Summary
- Sanctions against a defined entity should not automatically propagate from a failed payment or restricted corporate benefit into deregistration, certificate withdrawal or route suppression. Each consequence requires its own legal basis, factual finding and proportionality analysis.
- The five relevant layers are payment, corporate membership, authoritative registration, RPKI and routing. They have different users, dependencies, reversibility and effects on third parties, so a single account status must not control all five.
- RIPE NCC transparency reports since 2022 show the practical distinction: applicable sanctions can freeze registration changes without erasing resources or terminating every existing relationship, while bank restrictions can obstruct invoicing even where the registry is not legally required to apply the foreign measure.
- False matches and unresolved ownership evidence are a major continuity risk. Temporary restrictions should be narrow, time-limited and reviewable, with clean resources and unrelated services preserved while identity questions are resolved.
- RPKI requires special restraint because certificate and repository actions can alter how many independent networks classify routes. A financial restriction is not evidence that a route authorization is false or that third-party traffic should become unreachable.
- Routing remains an operator decision governed by law, contract and risk. A number-resource institution should not convert its sanctions screening into a global routing order, and transit providers should not treat registry status as a substitute for their own legal analysis.
- A credible NRS model would keep one auditable resource record, separate service credentials and contracts, publish layer-specific decisions, support lawful exceptions and measure both over-enforcement and under-enforcement through independent review.
Sanctions become fragmentation when institutions collapse distinct powers
The usual sanctions discussion begins with a binary question: does an organization continue serving a listed customer or stop? That framing is too coarse for Internet number resources. A registry relationship is not one service. It can include invoicing, voting rights, support, allocation, transfer, public registration data, reverse-domain delegation, routing registry entries, hosted certificate creation, repository publication and security notifications. A network may use some of these functions directly while thousands of other organizations rely on the resulting public state.
Collapsing those functions creates a hidden escalation ladder. A payment processor rejects funds, so an invoice is marked unpaid. Non-payment closes a member account. Closure removes portal access. The same account controls registration data and hosted RPKI. Certificates or signed entities expire. Networks using route origin validation then classify announcements differently. What began as financial friction has acquired a routing consequence that the bank neither assessed nor intended.
The reverse mistake is also possible. An institution may describe everything as critical continuity and continue providing new allocations, discretionary transfers or premium services to a listed entity despite a clear prohibition. Technical importance is not a blanket exemption. The relevant distinction is between preserving established global uniqueness and extending a new economic benefit. Registration continuity may be necessary to prevent conflicting claims, while a new transfer may change control of a scarce asset.
Keeping current security entities available may protect third parties, while issuing a new authorization at a customer's request may require a separate analysis.
Service-layer separation prevents both errors. It asks five questions in order. Can funds lawfully move? Can the legal person retain corporate rights in the institution? What must the authoritative resource record continue to say? Which certificate and repository actions are necessary to keep routing assertions accurate? What, if anything, should network operators do with the actual routes? The answer can differ at each layer without contradiction.
This architecture also improves accountability. A registry can explain that it rejected a transfer but preserved historical registration. A bank can state that it declined a transaction without purporting to decide address rights. A certificate authority can maintain a previously valid entity for a bounded period while refusing an unsupported change. A transit provider can make its own route decision. Each actor remains responsible for the power it actually exercises.
Fragmentation is therefore not only the creation of separate national networks. It can occur through unexamined institutional coupling. If one sanctions alert silently disables several shared functions, the global network fractures by administrative cascade. The cure is not to ignore law. It is to prevent a decision at one layer from becoming an unreasoned command at all the others.
The post-2022 record shows that payment, registration and use already diverge
The RIPE NCC's public record offers the clearest sustained evidence. As an organization based in the Netherlands, it states that it must comply with applicable European Union sanctions. Its stated response is to freeze registration, not use: a sanctioned holder cannot acquire more resources or transfer existing ones, but the resources are not deregistered and an existing Standard Service Agreement is not terminated merely on that ground. This is already a form of layer separation.
The distinction did not remove difficulty. The RIPE NCC also screens alerts associated with the United States Office of Foreign Assets Control because Dutch banks consider those lists, even though the registry says it is not itself obliged to apply United States sanctions to the service. Banking practice therefore affects invoicing more broadly than the registry's direct legal duty. Iranian and Syrian members experienced payment obstacles because banks were unwilling to handle transactions, and the institution offered extensions rather than treating blocked payment as proof that the underlying resources should be removed.
