should cover secure registration systems, accurate change controls, reverse-DNS administration, appropriate routing-security support, privacy, incident response, financial continuity and enough trained staff. The provider must demonstrate restoration and accept independent audit. It must carry professional liability appropriate to the services it assumes without promising to insure every routing outcome.

The receiving provider should sign a standard continuity undertaking. It agrees to import the full authorized history, preserve restrictions, publish reasoned decisions, maintain exportability and cooperate with later lawful transfer. It cannot use the migration to rewrite disputed facts in favor of the incoming customer. Nor can it trap the customer through a proprietary record format.

Conflict rules are essential. A receiving provider with a financial interest in a resource transfer, lease or downstream customer should disclose that interest. High-risk ports may require a second independent verifier. NRS itself should not both adjudicate a contested entitlement and profit from the outcome without institutional separation.

There should be more than one qualified destination. A single NRS-affiliated provider would reproduce the dependency the model seeks to reduce. Open technical specifications, portable evidence and reciprocal testing should allow diverse nonprofit, cooperative or commercial providers to qualify under common rules. NRS's strongest position is coordinator and rights institution, not permanent exclusive operator.

Every receiving provider must also maintain its own succession package. Portability is not credible if exit ends at the first new destination. An operator should be able to move again under the same evidence and restriction rules. Replaceability is the discipline that converts a provider's promise into an enforceable service condition.

IANA should anchor uniqueness without choosing every customer relationship

The Internet Assigned Numbers Authority remains central because global number administration needs a coherent top-level allocation record. The Internet Numbers Registry System described in RFC 7020 is hierarchical and coordinated, with IANA allocating number resources to RIRs and RIRs managing regional distribution and registration. Registration accuracy and uniqueness are system requirements; routing decisions remain outside direct registry control.

Provider portability does not require IANA to adjudicate every member complaint. It does require an authoritative way to recognize which provider is responsible for defined services after a valid port. Without that anchor, NRS can preserve and verify evidence but cannot make every public system treat the receiving provider as authoritative.

A future IANA interface could record a service-responsibility pointer for a portable resource relationship, signed under an approved process by the current and receiving authorities or by an independent executor after a final decision. The pointer would not reallocate the address block or decide legal ownership. It would identify the recognized administrative service path and effective time.

The change must be atomic at the coordination layer. IANA, relevant RIR systems, authoritative RDAP discovery, reverse-DNS parent administration and applicable routing-security trust relationships need a reconciled sequence. Not every component must switch in the same second, but the plan must identify temporary states and prevent contradictory valid instructions.

IANA's role should therefore be narrow and evidentiary. It verifies that the approved portability procedure produced a valid instruction, records the service change and preserves history. It does not decide whether an operator's business model is desirable or whether leaving the incumbent was politically wise. If the evidence is incomplete, it refuses the change with reasons subject to review.

Until such an interface exists, NRS should be exact about limits. Its dossier can be authoritative for NRS membership and continuity preparation while remaining supplemental to recognized RIR registration. Precision about present authority is a strength. It creates the trust needed to negotiate future recognition.

A safe port needs a single state machine

The migration process should be defined as a state machine rather than a collection of emails. Each state determines who may act, what evidence is required, which services are affected and how the process can stop or reverse.

In the ready state, the operator maintains its verified dossier and receiving plan. No authority has changed. In the notice state, the operator requests a port, identifies the reason and authorizes NRS to obtain current state from the incumbent. The incumbent receives a bounded period to confirm, correct or state a specific objection.

In the reconciled state, the parties compare holder identity, resources, contacts, restrictions and technical dependencies. Differences are not resolved by majority vote. Each is classified: clerical mismatch, stale public record, disputed authority, technical-state divergence or lawful restraint. Uncontested components can proceed while a claim-specific issue follows the review track.

In the prepared state, the receiving provider reconstructs the account in shadow form. Credentials are created but not activated. Reverse-DNS, directory, routing-security and contact changes are staged. Independent checks confirm that the receiving outputs match the agreed state and that no conflicting public authority has been introduced.

