Summary
- The NRO was created by the regional internet registries themselves. The 2003 MoU made it a coordinating mechanism for the RIRs and required unanimous written commitment before legal obligations or undertakings could be made in the NRO's name.
- That structure gives the NRO real coordinating force among the RIR signatories, especially for global policy handling, registry-system uniqueness, accuracy, public entries and consistent service cooperation. It does not create a separate public authority over network operators, resource holders or ordinary registry customers.
- A defensible NRO claim should pass a delegation test: which RIRs delegated the act, which signatory obligation authorizes it, which affected community approved the underlying policy, and what remedy exists if coordination becomes overreach.
The contract that cannot be read upward
The Number Resource Organization is often described in language that makes it sound larger than its legal and democratic source. It appears in ICANN arrangements, global policy procedures, RIR accountability statements, public letters, registry continuity debates and technical coordination programs. It speaks for the RIR system in ways that matter to governments, operators, courts, standards bodies and ICANN. Yet the first question is still simple: who created it, and what could they give it?
The answer is unusually clear. The NRO was created by the RIRs. APNIC, ARIN, LACNIC and RIPE NCC signed the founding Memorandum of Understanding on 24 October 2003, and AFRINIC later signed after becoming the fifth RIR. The NRO history page describes the organization as established in 2003 as a coordinating body for the world's regional internet registries. The NRO MoU says the organization initially would be unincorporated, might later be incorporated only in a jurisdiction acceptable to all RIRs, and would include the RIRs that signed the document.
That is not a minor constitutional detail. A body created by five institutions can receive authority from those institutions, but it cannot automatically acquire authority over every network operator merely because operators rely on the registry system. The RIRs can commit themselves to cooperate. They can make joint promises about coordination, shared services, policy handling and public registry obligations. They can create an Executive Council, a Number Council and a Secretariat. They can agree to arbitration among themselves. They can assign costs. They can bind their own conduct within the limits of the compact.
But a compact among intermediaries is not the same as consent by every downstream user of the system.
The distinction matters because number-resource governance is layered. IANA allocates to RIRs. RIRs serve members, customers and other resource holders. Some resource holders are members; some are legacy holders; some are end-user organizations; some are local internet registries that serve further customers. The IETF's RFC 7020 describes this hierarchy as rooted in the IANA address allocation function, serving RIRs, which then serve local registries and other customers. It also says the registry system must maintain uniqueness and accurate registration information for operational needs. That hierarchy creates dependence, but dependence is not the same as delegated power.
This is the core of the NRO authority problem. The NRO has institutional weight because the RIRs need a place to act together. It also has public significance because the RIR system supports uniqueness, registration accuracy and global coordination. But public significance does not erase the source of authority. The NRO was not elected by the world's operators. It was not created by a treaty. It was not incorporated by users of address space. It was incorporated in the looser sense by its own members: the RIRs made the institution that then speaks as their coordinating layer.
That does not make the NRO illegitimate. It makes its legitimacy bounded. The correct question is not whether the NRO is real. It is real. The correct question is what kind of power it can have. The answer is coordination power, not free-standing operator power. Coordination can be strong where the RIRs have agreed unanimously, where regional policy procedures have supplied the underlying rule, or where joint registry services require common action. Coordination becomes suspect when it is presented as if the NRO itself has obtained a mandate from operators independent of the RIRs and their communities.
The best reading is therefore neither dismissive nor deferential. The NRO is not an empty brand, but it is also not a sovereign layer above the registries. It is the RIRs acting together through a documented compact. Every NRO act should be traceable back to that compact, to a later written commitment, to the ASO MoU, to a community-ratified global policy, or to a service duty that each RIR has accepted. If that chain is missing, the claim should be treated as institutional rhetoric, not authority.
The founding MoU made coordination conditional
The NRO MoU is strongest precisely where it is most careful. It does not pretend that the new body owns the registry system. It says the NRO is to serve as the coordinating mechanism of the RIRs on matters relating to RIR interests, as delegated by unanimous written agreement of the RIRs. It allows joint operational or external activities delegated by the RIRs. It allows cooperative agreements with other coordination or administrative bodies on appropriate terms. These clauses create a serious coordination tool, but they also define the tool's boundary.
