Summary
- Registry failure should be divided into at least four categories: failure of registry services, breakdown of member-controlled corporate governance, proven unlawful conduct that impairs the registry mandate, and political disagreement that does not itself establish failure.
- The threshold should rise with the consequence. Credible and particularized information may justify inquiry; verified material risk may justify an audit or temporary safeguard; derecognition should require clear, independently tested evidence of persistent institutional incapacity, failed rehabilitation, and a safer continuity alternative.
- Reviewers should publish a claim-by-claim evidentiary record, separate facts from inference, disclose conflicts, protect confidential resource-holder data, and connect every remedy to a demonstrated harm. Controversy, litigation, hostile rhetoric, or an unpopular policy position cannot substitute for proof.
Failure is a conclusion, not an atmosphere
An institution can look chaotic without being unable to perform its public function. It can also look calm while essential controls have decayed. That is why the phrase "registry failure" should never be allowed to operate as a mood. It must be a conclusion reached through defined facts, a stated burden, and a remedy linked to the kind of harm proved.
The distinction is especially important for Regional Internet Registries. An RIR is at once a technical service provider, a membership corporation, a policy forum, a custodian of registration records, and a entity in a globally coordinated numbering system. Trouble in one capacity may leave the others intact. A contested board election may damage legitimacy while allocation records, reverse DNS, registration services, and routing-security functions continue. A severe service outage may require immediate outside assistance even when the board is lawfully appointed and financially sound.
A criminal judgment against one officer may call for removal, restitution, and control reform without proving that the whole regional institution should lose recognition. A government may condemn a policy decision for political reasons even though the decision was reached through an open, neutral, and technically sound process.
Those are not variations of one fact. They are different claims with different evidence and different consequences. Combining them produces two symmetrical errors. The first is underreaction: reviewers treat operational danger as an internal corporate dispute and wait while resource holders lose services. The second is overreaction: reviewers treat disputed governance or unpopular speech as proof that the registry itself is unfit, then threaten recognition in order to influence a domestic contest.
The post-2023 revision of Internet Coordination Policy 2 has made this question unavoidable. The 2024 Implementation and Assessment Procedures for ICP-2 Compliance introduced language about material non-compliance, totality of circumstances, materiality of impact, secure operation, restoration, and emergency intervention. The second draft of the RIR Governance Document went further by defining operating commitments, audits, emergency continuity, rehabilitation, and derecognition. Yet neither text states a conventional evidentiary burden such as balance of probabilities, clear and convincing evidence, or another expressly calibrated test. Terms such as "reasonably believed," "material," "adequately," and "last resort" do a great deal of work.
That flexibility is understandable. Registry crises may be novel, evidence may be distributed, and urgent intervention cannot wait for a trial-sized record. But discretion without category discipline is hazardous. A reviewer needs room to respond; the affected institution and its resource holders need protection against a finding built from allegation, inference, or political alignment. The solution is not one rigid percentage of certainty for every stage. It is a ladder of proof tied to four distinct kinds of failure and to the severity of the proposed action.
The current texts contain thresholds, but not a complete proof rule
The 2024 procedures begin with a meaningful limiting principle. A compliance assessment is intended for performance or non-performance significant enough to affect, or potentially affect, the stable and secure operation of the Internet's unique identifier systems. The need for review depends on the totality of the circumstances and the materiality of the possible non-compliance. Other RIRs may request a review when they reasonably believe there may be material non-compliance, while ICANN may initiate one when it reasonably believes the RIR puts secure operation at risk.
An ICANN-initiated review must be limited in scope and cannot become a broad general supervisory role.
These are useful guardrails. They reject the idea that every governance complaint belongs in global compliance review. They require materiality and a connection to the identifier system. They also distinguish the threshold for opening an inquiry from its outcome. A reasonable belief that there may be a problem is not a final finding that the problem exists.
