Summary
- The NRO's public continuity architecture is not one complete AFRINIC takeover plan. It is a collection of mutual-aid commitments, a Stability Fund, ICP-2 assessment procedures, technical expectations and a still-unadopted draft governance document.
- Backups, escrow, peer staffing and emergency funding are necessary safeguards. They preserve options and reduce outage risk. They do not automatically confer authority to alter resource records, revoke certificates, assume contracts, collect fees or decide disputed entitlements.
- The 2024 ICP-2 procedures allow ICANN and the remaining registries to identify an emergency service provider if an RIR cannot be restored, but ICANN's ratification record expressly says formal derecognition and transition procedures were not yet covered.
- “Operator consent” should not mean that every resource holder can veto a narrowly necessary failover. It should mean that the authority, triggers, data uses, temporary powers, notice, correction, appeal, portability and return conditions were accepted through a valid instrument before the crisis, or supplied by a competent legal process during it.
- The next governance text should preserve fast technical activation while preventing mandate drift: separate read-only continuity from discretionary registry power, publish the trigger and scope, protect confidential data, maintain operator-level audit trails, and require a timed path back to AFRINIC or to a lawfully recognized successor.
The contingency “plan” is really a stack of partial instruments
Public discussion often refers to an NRO contingency plan as if the five regional Internet registries had adopted one complete document specifying what happens when AFRINIC fails. The public record is more fragmented. There is an NRO memorandum allocating collective responsibilities. There is a Joint RIR Stability Fund for financial and in-kind support. There are ICANN's 2024 procedures for assessing continuing ICP-2 compliance. There are expectations about records, backups and confidentiality.
There is also a 2025 draft governance document that proposes an emergency operator and more explicit transition rules, but remains under development in 2026.
Each element solves part of the problem. The fund can pay for recovery. Peer registries can provide experienced staff and technical capacity. Backups can preserve records. An assessment can establish that an RIR is unable to comply. A temporary operator can keep critical functions available. None of those elements, alone, answers every authority question raised by activation.
Who decides that AFRINIC cannot continue? Is the decision technical, corporate, judicial or recognition-based? Which services may the substitute perform? Can it make new allocations, change an organization's contacts, revoke a Resource Public Key Infrastructure certificate, alter reverse-DNS delegation, invoice customers or terminate a relationship? Which data may be copied, and for what purpose? How does an operator challenge an error? When and how does service return?
Calling the stack a plan can hide those gaps. The better approach is to identify each function, its instrument and its decision-maker. Continuity engineering is necessary. Mandate engineering is equally necessary because a technically capable substitute can still lack authority to make a contested decision.
Backup is prudent because number administration cannot improvise after failure
AFRINIC's records connect organizations to Internet number resources, contacts, route-authorisation material and service history. A sudden loss of access, staff or infrastructure could obstruct legitimate updates and weaken confidence in who may act for a resource holder. It is therefore entirely reasonable for the regional registry system to maintain replicated data, tested recovery procedures, emergency funding and peer assistance.
The 2005 IANA recognition report for AFRINIC already treated technical robustness and disaster recovery as recognition considerations. It recorded backup arrangements and the planned migration of existing service relationships from the incumbent regional registries. Continuity was not invented in response to recent litigation; it was part of the institution's design.
The lesson from that history is not that transfers are forbidden. It is that a transition is more than copying files. The original migration involved recognized organizations, regional outreach, communications with affected parties and an agreed change from existing service providers to AFRINIC. It combined technical readiness with institutional authorization.
Today, a backup that cannot be activated under pressure is of limited value. But activation should be designed before pressure arrives. The authorization can be written into a valid service agreement, a membership compact, a recognized governance standard or a court-supervised arrangement. What should be avoided is a choice between two bad extremes: no preparation at all, or a prepared substitute whose powers are defined only after it takes control.
Support and succession are different legal events
Mutual aid can preserve the identity and authority of the affected registry. A peer can lend engineers, fund payroll, host a secondary system or advise a receiver while AFRINIC remains the service provider and decision-maker. The peer acts in support of AFRINIC, under AFRINIC's lawful instruction or another defined mandate.
Succession is different. A successor or temporary emergency provider may become the institution that authenticates users, interprets entitlement, changes authoritative records, issues or revokes credentials, enters contracts, collects payment and resolves disputes. Even if the transfer is temporary, the substitute exercises power over operators rather than merely helping AFRINIC exercise its own.