The repeated word is delegation. The NRO does not start with a general power and then decide how much to leave with the RIRs. It starts with the RIRs and receives what they delegate. That is the opposite of a central authority model. A central authority would distribute rights down to regional administrators. The MoU works upward: the regional registries choose to act together for shared purposes.
The same condition appears in the MoU's legal-obligation clause. Any legal obligations incurred or undertakings made by the NRO, whether unincorporated or later incorporated, require prior written commitment of all RIRs through the signatures of all RIR chief executives. That is a powerful safeguard against accidental centralization. It means that the NRO cannot casually create obligations in its own name and then push them back onto the RIRs. It must obtain unanimous commitment before the obligation exists.
That unanimity cuts both ways. It gives the NRO credibility when all registries have truly agreed. A joint statement, joint service commitment or joint coordination position has more weight when it is backed by the institutions that operate the regional registries. But unanimity also prevents the NRO from being treated as a separate super-registry. If every undertaking requires the signatories' written commitment, the NRO is an expression of RIR agreement rather than an authority above it.
The Executive Council design reinforces the same point. The MoU says each RIR selects one person for the NRO Executive Council, and each RIR board is responsible for selecting that person. The Executive Council represents the NRO and its component entities in external interactions, but it represents the RIRs on issues specifically delegated by them. It can commit RIR resources only when unanimous agreement has been reached and only to the extent resources have been or will be made available by the RIRs.
This is not merely administrative language. It is an agency limit. A representative who can speak only on specifically delegated issues, and can commit resources only after unanimous agreement, cannot be converted into a general master of all number-resource interests. The Council can speak with authority when the RIRs have delegated the matter. It cannot transform shared convenience into general jurisdiction.
The Number Council also remains bounded. Under the NRO MoU, it advises the Executive Council on ratification of proposed global IP number resource allocation policies, consults on proposed global policies, and conducts its work through accessible, open, transparent and documented procedures. Its composition comes from one board-appointed member and two regional-policy-forum selected members from each RIR region. That structure may improve regional connection, but it still routes representation through the RIR layer. It does not create direct global operator consent.
The limitation clause is the most explicit warning against over-reading. The MoU says it does not create a partnership, agency, association or franchise arrangement. It also says the arbitration provision creates no rights for any party except the signatory RIRs and additional member RIRs. That is not an accidental disclaimer. It tells readers not to read the compact as if it created broad third-party rights or an unconstrained legal relationship among the parties.
The result is a design that can coordinate powerfully while remaining legally narrow. That is an achievement, not a defect. The problem arises only when later governance debates treat the NRO's public significance as if it automatically supplies public authority. The MoU supplies a different answer: authority must be delegated, documented and unanimous where obligations are created.
Member-created authority and operator reliance are different things
Network operators rely on the RIR system, and that reliance is not optional in any practical sense. Address uniqueness, registration records, reverse DNS, routing security services, transfer recognition and public registry data all depend on stable regional registry functions. A cloud network, enterprise, access provider, content platform, bank, university or government agency cannot easily route around the numbering system. The system's significance is therefore public in effect even when its institutions are private, nonprofit or membership-based.
That public effect can tempt institutions to speak as if reliance equals consent. If operators need the registry system, the argument goes, the institutions that coordinate the registry system must be able to act for operators. That argument is too fast. Reliance may justify duties of care, transparency, continuity and accountability. It may justify joint safeguards for uniqueness and accuracy. It does not automatically justify a new layer of command.
The difference is especially visible in the 2020 NRO Internet Numbers Registry System Joint Project Agreement Addendum. The addendum states that the Internet Numbers Registry System is a joint cooperative project operated by the RIRs on behalf of the global Internet network operator community, and it records commitments by each RIR not to violate uniqueness, to promote accuracy, to publish entries publicly for timely global operations, and to cooperate in consistent, effective registry services. Those commitments matter because they translate operator reliance into RIR duties.