The outcome provisions are less precise. They allow a finding that no action is needed; a finding that no realistic path exists to restore sufficient operations quickly enough to avoid harm; or a finding that swift restoration is possible under an agreed plan. Draft findings ordinarily go to the subject RIR for correction of material factual errors. But ICANN may move immediately to a final determination if it identifies material non-compliance that cannot be cured in a reasonable period or is so critical that a remedy would be inappropriate. The document does not say how strong the evidence must be before that exceptional route is used.
The 2025 draft changes the architecture but leaves the evidentiary question open in another way. A derecognition proposal must identify the reasons and the specific provisions allegedly breached. The affected RIR receives time to respond. Each other RIR independently recommends for or against derecognition and publishes its reasons. Unanimous support from the other RIRs is required before ICANN makes a final decision. The draft also presumes rehabilitation, gives the RIR a reasonable opportunity to cure, and says derecognition is a last resort when the harms of tolerating non-compliance outweigh the benefits.
Unanimity among decision makers is not a standard of proof. Four institutions can unanimously accept weak evidence; one conflicted institution can block strong evidence. Nor does publication of reasons by itself cure an undefined burden. Reasons can be detailed yet still fail to distinguish established fact from assumption. A harm-balancing test can be sensible yet manipulable if the underlying harms are asserted rather than measured.
The NRO NC's Q1 2026 status report confirms that important parts remain unsettled. It records debate over derecognition and ad hoc audit trigger thresholds, anti-capture protections, emergency continuity initiation and renewal, transition planning, resource-holder rights, audit follow-up, and the place of rehabilitation in the derecognition sequence. These are not drafting details around a settled core. They are the structure through which proof becomes action.
A complete rule should therefore identify five separate thresholds: enough evidence to receive a complaint; enough to open compulsory inquiry; enough to impose an interim safeguard; enough to find material non-compliance; and enough to derecognize. At each stage it should say who bears the burden, what evidence is admissible, what must be independently verified, what response is allowed, and what degree of uncertainty remains tolerable. Without that ladder, the strongest procedural protections arrive too late, after the label of failure has already changed the bargaining power of every entity.
Service failure is proved by service evidence
Service failure is the most concrete category and, in an emergency, the one that permits the fastest response. The question is functional: can resource holders obtain the registry services on which legitimate operation depends, with adequate availability, integrity, accuracy, security, and timeliness? The proof should come from service facts rather than reputation or corporate conflict.
Relevant evidence includes sustained unavailability of registration interfaces; inability to process justified allocation, assignment, transfer, or update requests; loss or corruption of authoritative registration records; failure of reverse DNS delegation services; inability to issue, revoke, or maintain routing-security material where the RIR provides that function; prolonged loss of member authentication; broken data exchange with IANA or peer RIRs; material security compromise; and staffing or infrastructure failure that makes recovery implausible.
Duration, geographic breadth, affected service class, number of resource holders, data integrity, and the existence of a tested recovery path all matter.
Not every incident is institutional failure. Mature technical systems experience outages. A published incident, a bounded backlog, or degraded non-core functionality may be serious without meeting the threshold for external operation. The reviewer should ask whether the RIR detected the problem, preserved accurate records, communicated honestly, invoked continuity measures, restored service within a defensible objective, and corrected the cause. Resilience is not the absence of incidents; it is the ability to contain and recover from them.
The burden for temporary technical assistance should be lower than the burden for derecognition because the purpose and reversibility differ. Verified evidence that a critical service is unavailable, that delay will create material harm, and that the incumbent cannot restore it within the necessary period may justify a narrow continuity measure. That measure should cover only the affected service, last only as long as needed, and preserve the incumbent's right to resume once capability is independently verified. It should not be described as a final judgment on corporate legitimacy.
