Summary

  • Proportionality is a method for testing means against ends. A registry need not be a government for its board, members, contracting parties or external reviewers to require an important objective, evidentiary fit, necessity and fair balance.
  • The four steps are cumulative: define an authorized legitimate objective; show a rational connection to reliable evidence; compare less harmful measures that could achieve the objective; and balance the measure's expected benefit against direct and third-party harm.
  • Exit difficulty matters. A holder cannot obtain the same unique number range from a competing registry, so ordinary market choice may not discipline overbroad restrictions at the common recognition layer.
  • Registry remedies should be disaggregated. A warning, cure request, change freeze, limitation on new requests, temporary service restraint, transfer hold, contract termination and deregistration have different effects and should not be treated as one generic sanction.
  • Network evidence must be used for the proposition it can support. Registration records, observed BGP announcements, RPKI objects, contracts and legal orders answer different questions; one should not be stretched into proof of another.
  • Urgent temporary action can be proportionate when delay threatens uniqueness, security or third parties, provided scope is narrow, unaffected functions continue, evidence is preserved and prompt independent review follows.

Proportionality is a discipline of means, not a label for moderation

The word proportionate is often used to mean reasonable, measured or not too harsh. Those descriptions express a preference but do not reveal how a decision was made. A structured test is more demanding. It requires the institution to identify the objective, connect the measure to evidence, compare alternatives and account for effects.

That discipline matters because infrastructure institutions can confuse the importance of their mission with the necessity of a particular sanction. Protecting accurate registration is important. It does not follow that every inaccuracy justifies immediate deregistration. Preventing fraud is important. It does not follow that a suspicion affecting one requested change justifies stopping unrelated services. The objective and the remedy are separate propositions.

Proportionality also requires specificity about the affected interest. The holder may face loss of registration services, customers may face interruption, and the registry may face risks to accuracy or uniqueness. A general statement that the public interest favors stewardship cannot balance those distinct effects.

The test should be recorded at the moment of decision, not constructed after challenge. Contemporaneous analysis shows what evidence existed, which options were available and why the chosen scope was thought necessary. Later information can justify a new decision, but it should not be used to disguise the weakness of the original one.

The public-law test can be borrowed without borrowing statehood

The four-stage formulation is familiar from rights review. In Bank Mellat, the United Kingdom Supreme Court addressed whether an objective was important enough, whether the measure was rationally connected to it, whether a less intrusive measure could have been used without unacceptable compromise, and whether the severity of effects outweighed the measure's contribution to the objective.

That judgment concerned governmental action and legal rights. It does not automatically govern a membership corporation or private registry. Jurisdiction, applicable law and the legal source of review remain decisive. A court may apply contract, association, competition or another body of law rather than public-law proportionality.

Borrowing the structure is still valuable. Private institutions routinely adopt controls more exacting than the minimum a court would impose. Contracts can require proportionate enforcement. A board can instruct staff to compare alternatives. Members can approve a sanctions policy. An arbitrator can interpret an express requirement. A regulator can examine exclusionary conduct where competition law applies.

The distinction should be stated openly. Proportionality here is a governance standard supported by the characteristics of the relationship, not a claim that every registry decision is administrative action. That restraint makes the proposal more portable across jurisdictions because it does not depend on winning a preliminary argument about public status.

Hard exit creates a private-power problem

Ordinary market discipline assumes that a dissatisfied customer can leave. Number registration complicates that assumption. A globally unique IP prefix or autonomous system number cannot simply be recreated with another provider while the original record remains authoritative. Duplicate recognition would defeat the coordination function.

RFC 7020 describes the Internet Numbers Registry System and the hierarchical distribution of unique number resources. It also distinguishes registration from routing operations. A registry does not control whether networks accept a route, but its recognized record can matter to transfers, contact publication, reverse DNS and routing-security services.

