Sanctions compliance is often described as an external legal constraint on Internet number registries: the registry follows the law, screens restricted parties and denies actions that would violate binding measures. That description is legally tidy and economically incomplete. In a post-exhaustion IPv4 market, a registry decision is not merely a clerical step. It can affect whether an address block can be sold, financed, leased, routed with recognised origin data, certified through RPKI, supported through reverse DNS or carried through a merger. For a network operator, the practical question is not whether public law exists. It is how a private-law membership association, operating a critical ledger from one jurisdiction, converts geopolitical compliance pressure into continuity risk for firms spread across Europe, the Middle East and parts of Central Asia.

RIPE NCC is the sharpest RIR case for this problem because its service region contains both the institutional core of European sanctions policy and many of the networks most exposed to that policy's extraterritorial, banking and reputational effects. The organisation is based in the Netherlands. Its legal instruments are anchored in Dutch law. Its region includes members in the European Union, the United Kingdom's wider commercial orbit, the Balkans, the Caucasus, Turkey, the Gulf, Israel, Russia-adjacent markets, Central Asia and jurisdictions repeatedly affected by conflict, export controls, financial restrictions or sanctions lists. Its operational product is a registry ledger for scarce addresses and AS numbers. Its public culture still speaks the language of open technical coordination, member participation and community policy. The collision between these features is not a hypothetical edge case. It is a structural feature of the RIPE NCC region.

The economics start with scarcity. IPv4 addresses are no longer merely entries allocated from an abundant pool. RIPE NCC exhausted its remaining IPv4 pool in November 2019. Since then, new demand can be met only through recovered-address waiting-list allocations, transfer markets, address sharing, carrier-grade NAT, IPv6 migration or commercial arrangements such as leasing. The official run-out page records the exhaustion date and explains that eligible Local Internet Registries may receive a single /24 from recovered space, while earlier policy allowed one /22 from the final /8. That is a factual exhibit, not an economic conclusion. The conclusion comes from market behaviour: once allocation becomes rationed and transfers become the main route to larger usable blocks, the registry entry becomes a capital record.

The registry does not own the productive value of IPv4. Operators create value by using addresses in networks, customer contracts, hosting platforms, enterprise access, cloud services, peering arrangements, security products and resale markets. Yet the registry controls the recognisable record through which that value becomes liquid, financeable and reliably transferable. This is why sanctions and compliance pressure matter. A sanctions check at the registry layer is not equivalent to a bank refusing a wire transfer, nor to a vendor declining a support ticket. It can touch the title-like record on which other commercial claims rely. In a scarce market, compliance becomes a price-forming force.

The hard part is not that RIPE NCC must ignore sanctions. It plainly cannot. The hard part is that legal compliance must be separated from discretionary gatekeeping with much more precision than older stewardship language allows. A registry can be legally constrained without becoming an unaccountable capital-control institution. A registry can screen transfers without converting every compliance uncertainty into broad service interruption. A registry can respect court orders without allowing the ordinary existence of a dispute to destabilise the ledger. The institutional question is where RIPE NCC draws these lines, how much evidence members receive about those lines, and whether small operators can bear the costs created by ambiguity.

The registry ledger became an economic checkpoint

Before IPv4 exhaustion, many disputes over registry administration could be treated as questions about access to a common coordination service. Scarcity changed the character of that service. A block of IPv4 addresses may support hosting revenue, enterprise connectivity, broadband subscribers, VPN products, cloud instances, content delivery, voice infrastructure, anti-abuse systems, test platforms or migration plans. It may also be bought or sold through a broker, placed into a merger valuation, used as collateral in a business plan, or leased to another network. The block's value depends on routability and on market confidence that the holder recorded in the registry will be recognised by counterparties.

In this setting, registry recognition performs a function similar to land title, vehicle registration, securities custody or warehouse receipts, while remaining legally distinct from property ownership. The Standard Service Agreement says registration of Internet number resources does not constitute property and does not confer ownership rights. That clause limits legal claims against the registry, but it does not erase the market's reliance on the registry. Markets routinely rely on non-ownership records. A port authority's manifest, a clearing house's position record, a shipping register, a patent register, a vehicle title office and a securities settlement system may not create all underlying economic value, but they influence whether that value can move.

RIPE NCC's procedures confirm the point. Transfers must be reflected in the RIPE Database. In transfer cases, the registry update is the step that makes the market transaction visible to other parties. For mergers and acquisitions, RIPE NCC asks for recent company registrations and legal documents supporting the change, then evaluates the request under applicable policies and procedures. For transfer and merger requests, it also checks the EU sanctions list; if either party is found under sanctions, the request will not be approved. This is a concise statement with large economic consequences. A sanctions match can prevent a transfer from closing even where the economic buyer, seller, network customers and upstreams are ready to proceed.