In the committed state, authorized coordinators issue a signed cutover instruction with an effective time. The former provider loses change authority for the ported functions, the new provider activates service, and the historical record receives linked before-and-after receipts. A short controlled rollback window may exist for technical failure, but rollback cannot be used to erase valid intervening transactions.

In the settled state, all dependencies are reconciled, confidential staging data are deleted where no longer needed, fees are closed, customers receive required notice and unresolved claims continue in the identified forum. An after-action report measures the result. This discipline prevents the dangerous interval in which everyone believes someone else is authoritative.

The operator should not need to prove total registry collapse

A usable exit right needs triggers below institutional death. Requiring proof that an RIR cannot be restored simply reproduces the emergency regime at customer scale. NRS can define several routes with different safeguards.

Ordinary voluntary portability would allow an operator to move after notice and reconciliation, subject to applicable recognized rules. This is the long-term competitive model. It creates the strongest discipline because the operator need not allege wrongdoing.

Service-failure portability would apply after a defined essential request remains unresolved beyond a published period or a promised service is repeatedly unavailable. The remedy should be tied to the affected function. A delayed invoice dispute should not authorize a complete emergency cutover, while inability to administer reverse DNS may justify moving that service quickly if the architecture permits separation.

Governance-risk portability would apply when objective events threaten continuity: prolonged absence of lawful authority, inaccessible records, material conflict over signatories or a failed restoration exercise. The operator need not show that the entire RIR deserves derecognition. It must show that its continuity exposure is real and that the prepared port reduces risk without creating a conflicting state.

Emergency portability would protect imminent customer harm. It would use a pre-verified dossier and receiving plan, narrow the first cutover to essential services, and allow a rapid independent order. The incumbent would receive prompt notice and a post-action review. Emergency treatment must not become a routine shortcut.

Each trigger should be evidence based, and refusal should come with reasons. NRS can make the right enforceable by offering an independent review process and publishing anonymized outcome statistics. Operators gain more than a promise of sympathy; they gain a defined path, clock and remedy.

Disputes must travel so exit cannot become evasion

The strongest objection to portability is that a resource holder will leave when the incumbent begins enforcing a valid rule. A safe design answers this by making relevant claims portable.

The incumbent can lodge a specific objection supported by evidence during the notice period. It must identify the action restrained, legal or contractual source, affected resources, duration and review route. A general assertion that the operator is non-compliant should not freeze every service indefinitely.

NRS or an independent adjudicator can then separate continuity from disposition. The receiving provider may maintain accurate registration and essential technical administration while a transfer to a new holder remains blocked. A disputed contact can be preserved while an emergency security contact is updated under dual control. A payment claim can follow ordinary recovery without disabling unrelated customer service unless the contract lawfully makes that consequence proportionate.

Final orders bind the receiving provider to the extent applicable. If a competent court directs preservation, correction or restraint, the portability record should show execution. If jurisdictions conflict, NRS should not invent universal law. It should identify the conflict, protect the current state against irreversible change and route the issue to the agreed forum.

Fraud controls must be strong because a prepared port is attractive to attackers. High-risk requests need independent published contact points, cooling periods where safe, corporate-authority verification, protected keys and alerts to known representatives. Emergency process should accelerate institutional action, not reduce identity assurance.

By preserving claims and review, NRS can argue for exit without asking incumbents to surrender legitimate enforcement. The model changes the remedy from total dependency to scoped restraint. That is a more defensible balance for both operator and registry.

Customer continuity is the reason to move before derecognition

The public NRS business-continuity analysis makes the commercial boundary clear. Registry uncertainty can affect routing legitimacy, administrative authority, reverse DNS, geolocation, abuse handling, customer trust and revenue even when the operator's own network remains competently managed. Customers hold their provider responsible for service regardless of which institutional layer caused the problem.

That observation gives portability its urgency. A cloud provider may have hundreds of customers using services associated with a block. An internet service provider may depend on timely reverse-DNS delegation and accurate contacts. A security service may require routing-security changes under a strict incident clock. Waiting for regional replacement externalizes the governance delay onto parties that did not choose it.

The continuity dossier should therefore map customer impact, not merely registry fields. It should identify critical blocks, services, recovery priorities and communication obligations. During a port, the operator can sequence high-dependency resources first and explain temporary states to customers without exposing confidential disputes.