The distinction can be expressed as a test. If AFRINIC remains accountable for the decision and the peer supplies capacity, the arrangement is support. If the peer decides in its own name or under a new authority, the arrangement is substitution. The technical interface may look identical to the user, but the legal relationship is not.
This matters because many continuity documents are strongest on support. They specify money, staffing and coordination. They are thinner on succession: contract transfer, data-controller status, applicable law, appeals, liability and return. A contingency architecture should say clearly where assistance ends and substituted authority begins.
The Stability Fund is a recovery tool, not a transfer charter
The NRO's Joint RIR Stability Fund is a serious and useful commitment. The participating registries pledge financial and in-kind support to help an RIR restore stability. Support can include operational staff, and the rules expect a concrete plan, budgeting, reporting and approval by the NRO Executive Council.
The fund's ordinary trigger is revealing. A formal request is expected from the governing board of the affected registry, explaining the reasons and the support sought. The affected registry's governing body is expected to decide the recovery direction. That structure respects autonomy: the peers assist because the affected RIR asks.
AFRINIC's crisis exposed the edge case. What happens when the board whose request legitimizes assistance does not exist, lacks quorum or is itself contested? A receiver may possess local authority to request help, but the public fund rules do not fully explain how that authority maps onto every registry function. The other registries may unanimously approve funding, yet unanimous willingness to help is not the same as authorization from the organization whose contracts and records are involved.
The fund therefore solves capacity better than mandate. That is not a criticism of the fund's existence. It is a reason to supplement it. A modern contingency instrument should identify substitute requestors when the board is unavailable, specify how their authority is verified, and distinguish support expenditures from activation of a replacement service provider.
The 2022 public position promised help without announcing a takeover
In July 2022, the regional registries published a message to the AFRINIC community. It expressed concern, offered support and emphasized that regional registry activity and policy remained in the hands of the regional community. The message said, in effect, that AFRINIC remained Africa's RIR.
That statement was an institutional position, not a binding adjudication. Still, it provides a useful benchmark for interpreting later contingency measures. Support was publicly framed as preserving the regional institution, not replacing it. Any later emergency transfer should therefore identify the event that changed the posture, the instrument permitting the change and the conditions under which the regional institution resumes service.
The same month, the NRO wrote to the Mauritian government about AFRINIC's circumstances and the importance of continuity. That advocacy demonstrated the peers' concern, but a letter to government did not itself assign AFRINIC's obligations to another registry. It sought help from the authority capable of acting under local law.
The public baseline thus contained a healthy restraint: the peers could prepare, support and advocate while recognizing that AFRINIC and its community retained a distinct institutional position. A credible emergency design should preserve that restraint even when rapid action is necessary.
The NRO memorandum permits coordination but rejects implied agency
The NRO memorandum is the constitutional compact among the regional registries. It allows collective operational and external activity on matters delegated under the agreement. Important commitments depend on written or unanimous agreement among the participating registries. Technical tasks can be assigned, and the Executive Council can represent the registries on specifically delegated subjects.
The limits are as important as the grants. The memorandum says the arrangement does not create a partnership, agency, association or franchise among the signatories. It also restricts transfer or assignment of interests, rights and obligations without the signatories' prior written consent.
Those clauses prevent a casual inference that one registry automatically speaks for or succeeds another. The NRO can coordinate common activity. Its Executive Council can commit collective resources under the agreed rules. But the memorandum is not a universal power of attorney over AFRINIC's customer relationships.
AFRINIC's 2005 joinder to the NRO arrangement confirms participation in the collective structure. It does not identify individual resource holders as having assigned their contractual rights to the NRO or to the other four registries. Nor does it specify that a peer can exercise every AFRINIC function during receivership.
The mandate for a failover must therefore come from something more specific: advance consent in the relevant arrangements, an authorized request from AFRINIC, a lawful receiver or court order, a valid recognition-transition rule, or a combination. Collective technical readiness is not that missing instrument.
The ASO relationship does not fill the operator-consent gap
The 2019 ASO memorandum makes the NRO the vehicle through which the regional registries perform the Address Supporting Organization role inside ICANN. It establishes global policy responsibilities, recognition recommendations, appointments and coordination.
That relationship matters if AFRINIC's continued recognition is questioned. It also matters when the remaining registries advise ICANN or request an assessment. But it is not written as a direct service agreement with African network operators. It does not tell an operator which law governs a transferred account, who bears liability for a mistaken revocation, or how a disputed allocation request is appealed after failover.