The effect is important because address transfers are not a marginal curiosity. They are now one of the main channels through which large IPv4 demand is satisfied. Scarce resources such as IPv4 and 16-bit ASNs also carry holding-period restrictions: addresses received through the transfer market or certain other processes cannot simply be flipped without waiting out the relevant interval. Policy therefore shapes inventory, timing and price. If a registry screen can block a transfer, delay a merger or require additional evidence, sanctions compliance becomes part of transaction cost. Transaction cost is not mere paperwork. It is the difference between a liquid capital asset and a stranded balance-sheet item.

The phrase capital control can sound dramatic in a technical setting, but it is analytically precise when used carefully. RIPE NCC is not a central bank. It does not impose exchange controls, set interest rates or decide national investment policy. Yet it operates a recognition layer for a scarce productive input. If recognition is necessary for transfer, and if recognition can be delayed, refused or conditioned by legal screening, then the registry becomes a control surface for the movement of address capital. That surface may be legitimate, legally required and professionally administered. It is still a surface of economic power.

A Dutch institution in a conflicted service region

RIPE NCC's legal home matters because compliance obligations enter the registry through a specific venue. The association is based in the Netherlands. Its Standard Service Agreement is governed by Dutch law. Its service region, however, is not a Dutch or European Union telecom market. It spans countries with different sanctions exposure, banking access, corporate-documentation standards, court systems, language conventions and state relations. The broader RIPE community has long cultivated a culture of technical openness across political boundaries. That culture remains valuable. But culture does not nullify law, and law does not eliminate the economic need for neutral registry design.

The difference between legal compliance and institutional neutrality is often blurred. A registry cannot be neutral by pretending sanctions do not exist. It can be neutral only by applying binding constraints narrowly, documenting categories of decision, preserving the ledger where law permits, and giving similarly situated holders predictable treatment. Neutrality is not a mood. It is an operating discipline.

This distinction is crucial in a region where political risk is unevenly distributed. An operator in a stable EU member state may experience sanctions screening as a remote background check. A small ISP in a sanctioned or near-sanctioned jurisdiction may experience the same screen as a continuous business risk. A hosting company with customers in multiple countries may face blocked payments from banks that over-comply. A buyer of address space may worry that the seller's ownership chain, directors, shareholders or place of incorporation will create delay. A merger involving a regional network may become harder to value because the registry step is uncertain.

The risk is not limited to firms that are themselves listed. Sanctions regimes often create compliance shadows around beneficial ownership, control, payment flows, service provision, public-sector entities, military or dual-use sectors, and territories under special restrictions. Banks and professional advisers may adopt conservative interpretations. Counterparties may demand legal opinions. A registry may ask for more documents, more current company records, more proof of corporate continuity or more evidence that the parties are not subject to restrictions. Even when the final answer is approval, time has a cost.

For a registry, the temptation is to present all this as external law. That is only partly correct. Law may create the outer boundary, but internal procedures define much of the practical experience. Which lists are checked? At what stage? How is a possible match distinguished from a true match? What happens when a member cannot obtain a document because a local register is disrupted by war, sanctions or state failure? Are existing registrations preserved while a transfer is paused? Can a holder obtain a written reason for refusal? Is there a practical review path? Are affected members represented in the governance discussion that sets compliance budgets and risk appetite?

These are not philosophical questions. They determine whether a registry is a ledger with a narrow compliance module or a gatekeeper whose discretion expands under geopolitical pressure.

Transfer markets convert compliance into price

The cleanest place to observe the economics is the transfer market. A buyer wants address space. A seller has a block. They negotiate price and terms. They may use a broker, escrow provider, lawyers and technical advisers. They need to agree on payment, representations, warranties, timing and responsibility for updating network objects. In a normal asset market, title or registration transfer is a closing condition. In the IPv4 market, the registry update is the step that counterparties treat as authoritative confirmation that the block has moved.

RIPE NCC's transfer framework makes the registry's role explicit. Transfers may be permanent or temporary. They can involve IPv4, IPv6 or ASNs, including legacy resources in certain contexts. The original holder remains responsible until a transfer is complete, and in a temporary transfer the original holder re-assumes responsibility when resources return. Inter-RIR transfers require compatibility between the policies of RIPE NCC and the counterpart registry. If another RIR lacks an inter-RIR transfer policy, that path is unavailable. Each of these facts matters for liquidity. A block cannot be priced purely by prefix size and reputation; it must also be priced by transferability.