The scale of screening matters. The RIPE NCC's Q2 2026 sanctions transparency report recorded 2,110 investigation alerts as of 7 April 2026. Of those, 1,971 had been resolved as false positives, exempt cases, non-applicable cases or OFAC-related matters; 99 remained under investigation, 16 were on hold and 24 were confirmed as sanctioned and applicable. Those categories are not interchangeable. Most alerts did not end as findings that required a registration freeze.
This denominator is a warning against immediate technical action. Names transliterated across alphabets, common company words, subsidiaries, changes in ownership and incomplete public records can generate matches that require human investigation. If every alert suspended certificate publication or caused a route filter, false positives would become connectivity events. The harm would fall not only on the matched company but on customers, hospitals, public bodies, hosting tenants and counterparties sharing its network.
The same report says that possible matches must be treated restrictively while they are checked because sanctions law may not provide a grace period. That creates a genuine tension. An institution cannot simply wait without controls. Yet it can choose which controls are necessary. Refusing a new allocation or transfer while preserving current registration and security state is more proportionate than making an existing prefix appear unassigned.
The record also demonstrates reversibility. Entries can be unfrozen when restrictions are lifted or an exemption is established. A design that preserves the authoritative history makes restoration intelligible. A design that deletes records, lets certificates fail unpredictably and disperses customers across conflicting copies turns a temporary legal status into lasting technical disorder.
Layer one: payment is a transaction, not a verdict on connectivity
The payment layer concerns the movement of money through a particular channel, currency, institution and jurisdiction. A bank may reject a transaction because a party is listed, because ownership appears risky, because an intermediary bank applies a broader policy, or because its internal controls cannot resolve the case economically. Only some of those outcomes establish that the registry itself is prohibited from providing every associated service.
NRS should treat a failed or refused payment as evidence about that transaction. The billing record should preserve the amount, due date, attempted methods, bank response category and available lawful alternatives. It should not automatically rewrite the resource record. Where a general licence, statutory exemption or competent-authority permission covers essential communications, the institution should be able to accept payment through a compliant route or defer collection without disguising the arrangement.
Deferral must not become a private subsidy without authority. The amount remains due where law and contract permit later collection. Interest, penalties and closure rules should be adapted so that a customer is not punished for a channel the institution itself cannot make available. At the same time, a customer that can lawfully pay but refuses should not obtain indefinite free service by invoking geopolitical difficulty. Evidence should distinguish inability from unwillingness.
Bank diversity can reduce accidental exclusion, but shopping among banks is not a licence to evade controls. The institution should prequalify channels in different jurisdictions, document the legal basis for each, screen intermediaries and stop when a prohibition applies. It should avoid routing a payment through opaque entities merely to obtain acceptance. The objective is lawful resilience, not concealment.
The most important technical safeguard is decoupling. Billing status may limit chargeable support, attendance at paid events or new discretionary requests. It should not alone delete an address registration, revoke a current certificate or instruct networks to filter routes. Those actions require findings at their own layers.
Aggregate reporting should distinguish legal rejections, bank-risk rejections, customer failures and deferred obligations. Without those categories, a registry may claim sanctions compliance when the real cause is commercial risk appetite. Members and regulators need to know whether law, a bank or institutional design produced the restriction.
Layer two: corporate membership can be restricted without erasing the record
Corporate membership confers institutional rights: voting, nomination, meeting participation, access to member-only information, eligibility for committees and perhaps preferential service terms. These benefits are not identical to the authoritative record of an existing allocation. A sanctions rule may prohibit making funds or economic resources available to a listed company, or it may restrict the company's participation in a legal association. The appropriate response may therefore reach membership even while record continuity remains necessary.
NRS should specify which rights are corporate and which are stewardship obligations. Voting and candidacy can be suspended if applicable law requires it. New grants, discounts and discretionary advice can be restricted. Basic notices, access to adverse-action review and the ability to correct a dangerous factual error should remain available through a controlled channel. Denying every means of communication would make accurate compliance harder.
Suspension should not allow a listed member to influence decisions through an affiliate or nominee. Ownership and control tests must look beyond the account name. At the same time, association is not enough. A customer, minority investor, former director or similarly named company should not lose rights without evidence that satisfies the applicable standard. The institution should record which legal test it used and the date on which the ownership picture was assessed.
The rules also need a position on fees. If a member cannot pay because of bank restrictions but is not itself prohibited, preserving membership with deferred billing may be justified. If the legal person is subject to an asset freeze, continuing valuable corporate privileges could be different from preserving a public resource record for third-party safety. The decision must identify that difference rather than hide it inside one account flag.