This creates dependence at a narrow layer. The holder may be able to change upstream providers, equipment or consultants. It may not be able to replace the institution responsible for the relevant registration relationship without a coordinated transfer or future portability arrangement. Threat of exit therefore supplies less restraint than in a competitive retail service.

Hard exit does not make the registry owner of the network. It creates the opposite obligation: keep enforcement tied to the function that cannot be replaced. If an institution uses control of registration to compel conduct unrelated to uniqueness, accuracy or authorized service obligations, the absence of alternatives magnifies the concern.

Step one: define an objective important enough for the consequence

The first step asks what the measure is for and whether that purpose falls within the institution's authority. Valid objectives can include preserving unique registration, verifying authority for changes, protecting registration accuracy, preventing documented fraud, enforcing payment obligations, complying with a binding legal order and containing a credible security compromise.

The objective should be expressed at the level the evidence supports. "Verify that this representative can transfer this range" is more useful than "protect the Internet." "Recover an overdue contractual fee" is clearer than "enforce community values." Precision makes it possible to judge fit and alternatives.

Importance must also match consequence. A minor formatting defect may justify correction but not loss of a long-held resource. Repeated fabricated documents can justify stronger restraint because they directly undermine authority verification. The same general category, registration accuracy, contains risks of very different gravity.

Authority must be traced to policy, agreement, corporate power or law. A worthy objective does not let staff invent a sanction outside the governing instruments. If the problem reveals a gap, the institution should use the authorized amendment route rather than stretch an individual decision into new law for the holder.

Mission statements are too broad to do the work

Stewardship, security, stability and the public interest are important institutional values. They are not self-applying powers. A mission statement can explain why an organization exists while leaving unresolved which measure it may impose on which actor.

Overbroad objectives weaken every later step. Almost any restriction can be described as contributing in some remote way to stability. If that is enough, rational connection becomes trivial and less harmful alternatives disappear from view. The institution can always say the mission is more important than one holder's loss.

A proper objective has an observable failure condition. If the aim is accurate authority data, success means the relevant identity and authorization are reliably established. If the aim is payment, success means the debt is resolved or the service relationship ends under agreed terms. If the aim is preventing an unauthorized transfer, success means the existing state is preserved while authority is examined.

The decision should also identify objectives it is not pursuing. A registry investigating false contacts should say whether it is alleging fraud, contractual non-cooperation or merely incomplete information. Those propositions carry different stigma and justify different consequences. Clear boundaries protect the holder and keep the institution from changing its theory when the first ground proves weak.

Step two: show a rational connection through evidence

A rational connection requires more than temporal association. The institution should explain how the facts indicate the identified risk and how the chosen measure reduces that risk. Evidence quality, coverage and uncertainty matter.

Suppose an organization does not answer one verification message. That fact may support a concern that the listed contact is stale. It does not by itself establish that the organization no longer exists, lacks authority over every resource or committed fraud. A targeted contact update and alternate-channel verification fit the observed problem better than immediate deregistration.

Repeated submission of materially inconsistent corporate records is stronger evidence, but the institution should still determine whether the discrepancy reflects reorganization, translation, jurisdictional naming conventions or deception. A fraud conclusion requires evidence directed to intent or fabrication, not simply administrative complexity.

The measure must address the evidence. Freezing a pending transfer can prevent an unauthorized change while verification continues. Suspending the ability to request additional resources may encourage compliance with an audit. Revoking RPKI certificates, disabling reverse DNS and deleting registration records together may add no protection if the only problem is an unpaid training fee.

Rational connection is therefore both factual and functional. It tests what the evidence proves and which service surface the remedy actually changes.

Network-resource evidence has strict boundaries

Internet number disputes attract technical evidence that appears decisive because it is machine-readable. Its meaning remains bounded. A registration record identifies a recognized status and contacts under the registry's rules. It does not necessarily settle property ownership under every law. A BGP observation shows that a route was visible from selected vantage points at a time. It does not by itself prove contractual authorization or beneficial ownership.