Sanctions screening adds a risk premium. The premium appears in several forms. First is completion risk: the chance that the registry will refuse or delay recognition. Second is evidence risk: the chance that required documents will be difficult to obtain or will not satisfy the registry. Third is time risk: the chance that market prices, customer needs or financing conditions change while a transfer is pending. Fourth is counterparty risk: the chance that one party becomes restricted between signing and closing. Fifth is reputational risk: the chance that a buyer's upstreams, banks, insurers or customers become nervous about the provenance of an address block even if the registry approves the transfer.

These costs are not distributed evenly. A large operator can pay for specialist counsel, compliance software, address brokers and escrow arrangements. It can maintain corporate records in multiple jurisdictions and pre-clear a transaction structure. A small operator often cannot. It may depend on a narrow set of addresses for customer service, lack in-house legal staff, and lack bargaining power to shift delay risk to the other side. If a small firm in a politically exposed region wants to sell an IPv4 block to fund network upgrades or to survive a cash crisis, an uncertain registry screen can turn an asset into a distressed asset.

The transfer market therefore reveals a broader point about institutional economics. Transaction costs are not a footnote to scarcity; they are part of the scarcity regime. If two address blocks are technically identical but one is held by a company in a low-risk jurisdiction with clear corporate documents and the other by a holder exposed to sanctions ambiguity, the market may not price them equally. The difference is not in the bits. It is in the expected cost of recognition.

This also affects mergers and acquisitions. RIPE NCC's mergers-and-acquisitions process requires legal documentation supporting the change. That is sensible. The registry cannot simply accept commercial assertions that a business has changed hands. But the process also means that corporate restructuring can become a registry event. If a network operator is bought, merged, split, liquidated, rescued or reorganised, the continuity of its address registrations may depend on how the transaction is documented and whether any party triggers sanctions concerns. In ordinary corporate finance, this is already complex. In the RIPE NCC region, with cross-border ownership and geopolitically exposed jurisdictions, it can become a material deal risk.

There is a second-order effect. Where transfers are risky, leasing becomes more attractive. Leasing can allow one party to use addresses without a permanent transfer of registration. It can also create a different set of risks: abuse reputation, contractual enforceability, route authorisation, customer dependency, tax treatment, banking restrictions and end-of-term continuity. RIPE policy recognises non-permanent transfers in the registry context. Market practice may use leases, sub-allocations or commercial structures that sit around the registry record. The more difficult it becomes to move title-like registration cleanly, the more operators will search for contractual substitutes. That is not necessarily bad, but it moves risk from the registry record into private contracts where small operators often have less protection.

Refusing a transfer is not the same as interrupting a network

Sanctions pressure becomes most dangerous when a transfer question turns into a service-continuity question. A registry may be required to refuse a transaction involving a listed party. That does not automatically answer what should happen to existing records, reverse-DNS delegations, RPKI certificates, database maintainers or routine support. The law may require specific action in some cases. In others, it may prohibit new services or economic benefit without demanding immediate disruption of the ledger. The distinction between refusing a new transfer and interrupting existing registry functions is the distinction between compliance and economic destruction.

RIPE NCC's closure and deregistration procedure shows how much operational weight sits behind membership status. On termination of the Standard Service Agreement, RIPE NCC can stop services including authority to maintain resource records in the RIPE Database, access to the LIR Portal and use of RPKI services. It may deregister records and revoke RPKI certificates. For legacy-resource arrangements, termination can remove the RIPE NCC legacy maintainer and revoke certificates, leaving the holder with no more service than existed before the agreement. The procedure also states that RIPE NCC can comply with Dutch court orders for deregistration. These are not abstract administrative steps. They can affect routing security, reverse DNS management, database accuracy and the ability of counterparties to verify resource status.

This is why continuity presumptions matter. If a member is under review, if payment fails because a bank refuses a transfer, if a corporate document is delayed, or if a sanctions list creates an ambiguous match, the registry should not treat every uncertainty as a reason to degrade the ledger. The economically sound default is preservation of the last verified state unless law, court order or demonstrated fraud requires change. Preservation does not mean approval of new transactions. It means the registry distinguishes between stopping a prohibited benefit and destabilising the record on which third parties rely.

The principle is familiar in other infrastructure markets. A clearing system may freeze a new transfer but maintain historical records. A land registry may record a caution or dispute without deleting the title. A telecom regulator may block a licence assignment while ensuring that existing customers do not lose emergency access. A court may restrain a sale without shutting down an operating company. The reason is not sentimentality. It is that abrupt record disruption imposes costs on innocent third parties and can destroy value beyond the legal target.