Corporate suspension should have an expiry or review date. Sanctions lists change, ownership changes and courts annul listings. An institution that can impose a restriction within hours but needs months to remove it creates an asymmetric penalty not found in the law. Periodic rescreening and a direct evidence channel are necessary.
Most importantly, losing a vote must not make the network number ambiguous. The resource history should show the holder status, restrictions and permitted actions without presenting the space as free for reissue. Corporate rights can pause while stewardship continues.
Layer three: authoritative registration protects uniqueness even under restriction
The registration layer answers who currently holds recognized authority over an Internet number resource, what restrictions apply, which contacts may be published and which changes have been accepted. Its public value is the avoidance of conflicting claims. That value persists when the holder becomes sanctioned. Indeed, geopolitical conflict makes a stable record more important.
Freezing registration should mean a bounded prohibition on changes that would make a new economic resource available or transfer control. It should not mean pretending that the existing allocation never occurred. Deregistration could expose the same space to reissue, competing route claims or opportunistic seizure. Even if no responsible registry immediately reallocates it, an apparently vacant record weakens the evidence used by networks, investigators and counterparties.
Not all changes are equivalent. A transfer to a new beneficial owner is materially different from correcting an abuse contact or replacing a compromised authentication credential. The first can alter control of a scarce resource. The second may protect victims and improve accountability. NRS needs a permitted-change matrix for restricted records. Safety corrections, legally required disclosures and actions necessary to prevent hijacking should have a path even when commercial transfers are barred.
Corporate reorganizations require careful treatment. A rename after a merger can be a harmless correction, a prohibited transfer or an attempt to conceal listed ownership. The institution should examine continuity of the legal person, beneficial ownership, consideration, control and applicable exceptions. A public status should reveal that a restriction exists without publishing sensitive evidence or making an unsupported accusation.
Registration history must be append-only in effect. Earlier states, decisions and supporting categories should remain available to authorized reviewers. If a freeze is later lifted, the record should show continuity rather than a newly invented start date. This protects both enforcement and the holder: authorities can see what was prevented, while the holder can prove that its recognized resource did not vanish during the restriction.
Inter-registry transfers are especially sensitive. A sending institution cannot solve sanctions risk by exporting a case to a registry with weaker controls. The receiving institution cannot assume that a regional move cures a restriction. Both need compatible evidence, a common cutover event and a clear decision on which restrictions travel. Yet a restriction should not be expanded simply because two institutions use different terminology. The legal basis, not the label, must travel.
NRS can add value here by providing a neutral, transferable record rather than by declaring itself outside jurisdiction. A common record can preserve holder continuity, restriction provenance, review dates and permitted actions while service providers change. Neutrality means accurate bounded state, not indifference to law.
Layer four: RPKI action can affect parties far beyond the named entity
RPKI is where administrative coupling can become an immediate network-security problem. Resource certificates and route origin authorizations let relying parties determine whether an autonomous system is authorized to originate a prefix. Many networks use validated state in routing policy. Revoking a certificate, withdrawing an authorization or allowing publication to fail can therefore change route classification across organizations that were never part of the sanctions decision.
The legal identity of a company and the cryptographic authorization for a route are related but distinct. RFC 9255 is explicit that the identity represented in RPKI is not a general attestation of a real-world person or company. RPKI expresses authority over specified Internet number resources. A sanctions match against a legal name is not, by itself, evidence that an existing route authorization is technically false.
That does not make RPKI untouchable. A prohibited new allocation should not receive certification as though it were valid. A completed lawful transfer requires the old authority to end and the new one to begin. Evidence of key compromise can justify urgent replacement or revocation. A specific legal order may require a certificate action. The discipline is to connect the action to an RPKI-relevant fact or explicit legal requirement.
Hosted service creates additional risk. If the same account controls billing, registration and signing, an account suspension may stop renewal or publication without a considered certificate decision. NRS should separate credentials, status and continuity timers. A holder under financial restriction may lose access to optional hosted controls while the last known accurate signed state remains available for a bounded interval under pre-agreed rules. Any extension must be legally reviewed and visible in audit evidence.
The institution should prefer conservative continuity over invention. It must not create broader route authorizations on behalf of a restricted holder. Nor should it silently preserve an entity known to be false. The safe default is to maintain the last verified state while facts are unresolved, use short and disclosed review intervals, and provide an emergency route to correct security-critical errors.
Repository availability should be treated separately from signing. Removing access to a customer portal need not make already published entities unavailable. A repository serves relying parties globally, and its continuity protects their ability to reach a consistent view. Publication can continue while requests for new signed content are restricted.
