The easiest way to misunderstand court risk at RIPE NCC is to look only for a lawsuit. A registry can be legally uneventful and still carry continuity risk, because the relevant exposure is not merely the probability that the registry loses a case. It is the cost created when legal venue, contractual discretion, payment status, sanctions compliance, registry records, routing-security services and membership governance all meet at the same point. RIPE NCC is not a bank, not a land registry and not a sovereign regulator. Yet in the post-exhaustion IPv4 economy it resembles all three in narrow ways: it records recognised control over scarce resources, controls the channels through which those records change, and provides operational services that other networks rely on when deciding whether traffic should route or be trusted.
RIPE NCC's public documents describe a mature institution. Its Standard Service Agreement identifies RIPE NCC as a membership association under Dutch law with a registered office in Amsterdam, and says agreements between RIPE NCC and members are governed by Dutch law. Its General Meeting page says members meet twice a year, discuss operations and activities, vote on resolutions and elect the Executive Board. Its Articles of Association give each non-suspended member one vote, limit proxy concentration, and make the General Meeting the place where the financial report, charging scheme, board vacancies, service quality and amendments to the Standard Service Agreement can be addressed. Its 2026 charging scheme sets an annual contribution of EUR 1,800 per LIR account, plus separate charges for independent assignments and ASNs. These facts are useful exhibits. They are not, by themselves, an economic conclusion about risk.
The economic conclusion begins with scarcity. RIPE NCC notes on its IPv4 run-out page that it exhausted its remaining IPv4 pool in November 2019, and that LIRs without an IPv4 allocation can request only a single /24 from recovered addresses through the waiting-list mechanism. Once a registry no longer allocates abundant new IPv4 space, the market value of existing space stops being a side effect and becomes a core condition of network production. IPv4 blocks support customers, peering plans, cloud services, broadband growth, CGNAT avoidance, abuse-management arrangements, compliance attestations and corporate transactions. The registry record is not the whole value of a block, but it is a decisive part of the value because it determines recognised control inside the registry system, transfer completion, reverse-DNS administration and RPKI certification.
Court and continuity risk is therefore not a narrow legal topic. It is a capital-market topic hidden inside a technical association. It asks whether holders can rely on the registry record during a dispute; whether an injunction or court order can change operational services before an economic claim is finally resolved; whether sanctions screening can be executed without turning the registry into a broad gatekeeper; whether a small operator can survive the delay and cost of a registry dispute; and whether the association's members can discipline these risks before courts, creditors or emergency administrators must do so.
Continuity is the economic product
The word continuity sounds administrative. In the registry economy it is a product. A network operator pays annual fees, supplies legal documents, maintains contacts, submits transfer requests and uses registry tooling because it expects a stable public record: the allocation or assignment continues to be recognised; authenticated contacts can update objects; reverse-DNS delegations continue to be produced from database records; RPKI certificates continue to list the holder's resources; transfers can complete when policy permits; and disputes do not unexpectedly become operational outages.
This product is less visible than a router, fibre pair or data-centre rack, but it is no less real. An IPv4 address block used by an ISP or hosting company produces revenue only if enough counterparties accept the holder's control. Customers must believe the operator can continue service. Upstream networks must accept route announcements. Prospective buyers or lessees must believe that rights of use can be recognised, changed or returned. Banks, restructuring advisers and insolvency practitioners must be able to value the asset-like interest even if formal property law remains unsettled or deliberately avoided. The RIPE Database, RPKI, transfer review and reverse-DNS functions turn recognition into a practical economic input.
This creates a distinction often blurred in registry debates. The registry does not need to declare that IPv4 addresses are property for IPv4 scarcity to behave like capital. A machine tool may be leased, pledged, seized, repaired, insured and sold because institutions make its control transferable and its use reliable. The same logic applies to scarce IPv4 space, though through different legal instruments. The relevant capital is not a metaphysical ownership claim over numbers. It is the combination of usable routes, recognised registry records, transferability, clean provenance, service continuity and market confidence. Remove registry recognition and the productive value of the block can collapse even if the operator still knows the numbers and can technically announce them.
That is why court risk should be evaluated from the viewpoint of the holder's balance sheet rather than the registry's mission statement. A holder does not merely worry that RIPE NCC may act unlawfully. It worries that a dispute can produce a service suspension, a database lock, a delayed transfer, a revoked RPKI certificate, a reverse-DNS interruption, a sanctions-related refusal, or a legal notice that clouds the block's liquidity. Even if the holder later wins, the economic damage may already have occurred. Network customers can churn. A transaction can fail. Reputation can decline. Financing can become more expensive. A buyer can discount the block because recognition is no longer frictionless.
RIPE NCC's contract stack acknowledges some of this operational centrality, but it also allocates much of the downside away from the registry. The Standard Service Agreement states that the member is liable for its use of RIPE NCC services and Internet number resources, excludes RIPE NCC liability for broad categories of direct and indirect damages except in cases involving wilful misconduct or gross negligence, and caps liability at an amount equivalent to the member's service fee for the relevant financial year. This may be understandable for a not-for-profit association that cannot insure itself against the full value of every network business in its region. Yet the limitation means that economic reliance on the registry far exceeds ordinary contractual recovery. The gap is filled by institutional legitimacy, careful procedure and continuity design. If those weaken, the liability cap becomes a subsidy to discretionary action.
The Dutch venue matters because the ledger is global
RIPE NCC is a regional registry serving Europe, the Middle East and parts of Central Asia, but the legal centre of gravity sits in the Netherlands. The Standard Service Agreement defines RIPE NCC as a membership association under Dutch law, with a registered office in Amsterdam, and says agreements with members are exclusively governed by Dutch law. The same document directs disputes arising from the agreement to the RIPE NCC Conflict Arbitration Procedure. The closure and deregistration procedure says explicitly that RIPE NCC is an association under Dutch law and that, if a Dutch court orders deregistration of specific Internet number resources, RIPE NCC must comply.