But they still bind through the RIRs. The addendum does not say that the NRO has obtained a direct mandate to order operators, set their business models, decide their disputes or supervise every registry customer. It says the RIRs undertake responsibilities individually and collectively. That difference should shape every public reading of the NRO's role. The operator community is the beneficiary of coordinated registry duties; it is not automatically the electorate that authorized every NRO action.
This matters in disputes. Suppose the NRO issues a position about global registry-system continuity. If the position asks the RIRs to preserve uniqueness, keep public entries accurate, coordinate emergency services, or avoid contradictory allocation records, the claim fits the addendum's logic. Suppose instead the position is treated as authority to decide which network operator should hold a contested resource, which regional member faction should control a board election, or which commercial arrangement among resource holders is acceptable. That would need a different legal and community basis.
The proper test is not whether operators are affected. They are almost always affected. The proper test is what kind of effect is being asserted. A coordination act that protects uniqueness and accuracy can be justified by the RIRs' shared registry duties. A command that changes private rights, decides regional governance contests or imposes obligations on non-signatories needs a source beyond the NRO compact.
This is not a lawyerly distinction detached from operations. Overclaiming NRO authority can increase operational risk. If operators believe the NRO can suddenly convert coordination into direct control, they may distrust registry records, transfer rules, RPKI services or continuity arrangements. If courts believe the NRO has undefined public authority, they may overread letters or statements in domestic disputes. If governments believe the NRO is a hidden regulator, they may demand counter-control. Narrow authority protects the system by making joint action legible.
It also protects the RIRs. Each RIR has its own membership, regional policy forum, board, service agreements, local legal duties and operational responsibilities. The NRO allows them to coordinate without dissolving those differences. If NRO language is stretched into direct operator authority, the RIRs inherit accountability for acts they may not have authorized, and their regional communities lose clarity about where decisions are made.
The healthy reading is therefore service-centered. Operators can demand that the RIRs keep the joint registry system unique, accurate, public enough for operations, stable and coordinated. Operators can demand that NRO statements identify the RIR commitments behind them. Operators can demand transparency when coordination affects their reliance. But the NRO itself remains a member-created coordination structure unless a separate, documented source says otherwise.
The ASO link did not enlarge the NRO into a public regulator
The NRO's most consequential external role is its relationship with ICANN through the Address Supporting Organization. That relationship is often where institutional language becomes slippery. The ASO sits inside ICANN's supporting-organization structure. The NRO fulfills the ASO role. The NRO Number Council serves as the ASO Address Council. The Address Council helps with global number policy, advice to the ICANN Board, recommendations on new RIR recognition and selection of ICANN Board seats. These are consequential tasks.
But the 2004 ICANN Address Supporting Organization MoU did not transform the NRO into a regulator of operators. It stated that, under the agreement between ICANN and the NRO, the NRO would fulfill the ASO role and responsibilities as defined in ICANN's bylaws. Its purposes were to define roles and processes for global policy development, to define mechanisms for recommendations on recognition of new RIRs, and to define open documented procedures for selecting individuals to serve on ICANN bodies. The current ASO materials repeat that the ASO Address Council consists of the members of the NRO Number Council.
That architecture is significant, but it is still procedural and advisory in relevant respects. The ASO link creates a route by which the numbering community, represented through the RIR system, participates in ICANN. It does not mean the NRO can bypass regional policy development. It does not mean the ASO Address Council can write binding regional policy alone. It does not mean ICANN receives a global operator mandate through the NRO. It means that a coordination body for RIRs supplies the ASO function under a defined agreement.
The global policy procedure confirms this. The ASO MoU defines global policies as number-resource policies that have the agreement of all RIRs according to their policy development procedures and ICANN, and that require specific action by IANA or another ICANN-related body. The procedure expects proposals to move through regional policy fora, be ratified by each RIR by methods of its own choosing, be reviewed by the Address Council for process and significant viewpoints, and then be sent to ICANN for ratification. That is not a unilateral NRO lawmaking path.