Internet-number registries should be held to a similar standard. If RIPE NCC is obliged to deny a transfer involving a sanctioned party, the denial should be narrow. If it is obliged to suspend services, the scope and legal basis should be clear. If a payment channel is blocked but the member is not prohibited, the registry should have procedures for alternative payment or temporary continuity. If a member cannot update documents because a local authority is dysfunctional, the registry should distinguish low-risk administrative delay from deliberate concealment. If a court order requires deregistration, the market should receive enough non-sensitive information to understand that a legal process, not ordinary discretion, caused the disruption.

The problem is not solved by saying that members accepted the Standard Service Agreement. Contracts are important, but network dependency does not vanish because a contract limits liability. The more RIPE NCC's records and services become capital infrastructure, the more important it becomes to preserve continuity before litigation, claims and complaints appear.

RPKI and reverse DNS make compliance operational

The sanctions question is often framed around transfers and payments. That is too narrow. RPKI and reverse DNS turn compliance pressure into operational risk.

RPKI lets eligible resource holders obtain certificates listing their resources and create Route Origin Authorisations used in BGP origin validation. The certificate does not route packets by itself. But as more networks rely on validation state, RPKI becomes part of the trust environment around a prefix. A buyer wants to know whether ROAs can be maintained after transfer. A lessee wants to know whether the lessor can authorise the intended origin. An operator under review wants to know whether existing authorisations will remain stable. If compliance pressure interrupts RPKI access or causes revocation, a legal or administrative issue can become a routing-confidence issue.

Reverse DNS is quieter but still economically relevant. RIPE NCC's reverse-delegation materials explain that the RIPE Database is used as the management database for producing reverse-DNS zones. Reverse DNS affects mail reputation, logs, abuse response, diagnostics, customer systems and some compliance checks. A holder may remain able to announce a prefix while losing the ability to maintain reverse delegations. A lessee may have a contract requiring reverse-DNS support but depend on a lessor whose registry access is impaired. A court or compliance action aimed at one party may unintentionally affect customers several layers away.

This is why service continuity should be separated from transaction approval. If a transfer is blocked, it does not follow that existing ROAs or reverse delegations should fail. If a member is under sanctions review, it does not follow that all operational maintenance should stop. If a payment is delayed by banking friction, it does not follow that customers should lose reverse-DNS continuity. There will be cases where law or security requires service interruption. The point is to make interruption specific, justified and documented.

The ledger-versus-gatekeeper distinction becomes practical here. A ledger preserves the last verified state, records disputes, authenticates changes and applies law narrowly. A gatekeeper uses service dependency as leverage over broader conduct. RPKI and reverse DNS are precisely the kind of services that can shift a registry from ledger to gatekeeper if their continuity is not governed by strict principles.

The market will notice. A prefix whose RPKI and reverse-DNS continuity is uncertain under compliance pressure is worth less than a prefix whose operational services are predictable. A buyer will discount it. A lessee will demand contractual protection. A broker will treat it as harder to place. A small operator will carry more risk than a large one because it has fewer substitutes. This is why compliance policy is not just legal hygiene. It is part of asset quality.

Legacy records and sanctions shadows

Legacy resources add another layer of complexity. They were allocated under older arrangements, sometimes before modern RIR contracts, transfer policies and service expectations existed. The historical holder may have changed name, merged, dissolved, privatised or been absorbed into another organisation. The records may be accurate in substance but old in form. When a legacy holder tries to transfer, prove beneficial control or request RPKI services, the registry may need to assess old records, company changes, names, addresses and legal documents. Sanctions pressure raises the stakes. A weak historical record can become a modern risk premium. A disputed chain of control can turn into a frozen market position.

Legacy status can also expose the difference between registry service and resource reliance. If a legacy holder entered a service relationship to obtain RPKI, database maintenance or other benefits, termination of that relationship can remove those services even if the underlying historical allocation is not treated like an ordinary modern allocation. In a sanctions case, the question becomes: what is the minimum continuity owed to the public record, to the routing system and to third parties that rely on that record? The answer cannot be derived solely from the old idea that legacy resources sit outside normal membership. Operational reliance has already brought many legacy records into modern infrastructure.

The economic lesson is that old records should be preserved and clarified before crisis. RIPE NCC has an interest in clean records because clean records reduce dispute cost. Holders have an interest because clean records support market value. Buyers have an interest because clean provenance reduces title-like risk. The wider Internet has an interest because accurate records support abuse response, routing security and accountability.

Yet record-cleaning must not become an occasion for opportunistic deregistration or pressure. A registry that asks for updated documents should distinguish fraud from history, administrative gaps from concealment, and survivable uncertainty from unacceptable risk. In politically exposed regions, documentation problems may reflect state instability or corporate-register limitations, not bad faith. A compliance process that ignores this reality can destroy legitimate value while claiming to protect the system.