NRS can also establish continuity service levels. Time to acknowledge a port, time to reconcile records, time to decide an objection, recovery time for essential administration and time to publish a corrected state should all be measured. Failure to meet the service level creates an escalation right. The operator does not depend on discretionary urgency.

This customer focus differentiates NRS from an institution-replacement project. Its success is not measured by whether an RIR loses recognition or whether a new body gains prestige. It is measured by whether services remain stable, records remain accurate, disputes remain enforceable and the operator can continue serving customers through institutional stress.

NRS can start with proof before formal authority changes

The positive NRS direction does not depend on winning immediate global recognition as an alternative RIR. It can begin with functions that improve continuity under the current architecture.

First, NRS can enroll operators and verify authority. It can issue exportable continuity dossiers, change receipts and expiry notices. Second, it can provide preparedness reviews that identify missing corporate records, stale registry contacts, untested credential recovery and unmapped technical dependencies. Third, it can run shadow migration exercises with qualified service teams without altering live authority.

Fourth, NRS can represent member continuity interests in an institutional emergency. Instead of each operator assembling evidence from scratch, NRS can provide standardized claims, impact categories and receiving-readiness data to ICANN, IANA, RIRs, courts or an emergency operator. This is concrete leverage grounded in evidence rather than volume.

Fifth, NRS can support ordinary transfers and corrections that already fit current policy, reducing delay through complete documentation while recording where rules block provider-level portability. The resulting data will show actual bottlenecks: identity verification, record inconsistency, incumbent response, technical dependency or lack of recognized destination.

Sixth, NRS can publish an open portability specification and qualify independent implementations. The specification should cover data fields, signatures, restrictions, state transitions, audit logs, privacy and error correction. Open test vectors allow critics to find defects before live authority depends on the system.

These services make NRS a continuity institution now and a candidate coordination layer later. They also discipline its own claims. If operators do not maintain dossiers, shadow migrations fail or independent providers cannot interoperate, NRS learns before asking IANA or RIRs to recognize a cutover protocol. Positive reform is strongest when it can be tested in increments.

A staged recognition path avoids both paralysis and premature authority

NRS should seek reliance by function. Stage one is verified continuity membership. NRS proves identity, mandate and record preservation for its members. Its statements remain supplemental and clearly sourced.

Stage two is interoperable readiness. Independent providers can import the same dossier, reproduce a shadow account and return matching checks. NRS publishes success rates, discrepancies and correction times. No live registry authority changes.

Stage three is recognized assistance. Existing RIRs, IANA or emergency operators agree to accept NRS evidence as one input for identity, continuity and handoff. They remain the decision makers under current authority, but preparation time falls and member rights become more visible.

Stage four is bounded service portability. Agreements permit selected administrative functions or defined resource relationships to move under the common state machine. The scope can begin with low-conflict cases and expand only after independent review. One effective state remains mandatory.

Stage five is full provider choice among qualified services, with IANA-level coordination, authoritative discovery, reverse-DNS and routing-security transitions integrated into the protocol. At this point, the operator can exercise ordinary exit without alleging institutional failure.

Each stage should have entry and exit criteria. NRS should not declare progress based on membership totals alone. It should show successful verification, reproducible imports, independent audits, dispute handling, no duplicate states, technical continuity and provider substitutability. A stage can be paused or narrowed if evidence reveals risk.

This graduated model is more credible than demanding immediate replacement of the regional system, and more useful than waiting for perfect consensus before doing any preparation. It turns portability from a slogan into a series of observable institutional capabilities.

The portability authority must itself be portable

NRS will fail its own argument if operators become dependent on NRS in the same way they were dependent on an RIR. Every record, mandate and decision must therefore be exportable. Verification formats should be open. Critical history should be preserved through independent custody or witnessed commitments. Members should be able to leave while retaining proof of prior NRS decisions.

Governance must prevent concentrated control. The body that sets verification rules should not secretly favor one receiving provider. Appeals should be independent of the initial decision. Material conflicts and funding sources should be disclosed. Operators, technical experts, customer-dependent businesses and public-interest entities need defined roles without allowing any constituency to convert participation into private control of records.