This is not a criticism of Dutch law. Every institution needs a legal home. The point is that legal home is an economic design choice. A holder in Central Asia, a small ISP in the Middle East, a hosting company in Eastern Europe and an address broker with clients in several jurisdictions may all depend on records maintained by an Amsterdam-based association. If a dispute arises, the centre of recognised authority is not necessarily the country where the network's customers sit, nor the country where the company is incorporated, nor the country where routers announce the prefixes. The legal centre is the association and its contract.
That architecture produces advantages. A single venue avoids chaos. It helps define contractual duties. It gives courts a place to send orders. It allows the association to maintain a coherent membership register, charging scheme and service procedure. It reduces the risk of a pure race among national authorities, each asserting control over globally unique numbers from its own domestic perspective.
But the same architecture concentrates risk. A court order in one venue can have operational implications across a wide service region. A legal dispute about one holder can require the registry to lock records or refuse a transfer. A sanctions obligation shaped by European law can affect a resource used in another market. An insolvency filing by a member in one jurisdiction can interact with RIPE NCC closure rules, registry records and customer renumbering obligations elsewhere. A membership dispute may be a small civil matter on paper, but if it touches a scarce IPv4 block it can carry a large economic shadow.
The most important venue question is not whether the Netherlands is a good or bad jurisdiction. It is whether RIPE NCC's rules treat the registry record as critical infrastructure when Dutch legal duties are triggered. The answer is mixed. The procedural documents contain notice periods, warning statements, database locks and arbitration references in some circumstances. They also reserve compliance with Dutch authority orders without following normal timeframes. This is legally natural: a private association cannot ignore a competent court. Economically, however, it means the continuity system must have pre-built safeguards for orders that are narrow, broad, urgent, contested, provisional or directed at a member whose customers are not parties to the case.
A court-ready registry would make the default rule clear. Unless a competent order specifically requires operational interruption, the registry should preserve the last verified state, mark the dispute transparently, limit changes to the contested resource, maintain non-contested services, and separate legal compliance from policy preference. The burden should be on interruption, not continuity, because the social cost of interruption falls on customers, counterparties and networks that may have no role in the dispute.
IPv4 scarcity turns legal procedure into capital control
Before exhaustion, registry procedure was important but less capital-like. If an operator needed address space, the RIR system could allocate from remaining pools subject to need and policy. Scarcity existed before final exhaustion, but it did not yet dominate every marginal decision. After exhaustion, existing IPv4 space became the productive stock. RIPE NCC's run-out account records the institutional transition: remaining IPv4 addresses were exhausted in November 2019, and future allocations depend on recovered space and a waiting-list policy that can provide only a small block to eligible LIRs.
This changes the meaning of a registry decision. A delayed allocation in an abundant regime is a delay in receiving an input. A delayed transfer in a scarcity regime is a delay in moving capital from a lower-valued use to a higher-valued use. A deregistration notice is not only an administrative warning; it can become a forced destruction of marketable capacity. A database lock is not merely a technical control; it can freeze liquidity. A refusal to approve a transfer because of sanctions or insufficient documents may be legally required, but it also removes an asset-like resource from the ordinary capital market until the issue is resolved.
RIPE NCC's transfer policy makes this capital dimension visible without using capital-market language. It says legitimate holders may transfer complete or partial blocks of IPv4, IPv6 and AS numbers, subject to exclusions and restrictions. It says transfers must be reflected in the RIPE Database, can be permanent or non-permanent, and that the original holder remains responsible until the transfer is complete. It also imposes a 24-month transfer restriction on scarce resources such as IPv4 and 16-bit ASNs from the date the resource was received, including after a merger or acquisition. A transfer is therefore not simply an agreement between private parties. It is a market transaction whose completion requires registry record change.
Once registry recognition is necessary for completion, the registry controls liquidity. It may not set the market price. It may not negotiate the contract. It may not take a commission. Yet it can determine whether a buyer receives a recognised record, whether a seller can deliver cleanly, whether the block is burdened by a lock or warning, whether an address lease can be documented safely, and whether a corporate restructuring triggers a new holding period. These are capital-control functions in economic substance even if they are not capital controls in the macroeconomic sense of restricting cross-border money flows.
The same point applies to fees. The 2026 charging scheme's annual fee of EUR 1,800 per LIR account looks modest compared with the market value of even a small IPv4 allocation. That asymmetry matters. A small annual fee can sit atop a large capital value because the fee buys access to recognition and services. If a member is closed for non-payment, the amount at stake may be a few thousand euros, while the operational value affected may be many times larger. The closure procedure says non-payment can lead to termination after specified periods and requires outstanding amounts for the full year unless otherwise agreed. That is administratively rational. It is also economically severe where the consequence is loss or impairment of recognised control over scarce resources.
This does not mean fees should be optional. A registry cannot run without revenue, and free riding would undermine the association. The point is proportionality. When a payment default, documentation problem or audit non-response can affect capital-like resources, the institution needs a debt-collection posture different from an ordinary service subscription. It should distinguish inability to pay from refusal to comply, record defects from bad faith, contested resources from unrelated holdings, and temporary dispute from permanent removal. The post-exhaustion registry is not merely collecting dues; it is administering scarcity.
The contract stack is a continuity instrument
The Standard Service Agreement is often treated as background paperwork. In the economics of court and continuity risk it is the central instrument. It establishes membership, defines services by reference to the activity plan, incorporates policies, assigns fees by reference to the charging scheme, allows amendment by General Meeting resolution without re-signing, allocates liability and sets termination conditions. It is the bridge between a network operator's economic reliance and the association's legal authority.
Several features matter. First, the member obtains the right to use RIPE NCC services under the conditions of the agreement. This is a service-right framing rather than a property-right framing. It avoids treating Internet number resources as ordinary owned goods. But scarcity has made the service right much more valuable than ordinary service access. The holder's market position depends on the association continuing to recognise records and provide tools.
