Summary
- ICP-2 made technical expertise one of ten essential recognition criteria. It required production-grade connectivity, reverse-DNS capability, suitable infrastructure and enough skilled staff, but it separately required bottom-up governance, broad support, impartiality, independent operation, public policies, auditable records and confidentiality.
- Reliable service answers a performance question: can the registry carry out defined technical functions? It does not answer the authority question: who may decide, under what rule, with whose representation, subject to what reasons, conflicts, appeal and remedy?
- Recognition should use a dual assessment. Technical capability must pass non-negotiable service and security tests, while institutional restraint must pass separate tests for scope of power, member control, equal treatment, reasoned decisions, independent review, emergency limits and restoration. Strength in one column must not compensate for failure in the other.
The green status page answers only one question
Imagine an RIR during a governance dispute. Its directory service responds. Reverse-DNS delegations continue. Route-security systems produce current material. Engineers monitor incidents, and resource holders can still authenticate to the member portal. From an operator's immediate perspective, this is valuable. Networks should not lose essential service merely because directors, members, litigants or a court disagree about the institution's control.
Now ask a different set of questions. Who authorized a contested resource decision? Which policy text controlled? Did the decision maker have a conflict? Could the affected holder inspect the evidence, answer it and obtain interim relief? Were small and large members represented under known rules? Could a governing body reverse an executive act? If the board lacked quorum, what limited authority allowed services to continue, and when did that authority expire?
No amount of uptime answers those questions. A status page measures availability. It does not measure lawful authority, fair procedure or representative control. The engineers may be excellent while the institution gives a member no effective remedy. A technically precise system can execute an institutionally arbitrary instruction more reliably than a badly run system. Competence can reduce accidental error without limiting intentional or authorized power.
This distinction matters because RIRs are not ordinary software vendors. They maintain authoritative records and perform administrative acts that affect the practical use, transfer, routing, reverse resolution and security of Internet number resources. Their service regions are non-overlapping. A dissatisfied resource holder usually cannot move to a competing registry merely by changing suppliers. Technical success therefore creates reliance, and reliance increases the need for restraint.
The question for recognition is not whether technical competence matters. It is indispensable. A registry that cannot preserve accurate records or secure its services should not receive responsibility for a region. The question is whether technical success is enough. ICP-2's own structure says no. The subsequent history of the RIR system says no more loudly. The correct standard must protect uninterrupted service while keeping the authority behind that service visible, limited and reviewable.
ICP-2 kept competence inside a ten-part settlement
The 2001 ICP-2 text describes ten criteria for recognizing a new RIR and states that their numbering is not significant because all are essential. Technical expertise appears as the fifth criterion. A candidate had to show production-grade global Internet connectivity, servers capable of supporting reverse-DNS delegation, suitable internal infrastructure and enough technically capable staff to provide appropriate service levels.
Those requirements were concrete for good reason. A new regional body could have enthusiastic political support and still be dangerous if it could not exchange registration information, maintain authoritative services or retain competent operators. Regional identity was not a substitute for reliable engineering. Recognition transferred real service responsibility from incumbent RIRs, so the candidate had to prove that the transition would not degrade the registry system.
But technical expertise was surrounded by other conditions. The candidate needed broad support from LIRs and ISPs. It needed open and transparent bottom-up policy development, fair representation, neutrality, equal treatment, not-for-profit independence, policies consistent with global goals, a community-supported activity plan, a viable funding model, proper records and confidentiality. Technical operation was one part of an institutional settlement.
The separation is analytically important. If technical competence had been intended to prove legitimacy, the other criteria would be redundant. Instead, ICP-2 asked different questions of the same candidate. Can it run the service? Does the affected community support it? Can entities shape policy? Will requestors be treated impartially? Is the body independent? Can its acts be audited? Will sensitive information be protected? A candidate could be technically capable and still fail recognition because the answers elsewhere were inadequate.
The document's statement that every criterion is essential also rules out a compensatory score. Exceptional engineering does not earn points that can be spent on unequal treatment. A highly representative association cannot compensate for insecure operations. A strong balance sheet cannot excuse missing records. Recognition is a set of minimum conditions, not an average.
That design should survive modernization. The specific technologies have changed since 2001, and mature RIRs face problems the entry document did not fully anticipate. The central insight remains sound: competence and legitimacy are distinct. Updating the service test should not collapse the surrounding restraints into it.
