Summary

  • Registry enforcement usually treats the resource holder or member as the only respondent, even when customers have distinct evidence about migration time, critical services and the likely cost of a sanction.
  • Customer participation should be calibrated: foreseeable, materially affected parties need verified notice and a channel for continuity evidence, not a veto over findings against their provider.
  • The most useful remedies separate adjudication of the provider's breach from protection of downstream service through transition windows, ring-fencing, technical maintenance and confidential submissions.
  • Number Resource Society can place operator and user dependency inside the design of number-resource administration, making third-party continuity a routine governance question rather than an emergency afterthought.

The formal respondent is not the whole affected system

A registry opens a case against a local Internet registry, hosting provider or network operator. The notice goes to the account contact. The provider answers. The registry decides. On paper, the parties are complete. In operation, they may be only the top line of a much larger dependency chain.

The provider may serve business customers, public institutions, access networks, cloud tenants or smaller resellers. Some use addresses assigned from the provider's allocation. Some depend on routing-security and reverse-DNS functions controlled through the provider's registry account. Others have contractual transitions that require weeks or months. They did not make the filing that triggered the case, and they may have no access to the provider's correspondence. Yet the sanction can alter their continuity.

The procedural gap is easy to miss because the registry does not contract with most downstream users. Its rules identify the member or holder. That boundary is administratively efficient and often legally significant. It is not a complete account of governance incidence. A decision-maker who can foresee concentrated third-party harm cannot treat it as irrelevant merely because the affected party is absent from the membership database.

The customer never received the hearing because the system defined the case before counting who would bear it. The answer is not to make every end user a party to every compliance dispute. It is to create a proportionate way for materially affected customers to receive notice, supply continuity evidence and obtain protections that do not erase the provider's responsibility.

Hearing rights should follow material effect, not just contractual privity

Contractual privity is a sensible starting point. The registry can identify the organisation with which it deals, and that organisation is responsible for its customers. Expanding full party rights to everyone downstream could make enforcement unmanageable. But an all-or-nothing choice between full party and complete stranger is unnecessary.

Procedure can recognise levels of participation. The provider remains the respondent on breach, authority and cure. A directly affected customer can submit evidence about its own dependency and transition requirements. A reseller representing many users may receive verified notice and propose a continuity plan. A public-interest body may provide technical information without gaining access to confidential corporate records. Each role can be bounded.

Material effect should be defined rather than assumed. The relevant questions include whether the sanction changes a registry function on which the customer currently relies, whether the customer can migrate within the proposed period, whether service is critical, whether substitutes exist and whether the provider can protect continuity without undermining enforcement. A general fear of market disruption is not enough.

This approach avoids turning customer status into immunity. The holder cannot defeat sanctions simply by adding downstream contracts. Customers do not acquire the right to decide whether the provider breached. They acquire a channel to show how the remedy will land and what narrower design can protect them. Hearing follows the consequence that the institution can reasonably anticipate, while adjudicative control remains with the body responsible for the case.

Notice is valuable only if it arrives before the dependency changes

A customer notice delivered after account restrictions begin may explain history but cannot protect continuity. Effective notice must arrive while the customer can still verify exposure, contact the provider, arrange alternatives and submit evidence. The required time depends on the measure. A transfer restriction may permit a longer process; an imminent change affecting routing-security maintenance may require rapid direct contact.

Registries face a practical problem: they may not know the customers. The provider may hold the list, and confidentiality or competition concerns may make broad disclosure inappropriate. That limitation should shape a notice protocol rather than justify silence. The registry can require the provider to distribute a standard notice to materially affected customers, use an independent notifier, publish a case-specific continuity notice or permit customers to register confidentially for updates.

Verification matters. Public notices can attract competitors, campaigners and people with no operational exposure. A customer seeking protected participation should show a contract, assignment, routing relationship or other credible dependency. The registry can receive evidence under confidentiality and disclose only what is needed for the decision.

Notice should also say what it is not. It should not declare the provider guilty before decision or imply that routes will disappear when the actual measure is narrower. It should describe the function at risk, the expected timetable, the submission channel and available protections. Accurate notice reduces panic; vague warnings may create the very customer flight the continuity process was meant to avoid.

The provider cannot be the sole narrator of customer harm

An upstream provider has strong incentives when facing sanction. It may minimise customer numbers to protect confidential business information, or inflate them to make enforcement appear impossible. It may promise a migration it cannot deliver. It may withhold the case from customers to avoid reputational damage. None of these possibilities proves bad faith. They show why the provider should not be the only source of downstream evidence.