Every sanctions-related certificate action should have a relying-party impact assessment. The authority should estimate which prefixes and origins are affected, whether routes may become invalid or not found, how long caches may retain state, which dependent networks could be exposed and how reversal will converge. This is not a claim that impact overrides law. It ensures that the lawful action is implemented with knowledge of its external consequences.
Layer five: routing is an operator decision, not a registry sanction
Routing is performed by autonomous networks according to technical policy, contracts, security conditions and applicable law. A registry records resources and may operate certificate services, but it does not normally command every network to carry or reject a route. Preserving that boundary is essential when sanctions pressure rises.
A transit provider may be prohibited from serving a listed entity. Another operator may conclude that carrying a route is permitted because its relationship is with non-listed customers, because a communications exception applies, or because the route aggregates traffic from a wider population. Those are fact-specific decisions. A registry status can inform them, but it cannot replace their legal analysis.
Likewise, route origin validation is not a sanctions list. A route that is cryptographically valid can still violate law or contract. A route that becomes not found because an entity expires is not thereby proven unlawful. Conflating the two would corrupt a security signal with an unrelated policy meaning. Operators would no longer know whether invalidity reflected hijacking, configuration error, contested resource authority or geopolitical action.
Governments that intend route blocking should identify the responsible operators, legal scope, destination or service, duration and review mechanism. They should not rely on an opaque request to a resource institution as a global shortcut. The institution should require orders to be specific and should publish aggregate information about their reach where lawful.
Operators also need to protect unrelated customers. Shared hosting, wholesale access, cloud services and national backbones can place many legal persons behind the same origin. Blocking an autonomous system can be far broader than blocking one sanctioned service. Before acting, a provider should examine more specific technical measures, the possibility of customer migration, emergency communications and the risk of collateral disconnection.
NRS should provide accurate resource and restriction information through authenticated channels, but it should not issue a universal route verdict. Its role is to keep the evidence coherent enough that networks can make accountable decisions. The final forwarding choice remains with the operator unless a competent authority lawfully directs otherwise.
A five-layer decision table should replace the single account switch
Institutions often rely on a single customer status because it simplifies administration. Sanctions make that convenience dangerous. NRS should maintain a decision table in which each layer has its own legal question, authorized actions, continuity baseline, approver, evidence and review date.
At payment, the question is whether a specific transaction can be received or refunded. Actions include acceptance, alternative lawful routing, deferral, blocking or return. At membership, the question is whether corporate rights or benefits can continue. Actions include full participation, restricted participation, suspension or termination. At registration, the question is which changes are prohibited while uniqueness and history remain intact. At RPKI, the question is which signed state accurately reflects resource and route authority and which publication duties protect relying parties.
At routing, the question belongs to operators and competent authorities applying their own obligations.
The table should also state what does not follow. Payment refusal does not establish loss of resource authority. Membership suspension does not make a prefix unallocated. Registration freeze does not prove that existing routes are malicious. A valid route authorization does not establish that every commercial service to the holder is lawful. Route filtering does not authorize reissue of the resource.
Cross-layer escalation should require an explicit bridge. For example, a court order may both freeze an asset transfer and require a change to resource authority. A verified acquisition may change registration and then require new certification. A compromised administrator may justify credential suspension and RPKI recovery without affecting corporate voting. The decision record should identify the fact that connects the layers.
This design is more work than an account switch, but the burden is proportionate to institutional power. Automation can still handle routine checks, timers and notices. Human judgment should focus on ambiguous ownership, exceptions, external impact and irreversible actions. The system should make the narrow lawful decision easier than the broad accidental one.
Identity resolution is the central operational risk
Sanctions lists identify legal subjects through names, aliases, dates, registration numbers, addresses, ownership and control. Registry records may contain trading names, old addresses, sponsors and technical contacts. The match problem is therefore structural. A string similarity score cannot decide whether a network customer is the listed entity.
NRS should use layered identity evidence. Strong identifiers include official company numbers, jurisdiction, incorporation records and verified beneficial ownership. Names and addresses help but can be stale or shared. Technical contacts and email domains are weak evidence of ownership. Route announcements and RPKI objects identify network authority, not necessarily the natural persons controlling a company.
Possible matches should be triaged by consequence. A request for a new transfer can pause while evidence is gathered. An action that would interrupt security publication demands faster review and a higher evidentiary threshold. The institution should contact the holder through more than one established channel and explain what documents can resolve the match without disclosing sensitive detection details.
