RIPE NCC is the cleanest mature test of a registry's temptation: a useful private membership bookkeeper becomes dangerous when it stops acting like a neutral ledger for scarce network identifiers and starts acting like a discretionary gatekeeper over operational capital.

The registry question is a question about power

RIPE NCC is not a state, a telecom regulator, a court, a competition authority or a router of last resort. It is a not-for-profit membership association based in the Netherlands and the regional Internet registry for Europe, the Middle East and parts of Central Asia. Its essential public function is narrow and real: it distributes and registers Internet number resources, maintains registration data, supports reverse DNS and related services, facilitates transfers, and operates RPKI services that help networks make route-origin decisions.

That narrow function is valuable precisely because it is not supposed to be sovereign. Networks need a common record so that two unrelated actors are not treated as the recognised holder of the same address block or autonomous system number. Buyers, sellers, lessors, banks, courts, customers, cloud platforms, access networks, data centres and routing-security systems need a place to check which organisation is registered for which resource. The value of the institution lies in reducing ambiguity. It does not lie in making the institution grand.

The danger begins when the registry record becomes commercially consequential. In the early allocation era, the registry looked like an administrative allocator of unique identifiers. After IPv4 exhaustion, the same record became the reference point for assets that networks buy, lease, route, finance, secure and build customer services around. A database entry is not the same thing as legal title in land. But in practical infrastructure economics, recognised registration can carry title-like effects. A block that cannot be cleanly transferred, certified, maintained or explained in due diligence loses value even if the packets still route today.

The distinction between ledger and gatekeeper is therefore not rhetorical decoration. A ledger records reality in a bounded way. It verifies holder identity, prevents duplicate claims, publishes data, records legitimate changes, preserves security metadata and isolates disputes. A gatekeeper decides who may receive, move, monetise, certify, keep or operationally depend on the resource. Some gatekeeping is unavoidable: fraud checks, sanctions compliance, document review and anti-hijacking controls protect the ledger. The institutional question is whether those controls remain subordinate to the record-keeping function or grow into a broad discretionary authority over capital.

RIPE NCC is the most revealing case because it is mature, documented and not visibly collapsing. AFRINIC has supplied a dramatic warning about courts, receivership, contested elections and litigation. ARIN supplies a North American test of needs assessment and legacy-resource certainty. RIPE NCC supplies a different test: what happens when a stable, sophisticated registry in a legally complex region accumulates enough ordinary power that the boundary between ledger and gatekeeper becomes harder to see?

Official RIPE NCC documents are useful here as factual exhibits. They describe charges, transfer procedures, IPv4 run-out, policy development, Assisted Registry Checks, RPKI, Trust Portal commitments and sanctions screening. They do not settle the economic interpretation. Public participant commentary from NRS, LARUS and Lu Heng is also useful only where it identifies mechanisms that can be checked against those exhibits. The harder institutional-economics question is narrower and more durable: once number resources become scarce productive capital, how much discretion can a private registry exercise before the market stops treating it as a neutral bookkeeper and starts pricing it as a risk layer?

Why RIPE NCC is a cleaner test than a crisis registry

A crisis institution can hide the structural problem behind local failure. When a registry is in court, in receivership, or unable to complete an election, critics can say the problem is that particular registry's governance. Defenders can say the problem is one unusually aggressive member, one jurisdiction, one board, one court, or one mismanaged process. The system then avoids the uncomfortable question: whether the same architecture creates quieter forms of risk even where the institution is not in obvious crisis.

RIPE NCC removes that excuse. It has a long history, extensive documentation, a large membership, regular meetings, visible policy processes, financial documents, an active registry services team, an open policy culture, and a service region containing some of the world's most institutionally sophisticated networks. It is not plausible to dismiss RIPE NCC as an obscure administrative backwater. If the ledger-versus-gatekeeper tension appears here, it is not only a problem of weak governance. It is a problem of the registry model after IPv4 scarcity.

The service region also makes RIPE NCC unusually exposed. It includes wealthy European incumbents, small ISPs, Middle Eastern operators, public-sector networks, universities, cloud providers, data centres, post-Soviet administrative histories, sanctions exposure, conflict-zone members, legacy resource holders and fast-growing markets. The same rule can have very different effects in Amsterdam, Kyiv, Istanbul, Dubai, Warsaw, Beirut, Tbilisi, Almaty and London. A flat membership charge may be trivial to one member and material to another. A sanctions check may be routine paperwork for one party and a closing condition for another. A mailing-list discussion may be easy for a policy regular and practically invisible to a small operator that lacks the staff, language confidence or procedural history to participate.

That diversity makes neutrality more valuable and more expensive. RIPE NCC must use country codes, legal documents, company records, sanctions lists, certification services and transfer procedures without becoming a geopolitical actor. It must support a region where law, markets and politics do not share one institutional centre. Its strength is that it has tried to publish many of the relevant procedures. Its risk is that procedure can look like neutrality even when the procedure gives the registry large leverage over resource mobility and operational continuity.

The registry can be defended only if its authority is narrow enough for affected parties to understand and price. A member should know what the annual fee buys, what a transfer review checks, what a 24-month restriction prevents, how a sanctions hit affects a request, what an audit can ask, how RPKI status can change, what appeal or review path exists, and when a dispute will be isolated rather than turned into service disruption. Mature paperwork is not the same as bounded power. A mature gate can still be a gate.

This is why RIPE NCC is a better test of legitimacy than a spectacular institutional scandal. In a scandal, everyone can agree that the record must be protected. In a mature registry, the harder question is whether the routine instruments used to protect the record have become instruments for controlling the market around the record. The legitimacy bargain is exacting: members tolerate a private association's privileged position because it lowers the cost of coordination around scarce identifiers. If that position begins to raise the cost of mobility, evidence, certification or continuity, the bargain changes.