By contrast, using a service incident to support derecognition requires more. Reviewers should establish persistence or recurrence, failure of reasonable remediation, absence of a realistic recovery path, and institutional inability to sustain the whole required service mandate. They should also establish that an interim or successor arrangement can perform better without causing greater risk. A registry cannot be found unfit merely because another RIR has newer systems or more money. The comparison is against required service, not an idealized peer.
The 2025 draft usefully separates performance from emergency continuity. It requires stable, reliable, secure, accurate, and accountable services, then allows temporary arrangements when an RIR cannot adequately provide all or part of them. That phrase "all or any part" supports granular intervention. The evidentiary standard should preserve that granularity. If one function fails, prove that function, move only that function if necessary, and continue testing restoration. Do not convert a bounded technical defect into a presumption that the membership corporation, policy community, and regional mandate have all failed with it.
Corporate governance breakdown requires control evidence
Governance failure is harder to prove because corporate conflict generates rival narratives. The central issue is not whether meetings were contentious or litigation occurred. It is whether the institution retains a lawfully accountable governing body, member control, impartial administration, financial stewardship, and the practical ability to direct registry operations.
Evidence should be anchored in authoritative corporate materials and observable control. That may include constitutive documents, current bylaws, the applicable companies statute, court orders, election rules, independently verified member registers, notices, minutes, resolutions, financial statements, auditor reports, conflict disclosures, bank mandates, employment authorities, and system-access records. It should identify who can lawfully appoint or remove directors, who can authorize expenditure, who directs staff, whether decisions receive required approval, and whether the board can actually carry them out.
An election complaint alone does not prove breakdown. The reviewer must identify the defect, its scale, its effect on the result, and the available domestic remedy. A late notice that affected no outcome is different from deliberate exclusion of eligible voters. A contested proxy is different from a fabricated electorate. A court-ordered rerun is evidence that a defect needs correction; it is not necessarily evidence that the corporation can never govern itself.
Equally, continued technical service does not cure a board that has no lawful authority, cannot approve a budget, cannot supervise executives, or has lost effective control to an undisclosed faction.
The correct final question is institutional capacity: despite the defect, is there a lawful and timely path to restore member-controlled governance while preserving service? If yes, the remedy should favor that path. It may include a supervised election, independent verification of the voter roll, conflict controls, a temporary limit on extraordinary transactions, enhanced financial review, or a court-recognized interim authority. Derecognition should not be used to choose between candidates or accelerate one side's preferred corporate outcome.
Governance proof also requires a jurisdictional boundary. RIR recognition is global coordination; corporate existence and board authority are ordinarily matters of local law. ICP-2 reviewers may assess whether governance meets recognition commitments, but they should not casually declare a domestic order invalid or substitute their interpretation of corporate law for a competent court. If the legal position is uncertain, the finding should state that uncertainty and focus on its practical effect.
For example: no body presently has uncontested authority to direct critical operations, and no timely adjudicative route appears capable of resolving that control gap. That is a testable institutional fact. Saying that the "wrong" faction won is political advocacy.
The evidence threshold for a material governance finding should be clear and independently corroborated. Because the facts may be contested and the reputational effect severe, a balance-of-probabilities formulation is too easy to satisfy with selective records when derecognition is contemplated. The decision should require a firm conviction, based on verified records and a fair response, that core control is persistently defective and that specified rehabilitation measures have failed or cannot work in time. The label should follow the proof, never precede it.
Unlawful conduct must be connected to the registry mandate
Illegality is the category most likely to produce moral urgency and analytical shortcuts. An allegation of fraud, corruption, sanctions violation, discrimination, data misuse, contempt, or other unlawful conduct can dominate public attention. But an RIR failure finding should not become a parallel criminal or civil tribunal. It should rely on competent legal outcomes where available and ask a narrower institutional question: does the unlawful conduct materially impair the RIR's ability to meet its registry obligations?