AFRINIC's 2005 assessment demonstrates the separation
The IANA evaluation that supported AFRINIC's recognition followed ICP-2 criterion by criterion. Its technical section was emphatic. It found full competence in production connectivity, reverse-DNS service, internal infrastructure and staffing. It described AFRINIC's operation as impressive, well designed, well executed and staffed by highly competent technical and operational personnel.
That praise did not end the review. In separate sections, IANA assessed regional support, policy development, neutrality, impartiality, funding, records and confidentiality. On self-governance, it examined open policy procedures, public participation and annual meetings. On neutrality, it considered the not-for-profit open-membership structure and the stated commitment to equal treatment. On funding, it considered fees, incubation support and the path to independence. On records, it considered operational auditability and availability in English.
The review therefore offers a useful controlled example. The same evaluator, looking at the same candidate in the same document, treated technical excellence as proof of technical readiness and nothing more. It did not infer broad community support from the quality of the nameservers. It did not infer impartiality from accurate invoices. It did not infer member control from skilled engineers. Each proposition required its own evidence.
The file also shows the difference between technical assistance and institutional mandate. Existing RIRs trained AFRINIC staff and exchanged engineering expertise during transition. Their support helped the new registry reach the required service level. That assistance did not make those RIRs the political principals of Africa's resource holders. Operational cooperation can strengthen competence without supplying representation.
This distinction becomes more important after recognition. At entry, a candidate can be told to improve before responsibility transfers. Once a registry serves a region, operators depend on its continuing services. If governance fails, technical staff may be the people preventing broader harm. It would be perverse to treat continued service as evidence that no governance problem exists, and equally perverse to interrupt service merely to dramatize a governance problem.
The recognition standard should instead preserve the separation used in 2005. Protect the engineers and systems needed for continuity. Evaluate authority, representation and remedy on their own evidence. Technical persistence can be a reason to isolate service from conflict, not a reason to certify the conflict as legitimate.
AFRINIC later became a real-world separation test
AFRINIC's later history demonstrates that technical service and functional governance can diverge for a sustained period. The NRO's September 2023 statement welcomed the appointment of an official receiver and described restoration of a board and chief executive as necessary for functional governance. In the same statement, the NRO thanked AFRINIC staff for maintaining continued operations and services during difficult circumstances.
The NRO's October 2024 announcement again said staff had maintained operations while the institution remained on a path toward elections and restored governance. ICANN's March 2025 update referred expressly to an ongoing governance crisis, a court-appointed receiver and the task of restoring functional governance and operations. None of these official statements said that every technical service had collapsed. Their concern existed alongside service continuity.
That combination should discipline the analysis. It would be inaccurate to infer from governance crisis that every AFRINIC engineer or system failed. It would be equally inaccurate to infer from continued operations that the governing structure was healthy. Official actors themselves separated staff professionalism and reliable service from the unresolved institutional condition.
This is not unique to AFRINIC. Many critical institutions can preserve outputs during leadership vacancies, litigation or constitutional dispute. Central expertise, automation, professional norms and recurring procedures provide inertia. That inertia is a public good in the short term. Over time, however, it can hide deferred decisions, exhausted staff, unreviewed emergency power and weakened accountability.
For an RIR, persistence is especially likely because much of the daily task is specialized and repeatable. Existing registrations do not vanish when a board seat becomes vacant. Published data can remain available. A skilled team can follow established policy. Vendors continue under existing contracts. Fee relationships persist. The institution may look stable from outside because the most visible outputs change slowly.
Governance risk appears in the exceptions: a disputed revocation, a transfer with conflicting claims, access to sensitive member records, an election using institutional contact data, an emergency security change, a settlement that binds future members, or a policy interpretation that reallocates discretion. These acts require legitimate authority and review, not merely operational skill.
AFRINIC therefore supplies a valuable negative proof. A running service cannot be used as a universal proxy for institutional compliance because service continued while NRO and ICANN publicly identified governance restoration as unfinished. The two variables can move independently. Recognition must measure both.
What technical competence can prove
A serious technical assessment can prove a great deal. It can show whether the registry maintains globally reachable and appropriately redundant services. It can test the accuracy, integrity and recoverability of registration records. It can inspect reverse-DNS operations, route-security systems, access controls, incident response, change management, monitoring, capacity and staff coverage. It can measure service levels and examine whether the RIR uses interoperable standards.
