RIPE NCC is not a failed institution. That has to be the opening sentence, because the language of governance failure can otherwise become careless. The registry in Amsterdam remains operational, staffed, visible and comparatively transparent by the standards of internet governance. It serves a large and diverse membership across Europe, the Middle East and parts of Central Asia. Its records are used every day. Its routing-security services, reverse DNS, database, portal and transfer machinery remain part of ordinary network operations for thousands of organisations. Members still vote. Budgets are still presented. Meetings still happen. Policy work continues.

That is precisely why RIPE NCC is worth examining. The hard question is not what a regional internet registry should do after it has already fallen into open corporate crisis. The harder question is how a mature registry prevents the earlier and less theatrical forms of institutional failure: fiscal insulation, weak member control, procedural capture, legal shock, geopolitical compliance pressure, policy-market mismatch, scope creep and the gradual loss of belief that the institution is narrow, neutral and constrained.

A registry can fail economically before it fails administratively. It can keep answering tickets while members begin to price it as a risk. It can publish accounts while small operators suspect that the fee machine has drifted away from the ledger. It can run elections while the people most exposed to registry discretion doubt that voting is a strong enough check. It can operate RPKI, reverse DNS and transfer systems while resource holders quietly add a risk premium to every dependency. The institution still functions; the confidence around it becomes more expensive.

The distinction matters because a regional internet registry is not a normal membership club. RIPE NCC is a Dutch not-for-profit association, but the recognition layer it operates sits above scarce number resources, routing-adjacent trust, transfer markets, sanctions exposure, legal continuity and operational identity. Members do not merely buy a subscription to meetings and services. They pay into a monopoly-like recognition system for resources on which networks, customers, counterparties and balance sheets may depend. That does not make RIPE NCC a state. It makes its institutional design more important than the relaxed language of "community" sometimes admits.

The economic mechanism is simple. Before IPv4 exhaustion, registry governance was mainly about allocation, conservation and the orderly growth of the internet. After exhaustion, the free pool is no longer the main source of institutional power. The continuing power is recognition: who appears in the database, who can update records, who can transfer resources, who can publish routing-security assertions, who can maintain reverse DNS, who is treated as an authorised member, whose payment can be accepted, whose legal status is clean, and whose records remain dependable when politics, courts or banks intrude. Recognition is not ownership, but it is economically significant. A block whose registration is uncertain, transfer path unclear, RPKI status fragile or sanctions treatment opaque is worth less than an otherwise identical block whose administrative path is boring.

In that world, governance failure is not only scandal. It is the loss of credible constraint. It is the point at which resource holders believe the registry can expand scope without adequate consent, spend compulsory dues without sufficient cost discipline, apply policy through insiders rather than affected principals, absorb legal costs through the membership rather than through better risk allocation, or turn a technical service into bargaining leverage. Recovery, by the same logic, is not the performance of normality. It is the restoration of credible constraints: on budget, discretion, policy scope, board authority, legal exposure, operational intervention and the institution's own temptation to become larger than the ledger.

The AFRINIC crisis is the obvious warning exhibit, but it should not be pasted mechanically onto RIPE NCC. AFRINIC's path has involved allegations about historical address records, litigation, board and election disputes, receivership, court involvement, voting controversies and intense argument over resource control. It shows that registry legitimacy can fracture. It does not show that every RIR is on the same road, and it does not show that RIPE NCC is already in collapse. The more useful lesson is structural: once a registry's authority rests on belief in a recognised ledger, that belief must be continually earned. When belief weakens, the damage appears as legal cost, transfer friction, political intervention, liquidity discounts and members seeking protection outside the official process.

RIPE NCC should therefore be read as an institutional stress test. Its problem is not visible collapse. Its problem is whether a large, mature, fee-funded and policy-heavy registry can keep enough trust among heterogeneous members to absorb shocks without becoming a fiscal state, a procedural oligarchy or a compliance chokepoint. The answer depends less on official reassurance than on institutional economics: who pays, who decides, who bears risk, who can exit, who can review discretion, who benefits from spending, who suffers delay, who pays the legal bill, and how much uncertainty the registry adds or removes from scarce resource markets.

The registry is a ledger before it is a club

RIPE NCC combines two different functions. One is the ledger function: maintaining accurate registration data for internet number resources, together with associated database, reverse-DNS and routing-security services. The other is the club function: meetings, training, outreach, community support, government engagement, measurement platforms, policy support and the social machinery of the RIPE community. Both can be useful. The trouble begins when the compulsory ledger relationship is used to finance and legitimate the whole club without a clear theory of cost, consent and scope.

The official figures are useful exhibits, not the argument itself. The 2026 Charging Scheme sets an annual contribution of EUR 1,800 per Local Internet Registry account, with additional charges of EUR 75 for each independent internet number resource assignment and EUR 50 for each ASN assignment, plus a EUR 1,000 sign-up fee. The 2026 Activity Plan and Budget expects income of about EUR 41.140 million and costs of about EUR 41.125 million, and budgets for 202.1 full-time-equivalent staff. The 2025 Financial Report records a Clearing House reserve of roughly EUR 33.6 million at year end and reports a capital expense ratio of 86%. It also records a large member base: active LIR accounts fell from 20,991 at the start of 2025 to 20,647 at year end; membership fell from 19,993 to 19,863; 874 LIR accounts opened and 1,218 closed.

Those numbers do not prove abuse. A critical registry should not be run as a hobby. It needs secure systems, skilled staff, legal capacity, member support, sanctions compliance, audit controls, reliable publication services, incident response and reserve discipline. A service region stretching from Western Europe through the Middle East into parts of Central Asia creates real complexity. A Dutch association serving members in sanctioned, conflict-affected or financially constrained jurisdictions cannot operate without lawyers, finance staff, risk controls and careful payment processes.

