When the RIPE NCC made its final IPv4 allocation from its available pool on 25 November 2019, it did not cease to matter. It began to matter in a different way.

For most of its institutional life, the registry could justify itself through a relatively simple bargain. IPv4 addresses and autonomous system numbers had to be globally unique. Someone had to keep the book. Someone had to distribute new resources under rules that reduced duplicate claims, waste and routing disorder. A regional registry close to the operators it served could do that better than a distant central office, a series of national ministries or a set of incompatible private ledgers. Its legitimacy came from the practical need for a common registration system and from the discipline of allocating a scarce common resource under public rules.

That bargain did not vanish when the free pool ran out, but its center of gravity moved. The RIPE NCC still maintains the registry, supports reverse DNS, operates resource certification services, facilitates transfers, helps members correct records, administers policy outcomes, and provides a reference point that other networks, counterparties, courts, auditors and abuse desks can inspect. Those functions are not ceremonial. They remain part of the operating infrastructure of the Internet. Yet the old allocation-era mandate has largely ended for IPv4. A registry with a meaningful remaining free pool can claim legitimacy by rationing fresh supply. A registry after exhaustion must claim legitimacy by keeping a neutral, auditable and market-compatible record around resources that are already in use, already priced and already embedded in businesses.

That is a harder kind of legitimacy. Scarcity has turned the registry record into an economic instrument. The RIPE NCC does not route packets, build access networks, finance acquisitions, run cloud platforms or decide which customers need public addresses. But its recognition layer can affect whether an IPv4 block is transferable, certifiable, bankable in due diligence, safe for reverse DNS continuity, usable in a merger, clean for a lease structure and credible in a commercial transaction. A database entry is not a land title. Still, in a world where IPv4 addresses are bought, leased, valued, pledged in business planning and used to support customer revenue, recognised registration has title-like effects.

Post-exhaustion legitimacy is therefore not a ceremonial question about whether the RIPE NCC is respected. It is an institutional economics question: can a residual monopoly over recognition remain narrow enough, predictable enough and accountable enough to be trusted by a market that the registry did not create and cannot abolish?

The answer depends on whether the RIPE NCC can keep proving a distinction that is easy to state and hard to maintain. It must protect the ledger without becoming a capital-control office. It must recognise transfers without becoming a broker. It must verify authority without becoming a commercial court. It must keep security services reliable without turning RPKI or reverse DNS into leverage for unrelated goals. It must promote IPv6 without pretending that the IPv4 transition economy is already over. It must charge members enough to run essential services without treating captive resource holders as a general-purpose tax base. It must comply with law without adopting a geopolitical identity. It must support policy without letting allocation-era vocabulary smuggle old discretion into a market era.

The official materials matter here, but only as factual exhibits. They show the exhaustion date, the waiting-list mechanics, the charging scheme, the transfer procedures, the sanctions practice and the technical services. They do not settle the framing. The framing has to come from the changed economics of the registry function itself. Once allocation fades, legitimacy must be re-earned through ledger neutrality, market compatibility, transfer recognition, legacy-record confidence, RPKI and reverse-DNS continuity, fee discipline, auditability, small-operator fairness and credible constraint.

The allocation mandate has ended, not the institution

The mechanics of IPv4 exhaustion in the RIPE NCC region are now familiar. In 2012, when the region reached its final /8, each local Internet registry could receive one /22 allocation. By late 2019, the remaining pool had become fragments rather than a strategic stock. On 25 November 2019, the available IPv4 pool was exhausted. The present waiting-list regime is not a return to abundance. It allows an eligible LIR that has not previously received an IPv4 allocation to request one /24 from recovered space after processing and quarantine.

That residual distribution has value. For a small network, 256 addresses can be the difference between launching with some independence and remaining fully dependent on an upstream provider. It also gives the institution a limited fairness mechanism for new entrants. But a /24 queue cannot support the demand of a carrier, a cloud provider, a hosting network, a growing access ISP, a security platform, a merger-driven corporate group or even many ordinary regional networks. It is a queue for scraps, not a substitute for an allocation economy.

This distinction is the first discipline of post-exhaustion analysis. A waiting list preserves a thin remnant of the old mandate. It does not preserve the old mandate itself. The dominant economic reality is that IPv4 now moves through transfers, corporate reorganisations, acquisitions, leasing arrangements, carrier-grade NAT, dual-stack compromises, upstream dependency, internal reallocations and operational workarounds. The RIPE NCC can make some of that movement cleaner and more visible. It cannot make the underlying scarcity behave as if the free pool still existed.

That matters because institutional language often lags the economic shift. Before depletion, conservation meant deciding how much new supply to issue from a common stock. After depletion, the same word can become something very different: a justification for limiting the movement of resources that already sit inside networks, customer contracts and company balance sheets. The first version is rationing a pool. The second version can become capital control unless it is tied to a precise registry harm.

Not every transfer should be approved automatically. Fraud, forged authority, unresolved court restraints, sanctions exposure, stale corporate succession, broken security metadata, conflicting claims and inaccurate records are real problems. A serious registry must be able to refuse an update when the record would otherwise become false or legally impossible. But the reason for refusal should be a ledger reason. It should be connected to identity, authority, uniqueness, accuracy, service continuity, legal constraint, dispute status or security integrity. It should not be an open-ended judgment about whether the buyer's business plan, geography, customer mix, pricing behaviour or leasing strategy satisfies an allocation-era moral test.