The assessment can also test organizational practices that directly support engineering. Are privileged actions separated and logged? Can backups be restored? Is there independent monitoring outside the registry's own network? Are key systems documented? Can another qualified team operate them under controlled conditions? Are vendor dependencies known? Does the organisation retain enough staff to avoid a single point of human failure? Are security incidents investigated and reported?
These findings are not cosmetic. They bear directly on whether resource holders can rely on the registry. An institution with perfect bylaws but corrupted records is not legitimate in practice. A beautifully representative policy forum cannot compensate for an insecure signing system. Technical failure can create arbitrary outcomes because inaccurate data and unstable tools make equal treatment impossible.
Technical evidence can also disprove some governance claims. If an executive says a contested action was compelled by system design, logs and configuration may show whether alternatives existed. If the registry says an outage was unavoidable, external monitoring can test the timeline. If a resource decision is said to follow policy, the implementation record can show which rule and version the system applied. Operational evidence makes authority auditable.
The limit is inferential. Reliable systems prove that people and controls produced reliable systems during the observed period. They do not prove that every instruction entering those systems was lawful, fair or representative. A log can show who changed a record; it does not by itself show whether that person had legitimate authority. A service-level report can show rapid completion; it does not show whether affected parties received notice or appeal. A penetration test can show resistance to intrusion; it does not show resistance to institutional capture.
The recognition file should therefore use technical evidence for the propositions it can support. It should not attach a halo of legitimacy to engineering success. Precision begins by refusing to make one form of evidence answer a different question.
What competence cannot establish
Technical competence cannot establish the boundary of power. An RIR needs authority to allocate resources, maintain records and apply policy, but the scope of that authority must come from public rules, agreements, corporate instruments and the legitimate decisions of the relevant community. Engineers can implement a boundary after it is defined. Their ability to implement does not create the boundary.
Competence cannot establish equal treatment. A system may process identical inputs consistently while the institution decides which evidence to accept, which cases receive urgency, which policy interpretation governs or which member obtains an exception. Consistent execution of a biased rule remains biased. A reviewer needs case selection, reasons, comparator data and appeal outcomes, not only service averages.
Competence cannot establish remedy. A help desk can correct a typo or restore an account. Institutional remedy asks whether an affected person can challenge the underlying decision before an independent body with authority to pause, reverse or compensate for it. Fast ticket closure is not due process. A technically elegant rollback function is not an appeal if the same official decides whether it may be used.
Competence cannot establish representation. Skilled staff may understand routing, resource policy and regional operations better than most members. Expertise gives their advice weight; it does not give them the members' vote. The same is true of ICANN staff, peer-RIR executives, consultants and emergency operators. Knowledge of how to run the service is not authorization to decide the region's institutional future.
Competence cannot establish restraint during emergency. The capacity to move records, change credentials or redirect service is precisely why emergency authority needs scope, duration, logging and review. A capable operator can do more good quickly, but can also make broader irreversible changes. The technical ability to act strengthens the case for legal controls around the act.
Finally, competence cannot establish legitimacy through outcome alone. Resource holders may continue receiving service because switching is impossible, because they fear disruption or because staff remain professional despite weak governance. Continued payment and use are evidence of reliance. They are not necessarily consent to every institutional arrangement.
These limits do not diminish engineers. They protect them from being made the constitutional cover for decisions they did not authorize. A well-designed institution lets technical staff point to a valid mandate, document their implementation and escalate questionable instructions to an independent channel.
Technical systems are also instruments of power
The separation between technology and governance should not be mistaken for a wall. RIR authority is exercised through technical systems. A registration record can affect how counterparties assess control of an address block. Route-security material can influence route acceptance. Reverse-DNS administration affects names associated with address space. Authentication systems decide who can submit requests or vote through member channels. Contact records can shape notice and participation.
Because the systems carry institutional decisions, technical design can either restrain or concentrate power. Dual authorization for sensitive changes reduces unilateral action. Immutable logs support later review. Policy-version tagging shows which rule drove a decision. Separation between case investigation, approval and implementation limits conflicts. Time-limited credentials constrain emergency access. External monitors make silent service changes harder.
Yet these controls remain incomplete without institutional rules. Two employees can jointly execute an unauthorized instruction. An immutable log can preserve evidence of an unfair act without providing a remedy. Policy-version tagging helps only if the policy was validly adopted and the interpretation is reviewable. Separation of duties within management does not substitute for oversight by a governing body and members.