But the numbers do prove scale. RIPE NCC is not merely an address book in a cupboard. It is a EUR 40 million-plus annual institution, funded overwhelmingly by members who often have no meaningful substitute for the recognised registration relationship. The narrow registry activity is only part of the total institutional bundle. The same budget also covers RPKI, the LIR Portal, the RIPE Database, DNS and K-root, RIPE Atlas, RIPEstat, RIS, IT support, external engagement, community building, training, coordination, organisational sustainability, legal, finance, facilities, information security and the managing director's office. A member invoice pays for a whole ecosystem.

That creates the central fiscal question. Is the fee a charge for maintaining the ledger, a due for membership in a technical association, a contribution to regional internet development, a payment for security and data services, a reserve premium against future shocks, or a value-related levy on scarce resource recognition? The current model contains pieces of all these theories. The ambiguity is tolerable when costs are low and trust is high. It becomes dangerous when fees rise, small operators feel squeezed, reserves become politically salient, and members suspect that optional or elite-valued services are being bundled into an unavoidable relationship.

Lu Heng's public cost notes press this point in stark form. They argue that the essential registry function is narrow - registration records and RPKI - and that the broader RIR cost base has expanded through meetings, training, travel, outreach, measurement services and institutional self-maintenance. That argument comes from a market participant with his own interests and should not be treated as neutral doctrine. It is still economically useful because it asks the right question: when access to a recognised ledger is effectively compulsory, what should that compulsory charge be allowed to finance?

The answer need not be radical minimalism. RIPE Atlas, RIPEstat, training and regional engagement may create real public goods. Neutral measurement platforms can reduce dependence on private sponsors. Training can improve operational quality. Policy support can make the registry more legitimate. Government engagement can protect members from poorly designed regulation. Yet those benefits do not abolish the cross-subsidy problem. A small regional ISP that needs accurate records, RPKI and reverse DNS may not value international meetings or broad public-policy engagement in the same way as a large operator, regulator, researcher or governance insider. If everyone must pay, the burden of proof falls on the institution.

Failure in this setting would not begin with insolvency. It would begin when members stop believing that the invoice is disciplined by the function. Fiscal insulation is a governance failure because it weakens the link between compulsory payment and narrow service. Recovery would mean making that link measurable. Core registry continuity, routing-security services, optional public goods, community activity, legal reserves and strategic expansion should be separable enough that members can argue about them honestly.

A vote that settled the bill, not the question

The 2027 charging-scheme vote was more than a fee story. It was a small constitutional episode in the life of a registry club. In May 2026, members were asked to choose between two models. Option A preserved the one LIR account-one fee design, with an annual fee of EUR 1,894, a EUR 94 increase from 2026. Option B introduced a category model based on PA IPv4 and IPv6 resources held in each LIR account. The Board said both options aimed at the same EUR 42.5 million income budget, based on a 3.3% inflation increase over the 2026 income budget, assumed 20,000 active LIR accounts, maintained current services, included IT investment and contained a commitment to an overall cost reduction of 1.5%.

The Board recommended Option B. It said the category model responded to members who wanted a wider gap between the lowest and highest fees. Under the proposed model, the base fee would have been EUR 500 for LIR accounts with no PA IPv4 or with a /29 or less of IPv6 PA space, while the largest current holder would have paid more than EUR 30,000. RIPE NCC said almost 75% of LIR accounts would have paid less than under the current model.

Members chose Option A. The result was narrow: 3,049 votes were cast; Option A received 1,547, or 51.12%; Option B received 1,479, or 48.88%; 23 abstained. A valid vote settled the charging scheme. It did not settle the political economy. A fiscal design for a EUR 42.5 million income target was decided by a margin of 68 votes among non-abstaining voters. That is not failure. It is a warning that the cost-allocation question is close to the surface.

The flat model has a civic elegance. One LIR account pays one base fee. It avoids turning RIPE NCC into an asset-value tax authority. It is simple, predictable and resistant to arguments over how much address space is "worth." Large holders can reasonably say that the registry's cost of maintaining a record does not rise in proportion to the market value of a block. They can also say that a registry which denies property language should be careful about designing fees that look like resource wealth taxation.

The category model has a burden-allocation logic. Larger holders receive more economically significant recognition from the same registry. A flat fee is equal at the invoice line and unequal on the balance sheet. EUR 1,800 or EUR 1,894 is trivial for a large carrier, cloud provider or mature enterprise network; it is more meaningful for a small access network, community ISP, regional hoster or operator in a weaker currency or higher-risk jurisdiction. If the registry is a mutual association with thousands of different members, the distribution of costs matters. If the smallest members feel they subsidise a system whose value is greatest for large incumbents, legitimacy erodes.

Neither view is stupid. That is why the split matters. The vote exposed the unresolved question of what RIPE NCC is charging for. If it charges for membership equality, the flat model is coherent. If it charges for scale of recognition, differentiation is coherent. If it charges for cost causation, neither model is enough without a better map of which costs vary by member count, resource count, legal risk, support need, security function or institutional ambition. If it charges for regional public goods, redistribution should be explicit, not hidden inside a single mandatory fee.

Fee design also creates incentives. A fee per account encourages members to optimise account structures. A resource-based fee encourages optimisation around resource categories, consolidation, fragmentation or definitions of PA, PI and legacy space. Charges for ASNs or independent resources create separate marginal decisions. Multiple-LIR structures complicate the notion of equality. A category model can help small accounts but also make large holders politically defensive. A low base fee can make the institution more dependent on high-end contributors. A high flat fee can push marginal networks toward dependence on upstreams or out of direct membership altogether.

This is why member voting alone is an incomplete answer. "The members voted" is procedurally important, but it does not prove that a charging scheme is efficient, fair or resilient. A registry with monopoly-like features must ask a further question: does the chosen fee design minimise distortion while preserving broad consent and protecting the narrow ledger? The close vote says consent is present but thin. A strong recovery design would treat that thinness as data, not as defeat. It would publish cost-causation statements, incidence analysis, member-type impacts, behavioural incentives and reserve-purpose explanations before the next fee cycle. The goal is not to prevent politics. It is to make politics informed enough that losing coalitions still regard the outcome as legitimate.