The chain is deliberately cumbersome because global number policy is supposed to be exceptional. A global policy must be common across all regions and require IANA or ICANN-related action. Ordinary regional registry policy remains regional. The NRO and ASO can coordinate, check process and transmit outcomes, but they cannot honestly claim that every shared RIR preference is global policy. The limitation is the legitimacy source.
ICANN's current bylaws also preserve the bounded nature of the role. Article 9 says the ASO advises the Board with respect to policy issues relating to the operation, assignment and management of internet addresses, and that the ASO shall have an Address Council consisting of the NRO Number Council.
ICANN's mission language says ICANN coordinates allocation and assignment at the top-most level of IP numbers and AS numbers, provides registration services and open access for global number registries as requested by the IETF and RIRs, and facilitates global number registry policies by the affected community and other related tasks as agreed with the RIRs. It also says ICANN shall not act outside its mission and does not hold governmentally authorized regulatory authority.
Those clauses are aligned with a narrow NRO reading. ICANN's numbering role is top-level coordination and facilitation of global policies developed by the affected community and agreed with the RIRs. The NRO's role is to let the RIRs act collectively in that relationship. Neither text supports a general NRO power over operators. If anything, both require that public authority claims be traced to policy development, RIR agreement, mission limits and documented responsibilities.
The ASO connection therefore strengthens the case for discipline. It gives the NRO a formal ICANN-facing role, so the NRO must be especially clear about when it is speaking as RIR coordinator, when the Address Council is performing ASO duties, when a matter is a global policy, and when a matter remains regional or contractual. Ambiguity in those categories can make coordination look like command.
The system does not need that ambiguity to work. It needs the opposite: a clean map of who delegated what, through which procedure, with which review route, and with which limit. The ASO link is a bridge, not a ladder to unlimited power.
Unanimity is a safeguard, not a democratic substitute
NRO governance often relies on unanimity among RIRs, especially for obligations, commitments of resources and certain Executive Council functions. Unanimity is valuable because it prevents one registry or one region from using the NRO to bind the others. It also signals that a joint act is truly system-wide rather than regional. But unanimity among institutions should not be confused with consent by all affected operators.
The difference matters because RIRs are not identical democracies. Their membership definitions, election rules, board structures, policy forums, legal forms, local jurisdictions, participation cultures and regional economics differ. A unanimous RIR agreement may therefore be institutionally strong while still being democratically indirect. It can say all registries agreed; it cannot automatically say all operators consented.
That does not make unanimous agreement useless. It may be the best practical way to coordinate a finite global registry system. A single uniqueness system cannot tolerate contradictory allocation ledgers. Public registration data cannot work if each region redefines global identifiers in isolation. RPKI coordination, global statistics, IANA policy implementation and emergency continuity all require collective RIR action. Unanimity gives these efforts stability.
But the democratic work must happen before and around unanimity. When the subject is global policy, regional policy procedures and open forums supply part of that legitimacy. When the subject is shared service obligations, public documentation, service metrics and accountability reporting supply part of it. When the subject is emergency action, time limits, evidence standards and later review supply part of it. Unanimity alone does not do all these jobs.
This point becomes practical whenever the NRO says "the RIRs agree." That sentence should trigger follow-up questions. Did the agreement create a legal obligation? If yes, was it signed as required? Did it commit resources? If yes, did the Executive Council have unanimous written approval and available resources? Did it concern global policy? If yes, did all regional processes ratify a common text? Did it affect operators directly? If yes, what notice, consultation or remedy was offered? Did it merely coordinate public registry services? If yes, what service duty was being fulfilled?
Without these questions, unanimity can become a mask. It can hide low participation, regional silence, staff-led continuity decisions, board preferences or crisis pressure behind the comforting phrase of system-wide agreement. The point is not that every NRO act must wait for universal operator approval. That would freeze the registry system. The point is that different acts require different legitimacy inputs. A routine coordination group does not need the same process as a global policy. An emergency continuity measure does not need the same process as a long-term governance reform.