That difference sounds technical. It is constitutional. After exhaustion, the registry remains legitimate only if it can show that its residual monopoly over recognition is being used to protect the record, not to recreate the allocator role through transfer review.

The old bargain made sense because someone had to decide who could draw from the well. The new bargain is different. The well is dry. The pump still matters because everyone needs to know which pipe is connected to which operator, which certificates are valid, which reverse-DNS delegations are current, which holder can sign, which contact can respond, and which transfer has been recognised. The pump must be honest, cheap, neutral and hard to misuse. It does not need to decide whether water should have become expensive.

Recognition is now the scarce service

The RIPE NCC is not a state. It is a not-for-profit membership association based in the Netherlands and the regional Internet registry for Europe, the Middle East and parts of Central Asia. That legal modesty is part of why the system works. The institution is useful because it performs a narrow technical and administrative function across a wide service region, not because it possesses sovereign authority over number resources.

Yet scarcity makes the narrow function powerful. A holder can route a prefix without the RIPE NCC pushing packets. A buyer can sign a private contract before the RIPE NCC updates a registry entry. A lessor can provide address use to a customer without the registry becoming a party to that customer contract. But the recognised registry record remains the coordinate around which the market organises. It is what counterparties inspect. It is what many routing-security workflows depend upon. It is what transfer processes update. It is what courts, auditors, abuse desks and operators often treat as the starting point for analysis.

That is the residual monopoly. It is not a monopoly over physical operation. It is a monopoly over widely accepted recognition. In infrastructure markets, recognition is often the difference between a private claim and a claim that third parties can rely on. The value of a ledger lies in the fact that others accept it as the common reference point.

The risk is that the keeper of the ledger mistakes that recognition monopoly for a broader mandate. A land registry does not decide whether a buyer's factory is socially attractive. A company register does not decide whether a shareholder paid too much. A securities settlement system does not become an industrial-policy ministry merely because it records movements of valuable claims. A registry can be indispensable without being entitled to rule the economy around the entries it records.

That boundary is now the central test. The RIPE NCC's public transfer process says that the organisation authorises and facilitates transfers of Internet number resources, and that such transfers are processed without a transfer fee. Free processing is good. A registry should not turn every movement into a toll. But "authorises" is an economically loaded verb. If authorisation means verifying holder control, documentation, policy status, sanctions exposure, dispute position and record continuity, it is ledger work. If it means discretionary approval of the transaction's commercial desirability, it is gatekeeping.

The same problem appears in mergers and acquisitions. When companies combine, split, sell a business unit or restructure, the registry must verify legal continuity before records change. That verification protects everyone. A forged document should not move a valuable block. A dissolved company should not remain a ghost holder. A buyer should not obtain a registry update from a person with no authority to act. But the registry's ability to delay or refuse recognition also becomes a closing condition. It can affect price, timing, warranties and risk allocation in the deal. The more predictable the rule, the smaller the risk premium. The more discretionary the rule, the larger the premium captured by lawyers, brokers and insiders who know how to navigate the process.

Post-exhaustion legitimacy therefore depends less on institutional prestige than on transaction-cost reduction. A trusted ledger lowers the cost of using the market. A discretionary gatekeeper raises it. The official purpose can sound the same in both cases: protect the registry. The economic effect is opposite.

This is why auditability has to mean more than a general promise of careful administration. It should be possible for members and market participants to understand what evidence is required, how long ordinary cases take, what common defects trigger delay, which categories of refusal exist, how appeals or reviews work, how disputes are marked, and what happens to related services while a case is pending. Commercial contracts can remain private. Individual prices can remain private. The process itself should not be a black box.

The registry earns a legitimacy premium when parties prefer to disclose, correct and record because the official route reduces risk. It loses that premium when parties avoid the official route because the recordkeeper has become the largest uncertainty. In a post-exhaustion economy, uncertainty is not an abstraction. It is priced into indemnities, escrow terms, delayed closings, lease discounts, financing reluctance, broker fees and the willingness of small operators to enter the market at all.

The market is not a deviation from governance

IPv4 markets often made the registry tradition uncomfortable. That is understandable. The early regional registry model was built around technical coordination, need-based allocation, conservation and accurate registration. Address space was not supposed to be a speculative commodity. Members paid fees for services, not a price per address. Policies tried to slow waste, preserve routability and prevent a common pool from being consumed too quickly.

But a market does not disappear because official language dislikes its implications. Once a resource is finite, globally useful, operationally embedded and unavailable through ordinary allocation, economic value appears. Buyers reveal demand by paying. Sellers reveal opportunity cost by refusing to sell cheaply. Lessors reveal that some users need continuity without outright purchase. Brokers reveal that search, documentation and registry navigation have become specialised services. Financing conversations reveal that IPv4 is not merely a technical label; it is an input to revenue, customer retention and network independence.

That revealed demand is information. It does not prove that every transaction is socially beneficial. It does not prove that every broker is benign. It does not mean leasing can be ignored by policy. It does prove that the allocation channel no longer satisfies demand. Treating the market as a moral embarrassment obscures the most important fact: official scarcity and operational necessity have diverged.

The better posture is not market worship. It is market compatibility. The RIPE NCC does not need to declare IPv4 to be ordinary property in order to recognise that transfers move economically valuable operational control. It does not need to endorse speculation in order to process legitimate movements predictably. It does not need to abandon fraud control in order to distinguish fraud from commercial use. It does not need to price the asset in order to understand that delay, uncertainty and non-recognition affect price.