Why small operators hear stress first

Small operators are the sensitive instrument in registry economics. Large operators can hire policy staff, model fee schemes, obtain legal advice, absorb delays, attend meetings and maintain relationships with registry staff. A small operator may have one engineer doing everything, one finance person watching invoices, and customers who cannot absorb cost or downtime. If that operator suspects the registry is too expensive, too procedural or too distant, the signal should be taken seriously.

RIPE NCC's service region makes this especially important. It includes wealthy markets with strong institutions, but also economies in transition, conflict-affected networks, operators exposed to banking restrictions, and small providers whose customers are not global cloud buyers. A flat fee that seems modest in Amsterdam, Frankfurt or London can feel different elsewhere. A document request that a large telecom handles as compliance overhead can feel existential to a regional ISP. A delayed transfer can be an inconvenience for one member and a financing event for another.

The phishing episode described in Lu Heng's RIPE NCC note is revealing for this reason. Members received a fake email demanding quick confirmation of information. The email did not come from RIPE NCC, but it exploited fear of RIPE NCC's perceived authority. The useful point is not that RIPE NCC behaved badly; it did not. The point is that scammers understood the psychology of dependency. Many members experience the registry as more than a vendor and less than a government: a private association whose administrative relationship feels capable, in principle, of threatening records, portal access, RPKI certificates or business continuity.

That fear may exaggerate RIPE NCC's ordinary processes. Assisted Registry Checks, for example, are described as cooperative and scheduled; legitimate registry work is not a 48-hour panic demand. But the fear is economically rational if members believe their operational identity is tied to a foreign-law association whose discretion they cannot easily exit. A small operator does not need to think in legal theory. It only needs to imagine what happens if an account, contact, payment or record problem escalates while customers are waiting.

Governance failure can therefore appear as emotional risk before it appears as legal risk. A member that treats every registry communication as a potential threat will underinvest in engagement, overpay for intermediaries, delay record updates, avoid voluntary services, or seek informal workarounds. A registry that wants trust must reduce not only actual abuse, but the structural conditions that make fear plausible.

There are practical ways to do this. Payment extensions for members affected by crisis, partial payment options through the LIR Portal, clear sanctions categorisation, predictable cure periods, plain-language closure procedures, and repeated explanations of what RIPE NCC can and cannot do all reduce fear. So do member-specific audit trails: what record is being checked, under what rule, what evidence is missing, what happens if the member responds, what happens if it cannot respond, and what services remain safe while the matter is resolved. The small operator needs procedure translated into risk boundaries.

Small-operator distrust also exposes a representation problem. RIPE NCC may have thousands of members and meaningful General Meeting participation, but the active policy and governance class is necessarily smaller. The people who join mailing lists, attend meetings, understand charging categories, read financial statements and shape policy proposals are not always the people who bear the marginal cost of the resulting rules. This is not a conspiracy. It is the ordinary economics of participation. Those with lower cost of participation, higher institutional literacy and greater professional benefit from process will dominate discussion unless design corrects for it.

Recovery design should therefore include small-operator safeguards. Every charging proposal should show effects on low-revenue and low-resource members. Every policy proposal affecting transfers, RPKI, reverse DNS, closure, sanctions or documentation should include fixed-cost analysis. Every General Meeting should make it easy for non-specialists to understand what is at stake. Member services should measure whether support reaches the organisations least able to navigate the system unaided. A registry does not preserve legitimacy by letting the most procedurally competent speak for everyone else. It preserves legitimacy by reducing the cost of voice for the members most likely to exit into silence.

The smallest members are not always right. They may misunderstand procedures, resist necessary documentation, oppose fees that are genuinely needed or understate the cost of secure operation. But they are often the first to feel when a compulsory system has become too thick for ordinary operators. In a healthy registry, that discomfort becomes design input. In an insulated registry, it becomes background noise. The difference is one of the earliest signs of governance quality.

Voice is real, but not free

In the usual theory of member associations, weak exit is balanced by voice. If members cannot easily choose another registry for the same recognised regional function, they must be able to discipline the institution through voting, board elections, budget approval, charging-scheme votes, consultation, policy process and public argument. The problem is that voice is costly. It requires attention, knowledge, timing and belief that participation changes outcomes.

RIPE NCC has more real voice than many institutions. General Meetings are not symbolic ceremonies. Members vote on charging schemes and board seats. Budget documents are detailed. Board and community materials are public. Consultation processes exist. The Trust Portal and other transparency work show an awareness that accountability must be visible. These are strengths.

They do not eliminate the agency problem. Staff and board members live inside the institution; most members touch it intermittently. Repeat participants understand the vocabulary; ordinary operators may not. Board candidates with networks in the community have advantages over outsiders. Policy insiders accumulate influence because they can spend time. Institutional narratives - stability, stewardship, community, openness, resilience - can crowd out harder questions about costs, market effects and discretion. A member may formally possess voice but practically experience inertia.

The Board's role in the charging vote shows both strengths and limits. It offered two options, explained the trade-off and recommended the differentiated model. Members chose otherwise. That is healthy. But the Board also shapes the menu, the framing, the income target, the service baseline and the pace of change. A binary vote can decide between packages; it cannot easily say which services should be separated, which reserve target is optimal, which legal costs belong to core continuity, which regional expansion is justified, or how resource-based incidence should be capped.

Board accountability therefore needs measurable questions, not only formal elections. How much of the budget funds the essential ledger and its security? How much funds optional or mixed public goods? How much legal spending is ordinary corporate governance, sanctions compliance, member disputes, litigation, external coordination or institutional expansion? How long do transfers take by category? How many transfer requests are withdrawn or refused after submission? How many closure actions affect RPKI or reverse DNS? How many members face payment-channel friction? How many sanctions reviews become actual prohibitions rather than clarification exercises? How many small operators use support channels before falling into non-payment or documentation trouble?