An RPKI Route Origin Authorization indicates that the resource holder has authorized an autonomous system to originate specified prefixes within defined limits. It does not guarantee that the route is safe, desired or accepted by every network. Absence of an ROA does not prove that the underlying registration is abandoned. Reverse DNS delegation answers another operational question.

Contracts, corporate filings, identity materials, invoices and court orders likewise support defined propositions. A corporate filing may establish legal existence but not authority of the person requesting a transfer. A contract may show an agreement between parties but not bind a third party or decide a matter reserved for a court.

Proportionality fails when one form of evidence is stretched to justify a broader conclusion. The decision record should state each proposition, the evidence supporting it, the known gaps and the reason the remedy addresses that proposition. Technical confidence cannot cure a category error.

Step three: compare less harmful effective measures

Necessity does not require the institution to imagine every theoretical alternative. It requires serious comparison with credible measures that would achieve the objective without unacceptable loss of effectiveness. The analysis must occur before the most severe option is selected.

Registry enforcement offers many gradations: information request, warning, correction period, enhanced verification, restriction on one pending change, temporary account hold, limitation on new requests, supervised transfer, escrowed evidence, partial service suspension, contract termination and deregistration. Different combinations can isolate risk.

The least harmful measure is not always the weakest. If credentials are compromised, an immediate temporary freeze may be less harmful than allowing an unauthorized transfer and trying to reverse it later. If a holder repeatedly ignores billing notices, another identical reminder may not be effective. Necessity asks for the least harmful option that still works, not endless ineffectual patience.

Alternatives should be tested against time, enforceability and evasion. A cure period may be appropriate where the defect is remediable. Independent verification may solve disputed authority. Security-sensitive evidence may be reviewed under confidentiality. A bond or staged transfer may protect competing claims. The institution should explain why rejected alternatives fail and what information could change that conclusion.

A sanction ladder must preserve distinctions

Institutions often publish one sequence from warning to termination. A ladder is useful only if it preserves the nature of each step. Suspension of new requests is not the same as suspension of maintenance for existing records. A transfer hold is not the same as a finding that the holder lacks rights. Contract termination is not identical to immediate technical deletion.

The current RIPE NCC closure and deregistration procedure separately describes grounds, termination, service consequences and deregistration. Its details operate within RIPE NCC's own agreements and documents, but the structural separation is valuable across institutions. It forces the decision maker to ask which consequence follows from which ground.

ICANN's registrar materials offer another bounded comparison. The registrar suspension explanation describes suspension as limiting new sponsorship and inbound transfers while leaving specified existing-name functions available. The termination guidance addresses transition of sponsored names after accreditation ends. Domain names and number resources are not interchangeable, but the continuity principle is relevant: discipline the intermediary without needlessly stranding users.

A registry sanctions policy should state the operative effect of every level. Labels such as suspended or closed are limited public evidence when several technical and contractual functions can change independently.

Step four: balance total benefit against total harm

The final step asks whether the expected contribution to the objective justifies the severity of effects. It is not a repetition of necessity. A measure may be the only effective means and still be too harmful relative to the benefit sought.

The benefit side should include probability and magnitude. Preventing an imminent unauthorized transfer of a large range can have high expected value. Enforcing a minor administrative preference has less weight. Claims of systemic risk should identify how the individual case contributes to that risk.

The harm side includes more than the contracting holder. Customers, downstream networks, security systems, employees, creditors and counterparties may be affected. Harm can include service interruption, inability to update contacts, transfer delay, route-validation consequences, loss of reverse DNS, reputational stigma and litigation costs.

Reversibility matters. A short hold subject to rapid review is different from permanent deregistration. Scope matters. One prefix is different from an organization's entire portfolio. Timing matters. Immediate effect is different from a phased change after customer notice.

Balancing should be candid about distribution. A registry may gain administrative convenience while thousands of users bear migration cost. Convenience can be relevant, but it rarely justifies severe infrastructure disruption by itself. The written conclusion should identify who bears each cost and why that allocation is fair.