The ASO arrangement therefore helps answer who participates in global recognition decisions. It does not fully answer who may take over downstream service relationships. This is a recurring design problem: system-level institutions can decide that a recognized node is failing, while the legal mechanics of moving that node's customers remain under-specified.
The solution is not to deny system-level authority. It is to connect it to operator-level rights. A recognition or emergency determination should activate a pre-agreed service-continuity protocol that operators can inspect. The protocol should name the substitute, define its powers and preserve challenge and return rights. Without that bridge, a valid global decision can still produce uncertain local relationships.
IANA's role shows why technical hierarchy is not contractual succession
The IANA number-services page explains the allocation hierarchy. IANA allocates unallocated pools of Internet number resources to the regional registries. The registries then distribute and administer resources under regional policy. IANA does not ordinarily manage the accounts of African operators.
This hierarchy is crucial to continuity. If AFRINIC cannot receive or administer number resources, ICANN's IANA functions and the peer registries must know how the global registry remains coherent. IANA can preserve top-level uniqueness and coordinate with a recognized or emergency provider.
But hierarchy does not equal contractual privity. An operator's day-to-day rights, fees, contacts and resource history arise through AFRINIC's policies, membership structure and service terms. IANA's ability to coordinate top-level pools does not automatically transfer those relationships to another registry.
The IANA informational booklet also describes IANA as implementing rather than making policy. Regional policy and regional service remain distinct layers. A contingency that keeps the top-level registry correct may still leave unresolved who can make a disputed regional decision.
The architecture should therefore separate the minimum global function from the full regional function. Preserving uniqueness and read access may require immediate action. Changing entitlement, contracts or policy-based outcomes requires a stronger mandate and more procedure.
A useful service map begins with five distinct layers
“Registry service” is too broad a term for emergency design. At least five layers should be distinguished.
The first is preservation: maintaining complete, immutable and tested copies of public and protected records. This can occur before failure and should involve strict custody, encryption and audit controls.
The second is availability: keeping public directory information, routing-security repositories and essential lookup functions reachable. Some availability measures can be automated and read-only.
The third is authenticated maintenance: allowing a known resource holder to update contacts, route objects, certificates or reverse-DNS information. This requires reliable identity proofing and a record of authority.
The fourth is discretionary administration: approving a new allocation, interpreting policy, resolving competing claims, reclaiming resources or sanctioning noncompliance. These acts affect substantive rights and often require judgment.
The fifth is commercial and corporate relationship: invoicing, handling deposits or fees, changing contractual terms, admitting members, processing votes and accepting legal service.
A contingency can activate these layers in stages. Preservation should be continuous. Read-only availability can have a low activation threshold. Authenticated maintenance may require verified inability by AFRINIC and stronger authority. Discretionary and commercial acts should require the clearest mandate, explicit procedure and review. Treating all five as one technical switch makes it too easy for backup custody to become unexamined governance power.
Public records, confidential records and decision authority are not interchangeable
Some number-resource information is intended to be public. Other material includes personal contacts, account credentials, contracts, invoices, identity documents, security data and internal decision histories. A mirror that lawfully holds public records does not necessarily have permission to use confidential records for a new purpose.
The 2024 ICP-2 assessment procedures contain a notable confidentiality rule. Registration information is to be used for registration purposes and may be transmitted to another RIR or IANA on request; other transmission generally requires written resource-holder consent. The text gives the registry system an important basis for controlled peer custody. It also ties the data to purpose.
That rule supports backup and continuity more strongly than critics sometimes admit. Individual permission is not necessarily required each time protected registration data is securely mirrored to an authorized peer for the stated registry purpose. Yet the rule does not answer every activation question. Possessing the data is not the same as becoming the contracting provider. Using it to maintain an existing registration is not necessarily the same as using it to adjudicate a dispute, market a new service, alter fees or expose it under a different legal regime.
The contingency instrument should therefore define roles: custodian, processor, temporary service operator, decision-maker and successor. It should also define permitted purposes and deletion or return duties. Consent to custody should not be stretched into consent to every future exercise of discretion.
The 2024 procedures authorize assessment and point toward emergency service
The 2024 procedures give ICANN and the other registries a clearer role than the older ICP-2 text. The remaining RIRs may unanimously request a review. ICANN may initiate a limited review if it reasonably believes secure and stable coordination of unique identifiers is at risk. The procedure provides for information gathering, draft findings, factual correction and, in critical cases, expedited treatment.