Membership is accountability, not public authority

RIPE NCC's membership model is real accountability. Members pay fees, vote at General Meetings, elect board members and can shape the association's direction. That is better than a purely private vendor that controls a critical record without a member electorate. It is also not the same as public authority. RIPE NCC members are not the population of the service region. They are not all customers, end users, cloud tenants, public institutions, banks, hospitals, universities or enterprises whose services depend on number-resource continuity. Many affected parties sit behind an upstream provider, a sponsoring LIR, a parent company, a network service provider or a contract counterparty.

That difference matters. A member vote can legitimate an association budget. It cannot automatically legitimate every discretionary effect the registry has on a transfer market, RPKI service, audit demand, sanctions process or legacy-resource update. The more economically consequential a registry decision becomes, the more RIPE NCC must ask whether membership governance is actually disciplining the decision or merely giving institutional form to it. In institutional terms, membership is a monitoring device, not a blank cheque. It can reduce agency risk only if the monitored decisions are visible, contestable and measured in terms that affected operators can understand.

The 2026 charging scheme shows the bargain in concrete form. The RIPE NCC Charging Scheme 2026 says the model is based on an annual contribution per Local Internet Registry account, with additional charges for independent and legacy Internet resources, and a one-time sign-up fee for new members or additional LIR accounts. For 2026 the annual contribution remains EUR 1,800 per LIR account. The separate charge of EUR 75 per independent Internet number resource assignment continues, as does a separate EUR 50 per ASN assignment in the specified categories. The sign-up fee remains EUR 1,000. Members vote each year at the General Meeting on returning excess paid fees or shortages through redistribution.

These are not just invoice details. They reveal RIPE NCC's institutional economics. A flat per-LIR annual contribution simplifies administration and avoids turning every address holding into a direct resource tax. It also means that very different operators can face the same basic compulsory charge. A small regional ISP and a large enterprise LIR may pay the same base fee even though their ability to absorb it differs. That may be defensible if the fee funds a tightly defined ledger function. It becomes harder to defend when the compulsory bundle includes broader community, training, measurement, travel, events or outreach work whose benefits are unevenly distributed.

Lu Heng's September 2025 note on the cost of running RIPE NCC makes that argument directly. It claims that the core mandate is narrow: registration database, number-resource administration and RPKI. It questions whether conferences, travel, training, measurement platforms and community infrastructure should be financed through compulsory member fees, especially in a region containing conflict-affected and lower-income economies. That source is a participant argument, not neutral adjudication. Its value is that it frames the right institutional question: what part of the association is indispensable infrastructure, and what part is useful but optional institutional expansion?

RIPE NCC's own site lists a broad range of activities: the RIPE Database, LIR Portal, reverse DNS, resource transfers, RPKI, K-root, RIPE Atlas, RIPEstat, RIS, RIPE IPmap, training, meetings and community support. Many are valuable. The question is whether a private membership registry with a compulsory fee should fund them all through the same relationship members need to maintain number-resource recognition.

Membership is therefore not a magic answer to public-like power. It is one accountability mechanism, and should discipline the registry rather than license mission expansion.

Fees reveal the boundary between ledger and institution

The most honest way to understand registry fees is to ask what would fail if the fee-funded activity stopped. If uniqueness, registration accuracy, RDAP or Whois availability, reverse DNS, RPKI coherence, transfer recording, dispute notation and security publication would fail, the activity belongs close to the ledger. If the activity is a meeting, training programme, measurement product, outreach project, sponsorship stream or ecosystem service, it may be useful without being part of the minimum ledger.

This distinction matters because the membership relationship is not an ordinary market purchase. A network can choose among many upstream providers, data centres, vendors or managed-service suppliers. It cannot easily choose another regional registry for the same resources. Exit is constrained by the existing record, by policy, by transfer rules, by regional scope and by the fact that many other market actors rely on the RIPE NCC record. The fee is therefore closer to a compulsory infrastructure charge than to a normal subscription.

Compulsory charges create scope risk. An institution that collects reliable fees from a captive or semi-captive base has an incentive to broaden the meaning of its mission. It may do this sincerely. Staff, board members and active community participants can believe that more research, more meetings, more tools, more outreach and more public engagement strengthen the Internet. Often they do. But usefulness is not the same as compulsion. A registry that fails to distinguish the two weakens its claim to be a modest bookkeeper and invites members to ask whether they are funding the ledger or the institution's self-conception.

The fee debate is not a narrow accounting complaint. It is a test of whether RIPE NCC understands what kind of authority it holds. If the institution says, in effect, "we must charge what is needed to keep the ledger accurate, secure and available," the legitimacy case is strong. If it says, "we must charge what is needed to sustain our wider institutional ecosystem," the legitimacy case depends on much stronger member consent, cost transparency and proof that compulsory bundling is fair across the region.

The distributional problem is particularly serious in the RIPE NCC region. A EUR 1,800 LIR charge is not the same economic event everywhere. For a large Western European operator, it may be incidental. For a smaller operator in a currency-stressed, sanctioned, conflict-affected or lower-income market, it may be meaningful. The same is true of the time cost of member participation. A large incumbent can send staff to meetings, track mailing lists, vote in General Meetings and understand policy history. A smaller member may pay the fee and absorb the outcome without having a practical voice in the deliberation that produced it.

This is why fee discipline belongs in a ledger-versus-gatekeeper analysis. A gatekeeper can extract value from its position not only by denying transfers or services, but by expanding the compulsory bundle attached to the position. A ledger should be boring, cheap where possible, transparent about essential costs, and careful not to confuse the prestige of the institution with the reliability of the record.

RIPE NCC has the advantage of publishing charging schemes and allowing member votes. That transparency is valuable. But transparency is the start of accountability, not its completion. The harder question for members is whether the cost structure tells them that the association's centre of gravity is the ledger or the institution around the ledger.

The policy list is open, but attention is scarce

RIPE policy development is one of RIPE NCC's strongest legitimacy assets. The RIPE Policy Development page describes a long-established, open, bottom-up process of discussion and consensus-based decision-making. Policy work happens at RIPE Meetings and on RIPE Working Group mailing lists. The page says meetings and mailing lists are open to everyone, mailing lists and working-group minutes are publicly archived, policies are documented and publicly available, and a person does not need to be a RIPE NCC member or a regular at meetings to propose policy.