Second, the agreement can be amended by a General Meeting resolution under the Articles of Association. This is democratic in one sense and risky in another. Members can influence the contract that governs them. But a small operator with one vote faces high participation costs relative to larger organisations that can track agendas, attend meetings, prepare arguments and monitor legal text. Article 15 of the Articles places amendments to the Standard Service Agreement on the General Meeting agenda upon proposal by the Executive Board, and allows groups holding at least 2% of possible votes to add subjects to the agenda. That is a governance channel, but it is not a low-cost channel for fragmented small holders. Contract change is both a membership right and a coordination problem.
Third, the liability provisions create an explicit asymmetry between operational dependence and monetary remedy. The member can suffer business loss if records are disrupted, but the association's exposure is heavily limited. That may be necessary for institutional survival. It also means courts and internal review cannot be treated as after-the-fact compensation mechanisms. The system must prevent avoidable disruption rather than assume damages will correct it. Where damages are capped at a service fee, continuity becomes the real remedy.
Fourth, the agreement's termination clauses include bankruptcy, moratorium, liquidation, insolvency, failure to submit registration documentation, non-compliance with obligations and circumstances beyond RIPE NCC's control. The closure document gives procedural detail. Some grounds allow notice and cure. Some allow immediate effect. If documentation is missing, there are stated notice periods; if a member fails to observe applicable law, immediate termination can occur. In insolvency, the closure document says RIPE NCC will terminate after receiving documents or public notice of bankruptcy, liquidation, suspension of payments or insolvency, but will not terminate if the relevant national authority decides operations can continue and the member fulfils the agreement's obligations.
That insolvency language is important because it reveals the registry's institutional intuition: legal distress should not automatically destroy continuity where an authority allows operations to continue. The same logic should guide other forms of court risk. If a receiver, administrator, liquidator, court or restructuring practitioner is managing a resource holder, registry continuity may be essential to preserve value for creditors, customers and employees. Deregistration may reduce value before the legal process can decide who should control it. A registry that recognises this in insolvency should extend the same continuity bias to disputes that are economically similar even if they arise under different legal labels.
Closure and deregistration are operational events
RIPE NCC's closure and deregistration document is one of the most important public exhibits for continuity analysis. It does not merely describe account administration. It describes how a registry relationship can end and what happens to the records and services connected to Internet number resources.
The document lists grounds for termination and deregistration: closure requested by the member; refusal to sign updated agreements; failure to comply with audits; bankrupcty, liquidation or suspension of payments; failure to pay invoices; failure to provide required documentation; failure to comply with RIPE policies or the Standard Service Agreement; and orders from competent Dutch authorities. Depending on the ground, RIPE NCC may send notices, allow response periods, request missing information, lock records, add warning statements, deregister resources, revoke certificates generated by the RPKI service, and require the member to stop announcing address space and arrange customer renumbering.
These are not symbolic acts. A maintainer change affects who can update records. A warning statement affects market confidence. RPKI revocation affects the routing-security layer because relying parties may treat the absence or invalidity of authorisations as relevant to routing decisions. Deregistration affects recognised control. A requirement that the member stop announcing addresses and arrange customer renumbering can be commercially traumatic. In hosting, broadband, enterprise connectivity and cloud services, renumbering is not a trivial housekeeping task. It can involve customer contracts, equipment configurations, geolocation databases, access-control lists, abuse desks, DNS, reputation systems and compliance statements.
The closure document also contains an arbitration safety valve. If a member objects within the relevant period, RIPE NCC can allow time for evidence or arbitration. If arbitration is requested, RIPE NCC will lock the relevant records and add a warning statement until the arbiter's ruling. This design is more nuanced than immediate removal. It preserves the contested record from unilateral change while signalling dispute. Yet it also creates a capital-market question: what is the liquidity value of a locked resource with a warning? For a holder seeking financing, sale, lease renewal or merger approval, a lock can be almost as damaging as a final loss, depending on duration and counterparties' risk tolerance.
The economic test is therefore not whether the procedure has steps. It is whether the steps minimise unnecessary destruction of value. A continuity-first design would publish aggregate data on how often closure notices are sent, how many proceed to lock, how many lead to RPKI revocation, how many are resolved before deregistration, median duration, categories of cause, and how many affect independent resources sponsored by another LIR. It would separate resources under dispute from resources not under dispute. It would state clearly when reverse DNS is maintained, suspended or removed. It would define emergency preservation rules for customer-impacting prefixes. It would ensure warning statements communicate procedural status without prejudicing unresolved claims.
This is where the ledger-versus-gatekeeper distinction becomes practical. A ledger preserves accurate records and records disputes. A gatekeeper decides whether economic actors may continue to use capital. Registry closure inevitably contains some gatekeeping power because inaccurate or abandoned records cannot remain indefinitely. The institutional question is whether the gatekeeping power is narrow, reviewable and continuity-preserving, or broad enough to make the registry a de facto controller of business survival.
Court exposure does not require institutional failure
It would be wrong to imply that RIPE NCC faces the same continuity crisis that another registry has faced merely because the category of risk exists. RIPE NCC is older, larger, better resourced and supported by a dense European institutional environment. It publishes extensive procedures. Its membership meetings, audited financial reporting, board elections and service infrastructure are mature. Continuity risk analysis should not be confused with a prediction of collapse.
But it would also be wrong to treat maturity as immunity. Court exposure emerges from the function, not only from institutional weakness. A registry holds unique records. Scarce IPv4 blocks have large private value. Holders operate across borders. Members can become insolvent. Governments impose sanctions. Business mergers depend on documentation. Customers depend on delegated use. Transfers and leases create economic claims that may not be fully visible to the registry. RPKI and reverse DNS attach operational services to recognised records. These conditions create disputes even in competent institutions.
Analogies from receivership, insolvency and injunction law are useful precisely because they do not require an identical fact pattern. Receivership shows what happens when a court substitutes an outside controller for ordinary governance in order to preserve an institution or asset. Insolvency shows how asset value can be destroyed if operations cannot continue while claims are sorted. Injunctions show how provisional orders can reshape bargaining power before the merits are decided. These are not accusations against RIPE NCC. They are stress tests for any registry that sits between scarce capital and legal recognition.