Contract provides a direct route to proportionality

The cleanest basis is an express term. A service agreement or enforcement policy can require measures proportionate to the nature, severity, duration and recurrence of non-compliance, with attention to third-party continuity. It can specify notice, cure, emergency restraint and review.

Express drafting avoids debate about whether a court will imply the duty. It also gives staff an operational standard before a dispute. The clause should not merely say the registry will act reasonably. It should require the four questions and a recorded explanation for consequential measures.

Where the contract grants broad discretion, applicable law may impose limits. Braganza shows one private-law route in English law for examining the purpose and rationality of some contractual decisions that affect both parties. It does not establish a worldwide proportionality rule, and different agreements or jurisdictions can produce different outcomes.

The UNIDROIT Principles offer a non-binding transnational reference for good faith, fair dealing and inconsistent behavior where they are applicable or adopted. Proportionality can make those broad commitments observable by asking whether power was used for its granted purpose and without avoidable excess.

Competition law explains why market power matters

Competition law does not make every monopoly act unlawful. It distinguishes possession of market power from abuse and requires jurisdiction-specific analysis of market definition, dominance, conduct and effect. A registry should not be casually declared an essential facility in every legal system.

The competition perspective is nevertheless useful. The European Commission's Article 102 overview notes that a dominant undertaking has a special responsibility not to distort competition and identifies conduct such as refusal to supply an input indispensable for competition in an adjacent market. The Commission's enforcement-priorities guidance uses effects-based analysis for exclusionary conduct.

For number governance, the relevant warning is leveraging. Control of a unique registration point should not be used to force purchase of contestable adjacent services, punish criticism, favor member incumbents or block a lawful service-provider switch. A restriction tied to accurate registration may be legitimate; one tied to unrelated commercial advantage deserves harder scrutiny.

Competition analysis also values less restrictive access terms and objective criteria. Proportionality supplies an internal counterpart before legal intervention. The registry identifies the narrow coordination objective, tests whether the restriction is needed and records effects on downstream competition.

Modern private-platform regulation confirms the direction

Digital-platform regulation demonstrates that legislatures can impose proportionality duties on private service providers without converting them into governments. The European Union's Digital Services Act requires providers to apply and enforce restrictions in their terms with due regard to relevant rights and describes proportionate risk-mitigation obligations for the largest services.

The DSA does not automatically govern RIR enforcement. Hosting content, operating a platform and maintaining Internet number registrations are different activities. Its value lies in institutional design: concentrated private intermediaries can be required to state reasons, consider rights and tailor restrictions to identified risks.

Registry governance can adopt the same discipline in a function-specific way. The interests are continuity, accurate recognition, contractual fairness, non-discrimination and freedom to operate networks lawfully. The relevant evidence concerns identity, authority, resource history, service obligations and technical risk rather than content moderation.

The comparison also warns against scale as an excuse. Large private institutions can create standardized reason forms, decision categories and appeal routes. Volume supports structured proportionality because recurring cases reveal which alternatives work. It does not justify replacing judgment with the most administratively convenient penalty.

Scope should be measured by resource, account and function

A proportional decision identifies the smallest affected unit that contains the risk. The relevant unit might be one contact change, one transfer request, one prefix, one account credential, one service, one legal entity or an entire portfolio. Those levels should not be collapsed.

If authority for a transfer is disputed, freeze the transfer rather than every maintenance function. If one credential is compromised, revoke it and issue a secure replacement rather than infer that the organization has disappeared. If one resource was obtained through fabricated evidence, investigate linked holdings based on evidence rather than automatic guilt by association.

Account-wide action can be justified where the risk is account-wide: systemic identity fraud, insolvency affecting the contracting entity, pervasive fabricated records or loss of all authorized control. The reasons should show the connection. An organization-wide consequence cannot rest only on administrative convenience.

Functional scope is equally important. WHOIS or RDAP contact publication, reverse DNS, RPKI, transfer authority, new-resource requests and billing access serve different purposes. Preserving unaffected functions can reduce harm without weakening enforcement. A decision letter should list each function changed, its start time, duration and restoration condition.