Non-cooperation presents a hard case. A customer that ignores reasonable requests cannot demand unrestricted new benefits. Yet silence may reflect war, detention, damaged infrastructure, language barriers or inaccessible corporate records. An on-hold status should therefore restrict discretionary change while preserving safe current state. It should not mature automatically into technical erasure after an arbitrary interval.
Reviewers need cultural and jurisdictional competence. Transliteration conventions, patronymics, state enterprise forms and corporate registers differ. A false match rate as high as the RIPE NCC figures imply cannot be treated as noise. It is evidence that screening is a preliminary signal, not a final decision.
The institution should measure precision and correction time. How many alerts become confirmed cases? How long do false positives remain restricted? Which source generated repeated errors? Do certain countries or scripts face longer resolution? Accountability must include the people incorrectly constrained, not only the cases successfully frozen.
Exceptions and banking reality require separate legal maps
Sanctions regimes often contain exceptions, general licences or authorization paths for telecommunications and Internet communications. The United States Treasury, for example, has explained that Russia-related General License 25D authorizes specified transactions ordinarily incident to telecommunications and certain services, software, hardware and technology incident to Internet communications, subject to exclusions. European Union measures also contain communications-related exceptions in defined settings.
These provisions do not automatically cover every registry service, but they show that legislators recognize collateral communication risk.
NRS should maintain a jurisdiction-specific legal map for each layer. The map should identify the governing instrument, listed party, ownership threshold, covered service, exception, competent authority, reporting duty and expiry. It should not reduce different regimes to one global blacklist. A service may be permitted under one law, prohibited under another and commercially refused by a bank applying its own policy.
When a legal exception appears available but the bank still refuses payment, the institution should record that distinction. It can seek a written explanation, use another compliant bank, request regulatory comfort or defer the amount. It should not tell the public that law required an outage if commercial caution produced it.
Conversely, a banking channel that accepts funds does not prove the service is lawful. The registry remains responsible for its own obligations. Separation prevents outsourcing legal judgment upward to the strictest intermediary or downward to the most permissive one.
The legal map must be maintained by accountable counsel and exposed to independent review in a form that protects privileged advice. Members should at least see the operative rule, service category, decision date and route to challenge. Secret interpretations accumulate unchecked power.
Exceptions also need expiry control. A general licence can be amended or withdrawn. A temporary authorization may cover only wind-down. The institution should alert before an authorization ends and prepare continuity choices rather than letting a certificate or registration service fail at midnight.
Continuity should protect third parties without enriching the target
The strongest objection to continuity is that any maintained service benefits the sanctioned entity. Sometimes it does. The answer is not to deny the issue but to distinguish the benefit retained by the target from the harm avoided for others.
Keeping an address record visible prevents conflicting claims by everyone. Maintaining repository availability lets unrelated relying parties validate a consistent state. Preserving an abuse contact can help victims. Allowing a hospital customer time to migrate from a sanctioned carrier protects public health. These actions may incidentally help the listed network, but their primary and measurable purpose can be wider stability.
The continuity measure should therefore be minimum, bounded and non-expansive. No new resources, broader authorizations or preferential support should be added unless clearly permitted. Existing state should be preserved only as long as necessary to resolve status, migrate dependants or comply with an exception. Fees and deferred obligations should be recorded. Decision-makers should disclose conflicts.
Where possible, service should be directed to third parties rather than the target. A repository can continue serving public entities without giving the holder new portal powers. A registry can accept a safety correction through an independent administrator. A continuity provider can move critical downstream customers while commercial service to the listed parent remains restricted.
This approach is not perfect. Shared infrastructure makes incidental benefit unavoidable. Sanctions law itself often confronts this through licences and proportionality. NRS should seek competent-authority guidance for ambiguous high-impact cases instead of improvising broad exemptions.
Continuity must also stop when it no longer protects the stated interest. If all unrelated customers have moved and a specific prohibition covers the remaining service, the institution should act. A continuity rationale without milestones becomes evasion. The record should state the protected population, permitted actions, review interval and closure condition.
Emergency measures need narrow authority and rapid independent review
War and rapidly changing sanctions create pressure for immediate decisions. A new listing can appear outside business hours. Banks can block accounts without warning. A certificate may approach expiry while ownership evidence is disputed. NRS needs emergency authority, but its shape determines whether urgency becomes permanent discretion.