Consider an injunction ordering RIPE NCC not to process a transfer while ownership or authority is disputed between two private parties. The registry may be legally bound to pause the update. The economic question is what else pauses: RPKI changes, reverse-DNS updates, sub-allocations, assignments to customers, future lease arrangements, merger approvals, or unrelated resources held by the same member. A broad freeze may be easier to administer, but it destroys more value. A narrow freeze may require more operational discipline but better protects non-parties.
Consider a member entering insolvency in its home jurisdiction. The closure document recognises that if the relevant national authority allows operations to continue and the member fulfils its obligations, RIPE NCC will not terminate the agreement. That approach protects value. But the same situation can become complex if creditors disagree over resource sale, if a buyer wants a transfer approved quickly, if customers rely on leased space, or if a national administrator does not understand the registry system. RIPE NCC then becomes the institution that translates local insolvency decisions into global registry recognition. Its neutrality must be more than a slogan; it must be a defined method for preserving records while avoiding unauthorised disposal.
Consider a court order for deregistration. RIPE NCC's procedure says it must comply with Dutch court orders. If the order is specific, compliance is straightforward. If it is provisional, broad or based on incomplete information, operational consequences can be severe. A registry cannot second-guess a competent court in the way a commentator can. But it can structure its submissions, notices and implementation steps to help courts understand the economic externalities of record changes. A court-ready registry should be able to explain, in neutral terms, the difference between locking a record, marking a dispute, revoking RPKI, changing reverse DNS, approving transfer and deregistering resources. Courts should not have to learn those distinctions during an emergency hearing from whichever party has better counsel.
Sanctions compliance is necessary, but it is also a control surface
RIPE NCC sits inside European legal space and cannot ignore sanctions. Its merger and acquisition guidance says that, when evaluating a request, it will check against the EU sanctions list and that, if either party is found to be under sanctions, the transfer request will not be approved. The Trust Portal includes legal and compliance as one of its high-level themes. The Standard Service Agreement includes termination paths connected to applicable law. These facts show that legal compliance is not an external matter; it is inside ordinary registry operation.
Sanctions are often discussed as a binary: comply or do not comply. An institution under European law must comply. The economic question is how compliance is scoped, documented and insulated from broader discretion. A sanctions refusal can prevent a transfer, freeze a restructuring, delay a merger, interrupt payment, or block a resource holder in a high-risk jurisdiction from normal administrative changes. For a small operator, even an investigation delay can be a liquidity shock. For a buyer, sanctions uncertainty creates a discount. For a lessee, uncertainty about whether the lessor can maintain registry services can affect lease value.
The danger is not that RIPE NCC performs sanctions checks. The danger is that sanctions checks become an opaque all-purpose risk screen. If a transfer is refused because a party is listed, the reason is clear in principle, even if legal details limit disclosure. If a transfer is delayed because of name similarity, ownership uncertainty, bank-payment issues, beneficial-owner questions or geopolitical caution, the affected parties need a process that distinguishes legal obligation from institutional preference. Otherwise compliance becomes capital control without adequate accountability.
This matters especially in the RIPE NCC service region, which includes jurisdictions with varied political relationships to the European Union and different levels of banking access. A registry that is formally neutral can still produce unequal economic outcomes if compliance frictions fall disproportionately on operators in sanctioned, adjacent or politically exposed markets. Large operators can hire counsel, restructure entities, obtain legal opinions, maintain multiple LIR accounts or use intermediaries. Small operators often cannot. Their dependence on the official registry path is stronger precisely because they lack substitutes.
The policy answer is not to weaken sanctions compliance. It is to make it auditable without revealing sensitive details. RIPE NCC could publish aggregate counts of sanctions-related transfer refusals, delayed cases, average review time, categories of issue, reconsideration rates and the distinction between listed-party refusals and enhanced-review delays. It could state continuity presumptions for existing services where law does not require suspension. It could preserve non-contested database, reverse-DNS and RPKI services while a transfer is reviewed, unless a competent authority requires otherwise. It could make clear how payments are handled when banks reject transactions but the member remains legally entitled to service.
This is the institutional difference between compliance and gatekeeping. Compliance follows law and implements legal restrictions narrowly. Gatekeeping uses legal risk as a reason to expand discretion over market access. In the IPv4 economy, the difference is expensive.
Transfers, leases and the price of friction
RIPE NCC's transfer policy explicitly recognises permanent and non-permanent transfers. That phrase matters because it points toward the real market structure. Scarce IPv4 space moves not only through permanent sale but also through leasing, temporary transfer, sub-allocation, customer assignment, corporate restructuring and operational delegation. Much of the economic life of IPv4 occurs in arrangements that sit between pure ownership and pure internal network use.
Leasing exists because scarcity and price create a capital-rental market. An address holder may have more IPv4 space than it currently needs. Another operator may need addresses but not want or be able to buy a block. A lease can allocate use while leaving long-term control with the holder. Economically, this improves utilisation. Institutionally, it creates continuity risk because the registry record, RPKI authorisations, reverse-DNS delegations and abuse contacts must remain coherent during the lease and return cleanly at the end.
The transfer policy says the original holder remains responsible until a transfer is complete, and for temporary transfers the original holder re-assumes responsibility when the resource is returned. That responsibility principle is sensible, but it leaves practical questions. Who controls ROAs during a lease? How are reverse-DNS changes authenticated? What happens if the lessee goes bankrupt, abuses the space or refuses to stop announcing it? What if the lessor is sanctioned, enters insolvency or loses registry access for non-payment? What if a court orders the lessor's records locked while customers of the lessee are actively using the addresses? The legal relationship between lessor and lessee may not be visible to the registry, but the operational consequences may be visible to the Internet.
Friction has two faces here. Some friction is protective. It prevents hijacking, fraudulent transfers, policy evasion and dirty provenance. A registry that updates records too easily would undermine trust. Other friction is extractive or destructive. It delays legitimate transactions, raises legal costs, reduces liquidity, forces operators into informal arrangements and increases the premium for those with inside knowledge of procedure. The scarce IPv4 market needs enough registry friction to protect the ledger and little enough to let capital move to productive use.