Liquidity is the key word. A liquid market lets resources move from lower-valued to higher-valued use with tolerable friction. IPv4 liquidity is already imperfect because the asset is unusual, legal vocabulary differs across jurisdictions, registry regions vary, abuse history matters, routing reputation matters, legacy status matters and the Internet still relies on public coordination. Adding unnecessary institutional uncertainty compounds the problem. It pushes parties toward workarounds: leasing without clean disclosure, nominee structures, corporate acquisitions designed mainly to move addresses, private subdelegations that lag behind public records, and risk transfer to brokers or lawyers rather than to transparent registry rules.

That is bad for the registry. The official ledger should win because it is safer than the grey path. If the registry path is slow, ambiguous or moralising, the grey path becomes more attractive. A post-exhaustion registry earns legitimacy when market participants choose disclosure because the record protects them. It loses legitimacy when they avoid the record because the institution treats ordinary commercial movement as a request for permission.

Conservation remains legitimate only if it is attached to the right object. Conserving an unallocated pool before exhaustion meant slowing waste. Conserving registry confidence after exhaustion means ensuring that resources can move cleanly, records stay accurate, authority is verified, security services follow recognised holders, and disputes are visible rather than hidden. A registry that prevents waste in a free pool performs allocation discipline. A registry that immobilises already allocated resources may be conserving institutional power rather than conserving the Internet.

Liquidity can itself be a conservation tool. An address block sitting idle in a corporate shell, trapped behind weak records, hidden under unclear delegation or discounted because transfer rules are uncertain is not being conserved in any useful operational sense. It is being immobilised. If a transfer moves that block to a network that needs it, routes it, maintains contacts, signs appropriate route-origin objects and supports paying customers with it, the Internet has not lost the resource. It has made the resource more productive.

This is why post-exhaustion policy cannot simply inherit anti-hoarding and anti-speculation instincts from the allocation era. Hoarding was a valid concern when applicants could request more from a common stock at administrative cost. Speculation was a plausible worry when a party might obtain cheap addresses for resale rather than deployment. After exhaustion, the market price itself discourages frivolous acquisition. A buyer that pays real money for IPv4 is revealing demand, strategic optionality or expected revenue. A seller that releases space is revealing that the resource is worth more in the market than inside its own network. The registry should care whether the record remains true, whether abuse responsibility is traceable, whether a dispute exists and whether the transfer is legally authorised. It should be cautious about deciding that the motive is too commercial.

There is a bad version of liquidity. Fraudulent transfers, forged authority, short-term abuse operations, deliberate reputation washing, sanctions evasion and hidden control can all harm the Internet. But these are not arguments for low liquidity. They are arguments for stronger evidence, better provenance, clearer transfer history, more reliable abuse-contact accountability, continuity rules for RPKI and reverse DNS, and explicit dispute marking. A usable, market-compatible ledger is better at detecting abuse than a moralising bottleneck that drives behaviour outside the record.

The economics are familiar. If the formal market is usable, actors internalise its rules. If the formal market is punitive or unclear, actors build substitutes. Those substitutes may be less visible, less auditable and less respectful of the public-interest goals that registry policy claims to protect. A registry that wants accurate records should make accurate recording attractive. A registry that wants responsible leasing should make responsible leasing legible. A registry that wants to prevent fraud should distinguish fraud from ordinary commercial allocation of scarce capital.

Conservation after exhaustion should therefore be judged by resource productivity and record confidence, not by discomfort with price. If a rule keeps addresses idle, pushes usage into informal structures, reduces collateral value for small operators or makes transfers depend on specialised insiders, it may conserve a narrative while wasting the asset. If a rule moves addresses into visible, documented, secure and accountable use, it conserves what matters.

That is the paradox of the post-exhaustion registry. To protect the Internet's operational interest in IPv4, it must often allow movement rather than stop it. Liquidity is not the enemy of responsibility when the free pool is gone. It is one of the ways responsibility becomes real.

IPv6 is the horizon, not an answer to every present claim

Every serious discussion of IPv4 scarcity has to include IPv6. In the long run, IPv6 is the only technically clean answer to the limits of a 32-bit address space. The RIPE NCC has promoted IPv6 for years, trained operators, supported measurement and helped keep deployment in the policy conversation. That work is necessary.

It is not a substitute for post-exhaustion legitimacy.

The reason is time. IPv6 may be the destination, but the transition economy is the present. Networks still need to serve IPv4-only users, connect to IPv4-dependent systems, maintain legacy customer environments, support hosting and security workflows, interoperate with older equipment, and operate in markets where full IPv6 reachability does not eliminate the need for IPv4. Dual stack is not a slogan. It is a cost structure. Carrier-grade NAT is not a philosophy. It is an engineering compromise with performance, logging, abuse-handling, troubleshooting and customer-experience consequences.

The claim that IPv6 solves IPv4 governance becomes weakest precisely where new entrants and small operators are most exposed. A large incumbent can buy IPv4, deploy CGNAT at scale, run dual stack, hire routing-security staff, maintain policy specialists and absorb delays. A small operator may need a modest amount of IPv4 simply to launch while also deploying IPv6. Telling that operator that IPv6 is the future does not answer how it obtains enough IPv4 for customers today.

This is where transition language can become regressive. If IPv4 access is expensive, opaque or administratively uncertain, incumbents with inventory are protected. Entrants face higher fixed costs. A transfer policy that appears prudent in abstract may entrench the networks that already hold enough address space. A registry that treats IPv6 advocacy as an excuse to neglect transfer-market clarity risks turning a technical transition into an incumbency subsidy.