Time is part of proportionality

The same restriction can be proportionate for forty-eight hours and excessive for six months. Temporary holds are often justified by uncertainty; prolonged holds require progress, evidence and review. An institution should never allow temporary to mean indefinite until the holder gives up.

Every interim measure needs a clock. State the initial duration, evidence being sought, responsible reviewer and next decision date. If more time is needed, give reasons and reassess scope. Repetition of the original concern is not enough if the institution has not advanced the inquiry.

Cure periods should reflect what cure requires. Updating a contact can be quick. Obtaining certified succession documents across jurisdictions can take longer. A deadline should not be designed so that compliance is formally available but practically impossible.

Expiry can also protect the institution. A hold that ends automatically unless renewed forces active ownership and prevents forgotten restrictions from corrupting records. A severe measure should have a scheduled post-action assessment to confirm whether the predicted benefit occurred and whether collateral harm requires remediation.

Reversibility lowers risk but does not erase it

Interim restraints are often defended as reversible. That is relevant, but commercial and technical time cannot always be restored. A delayed transfer can cause a transaction to fail. A public suspension notice can damage reputation. A missed customer migration window can create lasting cost.

The institution should assess practical reversibility, not merely its ability to click an undo control. Can records be restored exactly? Will RPKI relying parties receive the corrected state promptly? Can a third party that acted on the temporary status be notified? Will the holder recover access and transaction timing?

Where full restoration is impossible, safeguards should be stronger. The institution can use confidential status, preserve outgoing services, avoid public allegations before findings, or require expedited review. Security needs may limit disclosure, but they do not eliminate the need to minimize irreversible effects.

Post-decision correction also matters. If a restraint proves unfounded, the institution should correct public records, notify known recipients of the adverse status where feasible and examine why the evidence was misread. Reversibility becomes credible only when restoration is designed before restriction.

Non-payment should not silently become resource adjudication

Payment enforcement is necessary for a membership or service institution. Persistent non-payment can justify suspension or termination under the agreement. The proportionality question is how financial default interacts with unique registration and third-party continuity.

The institution should distinguish disputed invoice, temporary hardship, administrative error and deliberate refusal. It should identify notices sent, amounts due, cure options and the consequence authorized by the agreement. A billing dispute should not be described as evidence that the holder lacks historical authority over a resource.

Termination may end access to services, but the treatment of registration records should be explicit. If deregistration follows under governing documents, the institution should state timing, preserve evidence and account for downstream users. A structured transfer or successor arrangement may protect continuity without giving the defaulting party indefinite free service.

The strongest measure should not be chosen merely because it is easy to administer. Fees support the institution, while unique records support the wider Internet. Proportional design respects both by escalating predictably, separating debt from fraud and preserving a route to cure before irreversible effects where circumstances allow.

False information requires a culpability distinction

Incorrect information can result from mistake, stale contacts, translation, corporate reorganization, disputed succession or fabrication. A policy that treats every inconsistency as fraud will overreach. A policy that ignores deliberate deception will fail.

The initial measure should preserve the status quo where change risk is immediate and seek clarification through secure channels. The institution can compare authoritative records, request an explanation and isolate the disputed act. It should disclose the material inconsistency unless doing so would compromise a legitimate investigation.

Culpability affects consequence. A good-faith holder that corrects an outdated address presents a different risk from an applicant that submits forged documents after warning. Repetition, concealment and materiality matter. So does the relationship between the false statement and the resource decision.

Even proven fraud should not produce automatic portfolio-wide deregistration without analysis. The institution should identify which decisions were induced, which records remain reliable and which third parties are innocent. Severe sanctions may be warranted, but their scope should follow demonstrated contamination rather than moral outrage.

Security emergencies justify speed, not unlimited scope

Credential theft, unauthorized access or imminent duplicate registration can require immediate action. The objective is containment. A temporary lock on changes, revocation of a compromised credential and out-of-band verification may be rationally connected and necessary before ordinary notice.