An emergency officer should be able to pause new allocations and transfers, protect credentials, preserve records and maintain last known safe publication for a short period. The officer should not be able to deregister resources, create new route authority or impose indefinite corporate exclusion alone. High-impact actions should require a second approver and review by an independent panel within a fixed number of hours or days.
Every emergency measure needs a written proposition: the suspected legal restriction, the affected entity, the layers touched, the evidence available, the collateral risk, the expiry and the person responsible. If facts are incomplete, that uncertainty should be explicit. Review should decide whether to confirm, narrow, replace or reverse the measure.
Notice should normally reach the holder and affected service providers through established channels. A short delay may be justified if notice would facilitate prohibited transfer or credential abuse, but secrecy should itself expire. Unrelated customers facing connectivity risk need practical information without exposure of protected sanctions evidence.
Reversal must be rehearsed. Restoring portal access is not enough if repository state, contacts and provider credentials remain inconsistent. NRS should test the return from each layer-specific restriction and measure how long public state takes to converge. A temporary freeze that cannot be cleanly lifted is not temporary in practice.
Due process improves enforcement rather than weakening it
Sanctions administration is sometimes presented as incompatible with ordinary review because assets can move quickly. That concern supports immediate preservation measures, not unreviewable final decisions. Accurate identity, ownership and service classification are essential to enforcement. A structured challenge can reveal false matches, sham transfers and hidden controllers more reliably than silence.
The holder should receive the non-sensitive basis for action, the affected layers, permitted activities, evidence needed for correction, review deadline and escalation route. The institution should not disclose intelligence that law protects, but it should avoid empty formulations that make response impossible. Where a government authority owns the decisive evidence, the notice should identify the authority and available legal route.
Independent review should include sanctions expertise, number-resource operations and routing security. A purely legal panel may underestimate certificate consequences. A purely technical panel may treat criticality as a legal exemption. Mixed competence is necessary.
The reviewer should have power to order narrower treatment. It may preserve a payment block but restore a safety contact, uphold a transfer freeze but require repository continuity, or clear an affiliate while maintaining restrictions on the listed parent. Binary affirm-or-reverse review would reproduce the original design error.
Publication should protect privacy while revealing institutional behavior. Aggregate reports can show alerts, confirmed cases, false positives, time to decision, layer-specific restrictions, reversals, bank-caused failures, exception use and collateral incidents. Significant cases can receive anonymized or delayed explanations.
Review outcomes should improve screening criteria. Repeated false positives from one source, long delays in one jurisdiction and frequent overbroad account suspensions are governance defects. Enforcement credibility depends on correcting them.
Hard cases test whether separation is principled
Consider a sanctioned parent company whose subsidiary operates emergency communications but is not itself listed and is not controlled under the applicable threshold. Payment from the parent may be blocked and corporate rights suspended. The subsidiary's registration and accurate route-security state should not be removed merely because systems share a billing account. NRS should separate credentials and require evidence of the subsidiary's control.
Consider a non-sanctioned network whose bank refuses payment because its name resembles a listed company. New discretionary requests can pause briefly, but the institution should prioritize identity resolution, preserve registration and avoid certificate disruption. If the match proves false, restrictions should end immediately and the delay should appear in accuracy metrics.
Consider a listed telecommunications operator carrying traffic for millions of people, including public services. A prohibition may prevent new resources and transfers. Existing registration may remain frozen, and repository publication may continue where lawful to avoid misclassification of routes. Transit providers and authorities must separately assess carriage, customer migration and communications exceptions. The registry should not make that decision for the world.
Consider a listed entity attempting to transfer scarce IPv4 space to an affiliate for payment. Registration continuity does not justify approval. The transfer is a new control event and likely an economic benefit. NRS should freeze it, preserve the evidence and prevent contradictory claims in another region.
Consider a certificate key compromise at a frozen holder. Doing nothing could enable route hijacking. NRS should permit a narrowly authenticated replacement that restores the same bounded authorization without enlarging resources or origins, subject to legal review. Security correction is not equivalent to a new commercial grant.
These cases show why principles must be defined before crisis. Separation is not leniency. It can produce a stricter transfer decision and a more protective continuity decision at the same time.
The NRS institutional design should make coupling difficult
NRS should begin with separate service identities. One legal person can have linked but distinct billing, membership, registration and certificate credentials. A restriction on one credential should not disable another unless a recorded rule connects them. Routing information remains public evidence rather than a customer-controlled service switch.
Contracts should mirror the architecture. The base stewardship agreement covers authoritative registration and continuity duties. Corporate membership terms govern voice and institutional benefits. Payment terms define lawful channels and deferral. Certificate terms govern keys, signing and publication. Optional support remains separable. This prevents a default clause in one agreement from terminating everything.