Customers often know facts the provider does not. A hospital can explain why its transition requires validation and maintenance windows. A bank can identify regulatory approvals. A small reseller can show that it lacks direct registry access and depends on the upstream provider for changes. A cloud tenant can describe address allowlists embedded across suppliers. These facts affect remedy design even if they do not affect the finding of breach.

Direct submissions also test the provider's claims. If the provider says every customer can migrate within thirty days, selected verified customers can confirm or contradict the estimate. The registry need not contact thousands of users. It can use representative sampling, sworn statements, technical data and an independent continuity adviser.

A process that hears only the provider invites a false binary. Either the registry trusts the provider's account of catastrophe or dismisses it as self-serving. Customer evidence creates a third position: measure the dependency separately from the provider's merits. That separation protects enforcement from hostage-taking and customers from institutional disbelief.

The hearing should concern continuity, not relitigate the breach

Scope is the key to manageable participation. Downstream customers should not ordinarily receive the provider's confidential compliance file or acquire the right to cross-examine every witness. Their hearing concerns the aspects of the remedy that affect them: timing, technical maintenance, migration, notification, preservation and reversibility.

This limitation respects both fairness and capacity. The provider remains responsible for answering allegations about fees, corporate authority, data accuracy, fraud or policy compliance. Customers may know little about those matters and may have commercial reasons to defend the provider. Allowing them to relitigate breach could multiply the case without improving the evidence.

Continuity submissions can use a structured form. What service depends on the resources? Which registry-controlled function matters? How many users or systems are exposed? What is the minimum safe transition? What alternative provider or addressing plan exists? Which facts can be independently verified? What confidentiality is required? These questions produce decision-relevant information.

The registry should be able to reject cumulative or irrelevant submissions with reasons. It should also be able to appoint a representative where many customers share the same issue. A bounded hearing is not a lesser form of fairness. It is a way to recognise third-party consequence without converting a bilateral enforcement process into an unlimited public inquiry.

Customer evidence belongs in proportionality, not guilt

The distinction between liability and remedy is essential. A provider does not become compliant because its customers are important. A false document is not less false because a hospital relies on the network. Customer dependency belongs mainly in the proportionality of the response: which measure is necessary, how quickly it should take effect and what protections should accompany it.

This separation reduces moral hazard. Providers cannot purchase immunity by building a large customer base. They remain subject to findings, monitoring, financial consequences, restrictions on new business and eventual termination where necessary. What changes is the pathway from finding to operational consequence.

The registry may, for example, prohibit new assignments, freeze transfers, require independent administration or impose a monitored cure while preserving existing technical maintenance. It can set a migration period and require regular reporting. If the provider refuses to cooperate with customer protection, that refusal becomes relevant to escalation. Enforcement remains credible because the institution can constrain the wrongdoer without using customers as leverage.

The decision record should state this logic openly. It should explain that customer submissions did not determine whether the provider breached, but did influence duration, scope or transition. That transparency protects customers from being dismissed as lobbyists and protects the registry from claims that commercial pressure erased the rule.

Critical services require a priority rule that can be audited

Not every customer dependency has the same urgency. A gaming service, a payroll processor, a hospital and a national emergency communications provider may all suffer loss, but their risks differ. Registry procedure needs a priority rule that does not depend on public relations or the size of the customer's legal team.

Useful criteria include risk to life or safety, legal service obligations, scale of dependent users, availability of substitutes, transition time, concentration and the likelihood that registry action will actually affect service. Criticality should be evidenced. A company calling itself essential is not enough; the registry should ask what function is provided and why alternatives cannot protect it.

Priority need not mean permanent exemption. It can mean earlier notice, a longer or staged transition, preserved maintenance, direct technical coordination or appointment of a continuity manager. The protection should last only as long as needed to remove the dependency or complete a lawful transition.

Publishing aggregate information about critical-service accommodations can reduce suspicion. The registry can explain the categories and safeguards without naming sensitive customers. Reviewers can then test whether similar dependencies receive similar treatment. An auditable priority rule is preferable to emergency improvisation, where the best-connected customer receives attention and quieter users discover the sanction after the fact.