A public statement does not need the same process as an obligation that changes service expectations.
The NRO MoU itself invites this differentiation. It separates Executive Council representation, Number Council advice, Secretariat support, global policy handling, arbitration, finance, technical activities and recognition criteria. Those are different functions. Treating them as a single blob of "NRO authority" is a category error.
The most defensible approach is to make unanimity visible but not magical. A public NRO act should say whether it reflects unanimous RIR agreement, whether it is advisory, whether it follows regional policy development, whether it commits resources, whether it affects services, and whether affected parties have a challenge route. That disclosure would not slow most work. It would make the chain of authority harder to exaggerate.
For operators, this distinction matters because their reliance often turns on predictable boundaries. A network operator may accept that the RIRs must coordinate to keep uniqueness intact. It may not accept that an unreviewable coordinating body can decide private resource disputes. A lender may accept NRO statistics as a system-wide view. It may not accept an NRO statement as evidence of transfer title. A court may respect NRO continuity concerns. It should not treat them as domestic corporate orders. The more precise the authority label, the lower the risk of misuse.
Agency language must stay narrow
The most dangerous over-reading of the NRO is agency. If the NRO represents the RIRs externally, and the RIRs serve operators, does the NRO represent operators? The answer should be no unless a specific mandate says otherwise. The NRO can represent the RIRs on delegated issues. It can speak about the RIR system. It can explain shared duties. It can coordinate with ICANN. It cannot casually become the agent of every operator whose resources are recorded in a regional registry.
The founding MoU is careful on this point. It says the Executive Council represents the NRO and its suborganizations externally. It says the Council is empowered to represent the RIRs on issues specifically delegated by the RIRs to the NRO. It also says the MoU does not create an agency or similar arrangement. Read together, these clauses support a limited representative function: the NRO can represent the signatory institutions within delegated scope, not an undefined universe of affected parties.
That narrow reading protects everyone. It protects operators from being bound by statements they did not authorize. It protects RIRs from being treated as if every NRO act creates liability or duty to every operator. It protects the NRO from demands that it solve disputes it was not created to decide. It protects ICANN from mistaking a coordination partner for a direct global electorate.
The line is easiest to see in policy. When a global policy is developed through regional policy fora and accepted through the ASO process, the NRO and Address Council can transmit and review the result because the relevant process supplies legitimacy. But if an NRO body simply expresses a preference on an operator-facing issue, that preference does not become policy. The difference between policy and position must remain visible.
The same line appears in litigation-sensitive contexts. If an operator is in a dispute with a registry, another operator or a creditor, the NRO may have an interest in registry-system continuity. It may be able to explain why uniqueness, public entries or service continuity matter. But it should not be assumed to represent the operator, the regional membership, or the court's parties. A continuity view is not a party mandate.
It also appears in public accountability. Operators and users may criticize the NRO because its acts affect them. The NRO should answer those criticisms transparently. But the fact that operators can criticize does not mean the NRO can claim to have been elected by them. Accountability to affected parties and representation of affected parties are related but not identical. A hospital is accountable to patients in many ways; that does not mean it is legally appointed by every patient to speak for them. The RIR system has the same kind of distinction.
This is why the language of "on behalf of" must be handled carefully. The 2020 addendum's phrase about operating the Internet Numbers Registry System on behalf of the global Internet network operator community is best read as a stewardship duty. It describes whose operational interest the registry system serves. It should not be inflated into a direct agency clause. If it were, the NRO would need mechanisms for operator authorization, revocation, conflicts, standing and remedy that the MoU does not provide.
A narrow agency reading also prevents capture. If a small set of active insiders can claim that the NRO speaks for all operators, then low-participation governance becomes easier to launder upward. If instead the NRO must identify the RIR delegation, the regional policy source or the service duty behind each claim, insiders cannot rely on abstraction alone. They must show the chain.
The phrase to remember is this: the NRO speaks from the RIRs, not over them; it serves the operator community, but does not automatically speak as the operator community. That sentence should guide every interpretation of the MoU, the ASO link and later joint commitments.