If compliance cannot be restored, the procedures say ICANN will work transparently with the remaining RIRs to identify an emergency service provider. They also encourage sufficient backups or escrow. This is a real contingency mandate at the recognition-system level. It is not merely an informal promise among engineers.
Its limits remain material. Identification of a provider does not by itself specify all functions that provider may perform. The text does not set out a complete operator notice regime, contract-transfer mechanism, liability allocation or appeal route. It does not fully define when temporary service becomes permanent succession.
The procedures also allow emergency action where delay would be unsafe, but they require the review to stay connected to the identifier risk. That connection should determine the scope of activation. If the risk is loss of records, preserve records. If the risk is unavailability of authenticated updates, activate that service. A full transfer of discretionary and commercial authority needs additional justification.
ICANN's ratification record expressly left transition unfinished
The ICANN Board's December 2024 ratification notice said the implementation procedures did not add new substantive obligations. It also stated that formal derecognition and transition procedures were outside the adopted text and required further policy development.
That acknowledgment is the clearest evidence of the mandate gap. The system had a method for reviewing an RIR and a direction to identify emergency service if restoration failed, but it did not yet have a complete adopted code for derecognition and transition.
The gap does not mean emergency support is illegitimate. An existing contract, court order, receiver instruction or other lawful arrangement may authorize particular acts. Necessity may also justify narrowly protective measures in some legal systems. But the public ICP-2 procedure should not be described as resolving questions its ratification record says were left for later policy.
This is why operator consent matters. When the global instrument stops before contract and service transition, the affected relationships do not vanish. The missing authority must be found in another valid source or built into the next governance text.
ICANN's AFRINIC letters focused correctly on backup, but not yet on activation rights
ICANN's 7 March 2025 letter asked the AFRINIC receiver about proper records, protected customer information, ICP-2 alignment and regular backups. Its 3 July letter returned to recordkeeping, backups and escrow while preserving the possibility of a compliance review.
Those questions were appropriate. Before any emergency provider can operate, the system must know that a complete, current and trustworthy record exists. Escrow should be tested rather than assumed. Access should not depend on one disputed officeholder or one failing site.
The public correspondence did not provide an equally detailed activation compact. Who could release escrow? Which event constituted failure? Could the substitute make changes or only serve a copy? What would happen to credentials and signing keys? Which privacy terms governed? How would the receiver, members and operators be notified? Who would correct a bad record?
Those omissions may reflect confidential arrangements not visible publicly. They should therefore be treated as unanswered questions, not proof that no preparation existed. But public legitimacy requires more than private technical confidence once activation affects third-party rights. The trigger, scope and redress architecture should be publishable even if sensitive implementation details remain protected.
The 2025 draft governance document improves the trigger architecture
The NRO's draft RIR Governance Document, version 2, published in August 2025, attempts to fill several gaps. It requires continuity preparation, including sharing relevant records, procedures and systems with an emergency operator subject to escrow and data-protection conditions. It proposes that the other registries and ICANN may unanimously authorize a temporary emergency operator when an RIR cannot provide service.
The draft also proposes consultation with the affected RIR and regional community where reasonably possible, publication of rationale and scope, community engagement, a right for the affected RIR to resume service and a 90-day emergency period. It calls for a post-event report, evaluation and feedback. These are substantial improvements over an undefined failover.
As of 13 July 2026, however, the published NRO process timetable still described further updating in the third quarter of 2026 and planned adoption in the fourth quarter. The draft should therefore be analyzed as a proposal, not cited as already binding.
Even as a proposal, it demonstrates institutional recognition that continuity needs rules. It supplies activation, disclosure and time-limit concepts that were missing from the earlier public framework. The remaining task is to connect those concepts more directly to operator rights and the legal mechanics of service substitution.
The draft's 90-day limit is valuable but not sufficient
A short emergency period reduces the risk that a temporary measure becomes permanent through inertia. Ninety days creates pressure to restore the affected registry, renew authority transparently or begin a formal transition. A post-event report can expose whether the emergency operator stayed within scope.
Time alone does not define power. A temporary provider can make an irreversible mistake on day one. It can revoke a certificate, reject a transfer, disclose private data or alter an authoritative record. The governance text should therefore combine the time limit with a function limit.