Court risk changes the optimal level of friction. In a low-dispute environment, strict documents and deliberate review may be tolerable. In a litigation or sanctions-sensitive environment, every additional ambiguity becomes a bargaining chip. A party seeking to block a transfer can exploit procedural uncertainty. A party seeking leverage in a lease dispute can threaten a registry complaint. A creditor can overstate control. A buyer can demand a discount for risk that the registry will not process the update quickly. The result is not merely slower administration; it is a higher cost of capital for IPv4-dependent networks.
RIPE NCC's role should be to reduce uncertainty by making the narrow registry effect of private arrangements clearer. The registry does not need to adjudicate every lease contract. But it should define what it recognises, what it does not recognise, what changes require holder authentication, how temporary transfers return, how locks affect associated services, and how non-party customers are protected where feasible. A ledger can remain neutral only if market participants know what the ledger will do when private law becomes messy.
RPKI turns legal continuity into routing policy
RPKI changes the consequences of registry disruption. RIPE NCC's RPKI page states that the system allows LIRs to request digital certificates listing the Internet number resources they hold, and that RPKI offers verifiable proof that resources have been registered by an RIR. It also connects RPKI to BGP origin validation and Route Origin Authorisations. This makes registry recognition machine-readable. Networks around the world can configure routing policy based on signed attestations derived from the registry hierarchy.
That is the point of RPKI: to reduce route hijacking risk and improve routing decisions. But a security mechanism that relies on registry certification also imports registry legal risk into routing. If a certificate is revoked because a member is being deregistered, the effect can propagate through validators and network policy. If records are locked during arbitration but existing ROAs remain valid, continuity is preserved. If ROAs cannot be updated during a business transition, legitimate routing changes may become difficult. If a court order requires deregistration but does not understand RPKI consequences, a legal decision can become a routing-security event.
The closure procedure makes this explicit. During deregistration periods for allocations and independent resources, RIPE NCC can revoke any certificates generated by the RIPE NCC Certification Service. For legacy resources, termination for non-compliance can also lead to revocation of certificates. These revocation steps may be necessary if the registry no longer recognises the holder. But they should be treated as high-impact operational actions, not mere follow-through. In a world where more networks reject RPKI-invalid routes, certificate changes can affect reachability.
The economics are subtle. RPKI increases the value of accurate registry records by making them more useful. It also increases the cost of mistaken, premature or overly broad registry actions. A paper record error might have mattered mainly to due diligence and correspondence. A certificate or ROA error can affect routing policy. This is the classic institutional problem of automation: when a human rule becomes machine-enforced, the quality of governance upstream becomes more important, not less.
This creates a continuity principle for RPKI. Where a dispute concerns control but not obvious hijack or abandonment, the default should be preservation of last valid authorisations until a clear decision requires change, with appropriate warnings and limits on new authorisations if necessary. Where security risk requires urgent action, the action should be documented as security action, not smuggled in as administrative convenience. Where a court order touches resources, RIPE NCC should be prepared to explain the difference between revoking existing certificates, refusing new ROAs, freezing changes and marking records as disputed.
The 2025 policy implementation record for delegated RPKI CA revocation, later reflected in updated certification terms, shows that RPKI governance is still evolving. Delegated CA models can increase holder autonomy, but they also create continuity questions: when can a delegated CA be revoked, what notice is required, how does non-functionality get assessed, and how do relying parties distinguish operational failure from legal dispute? As RPKI adoption grows, these questions move from technical footnotes to capital-risk variables.
Reverse DNS and database authority are part of the same control stack
Reverse DNS is often treated as less strategic than RPKI. That underrates its continuity role. RIPE NCC's reverse delegation page says it registers only reverse delegations, not forward domains; that reverse delegation uses in-addr.arpa and ip6.arpa; and that the RIPE Database is used as the management database for producing DNS zones. Domain objects in the RIPE Database define officially delegated nameservers through nserver attributes. RIPEstat data may lag by up to 24 hours.
This means reverse DNS is another operational service whose reliability depends on registry database authority. Reverse DNS affects mail reputation, logging, abuse response, enterprise allowlists, some customer compliance checks and operational diagnostics. It is not usually the main determinant of reachability, but disruption can create real business costs. In address leasing, reverse DNS often matters to the lessee's customers. In hosting, reverse records may be tied to service quality. In security response, stale or wrong records can complicate attribution and remediation.
Court and continuity risk enter because reverse DNS can be disrupted by the same events that disrupt database control: closure, maintainer changes, record locks, loss of portal access, disputed authority and court-ordered deregistration. A holder may retain the technical ability to announce a prefix while losing the ability to update reverse-DNS domain objects. A lessee may be contractually entitled to reverse-DNS changes but dependent on a lessor whose registry access is impaired. A court may order a record freeze without intending to prevent routine reverse-DNS maintenance for active customers.
The continuity challenge is to distinguish protective locks from business interruption. If records are locked to prevent unauthorised transfer, some limited operational updates may still be safe under controlled procedure. If a member is being deregistered, customer renumbering may need time, and reverse-DNS continuity during that period may reduce collateral damage. If a court order is narrow, implementation should not accidentally suppress unrelated DNS functions.
The ledger-versus-gatekeeper distinction is again useful. A ledger should show who is responsible for reverse delegations, preserve historical state, allow authenticated routine maintenance where it does not change contested control, and mark disputes. A gatekeeper uses dispute status to halt broad categories of service because that is simpler. Simplicity is attractive to institutions but costly to markets. In the IPv4 economy, small operational services are part of the productive capital bundle. A block with unstable reverse DNS, uncertain ROA control and locked database records is worth less than a clean block, even if no one has changed the numbers themselves.