Emergency power needs predefined triggers. Staff should identify the observed event, confidence, affected surface and maximum initial duration. The holder should receive notice as soon as disclosure no longer worsens the threat. A second decision maker should review continuation.

Unaffected operations should continue where safe. A transfer freeze need not disable route-authority maintenance if the credential paths are separate and secure. If all credentials are compromised, the institution may need broader restraint, but it should explain the dependency.

The emergency record should survive the event. After containment, the institution should determine whether the measure was accurate, whether duration was justified and whether restoration succeeded. An emergency that reveals a general weakness may support later reform through the authorized route; it should not silently create permanent discretionary power.

Legal orders must be read for exact effect

A registry may receive an order from a court or competent authority. Compliance with binding law is a legitimate objective, but proportionality still requires careful interpretation of scope. The institution should identify the entity, resource, act, effective time and any permission to seek clarification or review.

An order to preserve records is not necessarily an order to transfer them. An injunction against one party may not decide the rights of another. A request for information is not deregistration authority. Cross-border effect may depend on recognition and governing law. The registry should obtain appropriate legal analysis rather than expand the order through caution.

Where the order leaves discretion, the institution should protect continuity and third parties. It can preserve the existing state, mark a dispute internally, prevent destructive changes or notify affected parties as legally permitted. Confidentiality requirements should be recorded and reviewed rather than assumed permanent.

The registry should not present obedience to an exact command as its own discretionary finding. Conversely, it should not attribute voluntary extra restrictions to the court. Clear attribution allows the holder to challenge the correct actor and prevents institutional power from hiding behind legal language.

Transfer disputes call for preservation, not premature victory

Competing transfer claims create pressure to choose a winner quickly. The registry's first responsibility is usually to prevent an unauthorized or duplicate change while evidence is examined. A neutral hold can be proportionate if it is focused, time-limited and paired with an effective decision route.

The institution should define the proposition it can decide: whether the request satisfies registry requirements and presents authenticated authority. It may not be competent to determine beneficial ownership, contractual breach, insolvency priority or fraud liability conclusively. Those questions may belong to arbitration or court.

Necessity favors preservation where reversal would be difficult. Balance favors allowing unaffected registration maintenance and network operation while the disputed transfer remains frozen. Reasons should identify what evidence each claimant must provide and what happens if external litigation continues.

A hold becomes disproportionate when it drifts without milestones, blocks unrelated services or lets one party win through delay. The institution should schedule review, require progress and permit a competent external order to resolve questions beyond its authority. Neutrality is an active design, not indefinite inaction.

RPKI measures require special care

RPKI can influence routing decisions made by relying networks, so changes to certificates and Route Origin Authorizations can have effects beyond the registry account. The exact outcome depends on publication, validation and network policy, but revocation can contribute to routes becoming invalid or not found from the perspective of relying systems.

That consequence makes purpose critical. If an RPKI credential is compromised, targeted revocation and reissuance may be necessary. If the dispute concerns an unpaid invoice or pending corporate document, revoking valid routing-security material may not advance the objective and can harm third parties.

Registration status, certification service eligibility and routing authorization should be analyzed separately even where governing documents link them. The institution should identify the dependency, expected relying-party effect and restoration plan. It should avoid claiming that a certificate decision directly commands global routing.

Where urgent revocation is necessary, notice and staged publication may be limited by security, but post-action review remains essential. The measure should cover only the affected resources and credentials. A broad portfolio revocation needs evidence that compromise or authority failure reaches the whole portfolio.

Reasons make proportionality review possible

A statement that a measure is proportionate proves nothing. The decision letter should show the four steps. It should name the objective and authority, summarize material facts, explain the evidence connection, list serious alternatives, describe direct and collateral effects, and state why the balance favors the chosen measure.