The most dangerous recognition shortcut is to treat technical control as self-justifying. If the registry has custody of the records and the ability to operate the service, it may appear to possess the authority to decide. That reverses the relationship. Custody is entrusted because authority has been established elsewhere. The custodian's competence is a condition of trust, not the origin of power.
This matters during institutional transition. A temporary operator may receive copies of records and credentials needed to preserve essential functions. Those capabilities should not grant the operator permanent control, ownership of the local entity, discretion to change regional policy or a vote over successor selection. Technical handoff and institutional succession are distinct decisions.
A modern standard should make that distinction visible in system permissions. Emergency roles should correspond to enumerated services. High-impact actions should require documented authority outside the operator. Data access should be minimized and audited. At the end of the appointment, credentials and copies should be reconciled under independent supervision. The technical design should embody the temporary nature of the mandate.
Institutional restraint is therefore not an alternative to good engineering. It is a requirement that engineering make power traceable, limited and reversible where possible.
The first restraint is a public authority map
Every recognized RIR should maintain a public map of consequential powers. The map should identify which body adopts number-resource policy, which body interprets policy in individual cases, which staff execute decisions, which organ oversees executives, which body handles conflicts, which forum reviews adverse decisions and which actor can exercise emergency authority. It should identify the legal or contractual basis for each power.
The map should distinguish routine service from exceptional action. Processing a complete request under settled policy is not the same as suspending access, revoking a registration, disclosing protected information, changing election records or moving service to another operator. Exceptional powers need a higher authorization threshold, reasons and review.
Authority maps reduce a recurring ambiguity in distributed Internet institutions. ICANN coordinates unique identifiers and recognizes RIRs; the RIRs cooperate through the NRO; each RIR is incorporated under domestic law; members elect governing bodies under regional rules; technical staff operate shared systems. Several actors may have legitimate interests, but interest is not power. A map prevents a coordination relationship from being silently converted into command.
The map must include negative space. It should say what ICANN cannot decide, what the NRO cannot decide, what an RIR executive cannot decide alone, what a temporary operator cannot change and which matters remain for domestic courts or members. Institutional restraint becomes real when actors can point not only to grants but also to exclusions.
Changes to the map should require the same level of legitimacy as the power being changed. An internal manual should not expand a power defined narrowly in public policy. A service agreement should not override member rights without a valid amendment route. Emergency correspondence should not become a permanent source of authority merely because it was issued under pressure.
Technical systems should then be reviewed against the map. Does the person who can press the button possess the stated authority? Does the system require evidence of approval? Are logs available to the reviewer? Can a privileged administrator bypass an institutional safeguard? This is where technical audit and governance audit meet productively. The authority map supplies the rule; the system supplies evidence of implementation.
Recognition should require this map because opacity about who may act is itself a continuity risk. During crisis, every minute spent disputing basic authority delays both remedy and service protection.
Reasons and comparators turn consistency into impartiality
An RIR can report that it completed requests within target times and still leave outsiders unable to judge impartiality. Speed averages conceal which cases were accepted, rejected, escalated or settled. To test institutional restraint, consequential decisions need reasons tied to a public rule and enough comparator information to identify inconsistent treatment.
Reason giving should be proportionate. Routine approvals do not need judicial essays. A decision that restricts a resource holder, rejects significant evidence, departs from prior interpretation or changes the registry record should identify the rule, material facts, conclusion, decision maker, conflicts and review route. Confidential information can be protected without reducing the public explanation to a conclusion.
Comparators are equally important. Neutral software can apply whichever classification it receives. The reviewer needs to know whether similarly situated holders received similar procedures and outcomes. That requires structured records of the decision basis, not exposure of every customer's sensitive data. An independent auditor can test samples and publish aggregate findings about variance, exceptions and reversals.
This is one place where technical competence can serve restraint. Good case systems can require a policy citation, record each approval step, flag an exception, preserve the version in force and generate privacy-preserving comparator reports. Poor systems leave decisions in email, obscure who changed the record and make equal treatment expensive to verify.
The institution must still decide what happens when inconsistency appears. A technical finding should lead to correction, notice to affected parties, review of similar cases and, where necessary, compensation or restoration. Without remedy, audit becomes historical description.
The December 2024 ICP-2 implementation and assessment procedures available through ICANN translate neutrality into equal service and impartial treatment, while treating technical capability as a separate requirement. They also preserve record keeping as the basis for operational audit. That separation is useful even where details of the wider compliance model remain contested: equality must be evidenced through decisions and records, not inferred from the availability of the service.