Membership governance is not holder protection
RIPE NCC's governance is built around membership. Members attend General Meetings, vote on resolutions, elect the Executive Board and approve charging schemes. The Articles give each non-suspended member one vote and cap proxy voting at 1% of possible votes. Members holding at least 2% of possible votes can add agenda subjects if they meet timing and text requirements. Members holding at least 10% can require a General Meeting to be convened. These are real accountability channels.
But membership accountability and resource-holder protection are not identical. First, not every economically affected party is a member. End users with independent resources may depend on sponsoring LIRs. Lessees may depend on holders. Customers may depend on ISPs. Creditors may depend on resource value during insolvency. Second, members are heterogeneous. A small access provider, a national telecom operator, a cloud platform, a broker, an enterprise legacy holder and a hosting company do not face the same costs or incentives. Third, voting rights do not automatically translate into procedural influence. Reading draft contract amendments, understanding sanctions implications, monitoring RPKI certification terms and coordinating a 2% agenda request require time and expertise.
This matters because court and continuity risk often harms the less organised party first. A large operator can survive a delayed transfer, hire Dutch counsel, obtain external legal opinions, maintain redundant address holdings and attend meetings. A small operator may have a small engineering team, limited legal budget, high customer dependence on a few prefixes and little practical ability to influence agenda design. Annual fees that appear modest at the association level can still be meaningful when combined with legal, compliance and transaction costs.
Membership governance also has a structural conflict. The association must protect the collective ledger from inaccurate records, fraud and abandonment. It must also protect individual holders from excessive discretion. The majority may prefer strict enforcement because it preserves registry integrity and keeps fees stable. A minority facing closure or sanctions review may prefer flexibility. Both positions can be rational. The institution's legitimacy depends on procedures that prevent the majority's administrative convenience from becoming uncompensated capital destruction for the minority.
The General Meeting can approve the charging scheme and discuss service quality, but court-risk resilience requires more granular accountability. Members should know not only the fee level but also how enforcement affects continuity. How many members were suspended for non-payment? How many resources were locked due to arbitration? How many court orders were received? How many transfers were refused for sanctions? How often did RPKI revocation occur as part of deregistration? How many independent resource holders were affected by sponsoring-LIR failures? Without those metrics, members cannot price the risk they are being asked to bear.
The board's role is similarly important. A board is not expected to adjudicate every operational dispute. It is expected to ensure that management has procedures, controls and reporting that preserve legitimacy. In a post-exhaustion economy, legitimacy is not only whether meetings are held and accounts are audited. It is whether scarce resource holders believe that the registry can be trusted not to convert legal complexity into avoidable market harm.
Insolvency analogies and the preservation of value
Insolvency law offers one of the clearest analogies for registry continuity. When a company enters insolvency, the law often tries to preserve going-concern value while claims are sorted. A factory is not always shut the day a creditor files. A telecom network is not always switched off the day a restructuring begins. Administrators may continue operations to protect customers and maximise creditor recovery. The same logic applies to IPv4 resources recognised by a registry.
The RIPE closure document partly recognises this. It says that if RIPE NCC receives evidence of bankruptcy, liquidation, suspension of payments or insolvency, it will terminate the Standard Service Agreement; but if the relevant national authority decides that the member's operations can continue, and the member fulfils the agreement's obligations, RIPE NCC will not terminate. This is a pragmatic bridge between registry rules and local legal process. It says, in effect, that formal distress is not always the end of operational legitimacy.
That principle should be extended into a broader preservation standard. If a member is in court but still operating, preserve records unless the court orders otherwise. If a receiver or administrator controls the company, define what documentation proves authority to manage registry records. If creditors dispute resource sale, lock transfer while permitting necessary service maintenance. If a buyer is acquiring the business through a court-supervised process, define how transfer review and sanctions screening can proceed without unnecessary delay. If customers must renumber, provide realistic time and clear status messaging.
The value-preservation problem is especially acute for IPv4 because addresses are not easily replaced. A data-centre tenant can move racks, though painfully. A fibre customer can migrate providers, though slowly. A network that loses a recognised IPv4 block may have no equivalent input available at any reasonable price. The waiting list cannot replace large holdings. CGNAT can mitigate but not eliminate the cost. IPv6 deployment is necessary in the long run but does not solve immediate compatibility, customer and market requirements. An insolvency or injunction that disrupts registry recognition can destroy value rather than merely redistribute it.
There is also a creditor-protection angle. If IPv4 resources support enterprise value, then broad deregistration during insolvency can reduce recoveries for creditors and employees. Courts may not always appreciate this unless the registry explains it. A registry should avoid becoming an advocate for one creditor or shareholder. It should be an expert institution explaining how different registry actions affect value. Locking transfer may preserve the asset-like interest. Revoking RPKI may impair operations. Deregistering may destroy value. Continuing last verified records may keep customers connected while legal claims are resolved. These distinctions are economic facts that courts need.
This is not a call for registry exceptionalism above law. It is the opposite: a call for registry literacy inside legal process. A court-ready registry should make it easier for ordinary courts to issue precise orders, for administrators to prove authority, for holders to preserve value, and for customers to avoid collateral damage.
Injunctions and provisional power
Injunction risk is different from final judgment risk. A final judgment may reflect a developed record and legal findings. An interim injunction often reflects urgency, potential harm and a provisional view. In capital markets, provisional orders can decide outcomes by freezing a transaction long enough for financing to fail or a buyer to walk away. In the registry market, provisional orders can decide outcomes by blocking a transfer, locking a record, preventing RPKI updates or creating uncertainty that counterparties cannot tolerate.
RIPE NCC's public procedure anticipates some interim-like states: warnings, locks, evidence periods and arbitration. But court orders can bypass normal timeframes if a Dutch authority orders deregistration. This is legally unavoidable in some circumstances. The institutional design question is whether RIPE NCC has a well-developed menu of narrower implementation options to present to courts before the broadest operational action is taken.