That is a serious institutional strength. It makes the policy forum visible. It creates public archives. It lowers formal entry barriers. It allows technically competent outsiders, customers, researchers, resource holders, network operators and critics to participate without first asking the board for permission. It also helps distinguish RIPE, the open community, from RIPE NCC, the membership association and secretariat.

The weakness is that open process does not equal equal participation. Attention is scarce. Operators have networks to run. Small organisations have fewer staff. Some members lack English-language confidence or procedural memory. Some may fear speaking publicly in a politically sensitive environment. Some will not know that a mailing-list debate has economic consequences until a transfer, audit, RPKI change or fee dispute brings the rule into their business. A public archive can be complete and still fail to represent the practical exposure of absent parties.

Consensus is particularly difficult after scarcity. Before IPv4 exhaustion, a number-resource policy could be understood mainly as an allocation rule. After exhaustion, the same policy can affect asset liquidity, resource portability, capital planning, customer continuity, market entry, legacy rights, route-security posture and compliance exposure. The cost of missing a policy debate is therefore higher. Silence may mean agreement, but it may also mean ignorance, fatigue, risk aversion, language barriers or the reasonable decision not to spend scarce operational time arguing on a public list.

The RIPE policy culture should therefore be treated as evidence of openness, not as a substitute for economic impact analysis. If a rule restricts transferability, changes RPKI obligations, affects legacy resources, alters waiting-list access or creates new documentation burdens, the process should ask who will pay the cost and who is likely to be absent from the discussion. A rule can be procedurally open and economically under-analysed. Bottom-up legitimacy is strongest when it brings evidence upward; it is weakest when it converts low attendance into consent.

The 2025-02 policy implementation on delegated RPKI certificate authorities shows how policy-list decisions now reach into live operational trust. RIPE NCC's Policy Implementation Status page says the proposal was accepted by the Routing Working Group on 15 October 2025 and gives RIPE NCC a mandate to revoke resource certificates associated with long-time non-functional delegated CAs to reduce relying-party workloads. Updated certification-service terms were published on 6 May 2026 and came into effect on 8 June 2026. RIPE NCC says it will monitor and notify delegated CA operators when manifests and CRLs cannot be validated, and revoke delegation after 90 days.

That may be a technically sensible hygiene rule. It also proves the broader point. A policy discussion can become an operational change to security objects that relying parties use. A registry implementing such a rule is not merely recording who holds a prefix. It is acting in a trust chain. The more the policy process touches such chains, the more it needs evidence, notice, impact summaries and post-implementation review.

The open list remains necessary. It should not be romanticised. Mailing lists are better than closed rooms; they are not proof that every exposed operator consented.

Scarcity converted a record into a market instrument

RIPE NCC's IPv4 run-out page is one of the clearest official records of the economic shift. The IPv4 run-out page says that for most of RIPE NCC's history LIRs could receive as many IPv4 addresses as they needed if they supplied documentation such as network plans. In 2012, when RIPE NCC reached its final /8 block, community policy restricted allocations so each LIR could request one single /22, or 1,024 addresses. In November 2019, the remaining available IPv4 pool was exhausted. The current waiting-list policy allows LIRs that have not yet received an IPv4 allocation to request one /24 from addresses recovered in the future.

This was not just a technical scheduling event. It changed the economic meaning of the registry record. Before exhaustion, the registry's central problem was rationing a shrinking but still administratively allocated resource. After exhaustion, the central problem became maintaining a reliable record for resources already embedded in networks and markets. Transfers, leasing, acquisitions, address sharing, CGNAT, renumbering, IPv6 deployment and brokered transactions became part of the real economy around IPv4.

RIPE NCC's official page acknowledges that many networks mitigate scarcity by acquiring surplus addresses through the IPv4 transfer market or by deploying address-sharing technologies such as CGNAT. That statement is a factual acknowledgement of market reality. It does not mean RIPE NCC endorses every market structure or treats addresses as ordinary property. It does mean the registry's record now sits inside a commercial environment it did not create but can materially affect.

Lu Heng's broader notes describe this as a shift from technical identifiers to capital-like resources. The phrase can sound provocative because registries avoid full property language and because legal treatment varies across contracts and jurisdictions. But the economic point is difficult to deny. IPv4 blocks support revenue, customers, continuity, security posture, acquisition value and planning optionality. If a block is difficult to transfer, uncertain in registry status or exposed to discretionary review, its market value changes. If registry processes are predictable, the risk premium falls.

That risk premium is the real measure of ledger quality. A good ledger does not make an asset valuable. It makes the claim around the asset easier to trust. The market decides the value of IPv4 through use, scarcity, replacement cost, transaction demand and operational dependence. The registry should not try to become the allocator of that value. It should make recognised holdership, changes, certification and dispute status legible enough that private actors can decide what the resource is worth. In other words, the registry should lower transaction costs rather than become one of them.

The waiting list shows the remaining rationing logic. A single /24 can matter to a small operator but cannot solve the needs of a large hosting platform, carrier or cloud provider. It is a residual fairness mechanism, not a substitute for the market. Treating it as a narrow exception inside a transfer-driven scarcity environment keeps RIPE NCC closer to the ledger.

Scarcity did not make RIPE NCC illegitimate. Scarcity made RIPE NCC more consequential. Consequence is what makes discretion dangerous.

Transfers are free of charge, but not free of power

RIPE NCC's transfer pages are useful because they show the difference between an administrative fee and an economic cost. The Transfer of IP Addresses and AS Numbers page says RIPE NCC authorises and facilitates transfers of Internet number resources, such as IPv4, IPv6 addresses and AS numbers, and that all resource transfers are free of charge. That is good. A registry should not make transfer recording an expensive tollbooth.