The correct balance is more exacting. The RIPE NCC should continue to support IPv6. It should also treat IPv4 transfer recognition, legacy-record confidence, RPKI and reverse-DNS continuity, fee discipline and small-operator access as active governance responsibilities during the transition. A bridge that lasts decades becomes infrastructure. It cannot be governed as if everyone will stop using it next quarter.

The best IPv6 policy is a credible IPv4 transition economy. Operators are more likely to trust a registry's long-term advice if they see that the same registry is disciplined about present scarcity. A registry that is practical about IPv4 is not betraying IPv6. It is acknowledging the operating conditions under which IPv6 adoption actually proceeds.

That practical posture also prevents a subtle shift in accountability. If every IPv4 problem is answered with "deploy IPv6", then registry decisions about IPv4 become harder to scrutinise. Delays, ambiguous documentation requirements, weak leasing visibility, legacy uncertainty and fee burden can be dismissed as transitional discomfort. But for an operator trying to keep customers online, the transition is not a debating point. It is the environment in which capital is spent and risk is carried. The registry's legitimacy must be judged in that environment, not in a completed future.

The language of care needs credible constraint

The word often used for registry responsibility is "stewardship". It is useful, and it is dangerous.

In the allocation era, it expressed a real duty. A finite pool of globally unique identifiers needed disciplined management. Giving out too much too fast would shorten the pool's life. Issuing fragments without attention to aggregation could impose routing costs. Letting records decay would harm troubleshooting and coordination. In that setting, the vocabulary of care matched the activity: allocate cautiously, record accurately, preserve uniqueness and support the running network.

After exhaustion, the word needs a narrower definition. If it means uniqueness, accuracy, contactability, secure publication, fraud resistance, lawful processing and service continuity, it remains legitimate. If it means continuing discretion over the economic use of already allocated IPv4, it becomes suspect.

The difference is not semantic. It changes who bears risk. Under a thin definition, the registry records and verifies. Operators bear market risk, deployment risk, customer risk and investment risk. Under a thick definition, the registry also shapes transferability, leasing legitimacy, business-model acceptability and sometimes the conditions under which an operator can continue to rely on a resource. Yet the registry usually does not bear proportionate downside if its judgment is wrong. That asymmetry is the political economy behind post-exhaustion legitimacy.

A membership association is not a public legislature. A policy mailing list is not a court. A regional service area is not a political people. A claim to care for the Internet does not by itself create authority to control capital movement. The more valuable IPv4 becomes, the more dangerous it is to let a broad institutional word do work that should be done by precise rules.

The RIPE NCC is better positioned than more troubled institutions because it publishes procedures, charging schemes, policy pages, technical documentation and sanctions transparency material. It also operates in an ecosystem that distinguishes RIPE, the open technical community, from the RIPE NCC, the membership association that implements and administers registry services. These are real strengths. But transparency does not remove the problem of scope. It simply makes the boundary easier to inspect.

The post-exhaustion question is not whether the RIPE NCC can describe itself as caring for the registry. It is care for what? The public record? The certification service? The accuracy of reverse DNS? The ability of recovered space to be distributed under a waiting-list rule? The integrity of transfer documentation? All of those are defensible. Care for the market value of IPv4? Care for whether a holder should lease? Care for whether a buyer's need is sufficiently pure? Care for a region's capital stock? Those claims require a different authority, a different accountability structure and a different theory of consent.

The safest legitimacy rule is simple: the thicker the claimed discretion, the stronger the required accountability. If the institution wants low liability and private-association status, its discretion should remain narrow. If it wants public-regulator-like discretion, it cannot rely on bookkeeper-level accountability. The RIPE NCC's legitimacy is maximised not by grander language, but by refusing unnecessary grandeur.

Credible constraint is not weakness. It is the discipline that lets others trust the institution. A registry that can show exactly why it acted, what evidence it required, which rule it applied, what alternatives were considered and how a party can challenge the result will be trusted even when it says no. A registry that relies on broad vocabulary may be tolerated when outcomes are easy, but it will lose confidence when scarcity makes outcomes expensive.

Ledger neutrality is active, not passive

Neutrality in this context does not mean indifference. A registry that ignores false records is not neutral. It is negligent. A registry that accepts forged documents is not neutral. It corrupts the ledger. A registry that lets RPKI objects decay, reverse-DNS delegations fail or member-authority records become stale without process is not neutral. It degrades infrastructure.

Ledger neutrality is active. It means similar cases are treated similarly. It means requirements are tied to defined harms. It means evidence standards are knowable. It means decisions are documented. It means conflicts are marked rather than hidden. It means technical services are not used as leverage for unrelated institutional goals. It means the registry resists pressure to become a court, a regulator, a sanctions actor beyond legal necessity, a fiscal club or a market gatekeeper.

This is hard because modern registry services are no longer just a text database. RDAP, Whois, reverse DNS, RPKI, routing registry data, portal workflows, transfer forms, sanctions checks, audits, API keys and member contacts interact. A change in one layer can affect trust in another. RPKI is especially sensitive because route-origin validation converts registry-derived certification into real operational choices by third-party networks. The RIPE NCC offers hosted and delegated certification models, and any defined ability to revoke or alter certification arrangements under certain conditions gives the registry operational influence beyond a static record.

That influence may be necessary. A non-functional delegated certificate authority can create problems for the trust chain. A hijacked account can create route-security risk. A transfer that changes holder control may require certificate continuity planning. A dispute may require a pause before new objects are issued. But necessity is not the same as unlimited discretion. If certification action is required, the trigger, notice period, cure path and effect on existing routing should be precise. RPKI must remain a security service, not a pressure tool.