If the dispute is about whether a seller had authority to transfer a block, the least destructive order may be to prohibit transfer completion while preserving existing database, RPKI and reverse-DNS services. If the dispute is about unauthorised record changes, a lock on maintainer attributes may be sufficient. If the dispute is about hijacking or fraudulent control, more urgent certificate and record action may be needed. If the dispute is about payment or contractual default, operational suspension may be disproportionate relative to the amount unless there is persistent non-compliance. The court's choice depends on the registry's ability to explain the operational ladder.
This ladder should be public enough for market participants to price. A buyer should know what happens if a transfer is challenged. A lender should know whether a pledge-like commercial arrangement has any registry effect. A lessee should know whether reverse DNS can continue if the lessor is in dispute. A member should know whether arbitration protects existing ROAs. Without predictable intermediate states, parties assume the worst and price it in.
The key economic danger of injunctions is bargaining distortion. A party that can create uncertainty over a scarce block can extract concessions unrelated to the merits. If registry procedures are opaque, the threat is stronger. If the registry's response is predictable and narrow, the threat is weaker. Continuity design is therefore not only defensive; it improves the fairness of private bargaining by reducing the value of procedural ambush.
Fees and reserves are continuity infrastructure
Court and continuity risk also has a financial side. RIPE NCC's Activity Plan and Budget 2026 sets out a substantial operating institution with registry, information-services, community, security, compliance, software and governance responsibilities. The charging scheme translates those responsibilities into fees. In ordinary association politics, fees are about fairness among members. In continuity economics, fees and reserves are also insurance against legal and operational shocks.
A registry that lacks reserves may be forced into bad choices during litigation or sudden revenue stress. It may underinvest in legal defence, settlement capacity, security controls, audit staff or dispute review. It may increase fees sharply, squeezing small operators. It may delay service improvements. It may become more conservative in transfer review because staff cannot absorb the cost of complex cases. Conversely, a registry with healthy reserves can preserve continuity during shocks, but only if members trust that reserves are tied to defined risks rather than institutional accumulation for its own sake.
The fixed-fee structure raises a distribution issue. A small LIR and a larger holder may pay the same base annual contribution per LIR account, while the market value of their IPv4 holdings and ability to absorb legal friction differ greatly. Separate charges for independent assignments and ASNs add some granularity, but the central model remains association funding rather than capital-risk pricing. Members therefore need to see how much legal and compliance work is driven by sanctions, court orders, arbitration, transfer disputes, audits and closures; whether complex cases affect ordinary service; and whether reserves are sized for cyber incidents, litigation, business continuity, RPKI resilience, database recovery or revenue shocks.
The economic legitimacy of fees depends on the service being bought. If members are buying only routine administration, high reserves and compliance budgets may look excessive. If members are buying continuity of a scarce capital ledger in a legally fragmented service region, then robust funding is more defensible. The association should make the second case with evidence rather than rely on trust. The post-exhaustion registry is a continuity utility. Utilities need resilience budgets, and users need to know what resilience they are paying for.
Small operators bear the steepest continuity premium
Court risk is regressive. It falls hardest on those who cannot manage it. A large cloud platform can diversify addresses, legal entities, jurisdictions and counsel. A national carrier can sustain a long dispute without losing core customers. A small ISP, hosting provider, regional enterprise network or specialised service provider may depend on a narrow set of IPv4 resources and a small technical team. For them, uncertainty over registry recognition is not an abstract governance issue; it is a survival issue.
Small operators face several distinct costs. They must track policies, fee changes, meeting agendas, sanctions notices, RPKI terms and transfer procedures. They must maintain company registration documents, authority records, contact data and agreements with sponsoring LIRs or customers. They must respond to audits, complaints, transfer challenges or legal notices quickly enough to avoid default consequences. They may need to buy or lease IPv4 space at high prices because the waiting list cannot meet growth needs. Management time spent on registry compliance is time not spent on customers or network upgrades.
The post-exhaustion environment multiplies these costs. When IPv4 was more available, a small operator could treat registry procedure as periodic administration. Now every IPv4 decision interacts with market price. A delay in obtaining addresses can block customer growth. A transfer restriction can affect financing. A failed lease can interrupt service. A sanctions review can make counterparties nervous. A closure notice can force expensive emergency counsel. The registry becomes a fixed overhead attached to productive capital.
This is why a member-voting model is not enough. One member, one vote is politically egalitarian, but legal and procedural capacity is not equally distributed. If the cost of participating effectively is high, formal equality produces unequal practical influence. The remedy is not to give small operators special control over the registry. It is to reduce the need for bespoke participation by making ordinary continuity protections automatic. Clear notices, predictable intermediate states, plain-language legal effect summaries, independent review, aggregate reporting and narrow implementation of disputes all help small operators more than large ones because large ones can buy substitutes.
Small-operator dependency also argues against excessive moralising about market use. Leasing and transfers may be the only realistic way for small networks to obtain IPv4 capacity. If the official path is slow or legally fragile, activity moves into less transparent forms. A continuity-oriented registry should prefer visible, recordable, policy-compliant transactions and treat liquidity as a legitimate operational need.
The ledger should not become a discretionary gatekeeper
The central institutional question is whether RIPE NCC is best understood as a ledger or a gatekeeper. It is plainly both in some respects. It keeps records, but it also enforces rules. It registers resources, but it also approves transfers. It provides services, but it can suspend them. It follows community policy, but it also applies contractual, legal and compliance judgments. The economic risk lies in allowing the gatekeeper function to expand faster than the ledger discipline.
A ledger institution has several characteristics. It records the last verified state. It authenticates changes. It preserves history. It marks disputes without deciding more than necessary. It applies court orders precisely. It separates contested and uncontested assets. It protects non-parties where possible. It publishes enough aggregate data for users to understand risk. It treats interruptions as exceptional because the ledger's value comes from reliability.
A gatekeeper institution has different incentives. It may prefer broad discretion to reduce institutional risk. It may suspend first and sort later because that is safer for staff. It may use vague compliance concerns to avoid hard explanations. It may over-apply sanctions caution to cases that are legally uncertain. It may treat a member's procedural default as a reason to impair unrelated resources. It may rely on liability limits rather than prevent harm. It may describe every decision as neutral implementation, even when market effects are significant.