During the initial period, the emergency provider might be authorized to preserve records, maintain existing public services, process low-risk authenticated changes and prevent expiry. High-impact discretionary acts could require a second approval, independent review or court validation. New allocations, involuntary reclamation, major fee changes and contested credential revocation could be paused unless essential to prevent immediate harm.
The return condition also needs precision. “The RIR can resume” should mean that records, logs, keys, pending requests and legal responsibility can be handed back without gaps. The emergency provider should not become the only institution capable of explaining what happened during the interval.
Missing operator consent is not a demand for 10,000 individual vetoes
The phrase “operator consent” can sound impractical. An emergency cannot wait for every network to sign a new form. One malicious or unreachable resource holder should not be able to block a measure needed to preserve the regional registry.
That is not the consent model required. Mature infrastructure uses advance, constitutional consent. Operators agree through published service terms, membership rules and recognized policies that specified functions may fail over when objective conditions are met. The instrument identifies the substitute class, permitted data uses, powers, duration, notice and challenge rights. A competent court or statutory receiver can supply authority where advance arrangements fail, subject to local law and review.
Consent in this sense is a mandate architecture. It tells the operator, before the crisis, what can happen to its account and records. It tells the substitute what it may not do. It gives an operator a route to correct an error without vetoing continuity for everyone else.
The public record does not yet show a complete operator-facing compact of that kind for AFRINIC. The NRO and ICANN documents establish collective and recognition-level authority, but the bridge to individual service rights remains incomplete. That is the missing consent problem.
Membership approval is not a complete substitute for resource-holder rights
AFRINIC is membership-based, and a restored member-elected board is central to legitimacy. Yet not every party operationally dependent on registry service necessarily holds identical membership or voting rights. A corporate vote can authorize the organization within its constitution; it does not automatically rewrite every contract or waive every data right.
The distinction also runs the other way. An individual resource holder's contract should not allow it to capture corporate governance. Rights should follow the relevant relationship. Members vote where the constitution permits. Resource holders receive service and protect their account and data rights. Operators bear the operational consequences of registry decisions. The regional community contributes policy legitimacy. ICANN and the other registries protect global coordination within their instruments.
A failover compact should therefore use several forms of authorization rather than one vague appeal to “the community.” Corporate approval, operator terms, recognition procedures and court authority can reinforce each other. They should not be treated as interchangeable.
The mandate gap becomes dangerous when an institution claims that support from one constituency authorizes action over all others. A public consultation may show legitimacy but not transfer contracts. A member resolution may direct AFRINIC but not bind a nonmember under an unstated term. A global assessment may justify emergency coordination but not settle a private billing dispute.
Operators are the parties that absorb registry mistakes in live networks
Network operators sign customer contracts, configure routers, maintain security systems and answer for outages. Registry decisions can affect their ability to demonstrate resource authority, update operational contacts, create route authorisations or maintain reverse-DNS delegations. The operator is not merely an observer of registry governance.
This does not mean operators own the registry or can ignore regional policy. It means continuity design should recognize where practical loss lands. If a substitute misidentifies an authorized account holder, the resulting delay or revocation can affect routing and customer service. If records become inaccessible, the operator bears the cost of proving an entitlement the registry should already know.
Operator-facing rights are therefore not an optional concession. They are part of system reliability. Notice, correction, portability and appeal reduce technical error because the parties closest to the affected networks can identify mistakes. Audit trails let them establish what changed and under whose authority.
A contingency plan that speaks only among registries may be technically sophisticated yet incomplete. The service exists for resource holders and networks, not for the institutional comfort of the registries themselves.
Resource records should be portable without making rights casually transferable
Portability has two dimensions. The first is evidentiary: an operator should be able to obtain a verifiable record of its resources, status, contacts, submitted requests and relevant decisions. The second is operational: a lawful substitute should be able to continue service without forcing the operator to reconstruct its history from emails or private archives.
Portable records reduce dependence on a failing institution. They also improve accountability because the operator can compare the pre-failover state with later changes. A signed snapshot, change log and clear provenance can establish whether a disputed alteration occurred before or after activation.
Portability should not be confused with free transferability of the underlying rights. A resource record may be portable while an allocation remains subject to regional policy and contract. The substitute receives the evidence and a limited authority to administer it; it does not acquire ownership of the resource or unlimited discretion to rewrite the relationship.