What the NRO can do well
The bounded reading should not be mistaken for hostility to the NRO. A coordination structure among RIRs is necessary. Five independent registries serving a single global address and ASN system need ways to prevent contradiction, share evidence, coordinate with ICANN, handle global policies, publish statistics, cooperate on RPKI and registration services, and speak to external institutions. Without a joint mechanism, every cross-regional issue would require improvised bilateral bargaining.
The NRO can do several things well because those things match its source of authority. It can coordinate joint RIR activities and projects. The NRO's own description names resource certification, global statistics reports, internet-governance activities and global policy coordination as examples of coordination efforts, while also saying the NRO does not manage or perform these activities directly and instead facilitates coordination groups. That distinction is healthy: facilitation is different from direct operation.
It can provide a focal point for RIR-system input. Governments, ICANN, the IETF, technical communities and other institutions often need a single place to understand how RIRs view a shared problem. The NRO can reduce confusion by collecting RIR positions, explaining shared principles and pointing to regional processes. This is especially useful when an external institution might otherwise approach one RIR and mistake that answer for a global rule.
It can support global policy handling. When a policy truly requires common regional agreement and IANA or ICANN-related action, the NRO and ASO machinery can help ensure that each region considered the matter, that a common text exists, and that ICANN receives a proposal with process assurance. That is coordination in the strongest sense because it channels multiple regional procedures into one global outcome.
It can help preserve registry-system continuity. The 2020 addendum's commitments on uniqueness, accuracy, public entries and consistent effective services are central. These are not abstract values. If registry entries conflict, routing and transfer reliance suffer. If public entries are unreliable, abuse response, due diligence, contactability and operational troubleshooting degrade. If RIRs provide inconsistent global services in ways that threaten uniqueness or accuracy, operators pay the cost. Joint commitments are appropriate here because the system's benefits depend on consistency.
It can also help establish common accountability expectations among RIRs. The NRO does not need to become a supervisor to say that each registry should keep transparent policy procedures, reliable records, continuity plans and public reporting. Peer coordination can raise the floor without centralizing every decision. The key is to keep the mechanism in the open and connect it to accepted commitments rather than informal pressure.
Finally, the NRO can give ICANN a coherent counterpart for the narrow numbering functions in ICANN's mission. ICANN should not have to negotiate global number-policy mechanics separately with five registries every time a common procedure is required. The NRO and ASO arrangements make that relationship workable. They also protect the RIRs by ensuring ICANN deals with them collectively where the matter is global.
These strengths are real precisely because the scope is narrow. A coordination body that stays within delegated tasks can act with confidence. It does not need to pretend to be a regulator. It can say: the RIRs have agreed to this; here is the document; here is the service duty; here is the policy path; here is the review route; here is what remains regional. That kind of authority is harder to attack because it is easier to verify.
The NRO becomes weaker when it is overclaimed. If every joint statement is treated as constitutional power, every external critic can attack the whole structure as a closed club. If every coordination effort is framed as operator representation, every low-turnout or insider-heavy regional forum becomes a global legitimacy problem. If every ASO duty is treated as a mandate over operators, ICANN's mission limits become harder to respect. The NRO's best defense is precision.
What it cannot do without a stronger source
There are also things the NRO should not be presumed able to do. It should not be presumed able to bind operators directly to new obligations merely because all RIRs signed a document among themselves. A new obligation on operators must come through service agreements, regional policy, applicable law, or another valid relationship. The NRO can recommend and coordinate, but the binding route matters.
It should not be presumed able to decide private disputes over number resources. Registry records are operationally consequential, and RIRs may have processes for transfers, disputes, revocation, fraud prevention and account authority. But a dispute among operators, creditors, purchasers, bankrupt estates or successors requires the appropriate regional registry process, contract, court order or policy. The NRO may care about consistency; it does not become a global court.
It should not be presumed able to override regional policy development. The RIR system is built on regional policy procedures. A global policy route exists only for a defined class of policies requiring common RIR agreement and external ICANN-related action. If the NRO could override regional policy whenever coordination seemed easier, the bottom-up model would become decorative. The ASO MoU's global policy steps are a safeguard against that.