Resellers reveal how quickly standing fragments

The hardest cases often involve multiple layers. A registry recognises a member. The member serves a reseller. The reseller serves hosting companies. Those companies serve end users. Which customer should be heard? If every layer receives full rights, the case becomes impossible. If only the member counts, the actual exposure may be hidden several contracts away.

Procedure should follow functional representation. A reseller that aggregates many dependent customers can submit on their behalf if it identifies the relationship and shows authority to represent common continuity interests. End users with distinct critical needs can submit separately. The registry can group duplicative claims and appoint a liaison for technical communication.

The chain also affects evidence quality. The direct member may know which addresses are assigned to the reseller but not which services rely on them. The end user may know its service but not the registry function. Connecting the layers allows a credible causal account. It prevents claims that every customer loss is registry-caused while avoiding the opposite assumption that downstream consequences are too remote to count.

Reseller chains are not an exception to number-resource governance; they are a common expression of it. A hearing model built only around the top account is institutionally neat and economically incomplete. The goal is not universal standing. It is enough representation to make the dependency visible before the remedy hardens.

Confidentiality must protect customers without making evidence secret

Customer submissions can contain contracts, network diagrams, security arrangements, business volumes and regulated-service details. Public disclosure may create commercial or security risk. Yet a registry cannot rely on secret claims that the provider or reviewer cannot test.

A tiered record can solve much of the problem. The customer submits a confidential version and a usable summary. The registry identifies which facts support the continuity decision. The provider can challenge the substance without necessarily receiving every sensitive detail. An independent reviewer can inspect the full material under appropriate safeguards. The public decision explains the category and weight of evidence.

Confidentiality requests should be reasoned and reviewable. “Commercially sensitive” cannot conceal everything. Customer count ranges, estimated migration time and the nature of dependency may often be disclosed without naming contracts. Where even a summary creates risk, the reviewer should state that protected evidence was considered and why a less transparent process was necessary.

This design avoids two failures. Total publication discourages candid customer participation. Total secrecy allows the registry to invoke invisible dependencies selectively. The hearing must preserve enough adversarial testing and public explanation to remain accountable while protecting information unrelated to the community's legitimate interest.

A continuity representative can solve collective-action failure

Thousands of customers may share the same risk but lack time, knowledge or incentive to coordinate. Each expects the provider to defend continuity. The provider may be conflicted or failing. By the time customers organise, the registry decision may be final. This is a collective-action problem, not evidence that no one cares.

For severe cases, the registry or independent reviewer should be able to appoint a customer-continuity representative. The representative's task would be narrow: identify affected classes, gather representative evidence, test migration estimates, propose protections and report conflicts. It would not defend the provider on the merits.

Appointment criteria should be public. The representative should be independent of the registry, provider and major competitors. Funding should not depend on producing a preferred conclusion. Communications and evidence should enter the case record. Customers should be able to contact the representative securely.

This role can improve efficiency. Instead of processing hundreds of repetitive submissions, the institution receives a tested dependency analysis. The provider cannot monopolise customer information, and the registry gains a practical partner for transition. The expense is justified only where the expected harm and number of affected parties are substantial. In smaller cases, direct notice and a structured submission channel should suffice.

Continuity protection should begin before final decision

Waiting for a final decision can make customer protection useless. A provider may lose access during an investigation, counterparties may react to a public dispute or the registry may impose an interim restriction. Continuity planning should begin when a severe measure becomes reasonably possible.

Early planning does not prejudge the case. The registry can ask the provider for a dependency map, preserve existing technical functions, identify a notifier and establish a confidential customer channel. It can tell customers that no final finding has been made. These steps are analogous to preserving evidence: they keep options open.

The provider may resist because notice could alarm customers. That concern is real. Premature broad publication can cause avoidable flight. The answer is staged notice. Directly critical customers may be contacted first under confidentiality. Wider notice can follow if the probability or timing of disruption increases. The institution should record why it selected each stage.

Early continuity work also tests the provider's competence. A cooperative holder that supplies accurate customer and migration information may justify a managed cure. A holder that conceals dependencies or threatens customers may require independent administration. The planning process generates evidence relevant to remedy without contaminating the finding of the original breach.

Ring-fencing can separate customers from the sanctioned provider

Ring-fencing preserves specified functions for existing customers while limiting the provider's ability to expand, transfer or alter disputed resources. It is not always technically or legally available, but it should be part of the remedy toolkit.