The contingency compact should specify the minimum portable record and the authenticity mechanism. It should also require the temporary provider to return a complete delta of every change, decision and pending matter. Without that requirement, restoration can produce two incompatible histories.
RPKI and reverse DNS make the authority question operationally urgent
Some registry functions are not passive directories. Resource Public Key Infrastructure allows holders to authorize route origins through cryptographically verifiable entities. Reverse-DNS delegation links number space to domain-name infrastructure. Account and delegation changes can therefore influence how networks validate routing and resolve addresses.
A backup can preserve repositories and signing material, but use of that material is a separate authority. Who may issue, revoke or replace a certificate? What happens when a holder disputes the substitute's authentication? Can emergency keys be activated without invalidating existing trust? How is a mistaken action reversed and communicated?
The answers require both technical ceremonies and legal mandate. Key custody can be divided, activation can require multiple approvals, and emergency actions can be limited to maintaining existing validity. Yet the governance instrument must identify those approvals and the scope of action.
The same is true for reverse DNS and registry updates. Keeping existing data available is lower risk than accepting a contested change. A service map should classify actions by reversibility and impact, with higher-authority thresholds for destructive or rights-altering operations.
This is why the consent gap cannot be dismissed as abstract corporate law. It determines who may press the buttons that alter operational trust.
Contract transfer, data protection and governing law need explicit treatment
If another registry becomes the temporary provider, several legal questions arise immediately. Is the operator's AFRINIC agreement assigned, novated or merely serviced on AFRINIC's behalf? Which entity invoices and receives payment? Which privacy notice governs? Where can the operator bring a claim? Who bears liability for a service error? Does the substitute apply AFRINIC policy or its own regional rules?
Those questions should not be answered by technical default. A peer registry may be best positioned to operate the system, but its home law and ordinary policies may differ. Emergency service should not quietly relocate the contractual relationship or import another region's policy.
The preferred model is agency-like service without implied general agency: the temporary provider acts under a narrowly defined emergency mandate, applies AFRINIC's existing policy and terms where lawful, segregates data and money, and does not acquire the relationships permanently. If local law requires assignment or novation, the instrument should say so and provide notice and protections.
Where a court-appointed receiver authorizes the arrangement, the order should identify these consequences. Where advance terms authorize it, the terms should be accessible and specific. A generic promise to cooperate is not enough for high-impact functions.
Activation triggers should be objective, layered and reviewable
A sound contingency should not depend on an undefined declaration that an RIR is “unstable.” Instability can describe litigation, financial pressure, loss of staff, record compromise, service outage or lack of lawful governance. Those conditions justify different responses.
A trigger matrix could include:
| Condition | Initial measure | Additional authority before expansion |
|---|---|---|
| Loss of one site or system | Technical failover under existing service authority | None if AFRINIC remains in control |
| Temporary staff shortage | Peer staffing and funded support | Authorized AFRINIC request or lawful substitute requestor |
| Risk to record integrity | Freeze destructive changes, verify backup, preserve logs | ICP-2 notice and appropriate local authority |
| Inability to authenticate routine updates | Temporary authenticated maintenance | Published emergency determination and operator notice |
| No lawful decision-maker for contested requests | Preserve status quo and seek independent authority | Court order, valid receiver power or adopted emergency rule |
| Persistent inability to provide regional service | Time-limited emergency provider | Recognition decision plus transition and affected-party safeguards |
| Permanent succession | Formal derecognition and successor recognition | Complete adopted process, contract treatment and regional legitimacy |
The matrix allows rapid action without granting the maximum power at the first sign of trouble. It also gives courts, operators and registries a shared vocabulary for what has actually been activated.
Notice should explain consequence, not merely announce the substitute
An operator notice should identify the triggering event, the decision-maker, the instrument, the effective time, the functions activated and the expected duration. It should say whether existing credentials remain valid, where requests should be sent, which policy applies and how urgent corrections are handled.
The notice should also say what has not transferred. If the substitute cannot make new allocations, change fees or decide contested claims, that boundary matters. If a court has authorized broader powers, the order or an accessible summary should be linked.
Notice can be staged in a genuine emergency. A short initial message may accompany activation, followed quickly by a detailed rationale. Security-sensitive implementation details need not be published. The public should still receive enough information to understand authority and scope.
Operators should have a verified contact route independent of a potentially compromised AFRINIC account. The system also needs a mechanism to reach operators whose contact data is stale, without treating failure to respond as consent to every change.