But a free transfer request can still be economically costly if the approval path is uncertain, the documentation burden is unclear, the timing is difficult to predict, or the rules create liquidity restrictions. On the Transfers in the RIPE NCC Service Region page, RIPE NCC says all resource holders in the region can transfer resources in accordance with RIPE policies. Transfer requests can be submitted only by the offering LIR or by the sponsoring LIR of the offering End User. The page sets out transfer scenarios among LIRs and End Users, resource types, membership or sponsorship conditions, and required documents.

The 24-month restriction is the key economic line. RIPE NCC says IPv4 addresses and 16-bit AS numbers are restricted by policy from being transferred for 24 months after they have been received from RIPE NCC, received via a transfer from another organisation, or updated after a change in business structure such as a merger or acquisition. There is an exception for consolidations among multiple LIR accounts belonging to the same organisation, where the restriction applies only once after receipt from RIPE NCC or another organisation.

This rule may prevent immediate flipping, sham transfers and short-term arbitrage around scarce resources. It may also create liquidity cost. A resource holder considering a sale, restructuring, acquisition or post-merger integration must price the restriction. A buyer may discount a block that cannot move freely for a period. A company may structure a transaction around registry timing rather than pure business efficiency. A seller may prefer leasing, corporate acquisition or indirect arrangements when outright transfer is delayed. None of this means the rule is wrong. It means the rule is market governance, not clerical recordkeeping.

Mergers and acquisitions make the point sharper. RIPE NCC's Mergers, Acquisitions or Other Change in Business Structure page says both LIRs and End Users must maintain accurate information, lists required documents such as company registrations and legal documents supporting the change, and states that RIPE NCC will evaluate requests under applicable policies and procedures. It also says RIPE NCC will check the EU sanctions list and will not approve the transfer if either party is under sanctions.

Again, the purpose is understandable. A registry cannot update high-value records on weak evidence. It cannot ignore applicable sanctions law. It must prevent fraudulent claims and protect the integrity of the record. But the economic effect is clear: registry recognition becomes a closing dependency. Parties to a transaction must satisfy a private association's documentary process and legal screening before the registry record changes. The registry may be following law and policy, but it still sits at a capital chokepoint.

The ledger test is whether RIPE NCC keeps the gate narrow. Source authority, legal continuity, sanctions compliance, anti-fraud checks and accurate record updates are legitimate ledger-protection functions. Business-model judgment, informal suspicion, policy nostalgia or moral discomfort with address-market behaviour would move the registry toward gatekeeping. The market needs to know which side of that line governs transfer review, because uncertainty around that line is itself a transfer-market friction.

Inter-RIR mobility shows that registry borders are economic borders

IP addresses route without passports, but registry records move through institutional borders. RIPE NCC's Inter-RIR Transfers page states that IP addresses and AS numbers can be transferred between the RIPE NCC service region and another Regional Internet Registry's service region, but each RIR has its own policy framework and requirements. Inter-RIR transfers must be approved by both RIPE NCC and the other RIR before processing. Resources remain subject to the policies of the RIR where they are registered until the transfer is completed, and then fall under the recipient RIR's policies.

That language describes a market fact: the same technical resource can carry different economic mobility depending on the registry pair. The RIPE NCC page lists RIPE NCC, ARIN, APNIC and LACNIC as facilitating relevant inter-RIR transfer pathways, and notes that AFRINIC does not currently have an inter-RIR policy, meaning no resources can be transferred to or from that region. For a market participant, this is not an abstract policy difference. It is a difference in asset mobility.

Inter-RIR transfer rules are often defended as regional stewardship. Registries say each region has community-developed policies and different conditions. That is true. It is also incomplete. Once IPv4 blocks have market value, incompatible policies create capital wedges. A block registered in one region may be less mobile than a comparable block registered elsewhere. A buyer may prefer one registry source over another. A holder may discount the risk of being trapped in a region with no compatible transfer path. A broker may structure deals around registry compatibility. A network may lease rather than buy because registry movement is slow or impossible.

RIPE NCC is not solely responsible for this global fragmentation and is more open to inter-RIR mobility than a region without an inter-RIR policy. But the page demonstrates why registry borders matter. The registry record is the administrative layer through which resource mobility is recognised. A registry that administers mobility administers economic opportunity.

The ledger principle suggests a restrained approach. Cross-registry transfers should verify legitimate holdership, prevent duplicate claims, respect source-policy conditions until completion, ensure recipient-policy compatibility where unavoidable, and publish clear status data. They should not become a vehicle for protecting regional stock, punishing market activity or laundering political ideas through resource movement. The thinner the cross-registry gate, the more credible the registry record becomes as global infrastructure.

AFRINIC's absence from the inter-RIR transfer table is a warning to all regions, not only to Africa. When a registry lacks mobility, resources may become administratively trapped even though the network need is global. RIPE NCC's region benefits from better mobility, but it should still ask whether its own rules make movement predictable enough. The post-exhaustion economy rewards records that travel cleanly. A record that can move only after opaque judgment carries a discount.

The global Internet depends on technical uniqueness, not on the economic immobility of number resources.

Legacy resources test whether the ledger respects history

Legacy resources are a constitutional memory of the Internet's pre-RIR and early-RIR history. They were not always issued under the same membership contracts, policy assumptions or service expectations that govern contemporary allocations. That makes them a difficult but important test of institutional humility. A registry that treats all legacy records as merely waiting to be normalised into its current authority becomes a gatekeeper over history. A registry that refuses to touch them at all risks an unreliable ledger.

RIPE NCC's Legacy Transfers page takes a relatively careful position. It says legacy resources can be transferred within the RIPE NCC service region, and that RIPE NCC can help update registration information in the RIPE Database to reflect the new holder as long as it is clear who the legitimate holder is. It says legacy resources transferred in this way retain "LEGACY" status. It also says such updates are handled on a best-effort basis because legacy-resource transfers are not covered by RIPE policies.

That is a useful ledger posture. RIPE NCC is not pretending that legacy history disappears because contemporary policy is more convenient. Nor is it treating the registry record as irrelevant. It asks for due diligence, company registration documents or identity verification, a signed transfer request letter, evidence of signing authority and, if applicable, a question about whether the receiving party wishes to enter a contractual relationship with RIPE NCC.