An RIR that publishes reasons and comparator evidence does not weaken operational authority. It shows that authority is exercised as a stewardship function rather than personal discretion.
Remedy is an operating requirement
Institutions often place dispute resolution outside operational quality. Engineers run the service; lawyers handle complaints. For an RIR, that division is misleading. An uncorrected institutional error can be as consequential as a technical fault. Remedy should therefore be designed with the same seriousness as incident response.
A credible remedy has an intake path, acknowledgment time, evidence standard, independent decision maker, power to preserve the status quo, reasoned outcome, correction mechanism and publication rule. It distinguishes urgent service restoration from final resolution. It protects confidential material while allowing the affected party to answer the case. It records reversals so the same error is not repeated.
Independence must be functional. A review panel chosen and removable at will by the executive whose decision it reviews may be independent in name only. The process needs conflict checks, protected tenure or case-specific appointment rules, transparent selection and authority to bind the operational team. Members should know whether review is internal, arbitral, corporate, judicial or some combination.
Interim relief is particularly important because technically competent execution can make harm immediate. If the registry changes a record or credential before review, the later appeal may be hollow. The remedy system should identify which actions pause automatically, which require a showing of likely harm and which cannot be paused because global security is at risk. Emergency exceptions should receive prompt retrospective review.
Remedy metrics should accompany service metrics. The organisation can publish complaint volumes, time to decision, proportion upheld or modified, categories of recurring error and completion of corrective action without revealing protected details. A zero-complaint claim should invite scrutiny if members lack a usable channel.
Technical teams need protection within this design. Staff should have a documented escalation route if an instruction appears inconsistent with policy or authority. Escalation should not require them to become public whistleblowers or decide legal questions alone. The institution should be able to pause a non-urgent consequential act while the mandate is checked.
A registry is not fully operational when it can act but cannot correct itself. Recognition should treat review and correction as part of reliable service, not as optional governance ornament.
Representation cannot be inferred from usage
RIRs often describe themselves as community driven. The phrase can conceal several different groups: voting members, resource holders, network operators, policy entities, governments, civil society, technical experts and Internet users. Technical competence does not resolve which group authorizes which decision.
Service use is a particularly weak proxy. Resource holders may continue using an RIR because regional registration is structured around one institution. Their payments show that they need service and comply with the fee arrangement. They do not necessarily show approval of an election design, an executive interpretation or an external intervention. Exit is too constrained to carry the meaning it has in an ordinary competitive market.
Meeting participation is also incomplete. People able to attend regional meetings or follow specialist mailing lists may be unusually engaged, well funded or fluent in the operating language. Their expertise is valuable, but visible participation should not silently replace the rights of the broader eligible population. The denominator and mandate matter.
Representation should be tested at each level. Policy development needs open participation, documented consensus assessment and a route for unresolved objections. Corporate governance needs an accurate voter roll, fair nomination, neutral administration, conflict controls and a lawful method for filling vacancies. Exceptional service decisions need notice and individual remedy. System-wide changes need evidence that regional and global interests were both heard without allowing peer institutions to appoint themselves as the affected community.
The technical platform can support this legitimacy through secure authentication, auditable ballots, equal access to information and preservation of participation records. It cannot decide whether the franchise is fair, whether affiliate voting is balanced or whether the governing body reflects the region. Those are institutional judgments that require public rules.
Recognition should therefore reject the argument that continued use demonstrates consent. It should ask who is entitled to participate, how authority is verified, which decisions members can influence, what participation barriers exist and how dissent is recorded. A technically excellent registry with a closed or captured representative structure remains institutionally deficient.
Emergency competence needs stronger restraint, not weaker restraint
Crises reward speed. A security incident, unavailable board, restrained account or damaged data set may require action before ordinary meetings can be held. The operator with the necessary skill should be able to preserve service. But emergency competence is the point at which authority is most likely to expand without clear consent.
A valid emergency mandate should specify the trigger, decision maker, services covered, prohibited acts, reporting duty, maximum duration and route to renewal or termination. It should distinguish preservation from transformation. Keeping directory and reverse-DNS service available is preservation. Redrawing a service region, changing substantive allocation policy or deciding permanent succession is transformation.