Transparency is not only retrospective accountability. It is part of safe activation because it helps legitimate users distinguish a real emergency provider from phishing, impersonation or unauthorized intervention.
Correction and appeal must function during, not after, the emergency
An emergency provider will encounter inconsistent records and contested claims. Waiting until service returns to AFRINIC may be unacceptable. The substitute therefore needs a correction process that is fast, evidentiary and limited.
Routine clerical errors can be corrected through verified evidence and dual approval. High-impact disputes should preserve the status quo where possible and move to an independent reviewer, receiver or court. The operator should receive a reasoned decision and an audit reference. Emergency staff should not rely on undocumented personal knowledge or private pressure.
Appeal need not suspend every action. A clearly malicious credential compromise may require immediate protective suspension. But the affected holder should receive prompt notice, evidence sufficient to respond and a rapid review. The distinction between reversible protection and final deprivation should remain visible.
The draft governance document's post-event reporting is useful, but it cannot substitute for live redress. A report three months later does not restore a route-authorisation entity needed today. Rights must travel with the service.
Transparency should operate before, during and after activation
Before a crisis, the registries should publish the authority model, service map, trigger classes, data roles and accountability route. They can test technical recovery without exposing credentials or exploitable details. Operators should know how to verify an authentic emergency notice.
During activation, the decision-maker should publish the reason, scope, provider and duration. Aggregate service metrics, material scope changes and unresolved risk should be reported. Confidential incidents can be described without exposing customer data.
After activation, a public report should compare the trigger with the evidence, list the functions used, explain high-impact decisions, disclose outages or errors, account for funds and evaluate whether the mandate was adequate. Affected operators should receive their own change histories.
Transparency also disciplines the institutions. If the provider knows every expansion of scope will be recorded, it is less likely to turn a narrow continuity role into policy-making. If AFRINIC knows its restoration readiness will be assessed publicly, it has an incentive to maintain portable records and tested recovery capability.
The goal is not publicity for its own sake. It is to make authority auditable without publishing secrets.
Split-brain governance is as dangerous as split-brain data
Engineers design against split-brain systems in which two nodes both believe they are authoritative. A registry crisis can produce the governance equivalent. AFRINIC's receiver or restored board may claim authority while a temporary provider is already processing requests. Different courts or institutions may recognize different actors. Operators may send contradictory instructions to both.
The contingency instrument should define a single authoritative state and a method for changing it. Activation time, service scope and signing authority should be recorded in a tamper-evident log. Requests received during the transition should have one case identifier. The non-authoritative system should either become read-only or route requests to the active provider.
Restoration needs the same discipline. There should be a cutover decision, reconciled data, key transition and published effective time. Pending disputes must not disappear between institutions. Both sides should attest to the transferred state, with an independent path if they disagree.
Mandate clarity prevents institutional split brain. If two bodies can each plausibly claim to have activated themselves, technical consistency alone will not restore trust.
Return is a core operator right, not an administrative afterthought
A temporary provider should enter with an exit obligation. The operator needs assurance that its records, pending requests, credentials and payment status will return intact when AFRINIC resumes, or will move through a lawful permanent transition if AFRINIC cannot.
The return criteria should be objective: lawful governance, verified technical capacity, reconciled records, security testing, adequate staff and a valid recognition status. AFRINIC should not regain sensitive control merely by announcing readiness, but neither should the emergency provider retain service because return is inconvenient.
The draft 90-day period provides a decision point. Before it expires, the authorized institutions should publish whether service returns, the emergency mandate is renewed under stated authority, or a formal successor process begins. Repeated extensions should require stronger review.
Operators should not have to re-prove settled entitlements solely because the provider changes. The complete record, including emergency-period decisions, should follow the relationship. That is the practical content of portability and continuity.
A positive mandate model is available
The mandate gap can be closed without slowing every emergency action. The registries, ICANN, AFRINIC members and resource holders can establish a layered compact with the following elements.
First, continuous escrow and peer custody for defined records, with tested recovery and strict purpose limits. Second, objective activation classes tied to specific service failures. Third, unanimous system-level authorization for a temporary provider, combined with valid local or contractual authority for downstream acts. Fourth, a function schedule distinguishing preservation, routine maintenance, discretionary decisions and commercial powers.