Confidential evidence can be handled through a usable gist, protected annex or independent reviewer. The holder needs enough to understand the case and propose a safer alternative. Security does not require empty reasons.

The letter should list each operative effect: resource ranges, services, credentials, transactions, start time, duration, cure conditions and appeal route. Precision prevents staff and external actors from treating a narrow restriction as a complete loss of status.

Reasons also improve consistency. Reviewers can compare whether similar defects received similar measures and whether differences follow evidence. Boards can see when staff repeatedly encounter a policy gap. Members can assess aggregate enforcement without learning protected case details.

Independent review needs power to preserve continuity

Review is meaningful only if the reviewer can examine the proportionality chain and prevent irreversible harm. It should have access to the governing documents, evidence, alternative analysis and effect map. It should be able to require clarification and, where authorized, pause or narrow the measure.

Independence is relative to the decision. A separate manager may correct a routine error. A standing panel can review consequential institutional judgments. Arbitration or court may be needed for contractual and legal rights. Competition authorities can address exclusionary conduct within their jurisdiction.

The standard of review should be explicit. Technical expertise may justify respect for evidence assessment, but not blind deference. Policy choices may allow a range of reasonable balances. Factual errors, improper purpose, unexplained inconsistency and failure to consider an obvious less harmful measure deserve closer correction.

Urgent review should be available before the practical point of no return. A remedy delivered after customers renumber or a transaction collapses may be formally successful and operationally empty. Time limits, interim authority and notice rules should be designed around actual infrastructure effects.

A decision form can operationalize the four steps

Before imposing a consequential measure, the institution should complete a concise decision record:

  1. Objective: What exact harm or obligation is being addressed, and where does authority come from?
  2. Evidence: Which facts are established, what uncertainty remains and what proposition does each source support?
  3. Connection: How will each proposed restriction reduce the identified risk?
  4. Alternatives: Which narrower measures were considered, and why would they be limited public evidence?
  5. Scope: Which resources, accounts, people, services and technical functions are affected?
  6. Time: When does the measure begin, expire or receive mandatory reconsideration?
  7. Third parties: Which customers, counterparties or relying networks may be harmed, and what continuity protection applies?
  8. Balance: Why does the expected benefit justify the residual harm?
  9. Restoration: What must occur for restriction to end, and how will records and services be restored?
  10. Review: Who can inspect the facts, reasons and proportionality, with what interim power?

The form should scale. A minor warning can be brief. Deregistration or broad certificate revocation requires detail. Standardization reduces omissions without turning judgment into a checkbox exercise.

A remedy matrix is better than one linear escalation

A single ladder assumes that every problem grows along one dimension from minor to severe. Registry disputes are multidimensional. A low-confidence but high-impact security alert may justify an immediate narrow hold. A high-confidence but low-impact billing error may justify a cure notice. Repeated misconduct may increase duration without expanding technical scope.

A remedy matrix should classify at least five dimensions: gravity of the objective, confidence in the facts, breadth of affected resources, urgency and reversibility. It should then map those dimensions to available functions. Change authority can be frozen while ordinary maintenance continues. New requests can be paused while existing records remain intact. A credential can be replaced without ending membership. A disputed transfer can be held without prejudging ownership.

The matrix should include escalation and de-escalation triggers. Additional verified evidence may justify broader restraint. Successful cure, reduced uncertainty or independent confirmation should narrow it. A restriction should not remain severe merely because it began severe.

Published categories improve predictability, but they should not become automatic penalties. The decision maker must still explain why the selected cell fits the case. Exceptional measures should be identified as exceptional, with a reason they do not create a general precedent.

This design also exposes missing tools. If the only available options are warning and complete deregistration, the institution has created its own proportionality problem. Boards and members should authorize intermediate remedies before a crisis forces improvisation.

Membership accountability must examine concentrated harm

Member participation can legitimate general rules, but majority support does not prove that every application is proportionate. A broadly beneficial reform may place severe costs on a small class of legacy holders, small networks or organizations operating across difficult legal environments. Those costs should be identified rather than averaged away.