NRS also needs its own continuity test. Another qualified body should be able to restore the membership ledger, verify receipts, honor restrictions and continue the appeal docket. Keys need succession arrangements. Privacy obligations must survive institutional change. Financial reserves should protect service rather than management discretion.

The NRS public governance advocacy links exit rights, redundancy and portability to resilience. Applying that proposition inward would be a powerful demonstration. NRS would not merely ask incumbents to accept competition; it would prove that its own authority is technically and institutionally replaceable.

This self-binding feature is positive, not defensive. A provider confident in its value should not need captivity. Open exit encourages NRS to improve verification, service and adjudication because members can take their records elsewhere. It also gives ICANN, IANA and RIR communities a reason to rely on NRS evidence without fearing the creation of another permanent gatekeeper.

Objections can be answered through procedure rather than denial

Incumbent RIRs may argue that provider portability fragments the registry system. The answer is one authoritative state, coordinated cutover and qualification. Fragmentation comes from conflicting valid answers, not from replaceable service under a common ledger.

Security specialists may argue that portability creates an account-takeover path. The answer is stronger pre-verification, independent contacts, signed state transitions, cooling periods, scoped emergency rules and full audit history. The current model also faces identity and credential risk; immobility does not eliminate it.

Communities may fear policy shopping. A holder could move to escape a regional rule it dislikes. The protocol should specify which policies follow the resource, which duties attach to the provider and which choices are legitimately part of service competition. Portability cannot mean that conservation, accurate registration, lawful restraints or globally applicable policy vanish at the border of a provider.

Governments may fear jurisdictional evasion. The port should preserve applicable orders and identify the receiving provider's jurisdiction. Cross-border conflicts need agreed rules and independent review. A hidden provider is not a qualified provider.

Smaller operators may fear that only large networks can prepare. NRS can standardize the dossier, offer tiered assistance and publish simple readiness requirements. The service should not require a litigation budget. Common formats and clocks are particularly valuable to entities without permanent governance staff.

Finally, critics may say NRS has not yet proved a global portability system. That is correct as an evidentiary boundary and irrelevant as a veto on preparation. The proposal is to build and test the missing capability in stages. Present limits define the next proof; they do not justify permanent dependence.

A practical NRS continuity pilot

A pilot should avoid the easiest ceremonial test and the most dangerous live leap. It can enroll a diverse group of consenting operators from more than one region while leaving recognized RIR authority unchanged.

Each entity would build a continuity dossier covering identity, number resources, references, technical dependencies, restrictions and receiving preferences. Independent reviewers would verify a sample. Two separate receiving teams would import the package into isolated environments and identify missing information. NRS would measure the time and manual intervention needed to reconstruct the account.

The pilot would then run several scenarios: loss of the primary registry contact, unavailability of the ordinary portal, a disputed corporate representative, a reverse-DNS change during institutional delay and a pending holder transfer that must remain blocked while other administration continues. No live unauthorized change would be made. The teams would produce signed proposed transitions and compare results.

Success metrics would include identity-verification time, percentage of fields with source evidence, number of unreconciled discrepancies, time to reconstruct technical state, proportion of restrictions represented with precise scope, receiving-provider agreement and ability to export the completed record to a third implementation. Security and privacy incidents would be reported, not excluded from the denominator.

An independent report would state which parts of a future port could be executed under existing authority and which require RIR, IANA, parent-zone or routing-security coordination. This boundary map would be one of the pilot's most valuable products. It prevents NRS from confusing preparedness with recognition and shows incumbents exactly where agreement is needed.

The next phase could test live assisted changes already permitted under current rules. Only after those results should the parties consider a bounded provider-portability agreement. Evidence, not institutional enthusiasm, determines expansion.

Exit changes the incentives before anyone uses it

A credible exit option affects governance even when most operators stay. An RIR that knows members can preserve continuity elsewhere has stronger reason to answer requests, maintain accurate records, explain restrictions and keep fees connected to service. NRS and receiving providers face the same discipline because their own records must remain portable.

This does not reduce governance to a market transaction. Number administration has public coordination duties that ordinary vendors do not. Policy processes, impartiality, confidentiality and global uniqueness remain collective concerns. Exit complements voice by limiting the institution's ability to make the exercise of voice existential.