The same is true of reverse DNS. Delegations are part of the operational identity of networks. Broken or disputed delegations can affect mail systems, reputation, abuse handling and customer expectations. During a transfer, merger, dispute, audit or sanctions hold, continuity matters. The ledger must preserve last verified states where appropriate, transition records cleanly when authority changes, and avoid using infrastructure dependencies as bargaining tools.

Legacy resources show the same principle from a different angle. They are the memory of an earlier Internet. They may have been distributed before the current contractual vocabulary existed, or outside the present hierarchical registry structure. They may be held by universities, enterprises, public bodies or companies whose original allocation history predates modern membership relationships. In the RIPE NCC region, legacy holders can obtain services through direct or sponsored arrangements, and the registry can update records where legitimate holdership is shown.

Legacy space is not a footnote. It is where post-exhaustion legitimacy meets historical reliance. A holder may have used a block for decades. A company may have acquired another company partly because of its network assets. Customers may depend on addresses that no one originally acquired under today's forms. Security practice may now require RPKI, better contact accuracy and clearer reverse-DNS arrangements. The public ledger needs clean records. The holder needs confidence that modernisation will not become a trap.

A heavy-handed registry approach would say that all history must be normalised into present authority. A negligent approach would say that history is too messy and should be left alone. A legitimate ledger does neither. It asks what evidence supports current holdership, what services are requested, what contractual relationship exists or is needed for those services, what disputes are known, and what the public record should say without rewriting history.

The economic value of legacy certainty is high. A clean legacy block is easier to transfer, lease, value, finance and secure. A messy one is discounted. If the registry makes cleanup predictable, it creates value for the market and for the Internet. If cleanup is uncertain or perceived as a path into unwanted obligations, holders may keep records stale. That harms the public record and increases risk for everyone.

Here too, the legitimacy test is narrowness. The RIPE NCC can ask for documentation of holdership and signing authority. It can require accurate contacts. It can define which services require a contractual relationship. It can support RPKI under specified terms. It should not use legacy uncertainty to expand discretion over the holder's business model, transfer choices or economic motives. The point of legacy engagement is confidence, not conquest.

The same principle applies to transfers of legacy resources. The market needs to know whether legacy status continues, what documents are required, how long an update ordinarily takes, what happens if evidence is incomplete, what services remain available and how disputes are marked. A registry that provides those answers creates a legitimacy premium. A registry that leaves them to case-by-case discretion creates a discount.

Legacy records are therefore not a conservative exception to the post-exhaustion market. They are central to it. They show whether the registry understands that the ledger's authority partly comes from respecting reliance created before the registry's current language existed.

Law, sanctions and disputes should narrow the registry role

The RIPE NCC's geography makes sanctions unavoidable. A Dutch association serving parts of Europe, the Middle East and Central Asia cannot ignore EU sanctions, banking restrictions, conflict-related legal exposure or the difference between a registration freeze and operational disconnection. The organisation's sanctions transparency reporting is an important attempt to make this visible. It identifies affected statuses and makes clear that legal constraints can affect registry services.

The crucial distinction is that the RIPE NCC freezes registration movement, not the use of resources, when applicable sanctions affect its services. That line deserves emphasis. It prevents the registry from turning legal compliance into a private kill switch. It also reveals the post-exhaustion dilemma. A registration freeze can still be economically severe. It can stop transfer, acquisition or certain updates. It can make financing harder. It can affect a sale. It can trap capital. But it preserves the running network and avoids deregistration as a first response.

That is how a registry should handle public-law constraints: comply narrowly, document clearly and preserve continuity unless the law requires more. The danger is institutional identity drift. A registry that frequently administers sanctions may begin to see itself as a compliance authority rather than a ledger subject to compliance obligations. The difference is subtle but important. In the first model, the registry asks what the law requires and how to minimise collateral harm. In the second, it builds a broader compliance posture that may exceed the narrow legal requirement.

US sanctions illustrate the indirect version of the problem. The RIPE NCC has stated that it is not generally bound by US sanctions in the same way it must comply with applicable EU law, but that US lists can affect Dutch banking relationships and therefore payment and invoicing. This is a real operational constraint. It is also a reminder that financial infrastructure can convert foreign policy into registry risk even when the registry is not the sovereign actor. Members experience the result as dependency: their ability to maintain a registration relationship may be affected by a sanctions and banking environment far beyond their network operations.

Legitimacy requires humility here. The RIPE NCC should not pretend it can make sanctions irrelevant. It should also not convert sanctions administration into a broader discretionary role. Reports should remain regular, granular and careful about the difference between frozen registration movement and operational use. Affected parties should have a route to provide documentation. Non-cooperation should be defined carefully. On-hold status should not become a vague category where resources sit indefinitely without review. The boundary between frozen registration movement and operational preservation should remain bright.

Sanctions are a preview of a broader risk. Once a registry becomes the point where law, banking, market transactions and network recognition meet, other actors will try to use it as a lever. States may demand influence. Courts may issue orders. Banks may refuse payments. Insolvency officers may contest authority. Complainants may seek freezes. Competitors may file objections. Buyers and sellers may try to pressure staff into validating their preferred interpretation of a contract. The registry's defence is not to become powerful enough to decide everything. It is to be narrow enough that its decisions remain recognisably ledger decisions.