Data architecture should preserve one authoritative resource history with layer-specific status. Reviewers need to see that payment is deferred, membership is suspended, registration changes are frozen, current certificate publication is maintained and no routing instruction has been issued. Public views should reveal only what users need to understand authority and restrictions.
Service providers should be replaceable. If one bank, certificate host or support company cannot lawfully serve a customer, another qualified provider may take the permitted layer without moving the resource itself. Transferability reduces the chance that one intermediary's risk policy becomes a global technical outcome.
Governance should prohibit mandate laundering. NRS cannot claim that a bank forced deregistration when the bank only rejected funds. A certificate operator cannot call a portal closure a legal revocation. A transit provider cannot cite an NRS freeze as an automatic routing ban. Each actor must name its own authority.
The Society should also resist the opposite temptation: presenting neutral records as a way to preserve every service for every listed entity. Its neutrality is bounded accuracy. New allocations, transfers, corporate privileges and paid support remain subject to law. Separation clarifies where restriction belongs.
Metrics should expose both excess and deficiency
A credible sanctions report should not count only frozen entities. It should show the full funnel: alerts received, unique subjects, false matches, ownership investigations, applicable listings, exemptions, bank-only restrictions, average resolution time and cases reversed. It should separate members, sponsored users, legacy holders and inter-registry transfers where those relationships affect authority.
Layer metrics are equally important. How many payments were refused, deferred or rerouted lawfully? How many corporate rights were suspended? How many registration changes were frozen? How many safety corrections were allowed? How many certificates or signed entities changed because of sanctions? How many routing incidents were reported by third parties?
Collateral impact should be measured. The institution can record dependent public services, downstream customers given migration time, validation changes observed by monitors and false-positive restriction days. It need not publish customer secrets to disclose aggregate harm.
Speed has two directions. Fast freezing can be necessary, but fast clearing is equally important. NRS should publish median and worst-case times to initial restriction, identity resolution, independent review, restoration and public-state convergence. A mature institution does not treat correction as secondary.
Quality measures should examine specificity. What percentage of actions named a governing rule, legal subject, layer and expiry? How many broad account closures were narrowed on review? How often did a bank refusal get misclassified as a legal prohibition? These figures reveal whether separation is actually used.
External auditors should sample both confirmed and cleared cases. Reviewing only successful freezes rewards confirmation bias. Cleared cases show where data and judgment fail. Auditors should also test a simulated listing, payment block, certificate emergency and delisting from beginning to end.
The strongest objections do not justify a single switch
One objection is complexity. Five layers, legal maps and independent review cost money. The comparison, however, is not with a simple harmless alternative. A single switch hides complexity until it becomes an outage, wrongful freeze or unlawful service. Separation makes the real decision visible earlier.
A second objection is evasion. A sanctioned entity may exploit gaps between layers, using continued registration or certificate publication to retain value. This risk supports strict limits on new benefits, beneficial-ownership checks and explicit continuity purposes. It does not prove that deregistration or route suppression is always lawful or effective.
A third objection is inconsistency across jurisdictions. The same entity may face different rules in Europe, the United States and elsewhere. NRS cannot erase that conflict. It can record which rule governs each provider, preserve one resource history and prevent one jurisdiction's bank policy from masquerading as universal law.
A fourth objection is reputational risk. Institutions may fear criticism for serving any listed network. Public layer-specific reasoning is the answer. It is more defensible to show that transfers stopped while safety-critical registration continued than to hide behind generic openness or generic compliance.
A fifth objection is operational security. Allowing changes on a frozen record can create a theft path. Permitted safety changes should use enhanced authentication, separation of duties and independent confirmation. A total freeze can also create security risk when contacts or keys are compromised.
A final objection is that routing continuity indirectly supports a hostile state. Sometimes restrictions are intended to reduce that support. The decision then belongs to competent authorities and operators applying a specific measure. Corrupting registration or RPKI signals is a poor substitute because it spreads effects unpredictably and can strike unrelated users first.
What should be in place by 2027
By 2027, every major number-resource institution should be able to publish a service-layer sanctions policy. The policy should state which actions occur at payment, membership, registration and RPKI, and should affirm that routing decisions are not silently encoded into registry status. It should identify exceptions, emergency powers, review times and restoration duties.
Accounts should be technically decoupled. A bank failure should not expire a certificate by accident. A membership suspension should not remove abuse contacts. A registration freeze should not prevent an urgent credential recovery. Providers should demonstrate these outcomes in controlled exercises.