A registry might permit authenticated maintenance of existing routing-security entities while requiring dual approval for other changes. It might freeze new assignments while allowing customer records to remain stable. It might appoint a temporary technical contact, require escrow of credentials or monitor changes. The goal is to prevent the provider from using customers as bargaining power while avoiding unnecessary harm to those customers.

Ring-fencing must have governance controls. Who chooses the temporary operator? What authority does that person possess? Who pays? How are conflicts handled? When does the arrangement end? A badly designed continuity regime can become an unaccountable receivership. The registry should not assume powers over customer contracts or network operation that its mandate does not provide.

The tool is most credible when consent, court authority or clear contractual rules support it. Even where formal ring-fencing is unavailable, the concept helps decision-makers separate functions. Broad account suspension may be convenient; granular continuity controls may be fairer and safer. System design should evolve to make those controls possible.

Migration time must be demonstrated, not guessed

Registries and providers often argue about how quickly customers can move. The registry may say addresses can be replaced; the provider may say renumbering is impossible. Both claims are too general. Migration time depends on network architecture, contractual dependencies, security controls, hardware, customer support, regulatory approval and substitute supply.

A credible plan identifies phases: inventory, alternative resources or provider, route and DNS changes, certificate and allowlist updates, customer testing, parallel operation and rollback. It includes the bottleneck and evidence for the duration. It distinguishes inconvenience from risks that can cause serious outage.

The registry need not guarantee a costless migration. Some disruption may be the unavoidable consequence of enforcing valid rules. Proportionality requires a feasible transition where one can be provided without defeating the objective. It does not require indefinite continuation because migration is expensive.

Independent technical review is useful where estimates diverge sharply. The reviewer can test a sample, compare industry practice and identify tasks that can run in parallel. A reasoned migration period is more defensible than a standard deadline copied from unrelated cases. Customer hearings supply the facts that make the estimate real.

Public status language can itself harm customers

Registry status labels are signals. Counterparties may read “suspended,” “revoked,” “under investigation” or “non-compliant” as evidence about operational legitimacy. If the label is broader than the actual measure, customers may lose service through market reaction rather than through a technical registry change.

Status design should distinguish allegation, interim preservation, final finding and continuity arrangement. It should state which functions are affected. A transfer lock is not a routing withdrawal. A fee dispute is not proof of fraudulent control. Accurate labels help transit providers, customers and buyers make proportionate decisions.

The registry should also coordinate timing. Publishing a severe label before customer notice can create panic. Delaying material information indefinitely can mislead counterparties. The right sequence is to prepare continuity channels, notify directly affected parties where feasible and publish an accurate status with enough explanation to prevent over-inference.

If the decision is reversed, the registry should correct the public record visibly. Quiet deletion may leave cached reports and commercial suspicion. A correction notice should identify the restored status without exposing confidential case details. Customers bear reputational effects as well as technical ones; fair procedure must recognise both.

Internal appeal does not automatically represent customers

The provider may appeal a sanction, but its interests can diverge from those of customers. It may seek full vindication while customers prefer a rapid managed transition. It may settle on terms that protect the company but leave users little time. It may become insolvent or stop participating. Treating the provider's appeal as sufficient customer representation is therefore unsafe.

Customers should have a limited route to challenge continuity aspects of the decision. They need not appeal the finding against the provider. They might ask for a stay, longer transition, preservation of a technical function or correction of a public statement. The reviewer should require proof of material effect and consider whether the provider already represents the issue adequately.

This participation must not delay every case. Deadlines can be short, submissions focused and remedies temporary. Where customer evidence is cumulative, the reviewer can consolidate it. Where urgent harm is shown, the reviewer needs power to issue interim protection before deciding the full appeal.

The distinction between provider and customer appeal also improves settlements. The registry and provider know that they cannot trade away third-party continuity without scrutiny. Customers know they cannot veto a lawful sanction. Each interest receives a defined place rather than being smuggled into the provider's claim.

The cost of participation should not select who is heard

Large customers can hire counsel, technical experts and public-relations teams. Small customers may not even recognise the registry's name. If participation depends on formal legal submissions, the record will overrepresent institutions able to convert dependency into advocacy.

A usable process needs plain notice, a structured evidence form, translation where material and a channel that does not require counsel. The registry can publish guidance on relevant evidence and provide a neutral contact. Representatives or associations may aggregate small-customer claims, subject to proof that they actually speak for them.