The same discipline applies to ordinary disputes. Disputes over corporate control, fraud, transfers, payment, insolvency, customer relationships, historical allocations and authority will keep appearing. The registry must sometimes decide whether evidence is sufficient to update a record. But it should avoid becoming the final adjudicator of commercial rights where courts, arbitration, insolvency processes or independent review are better suited. In many hard cases the correct registry move is to preserve the last verified state, mark the dispute, block conflicting updates and wait for an independent decision.

This is not passivity. It is role discipline. A registry that leaps to decide private rights can damage the losing party and expose itself to claims it is not designed to bear. A registry that refuses to decide anything can let false records persist. The narrow middle is to determine what can be verified for registry purposes, what remains contested, and what independent process is needed before recognition changes.

In institutional economics, this is the difference between a ledger and a tribunal. A ledger needs rules for evidence, authority and correction. A tribunal needs jurisdiction, procedure, remedies, liability and appeal. The RIPE NCC's legitimacy depends on not confusing the first with the second.

Fees and audits expose the captive-member problem

The RIPE NCC's 2026 charging scheme keeps the annual contribution at EUR 1,800 per LIR account, with a EUR 75 charge per independent Internet number resource assignment and a EUR 50 charge per ASN assignment in defined categories. The sign-up fee remains EUR 1,000. Legacy resource holders that enter a direct agreement pay a fee equal to the annual fee per LIR account for that year.

Those figures are modest for some members and meaningful for others. A multinational operator can treat them as overhead. A small ISP, research network, local hosting company, community provider or operator in a weaker currency environment may not. The RIPE NCC service region is not uniformly rich. It includes wealthy Western European markets, lower-income economies, conflict-affected members, sanctioned jurisdictions and networks facing high costs for power, transit, equipment and capital.

The legitimacy issue is not whether any single number is too high in isolation. It is what the fee funds and how the compulsory bundle is justified. A member that needs stable registry recognition has limited practical exit. It cannot easily move its existing resources to a different recognition system. It pays into a membership association whose activities include essential ledger functions and broader community, training, measurement, meeting and outreach work. Many broader activities may be useful. Usefulness is not the same as compulsory necessity.

A post-exhaustion registry should be fiscally boring. Its mandatory fees should be tied as closely as possible to functions that resource holders cannot reasonably obtain elsewhere: registration accuracy, secure publication, transfer recognition, reverse DNS, RPKI, fraud resistance, member-authority verification, legal compliance, continuity planning and reliable service operations. Optional ecosystem work should be justified separately and, where possible, funded separately. If members want a broader institution, they can vote for it. But the vote should expose scope, beneficiaries and distributional burden clearly.

The danger is the captive tax base. Resource holders pay because they need the ledger. The institution then becomes tempted to fund a wider identity from that base. This can happen without bad faith. Staff and members may sincerely believe that training, measurement, outreach and meetings serve the Internet. They often do. But post-exhaustion legitimacy requires a sharper separation between essential infrastructure and institutional ambition.

Fee discipline is also market compatibility. High or unpredictable charges reduce the value of holding resources, especially for small operators. Compulsory charges that rise faster than the cost of essential ledger functions become a form of rent capture. In a world where IPv4 scarcity already creates rents and inequalities, the registry should avoid adding an institutional rent of its own.

Audits belong in the same category of discipline. A registry must be able to verify that records are accurate, contacts work, membership authority is real, resources are not being claimed through fraud, and policy conditions are satisfied. But audits can also become a channel through which vague institutional preferences are imposed. The difference is proportionality. A legitimate audit asks for information tied to a defined registry concern and gives the member a clear cure path. An illegitimate audit becomes a fishing expedition into business choices that do not threaten uniqueness, accuracy, legal compliance or service continuity.

Small operators feel this most sharply. A large network can assign staff to respond to a registry query. A small provider may treat the same email as an existential threat. A cooperative correction process can feel like enforcement if the member does not understand the scope, timeline or consequence. Auditability therefore requires plain language, predictable steps, documentation checklists, escalation paths and a clear distinction between error correction, non-cooperation, fraud suspicion and policy violation.

The fiscal rule and the audit rule are really the same rule: mandatory burdens should be traceable to essential registry needs. Charge what is necessary to keep the ledger accurate, secure, lawful and continuous; make everything else transparent, contestable and as voluntary as possible. Ask for what is necessary to verify the record; do not use verification to expand the institution's economic authority.

Small operators are the legitimacy test

Large operators can live with friction. They may dislike it, but they can hire staff, counsel, brokers, consultants and policy specialists. They can maintain multiple LIR accounts, attend meetings, vote, track mailing lists and structure transactions around registry timelines. They can absorb delays and paperwork in a way a small entrant cannot.

Small operators are therefore the true test of post-exhaustion legitimacy. A registry that works only for those with institutional familiarity is not open in practice, even if every mailing list is public. A transfer process that is free of charge but costly to understand is still costly. An audit that is cooperative but frightening to a resource-poor member still imposes a burden. A flat fee that funds valuable services may still be regressive. A policy process open to all may still be dominated by those who can afford attention.

This is especially important after exhaustion because entrants no longer receive meaningful IPv4 supply through normal allocation. A new ISP may need a small amount of IPv4 to launch, but a /24 waiting-list allocation cannot support much growth. It must buy, lease, obtain addresses through a sponsor, depend on an upstream provider, use address sharing or build a service model around scarcity. Each path carries dependency. The registry cannot solve every dependency, but it can make the official parts predictable and fair.