RIPE NCC has strong reasons to resist becoming a broad gatekeeper. Its legitimacy depends on being trusted by members across a politically diverse service region. It is not elected by Internet users at large. It is not a court. It is not a prudential regulator. Its strongest claim is operational competence and neutral registry stewardship. The more it controls market access through opaque compliance or discretionary continuity decisions, the more it invites legal challenge and political suspicion.
The ledger model does not mean passive recordkeeping. Fraud, hijacking, false documents, sanctions violations, abandoned resources and court orders require action. But action should be framed as protecting the ledger rather than controlling the market. That distinction changes procedure. Protecting the ledger asks: what is the least disruptive action needed to preserve accuracy and comply with law? Controlling the market asks: should this party be allowed to transact? The first is the natural role of an RIR. The second is a dangerous expansion unless law or explicit policy requires it.
What a court-ready registry would publish
The practical test of continuity legitimacy is not how reassuring the institution sounds in normal times. It is what can be known before a shock. A court-ready RIPE NCC would publish enough information to let members, resource holders, courts, creditors and counterparties understand the operational consequences of legal events. This does not require exposing private case details or sensitive security information. It requires publishing the categories, thresholds and aggregate outcomes that shape economic expectations.
Court-order reporting should show how many court orders, injunctions or competent-authority demands affected registry records in a given period; how many required deregistration, record lock, transfer pause, disclosure of information or other action; how often RIPE NCC sought clarification or narrow implementation; and whether operational services were preserved where the order allowed. This would show whether court risk is theoretical or active.
Sanctions and compliance reporting should distinguish listed-party refusals from enhanced-review uncertainty. Members and market participants should know how many transfer or merger requests were refused because a party was listed under EU sanctions, how many were delayed for further review, how long review took, and how many cases were later cleared. Such reporting would not name private parties, but it would show the cost of compliance friction.
Closure and deregistration reporting should show how many closure notices were issued for non-payment, documentation failure, audit non-response, insolvency, applicable-law issues and other grounds; how many resulted in suspension, database locks, warning statements, RPKI revocation and final deregistration; how often members cured; and how long each stage took. Without these data, members cannot assess whether closure powers are exceptional or routine.
RPKI continuity reporting should show how often certificates were revoked for administrative, security, non-functionality, transfer, closure or court-related reasons; how often delegated CAs were revoked or suspended; what notice periods applied; and how RIPE NCC protected existing routing authorisations during disputes. RPKI is too important to be reported only as adoption and uptime.
Transfer-friction reporting should show how many permanent and non-permanent transfers completed, median processing times, causes of delay or failure, sanctions or restriction-period effects, merger-and-acquisition cases and locks during contested transfer review. Liquidity cannot be evaluated without friction data.
Small-operator impact should be measured directly. Members should know how many independent resource holders were affected by sponsoring-LIR closure or contractual relationship changes, how often end users received direct notice, how often customer-renumbering periods were used, and how much compliance burden falls on small members. That would convert anecdotal dependency into measurable institutional risk.
Such reporting would not weaken RIPE NCC. It would reduce surprise, show members what their fees fund, let markets price risk with facts and reduce the incentive to use litigation threats as bargaining tools.
Analysis and watchpoints
The economics of court and continuity risk at RIPE NCC should be watched through operational signals rather than institutional slogans. The relevant question is not whether RIPE NCC is stable today. It is whether the legal and governance design preserves the productive value of scarce resources when stress appears.
The first signal is court-order implementation. A continuity-minded registry will distinguish record lock, transfer pause, RPKI action, reverse-DNS action and deregistration. It will not turn a narrow order into broad operational interruption unless the order requires it. If future cases show broad implementation of narrow orders, the ledger will have drifted toward gatekeeping.
The second signal is closure practice. Non-payment, documentation failure, audit non-response and legal distress should produce proportionate cure periods and preservation of uncontested services, especially where small operators or independent resource holders are affected. If closure becomes a routine debt-collection or compliance weapon rather than a last-resort integrity measure, continuity risk will rise.
The third signal is insolvency handling. RIPE NCC's own procedure recognises that court-supervised continuation can preserve membership and services where obligations are met. That principle should be visible in restructuring, receivership and administration situations. A registry that destroys value before courts allocate it is not protecting neutrality; it is changing the economic outcome.
The fourth signal is sanctions friction. Refusals and delays should remain tied to identifiable legal obligations. Aggregate data should distinguish listed-party refusals from enhanced-review uncertainty. If compliance becomes too opaque to price, market actors will treat it as political discretion even when the underlying legal duty is real.
The fifth signal is transfer and leasing continuity. Permanent and non-permanent transfers should remain predictable despite 24-month restrictions, sanctions checks and merger documentation. Leasing should be treated as a normal scarcity response whose operational facts need clarity, not as a suspect workaround by default. Rising delay without transparent category would be a capital-control signal.
The sixth signal is RPKI and reverse-DNS handling. Certificate revocation should be used only when necessary to protect accuracy or comply with law, and last valid authorisations should be preserved during ordinary disputes where security does not require immediate action. Database locks and closure steps should not unnecessarily prevent routine reverse-DNS continuity for active networks and customers.
The seventh signal is governance reporting. General Meetings should receive enough data on court orders, arbitration, sanctions, closures, transfer failures, RPKI actions and small-operator impact to evaluate continuity risk, not merely budgets and election results. A member association cannot discipline risks it cannot see.
The durable risk is not a single lawsuit. It is the gradual conversion of a registry ledger into an institution that can freeze liquidity, impair routing security, interrupt reverse DNS and determine the practical value of scarce IPv4 capital through opaque legal and administrative discretion. RIPE NCC's strongest continuity position is to make the opposite commitment visible: preserve the last verified state unless law clearly requires otherwise; mark disputes rather than destroy value; keep uncontested services running; publish aggregate friction; and treat court exposure as an operational design problem before it becomes a court-driven emergency.