The mandate should follow least authority. Give the temporary actor the smallest set of powers that can prevent the identified harm. Credentials should expire automatically. Material changes should be logged and independently reviewed. Where the emergency actor is another RIR, procurement and strategic conflicts should be disclosed; technical solidarity should not become an unreviewed path to institutional consolidation.
Exit is part of the design. The temporary operator must be able to return records, reconcile changes, close privileged access and explain unresolved cases. The restored institution or lawful successor should receive a verified state, not an opaque service that has evolved under exceptional control. Members should know who determines that the emergency has ended.
The NRO's draft RIR Governance Document Version 2 separates performance and continuity from corporate governance, member-elected control, transparency, impartiality and controls against disproportionate influence. It also describes an emergency operator and transfer readiness. That structure correctly rejects the idea that the ability to run service confers every other institutional quality.
The document remains a draft. The NRO's review overview records Version 2 as the current draft and shows further work in 2026. Its value here is conceptual: modern continuity needs explicit powers and limits because technical capacity alone cannot supply them.
Emergency arrangements should be judged by a paradoxical standard. They must be technically strong enough to act immediately and institutionally weak enough not to become a permanent sovereign.
Recognition needs two non-compensating ledgers
A mature recognition assessment should keep two ledgers. The technical ledger measures service capability. The institutional ledger measures restraint. Both must pass. Neither should be reduced to a single score that can offset failure in the other.
The technical ledger should cover service availability, security, data accuracy, reversibility, redundancy, incident response, staff depth, external dependencies, continuity exercises and controlled transfer capability. Evidence should include tests and observed results, not only policies. The assessor should know whether backup restoration, privilege separation and temporary operation work in practice.
The institutional ledger should cover the authority map, member control, policy legitimacy, neutrality, reasons, conflicts, record auditability, complaint handling, independent review, interim remedy, emergency limits and restoration of ordinary governance. Evidence should include bylaws, decisions, election records, review outcomes, samples of case treatment and proof that corrective actions were completed.
Some failures should be disqualifying until cured. A candidate unable to maintain accurate authoritative records cannot be recognized on the strength of inclusive meetings. A candidate whose governing body is controlled by an undisclosed private sponsor cannot be recognized because its systems are excellent. A mature RIR with a temporary deficiency may receive a remediation period, but continuity support should not be presented as proof that the deficiency is immaterial.
The two-ledger model also improves diagnosis. If services fail while governance remains valid, the response may focus on technical assistance, staffing and infrastructure. If governance fails while services remain reliable, the response can isolate operations and repair authority without disrupting resource holders. If both fail, emergency continuity becomes more urgent, but the operator's limited mandate must remain clear.
Review frequency should reflect the evidence. External service monitoring can be continuous. Security and restore tests can be periodic. Elections and policy processes can be reviewed when they occur. Institutional controls can be recertified on a schedule and after material change. The objective is not permanent external management; it is timely evidence that the conditions of recognition still exist.
Publication should preserve the distinction. A public report should never say merely that an RIR is "compliant" because the statement hides the basis. It should state which technical and institutional areas were tested, the evidence period, material limitations, findings, remediation and review route. A reader should be able to see excellent service and deficient governance at the same time without forcing one label to erase the other.
The evaluator also needs restraint
An institutional-restraint test can become a source of overreach if ICANN or the peer RIRs define every disagreement as non-compliance. Recognition does not authorize an evaluator to replace regional policy choice with its own preferences. The power to assess limits must itself be limited.
The December 2024 assessment procedures state that an ICANN-initiated review should concern risk to the secure operation of unique identifier systems, should be limited in scope and should not become a broad general compliance role. They contemplate notice, supporting information, access to records, draft findings in ordinary cases and an opportunity to correct material factual errors. Those are useful restraints, though the authority and final form of any lifecycle regime still require clear settlement.
A modern rule should add defined standing, evidentiary thresholds, conflict disclosure, independent expertise and appeal. Peer RIRs may possess valuable operational knowledge, but they can also have institutional interests in preserving the existing model or influencing a successor. Their evidence should be tested rather than treated as neutral by status. ICANN can coordinate, but its mission does not dissolve the domestic legal identity or member rights of an RIR.
The technical test should also resist mission expansion. An assessor can require secure, interoperable and reliable service without prescribing a preferred software stack. It can test whether a transfer works without deciding that transfer must occur. It can identify a severe vulnerability without taking permanent control of the system. Outcomes, controls and risk boundaries matter more than managerial taste.