The economic tension sits in that last part. A legacy holder may want the record updated without converting a historical position into a contemporary membership or service relationship. RIPE NCC may want clearer contracts around services and responsibilities. Both interests are understandable. The line between them matters. If advanced services such as RPKI, transfer processing or portal access become practically essential, the registry may acquire leverage to pull legacy resources into terms that holders would not otherwise choose. If the registry refuses to support accurate updates unless legacy holders accept too much modern authority, the ledger is weakened. If it supports accurate updates while making optional service terms transparent, the ledger is strengthened.

Legacy resources also expose the danger of simplistic property language. RIPE NCC need not say that a legacy block is land. It does need to recognise that historical reliance exists. A business, university, public institution or network may have operated around a legacy block for decades. Customers, security rules, mail systems, routing filters, acquisitions and internal architecture may depend on it. Treating that reliance as merely an administrative favour would be economically naive.

The right standard is neither "legacy holders owe nothing to the shared record" nor "the registry can rewrite history into present-day discretion." It is clarity: who is the legitimate holder, what evidence supports the record, what services are available with or without agreement, what changes require documents, what disputes are noted, and what policy limits apply. In a market where historical resources can carry large value, certainty is part of the ledger product.

Audit power is necessary, and fear is a warning sign

Every serious registry needs audit capacity. A registry that never checks records will eventually host stale contacts, bad route objects, mismatched BGP data, lame reverse DNS delegations, fraudulent updates or disputed authority. RIPE NCC's Assisted Registry Check is presented as a cooperative way to improve data quality. The ARC page says the initiative is designed to enhance the traditional auditing process all LIRs are required to take part in, making it faster, easier and more beneficial. During an ARC review, RIPE NCC checks registry-data quality and assists where improvements are needed. It says the review generally covers registry-data accuracy, routing and BGP announcement mismatches, and reverse DNS delegations.

That is a ledger function. Accurate data, routing consistency and reverse DNS hygiene are part of the public value of the registry. The language is also deliberately non-hostile: support, assistance, improvements, accuracy and reliability. RIPE NCC should be credited for framing audit as data-quality work rather than punishment.

Yet the existence of member fear remains an institutional signal. Lu Heng's September 2025 note on RIPE NCC phishing emails described a fake "Download Review" email that demanded member confirmation within 48 hours. The email was not from RIPE NCC. The important point was that the scam exploited fear of registry authority. A fake demand works when the target believes the impersonated institution can create serious harm.

ARC is not a phishing email. The point is why the impersonation was plausible. Members know that invoices, contracts, audits, data accuracy, transfer reviews and policy compliance can affect the resources their networks rely on. If the emotional relationship with the registry is fear rather than confidence, authority and accountability are not fully aligned.

Audit power becomes gatekeeper power when its scope is uncertain, its triggers are unclear, its timelines are open-ended, or its remedies appear disproportionate. A data-quality review should correct data. A fraud investigation should isolate and prove fraud. A payment issue should be treated as a billing issue. A policy-compliance question should cite the specific rule, the specific evidence and the specific consequence. If these categories blur, members will rationally treat every registry contact as potentially existential.

RIPE NCC can reduce that risk by publishing more aggregate audit data: categories of issues found, remediation timelines, escalation paths, closure outcomes, average documentation cycles and examples of what does not trigger severe consequences. It can distinguish clearly between cooperative correction and enforcement. It can state that running-network continuity and customer collateral damage are relevant to remedy design. It can make appeal and review paths visible.

The ledger needs audits. The market needs assurance that audit power will not become a movable gate. The phishing episode matters because scams reveal the social meaning of authority. If the bookkeeper is understood as a vendor-like recordkeeper, fake threats are easier to dismiss. If the bookkeeper is understood as a private sovereign, fear becomes an attack surface.

RPKI makes the ledger a security dependency

RPKI is where the ledger becomes part of routing-security practice. RIPE NCC's RPKI page says that in 2011 it launched a community-driven system allowing LIRs to request a digital certificate listing the Internet number resources they hold. It says RPKI offers verifiable proof that a holder's resources have been registered by a Regional Internet Registry. The related BGP Origin Validation page explains that resource certificates allow network operators to create cryptographically validatable statements about which route announcements they authorise, through Route Origin Authorisations. Other network operators can then use that information in routing decisions.

This is not ordinary clerical publication. It is a trust service layered onto the registry record. RIPE NCC does not command global routers. Operators decide how to use validation states. But the more networks rely on RPKI, the more the registry record becomes part of operational security. A resource certificate, ROA, manifest, CRL or delegated CA status can affect how networks interpret an announcement. The registry's authority is therefore not only administrative. It is cryptographically represented.

That does not mean RIPE NCC should avoid RPKI. The opposite is true. RPKI is one of the strongest examples of a registry function that belongs close to the ledger. It turns recognised holdership into a verifiable signal. It helps reduce accidental or malicious mis-origination. It can improve routing security when implemented carefully. A registry that fails to operate RPKI reliably weakens the ecosystem.

The danger is that security dependency can become service leverage. If access to certification depends on member status, contract status, legacy-resource posture, policy compliance, delegated CA behaviour or staff review, then the registry's discretion can reach beyond the database into security operations. In most cases that may be necessary. The question is whether the conditions are narrow, published, technically justified and appealable.

The 2025-02 delegated-CA implementation is a good example. A long-time non-functional delegated CA can burden relying parties and degrade the usefulness of the system. Revocation after notice and 90 days of non-functionality may be proportional. But the mechanism is still policy-derived authority inside a security trust chain, legitimate only if the evidence is technical, the notice is clear, the timeline is predictable, and the remedy is no broader than needed.

RPKI also strengthens the case for continuity planning. A registry dispute must not become routing-security pollution. Certificate repositories, trust anchors, hosted and delegated CAs, ROAs, manifests and revocation data need continuity under stress. The ledger-versus-gatekeeper frame therefore does not ask RIPE NCC to be weaker on RPKI. It asks RIPE NCC to be more disciplined: the security layer should prove the holder's relationship to the resource, not become a general-purpose instrument for institutional leverage.