The effect is especially important during crisis. Without portability, every side knows that customers are trapped. Incumbents may resist intervention because handoff threatens institutional survival. External actors may delay because replacement risks service. Operators may support factions based on fear of losing access. A prepared exit path lowers the stakes. Service can move in bounded form while governance and legal questions continue.

NRS's positive contribution is therefore institutional option value. It gives operators a prepared alternative, gives emergency coordinators cleaner evidence, gives courts a way to preserve service without deciding every technical detail and gives incumbent registries a reason to maintain replaceable administration. The system becomes less dependent on heroic crisis management.

The ultimate measure is not how many institutions are displaced. A successful portability regime may produce few exits because the possibility of exit improves service. Its legitimacy comes from enforceable readiness, not a high migration count.

The future settlement should protect the operator first

ICP-2 solved the expansion problem of its time. It enabled a new regional institution to be assessed, recognized and supplied with migrating service relationships. The current reform draft addresses the later problem of an RIR that needs rehabilitation, emergency operation or derecognition. Both work at institution scale.

The missing layer is the operator that cannot wait for the institutional verdict. Its customers, routes, reverse DNS, security posture and contracts continue while the governance process moves carefully. A durable system must allow that operator to preserve one accurate state and move defined service without creating a competing allocation.

NRS provides the right direction because it treats portability as an enforceable continuity practice. Verify the holder. Preserve source evidence. Map dependencies. Carry disputes. Qualify the receiver. Rehearse the handoff. Coordinate the authoritative cutover. Measure the result. Keep NRS itself replaceable. These are concrete institutional acts, not a demand for trust in a new label.

IANA and the RIRs remain necessary entities where recognized authority, global uniqueness, reverse-DNS delegation and routing-security trust are involved. Their role should make a valid port coherent, not make exit impossible until they agree that the entire incumbent institution has failed. Collective recognition can remain difficult while prepared customer continuity becomes ordinary.

That sequence protects due process on both sides. The RIR is not condemned merely because one operator leaves. The operator is not detained merely because the RIR remains recognized. Claims survive, services continue and the system can decide institutional questions without using customer dependency as leverage.

The exit option ICP-2 forgot is not abandonment of coordination. It is coordination that follows the resource holder through institutional change. NRS can make that option real by proving, stage by stage, that accurate administration can be portable without making the Internet's number space ambiguous.

Evidence and analytical limits

The ICP-2 criteria support the account of regional recognition, migration from incumbent RIR service to a new RIR and the concern about multiple overlapping registries. They do not grant an individual resource holder provider portability or define an NRS role.

The 2024 ICP-2 compliance procedures support the description of materiality-triggered review, restoration, emergency-provider coordination, backup or escrow encouragement and successor identification. They do not create routine customer-elected migration before a finding about the RIR.

The RIR Governance Document Version 2 supports the description of draft emergency continuity, emergency operators, handoff, transfer readiness and service obligations. The Q1 2026 status report supports the narrower claims that unanimity for emergency action drew concern and that transition detail and resource-holder protection remained under drafting. The draft is not treated as final adopted authority.

RFC 7020 supports the account of the coordinated IANA-RIR registry hierarchy, uniqueness and registration accuracy. It does not endorse NRS, define provider portability, create ordinary property title in number resources or make registry administration responsible for routing decisions.

The NRS Charter, NRS governance article and NRS business-continuity article are used as positive first-party evidence of NRS's direction: accurate registration, operator rights, accountability, portability, redundancy and customer continuity. They do not prove that NRS currently operates the verification, provider-qualification, IANA interface, state machine, adjudication system or live portability service proposed here.

The continuity dossier, qualification regime, IANA pointer, staged recognition path and pilot are analytical proposals. The article does not claim an operator can currently compel IANA, an RIR, a reverse-DNS parent or a routing-security authority to accept an NRS-directed cutover. It does not treat portability as permission to evade a court, sanctions obligation, fraud investigation, valid policy, contract or final correction. Its claim is narrower: NRS can build and prove customer-level readiness now, and that capability should become the positive continuity layer future ICP-2 governance still lacks.