The institutional test should focus on recognizable harms: unauthorized power, unequal treatment, captured governance, missing review, unreliable records, inability to restore representative control or material danger to service. It should not punish an RIR merely because its members choose a different fee structure, meeting format or policy outcome from another region.
Remedy should remain proportionate. A missing reasons policy can be corrected. A compromised election may need independent administration. A security failure may need urgent technical support. Derecognition should require a stronger finding and a service-protection plan. The evaluator should not use the dependence of resource holders as leverage for institutional conformity.
Restraint is reciprocal. RIR power needs boundaries, and the power to judge an RIR needs boundaries too.
A better recognition question
The familiar question, "Is the service running?" should be replaced by four linked questions.
First, can the institution perform the service accurately, securely and continuously? This is the core competence test. It requires observed technical evidence and skilled staff.
Second, is each consequential power grounded in a public and valid authority? This is the mandate test. It prevents custody and capability from becoming self-authorization.
Third, can affected members and resource holders understand, challenge and obtain correction of an adverse act? This is the remedy test. It distinguishes customer support from accountable administration.
Fourth, can essential service persist while disputed authority is repaired without allowing a temporary operator to acquire permanent power? This is the restraint-under-stress test. It joins continuity with institutional limits.
An RIR deserves recognition only when the answers fit together. Technical competence makes its decisions effective. Authority makes them legitimate. Remedy makes them corrigible. Representation connects the institution to the community whose reliance sustains it. Emergency limits preserve those qualities when ordinary governance is weakest.
This model does not demand that engineers become judges or that every service request become a hearing. It assigns each function to the right institution and requires clean interfaces. Operators receive valid instructions and produce auditable implementation. Decision makers give reasons. Reviewers can pause or correct consequential error. Members can restore governing authority. Temporary actors can preserve service without inheriting the constitution.
The practical benefit is not theoretical purity. Clear boundaries reduce operational uncertainty. Staff know who can authorize exceptional action. Resource holders know where to challenge it. Courts can distinguish core continuity from disputed corporate control. ICANN and peer RIRs can offer technical aid without silently claiming regional mandate. A successor or restored board can reconstruct what occurred.
The model also changes how failure is communicated. A technically stable institution should be able to acknowledge a governance deficiency without implying that the network is about to fail. Conversely, an institution should not cite stable services as a complete answer to a documented authority or remedy problem. Separate findings make proportionate action possible: continuity can be protected, a disputed power can be paused, an election can be repaired, and an appeal mechanism can be installed without manufacturing a false choice between institutional accountability and operational stability.
That clarity benefits external actors as well. A court considering urgent relief can see which acts preserve service and which decide contested rights. A peer RIR offering assistance can define the exact technical function it will perform and the point at which it will stop. ICANN can identify the criterion under review without treating every weakness as a system-wide emergency. Members can support continuity while continuing to contest governance. The institution becomes easier to repair because the service, authority and remedy questions are no longer forced into one binary label.
The RIR system has long valued technical professionalism, and rightly so. The next recognition standard should preserve that culture by refusing to burden it with claims it cannot prove. A running service is evidence of competence. It is not a plebiscite, a judgment, an appeal or a constitution.
Evidence and analytical limits
The original ICP-2 document supports the distinction between technical expertise and the other essential recognition criteria. Its technical requirements are specific, while support, bottom-up governance, neutrality, funding, records and confidentiality are assessed separately. The article does not treat the 2001 list as a complete modern accountability code.
The 2005 IANA report supports the account of AFRINIC's technical assessment and the criterion-by-criterion recognition method. Its positive conclusion concerned the evidence available during entry and does not determine every later question about the institution.
The NRO statements from September 2023 and October 2024, together with ICANN's March 2025 update, support the limited observation that staff maintained services while official actors described functional governance as requiring restoration. They are not used to decide contested litigation, election allegations or the merits of any individual resource dispute.
The December 2024 implementation and assessment procedures support discussion of separate technical, neutrality, record and review concepts and the stated limit against a broad ICANN compliance role. The analysis does not assume that every procedural detail is a final or uncontested source of authority.
The NRO Version 2 draft supports the modern separation of performance, continuity, governance, member control, transparency, impartiality and anti-capture controls. The NRO review page and published timeline show that further drafting and formal adoption remained pending in 2026. The two-ledger assessment proposed here is an analytical recommendation, not a claim that a final global rule has already adopted it.