The more important RPKI becomes, the less acceptable vague registry authority becomes. Cryptographic trust amplifies institutional trust. It also amplifies institutional overreach if the boundaries are not clear. Reliability is therefore not only an uptime measure. It is a promise that certification decisions will follow the record, the published terms and the technical facts, not the registry's broader institutional mood.

Sanctions and regional neutrality are not slogans

RIPE NCC operates in a legally complex region. It is based in the Netherlands, serves members across Europe, the Middle East and Central Asia, and must navigate sanctions, conflict exposure, disputed territorial language, national regulators and cross-border transactions. Neutrality in such an environment is not an emotional posture. It is a disciplined operational practice.

The M&A page makes one constraint explicit: RIPE NCC says it will check the EU sanctions list and will not approve a transfer request if either party is under sanctions. That is not a matter of community preference. A Dutch association cannot simply ignore applicable legal obligations. But the economic effect remains serious. A sanctions check can become a closing condition. A member in a sensitive jurisdiction may face uncertainty about service continuity, payments, transfers, certification or support. A buyer may discount a block or transaction because legal exposure is hard to predict.

This is where the registry must be especially careful not to overstate neutrality. A registry can be neutral in the sense that it applies published procedures, avoids geopolitical recognition claims, preserves technical records and complies with law in a transparent way. It cannot be neutral in the sense that legal jurisdiction has no effect. Dutch and EU obligations matter. Country-code handling matters. Government letters matter. Public-sector networks and national regulators may treat registry data as politically significant even when RIPE NCC describes it as operational.

Public watchdog coverage around RIPE NCC has tracked several such signals, including member visibility, accountability, Trust Portal transparency, Montenegro and Kosovo-related concerns, and registry-neutrality disputes. Those reports should not be treated as independent proof of every underlying claim. They are useful because they show where registry data becomes public governance. A national regulator that challenges how address allocation or country-code handling is presented is not only asking a technical question. It is asking who gets to define the administrative meaning of network resources in a region where law and politics do not map cleanly onto routing.

The ledger answer is restraint. Use country and territory data for operational purposes. Publish the rule. Avoid recognition theatre. Comply with sanctions law. Explain which services are affected, which are not, what documentation is needed, how affected parties can seek clarification, and how running-network continuity is protected within legal limits. Publish aggregate transparency where possible.

The gatekeeper answer is vaguer and more dangerous. It says the registry will handle sensitive cases according to its judgement, its community's values, its reading of regional interest or its desire to avoid reputational risk. That approach may feel flexible, but it creates precisely the uncertainty that markets price. Members cannot plan around institutional mood.

Sanctions and neutrality also cut against simplistic decentralisation slogans. A registry cannot solve legal fragmentation merely by announcing that it is neutral. Nor can a market participant eliminate legal exposure by saying the Internet is global. The practical goal is narrower: make the record reliable enough that law can act on facts rather than ambiguity, and make registry discretion narrow enough that law does not become a cover for avoidable private power.

Trust portals are useful, but trust is not only cybersecurity

RIPE NCC's Trust Portal is a useful transparency instrument. The RIPE NCC Trust Portal says it reflects a commitment to trust and openness by providing a high-level overview of how RIPE NCC handles confidentiality, integrity and availability. It links to information security, legal and compliance, procedures for law enforcement and competent authorities, and security-incident reporting.

That is valuable. A registry operating critical publication, portal, database and certification services should explain how it protects systems. Confidentiality, integrity and availability are not abstractions. If the LIR Portal is compromised, if registry credentials are abused, if RPKI systems fail, if Whois or RDAP publication is unreliable, or if data changes without proper control, the market suffers. Trust begins with operational security.

But trust in a registry is not only cybersecurity trust. It is also institutional trust. Members need to know who decides, what can be appealed, what metrics are published, how fees are set, how transfer delays are measured, how audits escalate, how sanctions affect requests, how legacy-resource evidence is evaluated, how policy-list outcomes become service changes, and how the institution limits its own discretion. A trust portal that answers only confidentiality, integrity and availability will not answer the full legitimacy question.

This is not a criticism of the portal as such. It is a warning against confusing one layer of trust with the whole. A registry can protect its systems and still leave members uncertain about the rules that govern economically consequential decisions.

The same point applies to official documentation more broadly. RIPE NCC publishes many procedures, and that is a strength. But the market does not need only text. It needs performance data. How long do transfer requests take by category? How many are delayed because documents are incomplete? How often do sanctions checks prevent approval? How many ARC reviews find serious issues? How often do voluntary transfer locks get requested and used? How many delegated CAs are notified, repaired or revoked under the new RPKI implementation? How many legacy transfers are completed, delayed or rejected because legitimate holdership is unclear?

Publishing such data would not require exposing sensitive member information. It would turn procedural trust into measurable trust. It would also discipline the registry internally. When an institution measures friction, it can reduce it. When it measures only activity, it may mistake workload for value.

For ledger legitimacy, the decisive question is not whether RIPE NCC can say it is trusted. It is whether the market can see why trusting it is cheaper than routing around it. Transparency that lowers uncertainty strengthens the ledger. Transparency that advertises institutional virtue without measuring member friction risks becoming another form of gatekeeper language.

Accountability disputes are price signals

Institutional disputes around RIPE NCC should not be dismissed as noise. Fee debates, policy-list criticism, transfer complaints, sanctions anxiety, phishing fear, legacy-resource questions, RPKI implementation concerns and national-regulator disputes are all price signals. They tell the market where registry authority is costly.

In ordinary politics, an institution may prefer to treat critics as unrepresentative. In infrastructure economics, criticism is data. A member who complains about fees may be revealing a distributional problem. A broker who complains about transfer friction may be revealing a liquidity problem. A legacy holder who resists contract migration may be revealing a historical-certainty problem. A small operator that stays silent may be revealing a participation-cost problem. A national regulator that challenges country-code treatment may be revealing a neutrality problem. A phishing scam that exploits RIPE NCC's name may be revealing an authority-perception problem.