It should not be presumed able to supervise RIR boards generally. The NRO Executive Council is composed of representatives selected by RIR boards. That makes it a peer coordination layer, not an external independence monitor. Peer accountability can be useful, especially for system-wide commitments, but it is structurally limited. A council of institutions should be cautious about claiming disciplinary authority over those same institutions unless a clear rule provides it.
It should not be presumed able to speak for governments or the public. The RIRs operate in regions that include many states, economies and legal systems. The NRO can engage public-sector bodies and coordinate RIR positions, but it cannot replace governmental authority or public law. Nor can governments treat the NRO as if it holds a treaty mandate. The system is private-sector and community-developed in key respects, but that model depends on restraint.
It should not be presumed able to define operator interests without evidence. Operators differ sharply. A large cloud provider, small access network, legacy holder, academic network, government network, national registry, IPv4 broker, content delivery network and enterprise holder may have different concerns. The NRO can identify shared registry-system needs such as uniqueness and accuracy. It should not claim a single operator preference on contested economic or governance issues unless the claim is backed by a legitimate process.
It should not be presumed able to hide behind technical necessity. Many registry questions are technical, but technical dependence can be used to avoid accountability. A statement that uniqueness requires coordination may be true. A statement that a particular governance outcome is technically necessary may need evidence. The line between technical requirement and institutional preference should be documented.
These limits are not obstacles to stability. They are the conditions under which stability remains trusted. Operators are more likely to rely on registry coordination when they know it cannot be turned into undefined command. Courts are more likely to respect NRO evidence when they know what kind of evidence it is. ICANN is more likely to maintain mission discipline when the NRO states the source of its claim. Governments are less likely to intervene bluntly when the private coordination layer demonstrates internal limits.
The NRO can therefore be powerful in the right way: powerful enough to coordinate the RIR system, not powerful enough to dissolve the accountability of the RIRs that created it.
A delegation test for NRO claims
The practical answer is a delegation test. Any significant NRO act should be explainable through a short chain. The first link is the acting capacity. Is the NRO acting through its Executive Council, Number Council, Secretariat, ASO Address Council function, a coordination group, or a joint RIR commitment? The answer matters because each has different authority.
The second link is the authorizing document. Is the claim grounded in the NRO MoU, the ASO MoU, ICANN bylaws, a global policy, the 2020 addendum, a regional policy, a service agreement or a later written RIR commitment? If the source is only custom or convenience, the claim should be described as such. Custom can help coordinate; it should not be dressed as law.
The third link is the signatory or community path. Did all RIRs agree? Did regional policy fora approve a common text? Did an RIR board appoint a representative? Did a regional community select Number Council members? Did a particular RIR adopt a rule through its own procedure? This link prevents the phrase "the NRO" from hiding the actual source of consent.
The fourth link is the affected interest. Does the act affect only RIR coordination, or does it affect operator services, resource-holder rights, public records, registry accuracy, technical continuity, market reliance or ICANN governance? The deeper the effect on non-signatories, the stronger the need for notice, reasons and remedy.
The fifth link is review. If an affected party believes the NRO or RIRs exceeded authority, what can it do? The NRO MoU includes an advisory appeals panel for complaints about failure to follow documented policy development process concerning global policies, and arbitration provisions for defined disputes among RIRs or eligible new RIR candidates. Those are narrow remedies. If an NRO action affects operators more directly, the relevant review route may need to come from regional registry processes, ICANN accountability, contract, court or a new written mechanism.
This test would improve public communication. Instead of saying "the NRO position is," a statement could say: "The five RIRs, acting through the NRO Executive Council under the NRO MoU and the 2020 addendum, have agreed to coordinate on registry-system accuracy; this statement does not create direct obligations for resource holders; affected regional service issues remain with the relevant RIR." That kind of statement is longer, but it is far clearer.