The same logic applies to transfers of legacy space. A buyer should be able to understand whether sanctions screening affects the transaction, whether legacy status will remain, what documents prove authority, what services depend on a direct agreement, and whether operational continuity is preserved during review. "Compliance" is too broad a word to answer those questions. Markets need categories.

Payment friction is not mere accounting

Membership fees look mundane beside sanctions law, but payment is one of the places where geopolitical pressure becomes operational. RIPE NCC charges annual membership fees, independent-resource fees and ASN fees. Members must pay to maintain their service relationship. Banks, however, may block payments from certain jurisdictions, currencies, beneficial owners or correspondent routes even when the payer is not listed. A registry can find itself with a member willing to pay, a legal path that may exist, and a bank that refuses to process the transaction.

If the registry treats non-payment mechanically, banking over-compliance becomes registry deregistration pressure. That would be poor institutional design. The economically sound response is to separate unwillingness to pay from inability to move funds through normal channels. A member that refuses its obligations is different from a member whose payment is blocked by a correspondent bank or sanctions-screening system. The first case may justify ordinary enforcement. The second requires continuity options, documentation and a defined grace period if law allows.

This is particularly important for small operators. A large multinational can reroute payment through subsidiaries, counsel and banking relationships. A small ISP may have one local bank and limited currency options. If that bank's correspondent network changes policy, the operator may be unable to pay a European association even while serving customers in its home market. The registry's decision about grace periods, alternative payment channels and communication becomes a business-continuity decision.

Payment friction also affects independence. If members in some jurisdictions depend on intermediaries to pay fees, those intermediaries may gain leverage. They may bundle payment support with sponsorship, brokerage, leasing or other services. That can shift power away from the actual network operator. In a market where IPv4 addresses are scarce, dependency on intermediaries can become dependency over capital. The registry should therefore treat payment accessibility as part of institutional fairness, not merely as accounts receivable.

The association's budget process should make these pressures visible. Compliance costs, payment failures, collection risk, bad debt, alternative payment arrangements and member-support burdens are part of the economic reality of serving a wide region from a European legal base. If the charging scheme spreads costs across all members, members deserve aggregate visibility into the nature of those costs. If costs are concentrated among high-risk regions, members deserve to know how the institution prevents those regions from being priced or procedurally pushed out of the system.

Small operators face a different risk function

Many Internet-governance debates are dominated by actors that can absorb institutional complexity. Large operators have lawyers, policy staff, compliance teams, government relations, security engineers and commercial advisers. They can attend meetings, comment on drafts, prepare documentation and negotiate with brokers. Small operators face a different risk function. A single delay can block a financing round, customer expansion, data-centre migration or sale. A single misunderstood registry request can consume executive time. A single fee increase or blocked payment can threaten continuity.

In the RIPE NCC region, the small-operator problem is intensified by geography. Some small networks operate in countries where corporate registers are less digitised, English documentation is less common, banks are more cautious, political risk is higher and international counsel is expensive. These networks may nevertheless provide real connectivity to customers, businesses, public institutions and local markets. Their dependence on the registry is not an abstract governance interest; it is part of their ability to operate.

The one-member-one-vote model can obscure this dependency. Formally, a small LIR has the same vote as a large LIR. Economically, the large LIR has more capacity to participate, hedge and influence. Even where formal equality is preserved, practical equality is not automatic. Time, expertise and risk tolerance matter.

Sanctions and compliance pressure widen the gap because they reward institutional sophistication. A firm that understands beneficial ownership screening, document certification, transfer timing, escrow conditions and RPKI continuity can avoid problems. A firm that does not may discover the issue only when a transaction is urgent. The registry can mitigate this gap by publishing plain-language guidance, pre-check mechanisms, aggregate decision data and support channels for members in exposed regions. It should not require each small operator to learn the economics of sanctions through painful experience.

The small-operator lens also changes how one views abuse and compliance narratives. It is easy to say that strict controls protect the Internet from sanctioned or abusive use. Sometimes they do. But blanket suspicion of certain regions can harm legitimate local networks while pushing bad actors toward more sophisticated intermediaries. The result may be less transparency, not more. Clean, narrow, reviewable compliance rules are better for abuse control than broad suspicion because they keep legitimate holders inside the visible registry system.

Leasing, routing reputation and the search for substitutes

When transfer friction rises, markets search for substitutes. IPv4 leasing is one such substitute. It allows an address holder to monetise a block without a permanent transfer and allows a user to obtain address capacity without buying at full capital cost. Leasing can be efficient when it matches idle addresses with real demand. It can also create layered risk: who is responsible for abuse, how routes are authorised, how customers are informed, whether the lessor can terminate, how payments are screened, and what happens if either party becomes subject to sanctions.