Fee waivers may be necessary if a filing charge applies. Customer continuity is not an optional commercial dispute added to the case; it is evidence about the registry's own remedy. Charging high fees to supply that evidence distorts the decision. Frivolous or abusive submissions can be controlled through verification and scope rules rather than price alone.

Accessibility also includes time zones, language and technical literacy. A short emergency window announced only on a specialist mailing list will not reach ordinary customers. The institution should judge notice by realistic receipt, not by the fact that a web page existed.

Courts see customers when internal procedure does not

If a registry process excludes customers, they may appear later in court through affidavits, injunction applications, contract claims or public-interest interventions. The external dispute then contains an evidentiary record the registry never considered. That is a costly way to discover dependency.

Courts apply different standing and remedy rules across jurisdictions. Some customers may have no direct claim against the registry. Others may persuade a provider, receiver or public authority to act. The uncertainty itself favours parties with money and access. A large customer can obtain urgent representation; a small one may simply lose service.

Internal customer participation does not replace courts or create rights that governing law denies. It gives the registry better facts before choosing a measure and offers continuity protections within its own competence. A court reviewing the decision can then see that affected parties had a meaningful channel rather than being noticed only after harm.

The institutional benefit is substantial. Customer evidence heard early can support a narrower order, a realistic transition or a settlement. Ignored evidence returns as emergency litigation, where deadlines are shorter and remedies blunter. Hearing is cheaper than surprise.

Aggregate reporting should show whose interests entered the record

A registry can claim to consider users without demonstrating how. Annual accountability reporting should therefore include anonymised information about sanctions with downstream effects: number of customer notices, submissions received, critical-service claims, continuity measures, migration periods, appeals and reported disruptions.

The data should distinguish provider claims from direct customer evidence. It should indicate whether customer participation changed the remedy. This does not require publishing confidential identities or case files. It provides a denominator for evaluating whether the hearing channel exists in practice.

Patterns may expose bias. Perhaps only large enterprise customers receive direct engagement. Perhaps customer submissions routinely arrive after decisions. Perhaps continuity arrangements are common in one class of cases and absent in another without explanation. Aggregate evidence gives members and reviewers a basis for reform.

Reporting can also show the limits of causation. If a sanction produced no measurable technical disruption despite alarming claims, future decisions can calibrate risk better. If small administrative changes repeatedly caused customer flight, status and notice design need attention. Accountability improves when the institution studies effects rather than defending intentions.

The customer hearing needs an independent chair in contested cases

Registry staff investigating the provider may also receive customer submissions. That is efficient for ordinary cases, but severe disputes can create confirmation bias. Staff who believe the provider has exaggerated may discount every customer statement. Staff worried about criticism may overprotect prominent users. An independent chair or reviewer can stabilise the process.

The chair's mandate should be narrow: verify participation, protect confidentiality, organise common issues, test continuity evidence and recommend safeguards. The chair should not decide the provider's breach unless separately appointed to that role. Separation preserves focus and avoids duplicating the main case.

Conflicts are especially important in small technical communities. A proposed chair may advise the registry, the provider, a competitor or a large customer. Disclosure and challenge rules should apply. Compensation should not vary with whether the recommendation favours institutional convenience.

Independence does not require an elaborate tribunal for every sanction. A standing roster and expedited procedure can be activated only when thresholds are met: likely severe continuity effect, large downstream population, critical services or disputed migration evidence. The architecture should exist before crisis so that customers are not asked to trust an improvised representative selected by the institution they seek to influence.

Customers also have duties in the continuity process

Fair procedure does not mean accepting every claim. Customers seeking protection should provide truthful, timely and proportionate evidence. They should identify substitutes, cooperate with migration and avoid using confidentiality to hide commercially convenient delay. A customer that can move safely but refuses because the old arrangement is cheaper should not dictate an indefinite extension.

Large customers may have contributed to concentration by demanding dedicated resources or resisting portable designs. That history may inform the transition, though it does not erase immediate safety needs. The process should encourage shared responsibility: registry restraint, provider cooperation and customer preparation.

Continuity orders can include conditions. Customers may need to complete inventories, test alternatives, report progress and accept a final date. The provider may need to fund migration or provide technical support. The registry may preserve specific functions while monitoring that no new dependency is added.

These duties prevent third-party hearing from becoming a one-way entitlement. The aim is not to freeze the existing commercial arrangement. It is to prevent avoidable harm while moving the system toward a lawful and sustainable state.