The test would also help in crises. If one RIR faces governance disruption, the NRO may need to coordinate continuity support. A delegation test would separate peer support from control. It would ask whether all RIRs authorized the action, whether the action protects registry-system duties, whether it changes regional governance, whether local law is implicated, whether ordinary resource holders are protected, and whether the affected registry and members have a route to respond. That is the difference between emergency coordination and institutional seizure.
The test would help with global policy too. A proposed policy can be checked for whether it truly requires IANA or ICANN-related action, whether every region considered it, whether the Address Council reviewed process rather than substance beyond its role, and whether ICANN's Board acted within the defined ratification choices. That prevents global policy from becoming a shortcut around regional dissent.
Finally, the test would help with public legitimacy. The RIR system often asks outsiders to trust private coordination because the internet needs stable identifiers. Trust is easier when authority is auditable. The NRO should welcome that audit. Its founding documents are public. Its constraints are public. Its best claim is not that everyone should trust it because the system is technical. Its best claim is that every serious action can be traced to a documented source.
The member-created institution should remain visibly member-created
The NRO's origin is not an embarrassment. It is the reason the institution can function without pretending to be a government. The regional registries, each embedded in its own community and legal setting, needed a mechanism for joint action. They created one. The compact's legitimacy comes from that limited purpose. It should remain visible.
When the NRO speaks to ICANN, it should be clear whether it speaks as the ASO function, as the Executive Council, or as a coordination point for RIRs. When it speaks to governments, it should distinguish public registry-system interests from private operator mandates. When it speaks about global policy, it should show the regional process chain. When it speaks about service continuity, it should identify the service duty and the affected parties. When it speaks about crisis, it should avoid implying supervisory powers that the MoU did not create.
This precision matters more as the registry system evolves. IPv4 scarcity, leasing, transfers, RPKI, sanctions screening, court disputes, receivership risk, registry accuracy, cyber abuse, public-sector reliance and market finance all put more pressure on number-resource institutions. The more valuable the records become, the more tempting it is to turn coordination bodies into authorities by implication. That would be a mistake. Scarcity increases the need for accountable authority; it does not erase the need to prove where authority comes from.
The NRO can meet that moment by strengthening documentation rather than enlarging rhetoric. It can publish clearer capacity labels for statements. It can identify whether statements are advisory, binding among RIRs, service commitments, global-policy transmissions or public explanations. It can map operator-facing impacts and remedies. It can explain when a matter remains regional. It can maintain public archives of joint commitments and their authority source. None of that weakens coordination. It makes coordination bankable.
The same discipline should apply to readers. Operators, courts, governments and commentators should stop treating the NRO as either a meaningless club or a hidden regulator. Both readings miss the actual design. It is a member-created coordination structure for institutions that administer a globally relied-upon registry system. That makes it consequential, but consequential within limits.
The phrase "incorporated by its own members" captures the tension. The NRO was made by the institutions that needed it. That origin gives it a strong internal mandate for shared RIR work. It also means its external authority must be earned through delegation, policy process, service commitments and transparent accountability. The NRO can bind the RIRs when the RIRs have bound themselves. It can coordinate the registry system when coordination is delegated. It can fulfill the ASO role when the ASO MoU and ICANN bylaws define that role.
It cannot create new authority over operators merely by existing at the center of an indispensable system.
That is the line worth defending. A narrow NRO is not a weak NRO. It is a trustworthy NRO. It can protect uniqueness without claiming ownership of the internet. It can coordinate accuracy without becoming a court. It can support ICANN's numbering role without expanding ICANN's mission. It can serve operators without pretending operators appointed it as their agent. In a governance system built on private coordination and public reliance, that restraint is the source of legitimacy.
Sources
- NRO, NRO Memorandum of Understanding.
- NRO, About the NRO.
- NRO, History of the NRO.
- NRO, Internet Numbers Registry System Joint Project Agreement Addendum.
- NRO, ICANN Address Supporting Organization MoU, 21 October 2004.
- ICANN, Bylaws, Article 1 and Article 9.
- IETF RFC 7020, The Internet Numbers Registry System.