Sanctions pressure complicates leasing in two directions. A lessee may want to avoid buying addresses from a politically exposed holder but may still lease them through a broker. A holder unable to complete a transfer may lease instead. A broker may aggregate addresses from multiple jurisdictions, making provenance harder for downstream users to assess. Banks may treat leasing payments differently from sale proceeds. Routing systems may see only the operational origin, not the contractual structure. The registry record may remain with the original holder while commercial control is partially transferred.

This is not a reason to prohibit leasing categorically. The market's use of leasing reflects real scarcity and real demand. But it is a reason to treat registry transparency as more valuable, not less. If registry procedures make permanent transfers unpredictable, leasing will expand in less visible forms. If the registry preserves accurate records and allows clear, compliant transactions, the market has less incentive to rely on opaque substitutes.

Routing reputation also matters. Address blocks carry histories. Spam, botnet activity, bulletproof hosting, hijack claims, abandoned route objects and poor abuse response can reduce value. Sanctions exposure adds another reputational layer. A block associated with a sanctioned entity, even indirectly, may become harder to use with conservative counterparties. A buyer or lessee may need to show clean registry recognition, current route authorisations and evidence that the operational holder is not restricted. The registry cannot police all downstream reputation, but its records shape the evidence available to market participants.

RPKI can either reduce or amplify uncertainty. Properly maintained ROAs can make origin intent clearer and reduce route-hijack risk. But if RPKI service becomes entangled with membership status under compliance pressure, the cryptographic layer can become another dependency. A market participant may ask not only whether a block can be transferred, but whether certificates can be maintained without interruption. That question becomes part of price.

The public-law boundary and private discretion

The most difficult institutional task is drawing the boundary between public-law compulsion and private discretion. A sanctions regulation, court order or binding government instruction may require RIPE NCC to refuse a transaction or take a specific action. In such a case, the registry should comply and should explain the action to the extent law permits. But many practical compliance decisions occur before this hard boundary: risk classification, document requests, internal escalation, payment accommodation, timing, communication and preservation of service.

Those pre-boundary decisions are where institutional character is revealed. A registry with a ledger-first discipline will ask what minimum action is required to comply while preserving the accuracy and continuity of the record. A gatekeeper will ask what action best protects the institution from possible criticism or liability, even if it imposes wider market cost. The difference is not always visible in one case. It becomes visible across many cases through delay patterns, refusal rates, vague communications and the absence or presence of review.

Private discretion is not illegitimate by default. RIPE NCC must exercise judgment. It must decide whether documents are adequate, whether a party is the same legal person, whether a transfer fits policy, whether a member has provided accurate information, and whether a court order applies. But discretion needs economic discipline. When the subject is scarce productive capital and operational infrastructure, discretion should be bounded by predictability, proportionality, non-discrimination, continuity and auditability.

Predictability means that holders can know in advance what kinds of evidence and timing to expect. Proportionality means that the response matches the legal or procedural problem. Non-discrimination means similarly situated holders are treated alike, not that all jurisdictions are risk-identical. Continuity means the last verified state is preserved unless change is legally required or factually necessary. Auditability means that the board, members and market can examine aggregate evidence of how discretion is used.

These principles are not hostile to compliance. They make compliance more credible. A registry that cannot explain its categories invites suspicion from every side: governments may think it is too lax, affected members may think it is political, large buyers may think it is unpredictable, and small operators may think it is indifferent. A registry that can explain its boundaries reduces both legal and market risk.

Court orders, insolvency and the continuity analogy

Sanctions pressure should be viewed beside other legal-continuity risks: court orders, injunctions, insolvency, receivership and corporate disputes. RIPE NCC's procedures recognise that legal events can affect registry services. A court may order deregistration. A member may enter insolvency or liquidation. Corporate control may be disputed. Payment obligations may fail. The registry must decide when to preserve service, when to suspend, and when to deregister.

The analogy is useful because courts and insolvency systems have long wrestled with the problem of preserving value while disputes are resolved. A company in administration may continue operating because shutting it down would destroy creditor value. A court may freeze an asset without cancelling its record. A receiver may maintain services to customers while ownership is sorted out. These tools exist because abrupt interruption can be economically wasteful.

Sanctions compliance should borrow this continuity logic where law permits. If a holder is under review, preserve the record. If a transfer is blocked, leave existing operational data intact unless the block itself must be frozen or service must stop. If a payment is blocked by banks, maintain temporary service while alternative arrangements are assessed. If a corporate restructuring involves a restricted party, isolate the prohibited transaction from unrelated customer continuity. If a court order requires action, define the action precisely.