Impact analysis should show the number and type of affected holders, the services at risk, expected compliance cost, third-party dependencies and available alternatives. The institution should solicit evidence from actors unlikely to dominate meetings: smaller operators, downstream customers, public institutions and technical teams responsible for migration.

Members should also receive aggregate enforcement information. Counts of warnings, holds, suspensions, terminations, restorations and successful appeals can reveal whether the sanction policy behaves as promised. Distribution by ground and duration is more informative than one total. Protected identities and security details need not be exposed.

Accountability works in both directions. Members should not pressure staff to spare influential organizations from ordinary controls. Nor should they use a general vote to target an unpopular holder through a measure unrelated to the stated objective. Conflict rules, recorded reasons and independent review protect the institution from both forms of capture.

The governing body should revisit the remedy matrix when appeals repeatedly identify excess or when staff repeatedly need emergency exceptions. Persistent mismatch suggests that the authorized tools no longer fit the risks.

Metrics should measure prevented harm and imposed harm

Institutions often measure enforcement by cases closed, debts recovered or records corrected. Those figures show activity, not proportionality. A complete assessment measures the benefit achieved and the harm imposed.

Benefit metrics can include unauthorized changes prevented, verified contact corrections, restored compliance, reduced recurrence and time to contain credential compromise. Harm metrics can include duration of holds, number of unaffected services interrupted, customer incidents, reversals on review, failed restoration and transactions lost because a decision exceeded its deadline.

Metrics need context. A high reversal rate may signal poor initial decisions, but it may also reflect a healthy review body and new evidence. Long holds may be justified in complex litigation, but the institution should identify who controlled delay. Quantitative results should be paired with short explanations of outliers and uncertainty.

The institution should compare alternatives retrospectively. Did targeted restrictions work as well as broad suspensions? Did cure periods improve records? Were emergency holds narrowed promptly? Evidence from completed cases improves later necessity analysis and prevents convenience from hardening into tradition.

Public reporting can remain aggregate. Independent reviewers should have access to case-level material under appropriate confidentiality. The purpose is not to rank staff. It is to learn whether the remedy actually advanced the objective at an acceptable cost. Proportionality becomes credible when the institution is willing to test its predictions against outcomes.

Proportionality should govern future portability too

If number-registration services become more portable, competition may improve at the service layer while one reconciled state still protects uniqueness. Proportionality will remain necessary because a provider could use credentials, holds or exit conditions to obstruct switching.

A provider should restrict portability only for a defined risk such as disputed authority, unpaid agreed charges directly connected to exit, a binding order or a credible security event. The restriction should be narrow, timed and reviewable. It should not force purchase of unrelated services or erase completed rights.

The common coordinator also needs proportional limits. It can verify that a switch will not duplicate a resource and that both sides authenticate the change. It should not use reconciliation power to select the operator's commercial model or routing policy. Provider failure should trigger continuity and succession rather than mass loss of registration.

Competition does not eliminate governance. It changes where power sits. A four-step test should follow every non-substitutable control point so that portability does not replace one opaque gatekeeper with several interlocking ones.

The private label does not answer the merits

Private institutions can coordinate essential infrastructure legitimately. They can set conditions, investigate defects and impose serious consequences. Their legal authority depends on governing documents and applicable law, not on an analogy alone. But when exit is hard and collateral harm is predictable, they should be able to explain why a particular measure is no broader, longer or harsher than its objective requires.

The four-step test provides that explanation. Define an authorized and sufficiently important aim. Connect it to reliable, proposition-specific evidence. Compare less harmful effective alternatives. Balance expected benefit against all direct and third-party effects. Then state scope, time, restoration and review.

This standard protects institutional capacity as much as holder continuity. A registry that can demonstrate proportionate enforcement is better positioned to act quickly against real fraud, defend difficult decisions and resist pressure for indiscriminate external control. Restraint is not weakness. It is proof that power remains attached to purpose.