Fifth, operator notice, verified access, correction, appeal and portable records. Sixth, segregation of data, funds and policy so the substitute does not absorb AFRINIC by default. Seventh, a short duration, published scope changes and independent review. Eighth, a tested return or lawful successor process. Ninth, post-event reporting and operator-specific change histories. Tenth, clear liability and governing-law provisions.
This model treats technical backup as an asset, not a threat. It lets engineers prepare aggressively while requiring institutions to justify activation. It also recognizes that consent can be supplied in advance through a public, enforceable compact rather than collected individually during an outage.
The key question is who may decide, not who can operate the servers
The other regional registries almost certainly possess relevant technical expertise. They understand number-resource systems and can provide staff, infrastructure and continuity support more credibly than an improvised outsider. The NRO's mutual-aid posture is therefore a strength of the regional system.
Capability, however, is not mandate. An institution may be able to operate a service without having authority to decide a disputed entitlement. It may lawfully hold a backup without being entitled to use the data for a different purpose. It may be unanimously selected by its peers without having acquired the affected operator's contract.
The public instruments have moved in the right direction. The Stability Fund supports recovery. The 2024 procedures create assessment and emergency-provider concepts. The 2025 draft adds triggers, time limits, consultation and reporting. What remains is a direct bridge to the people and companies whose networks depend on the service.
The NRO does not need to abandon contingency planning. It needs to finish the constitutional part of the plan.
The mandate gap is fixable before the next activation
AFRINIC's crisis has already supplied the difficult hypothetical: a regional registry may need help while lacking an uncontested board capable of requesting it. The system should not wait for an outage to decide whether a receiver can authorize peer staffing, whether escrow can be released or whether a temporary provider can make contested changes.
The immediate priority is to publish an operator-facing authority schedule alongside the next ICP-2 governance text. The schedule should cite the source for each power, explain how domestic law interacts with recognition decisions and identify the contract treatment. AFRINIC's own terms should be reviewed so advance emergency authority is explicit and proportionate.
The second priority is a public test that exercises not only restoration of data but restoration of rights. Can an operator authenticate? Can it see its authoritative history? Can a disputed change be paused and appealed? Can the substitute return every record and pending case? A technically successful recovery that cannot answer those questions is incomplete.
The third priority is to make temporary status real. Scope, time and return should be enforced, not merely promised. If permanent succession becomes necessary, it should proceed under the adopted derecognition and recognition process rather than through repeated emergency extensions.
These measures would increase rather than diminish confidence in NRO support. Operators are more likely to accept rapid activation when they know its authority and limits.
Continuity without consent is fragile; consent without continuity is hollow
The debate should not be framed as law versus engineering. A purely legal right to service is of little comfort if every registry record is lost. A perfect backup is dangerous if no one can say who may activate it or correct its errors. Resilient infrastructure requires both.
The NRO's public measures show substantial preparation for funding, technical assistance and peer coordination. They also show an evolving recognition that emergency operation needs publication, consultation, a time limit and review. The remaining weakness is not hostility to operators. It is the absence, in the adopted public architecture, of a complete operator-facing mandate for service substitution.
That gap can be filled by advance terms, a recognized governance compact and competent legal authority. The compact need not grant individual vetoes. It should grant notice, purpose limitation, correction, appeal, portability and return, while authorizing narrowly necessary action under objective triggers.
Technical backup is good. Mutual aid is good. A prepared emergency provider is good. The governance failure would be allowing those strengths to substitute for the unanswered question: by whose authority does the provider act over the operators it is meant to protect?
Sources and analytical limits
This analysis relies principally on the NRO memorandum, AFRINIC's 2005 NRO joinder, the Joint RIR Stability Fund, the regional registries' July 2022 message, the 2019 ASO memorandum, the 2024 ICP-2 assessment procedures, ICANN's ratification notice, the draft RIR Governance Document, version 2, the NRO review timetable, and the 2005 IANA AFRINIC recognition report.
The cited materials establish the public institutional commitments, proposed rules and statements of their authors. The draft governance document was not treated as adopted. The public record does not expose all escrow arrangements, security ceremonies, service contracts, privacy terms, receiver instructions or peer-registry preparations. It is therefore possible that private instruments answer some activation questions. This article does not disclose or evaluate protected technical details, and it does not conclude that any particular emergency act would be unlawful without examining its instrument and governing law.
Its conclusion is narrower: the adopted public architecture does not yet demonstrate a complete, operator-facing mandate for the full range of service powers that a substitute might need.