Institutions should coordinate interoperable restriction evidence for transfers without building a universal political blacklist. A receiving provider needs the legal basis, affected resource, action, date and review status. It does not need every confidential document. Common semantics can stop prohibited transfers while limiting overreach.
RPKI continuity rules should be explicit. They should define last-known-safe state, actions that count as new benefits, key-compromise treatment, publication obligations, relying-party impact assessment and time limits. Independent monitors should verify what validators actually observe.
Banks and regulators should participate in exercises. A registry cannot solve payment resilience alone. Competent authorities should clarify whether essential number registration and route-security publication fall within communications exceptions. Banks should distinguish legal prohibition from internal risk refusal. The evidence should be recorded without exposing protected customer information.
NRS should use its neutral record to support provider substitution. If one payment or certificate provider withdraws, another can perform the lawful function without changing resource identity. This is the positive case for NRS: not freedom from sanctions, but resilience against accidental cross-layer contagion.
The 2027 test should be concrete. Take a simulated entity with a listed parent, non-listed customers, a rejected bank payment, an active transfer request and a certificate nearing renewal. The institution should restrict exactly what law requires, preserve unrelated continuity, publish accurate state, complete review and reverse cleared restrictions without a routing incident. If it cannot, its claimed separation remains theoretical.
Sanctions compliance needs a narrower form of power
The Internet's shared identifiers do not make their holders immune from national law. Nor does sanctions law turn every institution into a global network controller. The governance task is to keep those propositions true at the same time.
The post-2022 evidence shows that the difficult cases are not solved by choosing connectivity or compliance as an absolute. Banks can refuse payments beyond a registry's direct obligations. Most screening alerts can prove false or inapplicable. Registration can be frozen without declaring resources unused. Communications exceptions can preserve defined services. RPKI actions can reach relying parties that have no relationship with the listed entity.
Five-layer separation converts those facts into an institutional discipline. Payment follows transaction law. Corporate membership follows rules on benefits and participation. Registration preserves uniqueness while restricting prohibited change. RPKI maintains accurate, bounded route authority and repository continuity. Routing remains a decision for autonomous networks and competent authorities.
NRS should not promise a politics-free registry. That would be implausible. It should promise that political and legal decisions will not travel farther than their authority and evidence justify. A neutral, transferable record, replaceable service providers and independent review can make that promise testable.
The measure of success is not whether every sanctioned network remains reachable or whether every alert produces a freeze. It is whether the institution can explain each action, protect unrelated customers, stop prohibited benefits, correct errors and preserve one coherent history. Fragmentation begins when a narrow restriction becomes a silent command to the whole network. Service-layer separation is how governance keeps the command narrow.
Sources
- RIPE NCC Quarterly Sanctions Transparency Report, Q2 2026 - current figures for alerts, investigations, false or non-applicable cases, on-hold cases, confirmed applicable sanctions and the distinction between freezing registration and deregistering resources.
- The RIPE NCC and Ukraine/Russia - the institution's position on critical services, payment difficulty, applicable restrictions, transfers and continued registration after the 2022 invasion.
- RIPE NCC Quarterly Sanctions Transparency Report, Q4 2022 - early post-invasion evidence on investigation volume, frozen registration, Iranian and Syrian invoicing obstacles and continued agreements.
- RIPE NCC Annual Report 2024 - evidence on sanctions screening, bank hesitancy, payment extensions and the search for a broader Internet-number-resource exemption.
- RIPE NCC Executive Board Resolution on Provision of Critical Services - the board's commitment to undisrupted critical services across its service region and the wider Internet community.
- OFAC FAQ 1122 on Russia-related General Licenses 25D and 65 - the United States Treasury's explanation of authorizations for specified telecommunications and Internet-communications transactions.
- Council Regulation (EU) No 833/2014, consolidated text - current European Union restrictions and defined treatment of electronic communications, payment services and related exceptions.
- RFC 7020, The Internet Numbers Registry System - the registry hierarchy, stewardship role and global uniqueness objective for Internet number resources.
- RFC 6480, An Infrastructure to Support Secure Internet Routing - the architecture connecting resource certificates, route authorization and relying-party validation.
- RFC 8211, Adverse Actions by a Certification Authority or Repository Manager in the RPKI - analysis of how certificate-authority and repository actions or errors can affect routing security.
- RFC 9255, The 'I' in RPKI Does Not Stand for Identity - the boundary between authority over Internet number resources and claims about real-world identity.