Without such metrics, board accountability risks becoming narrative accountability. Members are asked to trust that the institution is resilient, transparent and member-driven. They may do so while times are calm. Under stress, narrative will not be enough. A legal shock, sanctions dispute, RPKI incident, contested transfer or fee revolt will force members to ask whether the Board has governed the risk or merely described it.

The recovery design is straightforward in principle. The Board should supervise categories of decision, not individual cases. It should ensure that high-consequence actions are measured, audited, explained and reviewable. It should publish enough aggregate data to let members distinguish ordinary workload from institutional drift. It should separate legal necessity from internal risk appetite. It should require post-implementation review of policies that affect liquidity, continuity or fixed costs. It should make committee and nomination processes contestable enough that organised opposition can lawfully win, not merely comment.

Voice is credible only when members believe it can impose constraints. That does not mean every unhappy member must get its way. It means the institution must be able to show that member control reaches budget, scope, discretion and risk, not only the outer layer of association procedure. In a registry, weak voice and weak exit are a dangerous combination. Strong voice is cheaper than litigation.

When open process becomes thin consent

The RIPE community is older than RIPE NCC and has a strong technical culture. Its openness is one of the reasons the region has avoided some forms of institutional crisis. The policy process is public. Working groups debate text. Mailing lists preserve arguments. Technical people who care about operational reality can participate without needing a government mandate. This is a genuine asset.

But openness is not the same as representativeness. A public meeting can be dominated by those with time to attend. A mailing list can be open while most affected operators remain absent. A consensus process can be procedurally correct while the distribution of costs falls on people who were not in the room. That is the classic procedural-capture problem. It does not require corruption. It arises whenever specialised participation becomes the main currency of authority.

The risk grows after IPv4 exhaustion because policies are no longer only technical hygiene. Transfer restrictions, waiting-list rules, documentation standards, legacy-resource treatment, sanctions handling, RPKI requirements, reverse-DNS procedures, closure effects and database accuracy obligations all have economic consequences. They affect liquidity, transaction timing, collateral value, customer continuity and bargaining power. A rule written as neutral process can behave like capital control if it restricts transferability or creates uncertainty around recognised records.

The "Policy Mirror" idea in Lu Heng's public notes is polemical, but useful: a policy manual reveals what an institution imagines itself to be. A narrow registry writes rules about uniqueness, accurate records, proof of authority, dispute status and security metadata. A thicker registry writes rules that begin to judge proper use, regional virtue, business models, continuing need, commercial morality or the legitimacy of market movement. RIPE NCC is not AFRINIC, and its policy environment is not the same. Still, the test is worth applying. Every policy should be asked: does running code require this, or does institutional preference require it?

This test is especially important for transfer policy. RIPE NCC exhausted its remaining IPv4 pool in November 2019. Eligible LIRs can receive a /24 from recovered space through the waiting-list path. Transfers are now an ordinary part of resource movement. Scarce resources such as IPv4 and 16-bit ASNs face a 24-month restriction after certain receipt events. Inter-RIR transfers require compatible policy and approval by both registries. Merger and acquisition updates require legal documentation and sanctions checks. These rules may have good reasons. They also alter liquidity.

Policy-market mismatch appears when a rule designed to prevent speculation, preserve fairness or maintain data quality traps legitimate supply, increases leasing through informal channels, raises due-diligence costs, or makes small operators less able to acquire resources. A 24-month restriction may deter gaming of the waiting list; it may also reduce flexibility for a distressed holder. Documentation requirements may prevent fraud; they may also freeze old corporate histories that cannot be reconstructed neatly. Sanctions checks may be legally necessary; vague compliance categories may deter lawful counterparties. Each rule should be measured not only by its intention, but by its market effects.

The answer is not to turn the registry into a market servant. RIPE NCC should not abandon uniqueness, accuracy, anti-fraud controls or legal compliance. The answer is to make policy economically literate. Proposals affecting scarce resources should include an impact note: which holders are affected, what fixed costs are imposed, how liquidity may change, whether small operators face disproportionate burden, what metrics will be reviewed after implementation, and whether the rule is prospective or retroactive. Post-implementation review should be normal. If a rule was adopted to reduce abuse, speculation or operational risk, the community should later see whether it did so and at what cost.

Procedural capture is cured by evidence, not by denunciation. Open process remains valuable. It becomes more credible when affected principals can see the costs, the data and the limits of what policy is allowed to decide. Thin consent is still consent, but it is fragile. Thick consent is built when people who lost the argument can still understand the evidence, the trade-off and the boundary around institutional power.

Neutral recordkeeping under sanctions pressure

RIPE NCC's region includes jurisdictions that make sanctions compliance more than an occasional legal check. As a Dutch association, RIPE NCC must operate within applicable European legal constraints. It also serves members whose networks may be in countries affected by sanctions, conflict, banking restrictions, payment-channel failure or political sensitivity. That makes sanctions one of the most difficult governance surfaces for a registry that wants to remain neutral.

The problem is not whether RIPE NCC should comply with law. It must. The problem is how to keep legal compliance narrow, auditable and operationally proportionate. A confirmed listed-party prohibition is one thing. A possible name match requiring clarification is another. A payment blocked by a bank is another. A beneficial-ownership concern is another. A country-level reputational concern without a specific legal prohibition is another. If all of these are hidden under the same word - compliance - members cannot price risk and the registry cannot prove restraint.

Sanctions pressure can create governance failure in several ways. First, it can reduce liquidity by making buyers, sellers and counterparties avoid whole categories of resources or jurisdictions even where transactions might be lawful. Second, it can create payment risk: a member may be willing and legally able to pay but unable to route money through ordinary banking channels. Third, it can politicise database accuracy: a registry action that is legally required may be read as political discrimination if the category is not explained. Fourth, it can make small operators in exposed regions feel that they are funding an institution that might not be able to protect their continuity when external politics turns against them.