This approach also protects the registry. By preserving the last verified state, RIPE NCC reduces the risk that its own action causes avoidable harm. By documenting legal triggers separately from discretionary risk controls, it can show members and courts that it acted proportionately. By using continuity presumptions, it can avoid becoming a tool for commercial pressure in disputes where one party tries to use registry uncertainty to weaken another.

The point is especially relevant to IPv4 because addresses are not easily replaced. A company can switch some vendors, banks or hosting providers. It cannot easily replace a large block of clean, routed IPv4 space at short notice. A registry action that destabilises address control can therefore have consequences out of proportion to the administrative issue that triggered it.

Formal process is not the same as legitimacy

RIPE NCC's public documents are valuable factual exhibits. They tell members what the association says it will do, what fees apply, how transfers are processed, how sanctions are checked, what services may stop after termination, and how governance meetings operate. They are not sufficient to settle the legitimacy question. Legitimacy in a scarce registry market is not created by publishing rules alone. It is created when rules distribute risk in a way that members and counterparties can understand, challenge and price.

This distinction matters because Internet governance often treats official process as evidence of fairness. A document exists; therefore the process is accountable. A meeting was held; therefore members consented. A mailing list was open; therefore the community approved. A contract was signed; therefore the holder accepted the risk. Each statement contains a fact. None is a full economic answer.

Consider a small operator whose transfer is delayed because of a sanctions-related ownership query. The existence of a transfer procedure does not tell the operator whether the delay is typical. The existence of a General Meeting does not tell the operator whether similarly exposed members can participate. The existence of a service agreement does not tell customers whether their reverse DNS and RPKI will remain stable. The existence of a Trust Portal does not tell buyers how many transactions are refused or how long reviews take. Public documents define the surface. Operational statistics and institutional behaviour reveal the market reality.

An economics-grade assessment therefore asks for evidence that goes beyond formal compliance. It asks whether the registry measures the effects of its own processes. It asks whether members can see those effects without breaching confidentiality. It asks whether small operators have practical paths for help. It asks whether transfer-market participants can price risk without relying on rumour. It asks whether the board treats sanctions pressure as a strategic continuity issue rather than a narrow legal file.

The answer may be better than critics assume in some areas and weaker in others. The point is not to presume failure. It is to insist that the institution's economic importance requires a higher standard than "the rule exists."

A ledger-first compliance model

A registry facing sanctions pressure needs a compliance model that begins with the ledger. The ledger-first model does not deny law. It starts from the fact that the registry's public value is the stability, accuracy and neutrality of its records. Every compliance action should be designed to protect that value while obeying binding obligations.

The first feature is a strong preservation presumption. Existing records, RPKI status, reverse-DNS delegations and database authority should remain in place during review unless there is a specific legal requirement, verified fraud, security emergency or court order requiring action. This presumption should be stated clearly. It would reassure holders that a review is not automatically an operational crisis.

The second feature is category transparency. RIPE NCC need not publish names or sensitive details to report the number of sanctions-related reviews, refusals, approvals after extra documentation, payment-continuity cases, court-order actions and service interruptions. It can report median and range timings. It can identify whether reviews concern transfers, mergers, legacy resources, payments, membership status, RPKI or reverse DNS. Such reporting would allow members to distinguish rare hard cases from systemic friction.

The third feature is written reasons at the right level. A member denied a transfer or service should receive a reason specific enough to understand the category of problem and potential remedies, subject to legal limits. Compliance is not enough as an explanation. A possible list match requiring beneficial-ownership clarification is different from a confirmed listed-party refusal. A blocked bank transfer is different from a member refusing to pay. Precision reduces waste.

The fourth feature is review that does not require public exposure. Affected members should have a confidential path to challenge factual errors, provide documents and obtain senior review. This is especially important for members in sensitive jurisdictions that may not safely argue on public lists. The review path should have target timelines and should preserve existing service while it operates where law permits.

The fifth feature is payment-continuity design. If bank friction prevents payment, the registry should have documented alternatives, grace periods and evidence requirements. It should distinguish prohibited payments from payments blocked by intermediaries. It should report aggregate cases to members because payment access is part of the cost of serving the region.

The sixth feature is board-level accountability. Sanctions and compliance should not be treated as a purely staff-level legal matter. The board should receive and publish non-sensitive metrics, approve continuity principles and explain risk appetite in the activity plan or annual reporting. Members cannot supervise what they cannot see.