Number Resource Society can treat dependency as a design fact

Number Resource Society provides a future direction because its governance premise can begin with operating networks and the users who depend on them. Instead of adding customer protection after a holder dispute becomes public, it can design notice, representation and continuity into the service relationship.

Operators participating in such a system could maintain confidential dependency contacts, designate reseller representatives and agree to staged-notice rules before trouble. Standard continuity plans could separate technical maintenance from transfers and new allocations. Independent reviewers could hear customer-impact submissions through a standing process. These are practical institutional features, not promotional claims.

The model would still enforce accuracy, payment and anti-fraud duties. Customer dependence would not immunise an operator. It would constrain how the system converts a breach into consequences for parties who neither authorised nor could cure it. That is a credible balance between accountability and continuity.

Existing registries can adopt the same direction. The value of Number Resource Society is to make the principle explicit: the administrative account is not the whole network. A number-resource institution serves an ecosystem of operators and users, and its procedure should be able to see beyond the name on the contract.

A hearing is meaningful only if it can alter protection

Inviting customer submissions after the remedy is fixed is consultation theatre. A meaningful hearing must occur before avoidable harm and must give the decision-maker power to change scope, timing or safeguards. Customers should receive reasons explaining how material evidence was treated.

The registry need not accept the requested outcome. It may conclude that the risk is too urgent, the migration estimate is inflated or the proposed ring-fence cannot be operated safely. The obligation is to engage with the evidence. A decision can say why thirty days is sufficient, why maintenance cannot continue or why a claimed critical service has a substitute. That reasoning makes disagreement reviewable.

Implementation should be monitored. If a transition order promises preserved routing-security maintenance, the institution should verify that systems and staff deliver it. If customers report unexpected disruption, an emergency channel should exist. A hearing that produces protections no one operationalises is not effective process.

The final measure of success is not how many customers filed. It is whether the institution learned enough to enforce against the provider without carelessly transferring the penalty to outsiders. The customer does not need to own the case. The customer needs a door into the part of the decision that will otherwise arrive as a service failure, a failed migration or a public status it never had a chance to explain.

Registry accountability ends where unexamined dependency begins

An institution can follow every bilateral step and still make an unjust decision if the procedure excludes foreseeable third-party consequence. Notice to the provider, reasons to the provider and appeal by the provider do not automatically account for customers whose evidence and interests differ.

The remedy is calibrated participation. Identify material dependencies, verify affected customers, hear continuity evidence, protect confidential information, prioritise critical services and separate the provider's breach from the customer's transition. Give reviewers power to adjust protection without turning customers into judges of the provider.

This design is demanding because layered network markets are complex. Administrative simplicity is not neutrality when it systematically places the cost on absent parties. The registry already benefits from the provider hierarchy when collecting records and fees. It must also recognise the hierarchy when its own action sends risk downward.

The customer never received the hearing because older procedures assumed that the account holder could speak for the entire chain. Modern number-resource governance should stop making that assumption. A narrow, timely and evidence-based customer channel preserves enforcement while making continuity harm visible before it becomes irreversible. That is not a concession to commercial pressure. It is the minimum procedure required when an administrative decision at the top of the chain can be felt by users who never knew the registry case existed.

A standing protocol is better than sympathy after disruption

Institutions are often sympathetic once a customer appears with evidence of harm. Sympathy is not a substitute for a protocol. By that stage, a public status may have changed, a migration deadline may be running and counterparties may already have acted. Ad hoc accommodation then looks like favouritism because no one knows why this customer received attention while another did not.

A standing protocol should define the trigger for customer notice, the evidence required for protected participation, the person responsible for receiving submissions, the available continuity measures and the route to expedited review. It should explain how resellers aggregate claims, how critical-service priority is tested and how confidentiality is maintained. The protocol should also set limits so that customer participation does not become a general delay tactic.

Periodic exercises can test whether the channel works. A registry can simulate a provider sanction, verify that notices reach dependency contacts, confirm that technical maintenance can be ring-fenced and measure how quickly an independent reviewer can act. Exercises expose missing contacts and system permissions before a real case makes them consequential.

The result is procedural equality. Customers do not depend on institutional improvisation, public influence or an emergency lawyer. The registry does not need to invent a remedy while defending its decision. Everyone knows in advance that downstream evidence has a defined place—and that the place is limited to protecting continuity, not excusing the upstream breach.