The registry's official materials around transfers and mergers describe sanctions checks as part of approval. That is a necessary factual exhibit, but not the full governance answer. The economic question is whether RIPE NCC can separate sanctions review of new actions from continuity of existing records and services where law permits. A blocked transfer should not automatically mean broader uncertainty about unrelated resources. A payment-channel problem should not automatically become service termination if there is a lawful cure path. A possible match should not be treated as a confirmed prohibition. A court order should affect what it orders, not become an invitation to freeze a member's whole operational identity.

Continuity matters because the downstream parties are often not the sanctioned actor, the policy participant or the voting member. Customers, schools, hospitals, public agencies, hosting users, banks and small businesses may rely on networks whose registry relationship passes through a sanctions-sensitive environment. If registry action is too broad, collateral damage travels down the customer chain. If registry action is too vague, counterparties punish lawful actors through overcompliance.

Recovery design here means category transparency and last-verified-state discipline. RIPE NCC should publish aggregate sanctions and payment-friction categories: confirmed legal prohibition, possible match resolved, ownership clarification, payment-channel issue, court-related action, service preserved, service paused, service terminated. Individual identities may need confidentiality, but the categories need not. Members should know whether compliance is a narrow legal function or a broad risk screen. The Board should know where legal necessity ends and internal caution begins.

This is also where official internet-governance rhetoric can fail. "Neutrality" is not a declaration. It is an operating method. A registry remains neutral under sanctions pressure when it proves that every restriction is legally grounded, narrowly applied, recorded, reviewable where possible and separated from unrelated services. It loses neutrality when members cannot tell whether law, institutional risk appetite or political mood is driving the result.

The legal burden on RIPE NCC is real. That is why sanctions transparency should be part of resilience, not an attack on it. A registry that can show narrow compliance will have more credibility with members, courts and counterparties when hard cases arise.

Transfers price governance in real time

IPv4 transfers are where registry trust becomes a market price. RIPE NCC does not set the market price of addresses. It does not route packets. It does not own the productive value created by operators. But its recognition helps convert a private transaction into a record the market accepts. A buyer wants the registry to recognise the transfer. A seller wants completion. A broker wants timing predictability. A lender or acquirer wants confidence that address holdings can be moved, defended or valued. A customer wants continuity without learning the mechanics.

A transfer market therefore prices not only scarcity, but administration. If the official path is clear, fast and consistent, counterparties can focus on commercial terms. If it is opaque, they spend more on legal review, escrow extensions, indemnities, fallback clauses and broker knowledge. Some transactions never enter the formal path because participants expect difficulty. Some shift into leasing or operational delegation that may be less visible. Some blocks sit idle because holders do not want the paperwork or fear the registry relationship. All of this is a cost.

RIPE NCC publishes completed transfer information, which is valuable. But a market needs the denominator as well as the numerator. How many requests were opened? How many were approved, withdrawn, refused or closed for non-response? How many were paused by the 24-month restriction? How many involved legacy-resource evidence problems? How many depended on another RIR? How many encountered sanctions clarification? How long did each category take from complete submission to decision? How often did RPKI or reverse-DNS state require correction after transfer?

This is not a demand to publish private deal terms. It is a demand for aggregate process evidence. A failed transfer because of forged authority is evidence that the registry protected the ledger. A withdrawn transfer because a party could not prove succession is useful market information. A refusal because of sanctions is legal information. A delay because of inter-RIR incompatibility identifies a system bottleneck. When these categories are hidden, the market treats all uncertainty alike.

Administrative uncertainty is especially costly for small holders and legacy resources. Old corporate histories are messy. Names change. Entities merge, dissolve, sell assets, split divisions or lose records. A registry must prevent fraud, but it also must avoid turning history into a permanent discount. Clear evidence pathways for legacy updates and transfers reduce both fraud risk and liquidity discounts. "Best effort" may be operationally honest; markets need to know what it usually means.

Transfer liquidity is not a speculative luxury. It is how scarce addresses move from lower-valued to higher-valued uses. It helps a growing network obtain capacity. It lets a shrinking or reorganising holder monetise unused resources. It supports mergers and acquisitions. It reduces pressure on waiting lists. It can make formal records more accurate by giving parties a reason to bring old information up to date. If official transfer channels are too slow or unpredictable, the result is not moral purity. It is side arrangements and risk.

The registry should remain a ledger, not a market promoter. That distinction is important. It should verify authority, prevent duplicate claims, apply adopted restrictions, comply with law, preserve accuracy and record transfers. It should not behave as though every market transaction is suspect by default or as though administrative discretion is a substitute for price signals. Once IPv4 is scarce and traded, the economically disciplined registry reduces friction without pretending there is no market.

Recovery design would make transfer performance a board-level and member-visible indicator. Median timing is not enough; tail risk matters. A transaction that usually closes quickly but sometimes disappears into months of unclear document cycles is expensive to insure. Publishing category-specific percentiles, delay reasons and outcome counts would lower the risk premium without weakening due diligence. It would also protect RIPE NCC from unfair criticism by showing where friction is caused by fraud, law, counterpart registries or member inaction rather than staff discretion.

Trust in transfers is trust in the ledger's economic usefulness. A registry that cannot make its transfer machinery legible invites markets to price around it.

Continuity is a layered promise

Registry continuity is often discussed as if it meant keeping a database online. It means more than that. RIPE NCC's records are connected to reverse-DNS delegation, RPKI certificates, Route Origin Authorisations, the LIR Portal, public database updates, account authority and operational support. These services are not administrative decorations. They shape routing trust, troubleshooting, mail deliverability, security automation, customer assurance and transfer execution.

RPKI raises the stakes because it turns registry recognition into cryptographic material used by networks. A correct ROA can help operators validate whether a route origin is authorised. A wrong, missing or unexpectedly revoked object can have operational consequences where route origin validation is enforced. Reverse DNS is less dramatic but commercially important: mail systems, logging, abuse handling and customer expectations often depend on it. The LIR Portal is a management surface. Database authority is an operational asset. These services can become leverage if governance is poorly designed.