The seventh feature is market education. Transfer participants, brokers, buyers and small operators need practical guidance on documentation, timing, sanctions categories, RPKI continuity and reverse-DNS implications. Guidance should be factual and practical, not reassuring boilerplate. The aim is to reduce transaction costs by making expectations clear before a deal is signed.

These features would not remove geopolitical risk. They would convert opaque discretion into priced, bounded and reviewable institutional risk. That is the difference between a registry that merely complies and one that sustains market confidence.

The regional stakes are larger than RIPE NCC

Although this analysis focuses on RIPE NCC, the stakes are broader. The global RIR system depends on the assumption that each regional registry can maintain a stable ledger for its service region while coordinating with the others. Inter-RIR transfers, routing security, registry data, address markets and legacy records all cross regional boundaries. If one registry's legal environment creates uncertainty, the effect can spill into other markets.

The RIPE NCC region is especially important because many cross-border operators and address-market participants touch Europe in some way. A company incorporated outside the EU may have banking ties, customers, directors or assets inside Europe. A transfer into or out of the RIPE NCC region may require approval by another RIR. A sanctions issue in one venue can therefore affect global address liquidity. If an address block cannot move between regions because one side lacks a compatible policy or one party triggers compliance concerns, the block's market value changes.

The same is true for routing security. RPKI is global in effect even when certificates are issued through regional systems. A disruption in one region can influence route acceptance by networks elsewhere. Reverse-DNS delegations and registry data are queried internationally. Abuse desks, cloud providers, network filters and compliance teams use regional registry data to make decisions. The registry's local legal obligations therefore have global operational consequences.

This is why the language of community self-governance is insufficient. The affected community is not only the set of people posting on a mailing list or voting in a General Meeting. It includes customers whose connectivity depends on an ISP's address space, buyers and sellers in the IPv4 market, networks using RPKI validation, banks screening payments, hosting firms managing abuse risk, and other registries processing inter-regional transfers. RIPE NCC's legitimacy is part of market infrastructure, not merely internal association politics.

The organisation's challenge is to act locally under Dutch and European legal constraints while maintaining confidence across a politically fragmented service region. That requires more than good intentions. It requires institutional design that assumes pressure will increase.

Watchpoints for sanctions pressure

The central watchpoint is whether sanctions screening remains a narrow legal function or becomes a broad discretionary filter over address capital. The market should watch the transfer queue, not merely public statements. Delays, additional-document requests, refused transfers, aborted mergers and broker risk premiums will reveal more than general claims about compliance. If blocks from certain jurisdictions trade at persistent discounts, the discount may be pricing registry-recognition risk as much as political risk.

Payment continuity deserves equal attention. A rise in member closures, suspended services or urgent support cases tied to blocked bank payments would signal that financial-sector over-compliance is leaking into the registry ledger. RIPE NCC should be expected to distinguish non-payment from blocked payment and to preserve service where law permits. Members should ask for aggregate reporting on payment-friction cases, alternative arrangements and service outcomes.

RPKI and reverse DNS are the operational indicators most likely to show whether compliance pressure is being contained. A transfer refusal is commercially painful, but a certificate revocation or loss of reverse-DNS control can become a routing and customer-impact event. Any sanctions-related action affecting certificates, ROAs, reverse delegations or database maintainers should be treated as a high-consequence event requiring clear legal basis and post-event explanation at an aggregate level.

Board accountability is another watchpoint. Compliance budgets, legal-risk posture and continuity principles should appear in governance materials in a form members can evaluate. If sanctions pressure is handled only as confidential legal administration, members will be asked to fund and live with a risk system they cannot supervise. The board should be measured by whether it turns legal complexity into understandable member-level oversight without exposing sensitive case details.

Small-operator impact is the final and most important test. A compliance regime that works for large carriers, brokers and well-lawyered buyers may still fail the region if small networks in exposed jurisdictions lose liquidity, payment access or service continuity. The registry's legitimacy will not be determined by whether every rule can be defended in isolation. It will be determined by whether the system preserves accurate records, lawful continuity and practical access for the members whose dependence on the ledger is greatest and whose capacity to absorb uncertainty is smallest.

For RIPE NCC, sanctions and compliance pressure is therefore not an external nuisance attached to an otherwise technical registry. It is a core economic stress test. IPv4 scarcity turned registration into a capital-confidence layer. RPKI and reverse DNS turned membership status into operational dependency. Transfers and mergers turned recognition into a closing condition. A wide service region and a Dutch legal home turned geopolitical compliance into a distributional problem. The next phase will show whether RIPE NCC can remain a reliable ledger under pressure, or whether the boundary between lawful compliance and gatekeeping continues to blur where the market can least afford ambiguity.