Not every complaint is correct. Interested parties press their own interests. NRS advocates a more ownership-centred and decentralised view of number resources. LARUS frames registry exposure as a business-continuity risk and promotes first-party IPv4 leasing as a way to keep registry-layer risk upstream. Lu Heng's notes sharply criticise registries that behave as gatekeepers. These sources are not detached academic observers. But interested sources can still identify real mechanisms. The mechanisms are visible in RIPE NCC's official documents: compulsory fees, transfer approval, 24-month restrictions, sanctions checks, audit participation, legacy due diligence, RPKI certification and policy-derived revocation.

The right analytical move is not to adopt every critic's conclusion. It is to ask whether the official facts support the critic's mechanism. Fees operate like a compulsory levy for members who need the relationship. Transfers depend on registry approval. Policy can restrict mobility for 24 months. RPKI ties registered holdership to security assertions. ARC involves required LIR audit participation. Sanctions screening affects transfer approval. These facts do not prove abuse. They prove leverage.

Leverage must be matched by accountability. The registry's official language often uses stewardship, community, bottom-up process and stability. Those words may be sincere. They are not enough. Institutional economics asks who bears cost, who can exit, who decides, who sees the evidence, who can appeal, and who is liable if a decision causes disproportionate harm.

RIPE NCC's advantage is that it already has many accountability ingredients: member voting, published policies, open mailing lists, charging schemes, procedural pages, Trust Portal material, transfer statistics pages and board documentation. The challenge is to convert those ingredients into a lower risk premium around registry decisions. If members and markets still behave as though the registry is unpredictable at the moment of stress, formal transparency has not done its job. Accountability, in this setting, is not the publication of institutional material; it is the conversion of that material into predictable rights, duties, remedies and timelines.

Accountability disputes therefore should be read as stress tests. A mature registry does not prove legitimacy by avoiding criticism. It proves legitimacy by turning criticism into sharper boundaries.

What the ledger should do

A legitimate RIPE NCC ledger should make five things cheaper: recognition, correction, movement, security and dispute isolation.

Recognition means that the market can identify the registered holder without myth. RIPE NCC does not need to declare itself the owner of the resource or the sovereign of the region. It needs to maintain a reliable record of recognised holdership, the status of resources, relevant contracts or sponsorship relationships, certification availability, and known restrictions. The simpler the record's meaning, the more useful it is.

Correction means that errors can be fixed without fear. Bad contact data, stale organisation records, routing registry mismatches, lame reverse DNS and outdated authorisation should be corrected through cooperative processes wherever possible. Fraud or contested authority should be treated more seriously, but the remedy should fit the defect. A misspelled contact should not feel like a threat to a live business. A forged transfer should be stopped. A disputed claim should be noted and isolated. These distinctions preserve confidence.

Movement means that legitimate transfers, mergers, acquisitions and inter-RIR changes should be predictable. The registry should verify source authority, receiving eligibility where required, documents, signing power, sanctions status and policy restrictions. It should also publish enough aggregate friction data that parties can plan. A transfer market cannot function efficiently if the most important variable is how the gatekeeper will feel about the file.

Security means that RPKI and related services should reflect the ledger without expanding the registry's mandate unnecessarily. Certificates and ROAs are powerful because they bind the recognised resource relationship to a cryptographic signal. The registry should keep the signal reliable, revoke or repair broken delegated arrangements where policy justifies it, and maintain continuity under stress. It should not use security dependence as a general-purpose lever.

Dispute isolation means that registry conflict should not become customer harm. Where holdership, transfer authority, sanctions status, legacy evidence or contract compliance is disputed, the default should be to preserve the last verified operational state where law and security permit. The registry can block conflicting updates, annotate status, require documents or seek legal clarity. It should be slow to produce forced renumbering, broken route security, service termination or collateral damage unless the evidence and legal duty are clear.

These functions do not make the registry weak. They make it strong in the right places. A ledger that verifies, publishes, secures and isolates disputes is indispensable. A registry that tries to decide the moral or commercial destiny of the resources it records becomes easier to challenge because it asks for a mandate it does not fully possess.

The practical test is whether official channels are the safest path: easier to keep records accurate than to hide, easier to transfer openly than to use opaque structures, easier to engage with ARC than to fear it, and easier to understand sanctions or RPKI consequences than to guess.

When the official path is cheaper, the ledger wins. When the official path is slow, uncertain, broad or expensive, markets route around it. Gatekeepers create shadow economies. Ledgers reduce the need for them.

What the gatekeeper will be tempted to do

The gatekeeper temptation is subtle because it usually borrows the language of protection. It rarely says, "we want to control capital." It says, "we are stewards." It says, "the community decided." It says, "the region's resources must be protected." It says, "stability requires trust in the institution." It says, "policy must be enforced." Each sentence can be true in a narrow setting. Together they can inflate a record-keeping function into a private public authority.

The first temptation is mission expansion through fees. Useful activities become compulsory because they sit near the registry. Measurement tools, training, events, outreach and public-good projects may become part of the institutional identity. Members who object are told that the ecosystem benefits. But a compulsory fee should not be justified by usefulness alone. It should be justified by necessity to the ledger or by clear member consent to the broader bundle.

The second temptation is policy-list absolutism. Because the list is open, outcomes are treated as if all affected parties consented. Active participants become the imagined public. Silence becomes approval. Procedural history becomes legitimacy. This is dangerous after scarcity because transfer and security rules can affect parties who never joined the discussion. A gatekeeper loves open process when open process lets it say, "we merely implement community will." A ledger asks whether the will was informed, representative enough, evidence-based and proportionate to the economic effect.

The third temptation is transfer paternalism. The registry starts from fraud prevention and ends by judging whether movement is desirable. Anti-flipping rules can become capital controls. Documentation checks can become interpretive discretion. Sanctions screening can expand into general caution. Legacy due diligence can become a path to contract leverage. The market then prices not only the resource but the registry's appetite for movement.