RIPE NCC's closure procedures and service terms therefore matter. Termination of a service relationship can affect authority to maintain records in the database, LIR Portal access and use of RPKI; in some circumstances records may be deregistered or certificates revoked. There may be good reasons for this in cases of fraud, prolonged non-payment, legal prohibition or failure to cooperate with essential accuracy checks. But the economic consequence is high enough that every severe action needs a firewall around it.

The firewall principle is simple: service disruption should be the last resort, not a routine compliance tool. Existing records, reverse DNS and RPKI should be preserved wherever law and safety permit while a payment, documentation, sanctions or governance dispute is being resolved. Fraud correction and duplicate-claim prevention are different from using operational services to discipline a member. A registry can be firm without being destructive.

Continuity metrics would make this real. How often are RPKI certificates revoked for closure, transfer, technical non-functionality, administrative status, member request or court order? How many reverse-DNS changes are delayed in transfer cases? How often do service suspensions affect operational publication rather than only account access? How many members cure payment or documentation issues before any service change? How often are closure actions isolated to the affected resource rather than spreading across unrelated records?

The Trust Portal is a useful floor for this kind of thinking. It signals that confidentiality, integrity, availability, legal compliance and security processes are part of RIPE NCC's public trust surface. But system security is not the same as institutional trust. Availability figures do not answer whether authorised changes are narrow, reviewable and economically proportionate. A service can be technically secure while governance decisions around the service are opaque. The next trust layer should connect security commitments with decision metrics.

This is where the phrase "protect the ledger, not the gatekeeper" is analytically useful. It should not be read as an attack on RIPE NCC's existence. It is a continuity principle. The records, publication services, security chain, update authority and running networks deserve strong protection. The institution's discretionary convenience does not deserve the same protection. During legal, budgetary, board or policy stress, members need confidence that the operational layer will not be used as the bargaining chip.

AFRINIC shows the danger of failing to separate these layers. Once courts, receivers, elections, board authority and registry records all become entangled, continuity becomes a political word. Every actor says it is protecting the registry. The better question is: which continuity? Corporate continuity, board continuity, policy continuity, ledger continuity, RPKI continuity, customer continuity and member-rights continuity are not identical. RIPE NCC can avoid that trap by defining the separations before they are needed.

Reserves are useful only when their purpose is bounded

A mature registry needs reserves. It needs legal capacity. It needs insurance, risk management, information security, staff continuity and the ability to operate through crisis. The question is not whether RIPE NCC should be resilient. The question is how resilience is governed so that it does not become a justification for unlimited institutional appetite.

Legal shock is one of the most plausible routes to governance failure. It may come from sanctions, a disputed transfer, a legacy-resource claim, a member lawsuit, a court order, an employment or governance dispute, a data incident, an external regulatory demand or a conflict involving another RIR. Legal cost can accumulate quickly. AFRINIC's crisis shows how litigation can consume management attention, finances and legitimacy. The lesson is not that RIPE NCC is facing the same facts. It is that a registry's legal architecture must be designed for shocks before they arrive.

Reserves can absorb shocks, but reserves also weaken immediate fee discipline if members cannot see their purpose. The 2025 Financial Report's Clearing House reserve of roughly EUR 33.6 million is an asset for continuity. It may reassure members that RIPE NCC can survive revenue fluctuation, legal expense or operational investment. It may also invite questions: how large should the reserve be; what risks does it cover; what part protects core services; what part supports broader institutional projects; when should surplus be returned; when should fees be cut; when should reserves fund temporary relief for members in crisis?

These are governance questions, not accounting footnotes. Fiscal insulation appears when reserves and legal capacity make management less sensitive to member dissatisfaction. A registry that can absorb cost without immediate pain may continue spending patterns long after members have lost confidence. Conversely, too little reserve could make the registry fragile in exactly the moment members need it to resist political or legal pressure. The design problem is balance.

Liability asymmetry sharpens the issue. Regional registries often have limitation-of-liability clauses typical of service associations, while the practical consequences of registry decisions may be much larger than annual fees. Lu Heng's note on registry power detaching from liability makes the general argument: the legal shell remains clerical while the economic substance has become strategic. In RIPE NCC's case, that does not mean unlimited liability is the answer. Unlimited liability could make the registry uninsurable or excessively defensive. But limited liability increases the need for procedural discipline, independent review and operational firewalls. If financial remedies are limited, due process has to carry more of the burden.

Legal spending should therefore be categorised in member-facing ways. Ordinary corporate advice, sanctions compliance, member disputes, litigation, policy support, external governance work, data protection, employment, office expansion and emergency continuity planning are different things. Members may willingly fund defence of the ledger, compliance with law and service continuity. They may be less willing to fund institutional expansion, discretionary enforcement or reputation management disguised as legal necessity. Without categories, every legal line becomes a trust problem.

The Dubai entity illustrates the broader scope question. RIPE NCC Middle East FZ-LLC began operating in 2025, with work on banking, employment, office space, tax, legislation and a legal entity fully owned by the Dutch association. The 2025 report notes an AED 5 million loan and a negative exchange result on AED of about EUR 60,000. This may be a rational adaptation to member support needs in the Middle East. It is also institutional expansion, with currency, reporting, banking and legal implications. A fee-funded monopoly ledger should subject such expansion to a clear test: what member problem does it solve, what continuity risk does it reduce, what recurring cost does it create, and what would happen if it were not done?

Recovery from legal shock depends on the answers. A registry that can show reserves tied to defined risks, legal costs tied to defined categories and expansion tied to member need will look prudent. A registry that asks members to trust broad resilience language will look insulated. Resilience without accountability becomes a blank cheque. Accountability without resilience becomes fragility. RIPE NCC's task is to hold both.

AFRINIC belongs in the margin, not in the script

AFRINIC should be used carefully. It is not a morality play that proves one region is uniquely flawed. It is not a ready-made accusation against RIPE NCC. It is an exhibit in what happens when registry legitimacy, legal authority, member confidence, address scarcity and political intervention become entangled.