Fair treatment of small operators means more than lower fees. It means plain-language transfer requirements, predictable service levels, visible review paths, proportional documentation, clear status definitions, workable sponsoring relationships and policy impact analysis that asks who has to spend time complying. It means not assuming that absence from a mailing list equals consent. It means recognising that a rule framed as anti-speculation may also block a small operator from obtaining the resources it needs through the only market available.

It also means treating leasing realism carefully. Many small operators lease addresses or obtain address use through contractual arrangements because purchase is expensive or unnecessary. Leasing can create record-accuracy problems if it hides operational control, abuse contacts, routing responsibility or customer delegation. But pretending leasing is marginal does not improve accuracy. A legitimate registry should prefer disclosed, accountable operational delegation to hidden dependency. The holder of record can remain responsible while the ledger records enough information to support abuse handling, routing context and continuity.

If leasing is forced into ambiguity, small operators lose. They either rely on opaque upstream arrangements, accept weak documentation or overpay for transfers they cannot afford. A market-compatible registry should make lawful, transparent, responsible use easier than avoidance. That is not a subsidy. It is better record design.

Small operators also expose the difference between formal equality and practical equality. A rule that applies equally to every member may burden a small network more heavily because the small network has less staff, less cash, less legal capacity and less tolerance for delay. A fee that looks flat may be progressive for administrative simplicity but regressive in effect. A policy discussion that is open may still be inaccessible if it assumes long-term familiarity with mailing-list conventions and English-language technical shorthand.

The practical remedies are not dramatic. Publish checklists. Use examples. Explain common transfer problems. Provide service-level ranges. Mark when documentation is missing rather than leaving parties uncertain. Separate suspected fraud from ordinary correction. Make appeal or review mechanisms visible. Provide clearer guidance for sponsored resources, legacy-resource services, reverse-DNS continuity and RPKI transitions. Assess whether policy changes impose fixed compliance costs that fall hardest on small networks.

In institutional economics, legitimacy is often measured by whether weaker parties can use the system without special access. The RIPE NCC's strongest post-exhaustion claim will not be that large incumbents accept it. Large incumbents often accept whatever system preserves continuity. The stronger claim will be that small members and entrants can navigate the registry without treating it as an unpredictable authority.

Policy consent after scarcity must be more explicit

RIPE's open policy culture is one of the strongest features of the RIPE NCC environment. Policies are discussed in working groups, mailing lists are public, meetings are open and participation is not limited to members. This architecture reflects an older source of technical legitimacy: public discussion, operational competence and rough consensus.

After exhaustion, openness remains necessary but becomes insufficient. The economic weight of policy has changed. A policy on transfers, RPKI, waiting-list access, audit scope, legacy resources, sanctions handling or resource certification can affect asset value, market liquidity, customer continuity and entry barriers. That does not make the policy illegitimate. It does require more than procedural openness.

Attention is unequal. The people most affected by a policy may not be present when it is discussed. A small operator may not have time to follow list traffic. A non-native English speaker may hesitate to intervene. A company may not realise that a technical term will later affect a transaction. A legacy holder may not track RIPE process until it needs RPKI or a transfer. Meanwhile, repeat participants, large networks, brokers, consultants and institutional insiders can shape language in small but consequential ways.

This is not an argument against the RIPE process. It is an argument for supplementing it with economic impact discipline. Policy proposals that affect already allocated resources should identify who bears cost, who gains liquidity, who loses mobility, whether the rule is retrospective, whether small holders face disproportionate burdens, how disputes will be handled and which alternatives were rejected. Consensus should include evidence of affected-principal awareness, not only list silence.

The distinction between RIPE and the RIPE NCC helps but does not solve the problem. RIPE is the open community; the RIPE NCC implements and administers registry services. But once implemented, a rule becomes part of the environment in which resources are valued and moved. A transfer restriction, certification condition or documentation requirement is not softened because it emerged from an open process. It still affects market participants.

Post-exhaustion policy should also be wary of moral compression. Words such as "speculation", "hoarding", "proper use", "community interest" and "stewardship" can hide economic choices. They may be appropriate in some free-pool contexts. They are dangerous when applied broadly to already allocated resources. A policy that restricts transfers to prevent flipping should define the measurable harm. A policy that protects route security should identify the technical failure it prevents. A policy that burdens legacy holders should explain why the burden is necessary for the ledger, not merely for institutional neatness.

The post-exhaustion policy rule should match the transfer rule, the fee rule and the audit rule: narrow constraint. Policy should constrain only what must be constrained to protect uniqueness, accuracy, security, legal compliance, continuity, fair process and usable entry. Scarcity is not a licence for policy sprawl. It is a reason to be more precise.

There is also a feedback problem. If policy becomes too complex, the market develops around the people who understand it. Brokers, consultants and repeat participants gain an information advantage. Some of that specialisation is inevitable. IPv4 transactions are unusual and document-heavy. But the registry should not add avoidable complexity that converts public policy into private expertise. The more valuable IPv4 becomes, the more important it is that rules be readable by ordinary operators, not only by institutional regulars.

Policy legitimacy after scarcity therefore requires a different evidentiary habit. Before exhaustion, a policy could ask whether the pool would last longer or whether allocation practice would be fairer. After exhaustion, a policy should ask whether it improves record confidence, lowers transaction risk, protects security services, reduces fraud, keeps small operators able to participate and preserves the distinction between recognition and control. If it cannot answer those questions, it may be borrowing authority from a mandate that has expired.