The fourth temptation is security leverage. As RPKI becomes more important, certificate access and status become operationally significant. A registry that controls certification can be tempted to attach broader behaviour to the security layer. The correct discipline is to keep RPKI conditions tied to resource registration, technical validity and published terms, not to vague institutional comfort.

The fifth temptation is moral vocabulary. Scarcity makes old allocation ideals emotionally powerful. A registry can speak of fairness, conservation and community in ways that obscure the market reality of already-held resources. The result is mandate laundering: a narrow technical role enters a process of rhetoric, meetings, policies and institutional habit, and emerges as a broader claim to decide what resource holders may do with high-value operational inputs.

RIPE NCC is not uniquely guilty of these temptations. They are temptations inherent to the RIR model. The reason to name them in the RIPE NCC case is that RIPE NCC has the institutional capacity to resist them. A weak registry may overreach because it cannot manage uncertainty. A mature registry should narrow itself because it can.

The watchdog standard for RIPE NCC

The standard should be strict but fair. RIPE NCC should be judged neither by anti-registry suspicion nor by official self-description. It should be judged by whether its actions reduce the risk premium around number-resource reliance.

The first watchpoint is fee scope. The 2026 scheme keeps the annual LIR contribution at EUR 1,800, plus independent-resource and ASN charges. Members should watch whether future charging debates separate essential ledger services from optional institutional services. A charging scheme that funds a disciplined core strengthens legitimacy. A scheme that treats all valuable ecosystem work as compulsory weakens it, even when the work is good.

The second watchpoint is transfer friction. RIPE NCC publishes transfer pages and statistics. The missing question is how much uncertainty remains inside the process. Watch timing, documentation cycles, sanctions-screening outcomes, 24-month restriction effects, inter-RIR compatibility, legacy-transfer treatment and whether members can plan transactions without relying on informal expectation.

The third watchpoint is policy-list representativeness. Open mailing lists must remain central, but the post-exhaustion economy needs more economic impact analysis. Watch whether proposals affecting transferability, RPKI, legacy status, audit consequences or fees include plain-language impact notes, absent-party analysis and post-implementation review.

The fourth watchpoint is ARC and data-quality enforcement. Cooperative reviews strengthen the ledger. Vague audit anxiety strengthens the gatekeeper. Watch whether RIPE NCC publishes aggregate review categories, escalation patterns, remediation time and clear distinctions between correction, fraud and enforcement.

The fifth watchpoint is RPKI discretion. The 2025-02 implementation on non-functional delegated CAs may be technically sensible. Watch how notices, monitoring, revocations and restorations are handled. If RPKI remains a technical trust service with clear rules, the ledger strengthens. If certification becomes a broad lever, gatekeeper risk rises.

The sixth watchpoint is sanctions and neutrality. RIPE NCC cannot ignore law. It can publish enough process and aggregate transparency to reduce uncertainty. Watch whether legal constraints are communicated as narrow obligations or absorbed into broader discretionary caution.

The seventh watchpoint is legacy-resource humility. The best-effort language around legacy transfers recognises historical complexity. Watch whether legacy holders can maintain accurate records without being pressured into unnecessary modern authority, and whether the registry can distinguish record accuracy from institutional consolidation.

The eighth watchpoint is member fear. Scams exploiting RIPE NCC's name, angry fee debates or reluctance to engage with audit and transfer processes are not mere public-relations annoyances. They are evidence about how the institution is experienced. A legitimate ledger should make members calmer. A gatekeeper makes them anxious even before it acts.

The conclusion: RIPE NCC's safest future is institutional modesty

RIPE NCC matters because it is useful. The Internet does need registries, or at least registry functions: uniqueness, registration, publication, security metadata, reverse DNS, transfer recording, accurate contacts and dispute isolation. The ledger must continue. The error is to assume that continuity of the ledger requires growth in the gatekeeper.

The mature registry's temptation is not collapse. It is enlargement. Because the record is relied upon, the institution begins to feel indispensable. Because the institution is treated as indispensable, its procedures acquire moral weight. Because procedures acquire moral weight, criticism looks like destabilisation. Because criticism looks like destabilisation, discretion becomes easier to defend. That is how a bookkeeper becomes a gatekeeper without announcing the transition.

RIPE NCC can avoid that path. It can make the compulsory fee narrower and more legible. It can treat policy-list openness as a platform for evidence rather than as a substitute for evidence. It can publish more friction data around transfers, audits, legacy updates and RPKI changes. It can keep sanctions compliance narrow and transparent. It can make legacy-resource treatment historically respectful. It can keep RPKI as a security expression of the record, not an instrument of institutional leverage. It can design every process so that the official path is cheaper than the shadow path.

That would not make RIPE NCC less important. It would make it harder to replace. The safest infrastructure institutions are those that know exactly what they are for. A ledger that is accurate, cheap, narrow, secure and predictable becomes invisible in the best sense. It lets others build, route, trade, finance and serve customers without fearing the bookkeeper. A gatekeeper, by contrast, makes itself visible at the moment of dependency. It forces markets to ask not only whether a resource is useful, but whether the institution around the resource might change the rules, delay the movement, reinterpret the status or attach new conditions.

The institutional economics of RIPE NCC therefore point to a simple conclusion. The registry's legitimacy does not come from the grandeur of stewardship language, the size of its meetings, the thickness of its process, or the age of its community. It comes from lowering the cost of trust around scarce number resources. If RIPE NCC behaves as a disciplined ledger, the region benefits from a reliable public-reference function operated through a private membership association. If it behaves as a gatekeeper, the same membership association becomes a risk layer over operational capital, and every operator dependent on the record has to insure against the recordkeeper.

The Internet does not need an Olympian registry. It needs a record that knows it is a record. RIPE NCC's future legitimacy depends on choosing that modesty before scarcity, security dependence and regional complexity make the choice for it.