The public record is enough to establish the institutional lesson without pretending to resolve every contested claim. Reporting in 2019 raised allegations about manipulation or misappropriation of African IPv4 records by a former insider. Court and public materials later showed board-validity disputes, executive and governance paralysis, receivership and a court-supervised path back toward elections. The NRO welcomed the appointment of an official receiver in 2023 to preserve the value of AFRINIC's business, maintain status quo assets, oversee elections, facilitate formation of a proper board and enable appointment of a chief executive. Later reporting described suspended or annulled election processes, claims around voting authority, renewed elections, strategy and budget recovery efforts, and further ICANN involvement in court contexts.

Those facts show that registry continuity can become a multi-layer crisis. Record trust, board authority, member voting, court power, external recognition, legal cost and resource-holder confidence all interact. A receiver can preserve a bridge, but not by itself rebuild market trust. An election can restore corporate organs, but not by itself prove that transfers, records and member authority are now dependable. ICANN or NRO statements can explain why the registry function matters, but they do not by themselves settle whether the incumbent institution has constrained its discretion.

The useful AFRINIC lesson for RIPE NCC is not "collapse is coming." It is the arithmetic of legitimacy. A registry's authority rests on collective acceptance that its database is the legitimate record. That acceptance is stable when the registry is accurate, narrow, predictable, accountable and cheaper to use than to avoid. It weakens when members see the registry as discretionary, politicised, expensive, legally fragile or insulated. Once weakened, belief does not return because official actors say the registry is important. It returns when counterparties can rely on records, members can verify authority, courts can isolate disputes, operators can preserve services, and the official path is less costly than workarounds.

AFRINIC also shows that "continuity" can be a dangerous word. Everyone claims it. A board claims continuity of institution. A receiver claims continuity of business. ICANN or the NRO claims continuity of the RIR system. Resource holders claim continuity of records and networks. Customers claim continuity of service. Courts claim continuity of legal order. These claims can conflict. A recovery design must specify which continuity is being protected in each case.

For RIPE NCC, the priority order should be explicit. Number uniqueness comes first. Accurate records and dispute metadata come next. Publication services such as RDAP, Whois, reverse DNS and RPKI must continue. Running networks and customers should not become collateral damage. Member rights and due process must remain usable during stress. Corporate and board continuity matter because they support these functions, not because they are ends in themselves.

That hierarchy is easier to adopt before crisis. Once a court, sanctions dispute, contested board election or severe service incident arrives, every actor will argue from immediate interest. RIPE NCC has the advantage of stability. It can design continuity architecture while no one is forced to improvise. That is the lesson a mature registry should take from AFRINIC: not fear, but pre-commitment.

What recovery would actually have to prove

If RIPE NCC suffered a serious trust shock, what would recovery require? Not a press release. Not a listening tour alone. Not a promise that services are available. Recovery would require restoring the belief that the registry is constrained in the right places.

The first constraint is fiscal. Members should be able to see a clean separation between the core ledger, security services, optional public-good services, community activities, legal reserves and strategic expansion. The annual budget should not merely list activities; it should map them to the theory of compulsory funding. If an activity is funded through mandatory dues, members should know why voluntary funding, sponsorship, usage-based charges or separate approval would not be appropriate. Reserve targets should be tied to defined risk scenarios. Surplus handling should be rule-bound enough to avoid annual political theatre.

The second constraint is member voice. Charging votes, board elections and General Meetings should remain meaningful, but recovery would require deeper member reconstruction. Participation should be easier for small and remote operators. Fee proposals should include incidence reports. Candidate processes should be transparent and contestable. Conflict disclosures should be standardised. Member communications should explain not only what is being voted on, but what economic consequences follow. A lawful vote is necessary. A vote whose losers trust the process is more valuable.

The third constraint is policy scope. The policy community should continue to develop rules, but policies affecting scarce-resource liquidity, operational continuity or member costs should pass a scope test. Does the rule protect uniqueness, accurate records, security metadata, fraud prevention, legal compliance or service continuity? Or does it express institutional preference about commercial behaviour? If the latter, the burden of justification should be much higher. Prospective rules should be preferred. Retroactive disturbance of reliance interests should be treated as exceptional.

The fourth constraint is decision auditability. Transfers, closures, sanctions reviews, RPKI changes, reverse-DNS effects, Assisted Registry Checks, legacy updates and account terminations should be logged in categories that can be reported in aggregate. Members do not need private files exposed. They need enough evidence to distinguish ordinary administration from discretionary gatekeeping. Board oversight should focus on the categories where harm can occur.

The fifth constraint is operational neutrality. RPKI, reverse DNS, database authority and portal access should not be casually weaponised. Severe service effects should require defined triggers, notice, cure periods, independent review where practicable and preservation of the last verified operational state where law permits. A registry that can disrupt too cheaply will not be trusted even if it rarely does so.

The sixth constraint is legal proportionality. Sanctions compliance, court orders and regulatory obligations must be obeyed. But compliance should be narrow, categorised and separated from broader institutional risk appetite. Legal costs should be transparent by class. Liability limitations should be balanced by stronger process. Members should not be asked to accept high-consequence discretion merely because the association's legal exposure is limited.

The seventh constraint is continuity planning beyond the corporate shell. RIPE NCC should be able to explain how registry data, publication services, RPKI repositories, reverse DNS, update authority, member communications and pending disputes would be handled during board incapacity, executive turnover, litigation, sanctions shock, bank disruption, cyber incident or an extreme governance failure. Such planning does not undermine the institution. It proves that the ledger is more important than any one governance cycle.

These constraints would not make RIPE NCC weak. They would make it more credible. A constrained registry is easier to defend because its authority is legible. It can tell a court what function must be preserved. It can tell members why a fee is needed. It can tell a buyer why a transfer delayed. It can tell a sanctioned-region member which services remain safe. It can tell the community what a policy achieved. It can tell critics where power ends.