The practical watchpoints

Post-exhaustion legitimacy can be measured by evidence rather than slogans. The RIPE NCC does not need to prove that it is important. Scarcity already makes it important. It needs to prove that its importance reduces uncertainty rather than adding to it.

The first watchpoint is transfer transparency. The registry should publish enough aggregate data for members and market participants to understand ordinary processing times, documentation defects, deferral reasons, rejection categories and review outcomes. Prices and private contracts can remain confidential. The process should not. If legitimate transfers close predictably, the ledger earns trust. If unexplained delays accumulate, the market will price registry uncertainty.

The second watchpoint is the boundary between transfer verification and transaction approval. Verification should ask whether the parties have authority, whether the resource can be moved, whether the record will remain accurate, whether services will continue and whether legal constraints apply. It should not become a judgment on the economic attractiveness of the buyer, the price, the buyer's geography or the buyer's business model unless those facts create a defined registry harm.

The third watchpoint is legacy-record confidence. Legacy holders should be able to understand what they can update, what services require a contractual relationship, how sponsored arrangements work, what evidence is needed for holdership, what happens after transfer and how disputes are marked. The aim should be to draw legacy space into higher confidence because confidence is valuable, not because history must be absorbed into present institutional authority.

The fourth watchpoint is RPKI and reverse-DNS continuity. Transfers, sanctions holds, disputes, audits and legacy updates should not casually break dependent services. Where certification action is necessary, the trigger, notice period, cure path and operational effect should be precise. Security services must not become enforcement weapons for unrelated goals.

The fifth watchpoint is fee discipline. Charging schemes and financial documents should separate essential ledger services from optional ecosystem activity more sharply. Members can choose to fund broader work. They should see the choice in terms that reveal who pays, who benefits and what part of the bundle is unavoidable for stable recognition.

The sixth watchpoint is audit proportionality. The registry should remain able to correct records and prevent fraud, but member reviews should be tied to defined registry concerns. The difference between routine correction, non-cooperation, suspected fraud and policy violation should be explicit. A small operator should not have to infer whether an administrative query is a service request, a warning or an existential threat.

The seventh watchpoint is small-operator access. A /24 waiting-list system is a fairness gesture, not a growth model. Transfer, leasing, sponsoring, legacy-service and certification processes should be readable and affordable for small networks. If only large incumbents and specialist brokers can navigate the system comfortably, formal openness is not enough.

The eighth watchpoint is leasing visibility. The registry does not need to become a party to every commercial delegation, but it should prefer disclosed, accountable operational use over hidden dependency. Abuse contacts, routing context, holder responsibility and service continuity matter. Pretending that leasing is marginal will not make records more accurate.

The ninth watchpoint is sanctions and legal restraint. Reports should remain regular, detailed and careful about the difference between frozen registration movement and operational use. On-hold categories should have review paths. Banking constraints should be described candidly without expanding into discretionary geopolitical governance.

The tenth watchpoint is policy impact. Proposals with market effects should identify affected classes, fixed compliance costs, retrospective effects, small-operator burden, liquidity consequences, security gains and alternatives. Silence on a mailing list should not be overread as consent when scarce operational capital is affected.

The eleventh watchpoint is member authority. Voting contacts, transfer authority, sponsoring LIR relationships, corporate-control evidence and portal permissions are not administrative details. They are the security layer around the ledger. A post-exhaustion registry should harden this layer before a crisis proves why it mattered.

None of these watchpoints is revolutionary. They are the ordinary disciplines of an institution whose environment has changed from allocation to recognition. They are also the difference between a registry that the market trusts and a registry that the market merely endures.

A trusted post-exhaustion registry creates a legitimacy premium. Blocks registered under it are easier to value because the record is reliable. Transfers are less risky because the process is predictable. Legacy space is less discounted because holdership is clearer. RPKI and reverse-DNS services are more useful because continuity is planned. Members participate because policy effects are visible. Courts and counterparties trust the registry because disputes are isolated rather than converted into institutional self-help. Small operators use the official path because it is safer than avoidance.

A weak post-exhaustion registry creates a discount. Buyers demand indemnities. Sellers accept lower prices. Lessors avoid disclosure. Operators route around the record. Lawyers become routine transaction infrastructure. Members fear ordinary emails. Policy becomes an insider sport. Fees feel like a tax rather than a service charge. Sanctions, audits and transfer reviews become generalised anxiety. The registry still exists, but it no longer reduces uncertainty as effectively as it should.

The RIPE NCC has many of the ingredients of the stronger model: documentation, process, technical competence, visible transparency work and an ecosystem that still values open discussion. But legitimacy after scarcity is not inherited. It is re-earned each time the institution chooses ledger over gatekeeper, recognition over control, continuity over leverage and constraint over institutional self-expansion.

The allocation-era mandate was to distribute scarcity under community rules. That mandate is mostly over for IPv4. The post-exhaustion mandate is different: maintain a neutral ledger for scarce operational capital without becoming the capital controller; recognise market reality without surrendering record integrity; promote IPv6 without evading IPv4 transition economics; comply with law without becoming a geopolitical actor; fund essential services without treating resource holders as a captive tax base; and constrain policy to what the running Internet actually requires.

The RIPE NCC does not need to be grand to be legitimate. It needs to be boring in the most valuable sense of the word: predictable, auditable, narrow, technically competent and difficult to misuse. In the allocation era, legitimacy came from deciding who could draw from the well. After the well runs dry, legitimacy comes from keeping the pump honest, cheap and neutral while the water moves through markets the old system never expected to govern.