Recovery is therefore not the opposite of governance. It is governance made believable again. A registry recovers every year by making the invoice more credible, the Board more accountable, the policy process more representative, the transfer path more legible, sanctions more categorical, RPKI more neutral, reverse DNS more protected, reserves more explainable and operational continuity less dependent on institutional pride.

Early warning signals worth watching

Because RIPE NCC is operational, the relevant failure indicators are early and subtle. They would not necessarily show up as downtime. They would show up as rising friction around the institution's interfaces with money, voice, law and trust.

The first watchpoint is fee legitimacy. The next charging cycle should be judged not only by the amount approved, but by whether members receive a credible cost-causation map: what part of the fee funds the ledger, what part funds security services, what part funds public-good activity, what part funds legal and compliance resilience, what part funds regional expansion, and what assumptions drive the income target. A persistent pattern of close votes, resentment of reserves, small-operator payment stress or demands for service separation would be a fiscal warning.

The second watchpoint is transfer denominator data. Completed transfers are not enough. Members and markets should be able to see aggregate counts for requests opened, approved, withdrawn, refused, paused, closed for non-response, delayed by sanctions clarification, delayed by inter-RIR coordination, delayed by legacy evidence and delayed by member documentation. Category-specific timing percentiles matter more than broad averages. If buyers, sellers and brokers start treating RIPE NCC-administered resources as administratively uncertain, the market will show it in escrow terms, indemnities, discounts and quiet avoidance.

The third watchpoint is sanctions and payment fog. If members cannot distinguish confirmed legal prohibition from possible-match review, payment-channel failure, ownership clarification, court action or institutional caution, overcompliance will spread. Lawful actors in sensitive jurisdictions will pay higher risk costs. Payment friction will become a legitimacy issue. Compliance will feel political even when it is legal. The registry should publish aggregate categories that let members understand how often each kind of case occurs and how often services remain preserved while the issue is resolved.

The fourth watchpoint is operational-service anxiety. If members believe that RPKI, reverse DNS, database access or portal authority can be affected by ordinary disputes without strong safeguards, they may avoid deeper reliance on registry-dependent services. That would be a bad result for routing security and data accuracy. The relevant metrics are not only uptime. They are the number and category of severe service effects, the cure periods offered, the use of last-verified-state preservation, the separation between account access and publication services, and the review path for high-consequence decisions.

The fifth watchpoint is policy participation. If mailing lists remain active but affected holders organise elsewhere - through private groups, legal counsel, trade associations, governments or market intermediaries - the official process has lost some ability to clear conflict. The symptom is not criticism. Criticism is healthy. The symptom is migration of serious economic voice away from the formal community. Impact notes and post-implementation reviews would help bring those arguments back into the open.

The sixth watchpoint is reserve discipline. A large reserve can be prudent or insulating. The difference is whether members know the target range, risk scenarios, drawdown triggers and surplus-return logic. Legal spending should be categorised in the same spirit. If every legal or resilience cost is treated as self-justifying, the institution will look like it is using risk to escape cost discipline. If every reserve is attacked as waste, the institution becomes fragile. The useful question is narrower: which risk is this money protecting, and why is mandatory member funding the right instrument?

The seventh watchpoint is scope expansion. New entities, offices, banking arrangements, engagement programmes, measurement services and external initiatives may be justified. They should be tested against member need, ledger continuity, recurring cost and alternative funding. A registry can grow for good reasons, but growth financed through a compulsory recognition relationship needs a higher burden of explanation than ordinary association activity.

The eighth watchpoint is externalisation of governance. Courts, regulators, ICANN, the NRO, national authorities or large market coalitions may be asked to intervene not because RIPE NCC has collapsed, but because members no longer believe internal discipline is enough. External intervention can be necessary in a severe crisis. It is also expensive because it reduces the autonomy that the RIR model claims as its virtue. The best way to preserve autonomy is to make internal constraints credible before outsiders are invited in.

None of these signals requires fraud. Governance failure is often mundane: costs drift, rules thicken, insiders dominate, legal language becomes defensive, member trust becomes shallow, and quiet operators stop believing that official process is worth their time. The registry still functions. The risk premium rises.

RIPE NCC's strongest position is that it still has time. It is not trying to rebuild trust from receivership. It is not asking members to accept a board after years of legal paralysis. It is not defending a collapsed election process. Its challenge is subtler and therefore easier to underestimate: to keep a mature, expensive, policy-rich institution from drifting away from the economic discipline that makes members believe in it.

The discipline is not austerity for its own sake. It is scope clarity. Critical services should be funded and protected. Security should improve. RPKI should be reliable. Reverse DNS should be stable. Transfer processing should be accurate. Sanctions compliance should be lawful. Member support should be serious. Small operators should not be abandoned. Community and measurement services should be justified honestly. Reserves should be adequate. Legal capacity should exist. But each of these claims should be tied to a visible theory of cost, risk and authority.

The sober lesson from AFRINIC, without the false analogy, is that a registry's legitimacy can break through layers: first belief, then cooperation, then liquidity, then law, then formal authority. RIPE NCC is far from that endpoint. The point of a stress test is not to predict that the bridge will fall. It is to find which bolts carry the load before the storm.

The bolts are visible. The close charging vote shows fiscal tension. The broad budget shows scope tension. Sanctions exposure shows geopolitical tension. IPv4 transfers show liquidity tension. RPKI and reverse DNS show continuity tension. The policy community shows representation tension. Small-operator fear shows dependency tension. The AFRINIC crisis shows that the system cannot assume a registry's legitimacy is permanent merely because the function is necessary.

The most credible registry in the scarcity era will not be the one with the grandest claims about community. It will be the one that can prove, repeatedly, that it is a disciplined recordkeeper with enough resilience to protect the ledger and enough humility not to confuse the ledger with itself. RIPE NCC has the institutional capacity to be that registry. The economics of governance failure and recovery ask whether it will choose the constraints that make that capacity believable.