The strongest evidence is a final or operative judgment, enforceable order, regulator finding, admitted conduct, independently audited loss, or verified transaction record. Pending charges, anonymous claims, leaked correspondence, and partisan summaries may justify preservation of evidence or an independent inquiry. They should not be treated as proven unlawful conduct. Even a judgment must be read carefully: what was decided, against whom, under which law, on what evidentiary basis, with what appeal status, and with what consequence for registry operation?
The connection requirement prevents guilt by association. If a former employee committed theft and the institution detected it, recovered assets, reported the offense, strengthened controls, and maintained services, that episode may show resilience rather than institutional unfitness. If directors diverted registry funds, obstructed audit, retained control, and left the organization unable to pay staff or secure systems, the same broad category of misconduct has a direct bearing on recognition. If a court finds an election procedure unlawful but orders a workable remedy, the proper response may be compliance with the order.
If the RIR repeatedly defies binding orders and thereby loses lawful control of assets essential to service, the evidence points toward a deeper failure.
Political actors may also use "unlawful" as shorthand for conduct they dislike. A government might assert that an open regional policy conflicts with a national preference. A member might describe an adverse contractual decision as theft. An incumbent board might label criticism sabotage. Reviewers should insist on legal specificity and institutional relevance. What provision was violated? Which body has jurisdiction? What operative determination exists? What assets, services, rights, or controls are affected?
Can the problem be cured by removing individuals or correcting conduct rather than removing recognition from the institution?
An urgent interim measure may still be justified before final adjudication if there is verified risk of irreparable harm: destruction of records, dissipation of funds needed for service, compromise of signing material, or exclusion of authorized operators from critical systems. The measure should preserve assets and capability, not pronounce guilt. It should be time-limited, independently supervised, and reviewable. The burden for preservation is therefore substantial risk supported by concrete evidence; the burden for a final illegality-based failure finding is a reliable legal determination plus proof of material institutional effect.
This separation protects both the numbering system and the rule of law. Reviewers do not need to ignore misconduct until every appeal ends. Nor may they convert allegations into a global penalty. They can preserve, audit, limit, and support while the proper forum determines legality. Derecognition becomes relevant only when proven conduct, continuing control, failed cure, and operational consequence converge.
Political disagreement is not registry failure
The hardest safeguard to write is also the simplest to state: disagreement with an RIR's policy, public position, regional constituency, leadership style, or jurisdiction is not evidence of failure. The registry system is supposed to contain disagreement. Bottom-up policy development would be meaningless if a central actor could threaten recognition whenever a region reached an unpopular but lawful result.
Political disagreement can arrive dressed as technical necessity. Governments may call a governance model insufficiently sovereign. Large resource holders may call equal treatment economically irrational. Civil society groups may view a lawful allocation rule as inequitable. Other RIRs may find a region's institutional culture frustrating. ICANN may be criticized for acting, or for not acting. None of those positions is inherently illegitimate. None establishes failure without evidence that an applicable obligation has been breached and material harm follows.
The reviewer should apply a strict non-substitution rule. It may test whether the policy forum was open, documented, impartial, accessible, and genuinely community-driven. It may test whether the resulting policy conflicts with a binding global policy or applicable law. It may test whether similarly situated requestors receive consistent treatment. It may not decide that another policy would be wiser and call the difference non-compliance.
This rule also applies to institutional criticism. A registry does not lose legitimacy because its leaders criticize ICANN, the NRO, another RIR, a government, or a litigant. Robust speech may be uncomfortable, and false factual statements may warrant correction, but recognition cannot depend on deference. Conversely, an incumbent cannot defeat review by branding every documented governance defect a political attack. The reviewer must move from rhetoric to particulars: exact duty, exact act or omission, exact evidence, exact harm.
Political context is still relevant as a source of bias and risk. A campaign for derecognition led by a commercial rival, an incumbent faction, a government seeking control, or peer institutions with strategic interests deserves heightened conflict scrutiny. The claim does not become false because the complainant is interested. It does require independent verification and transparent recusal. Public support letters should be tested for authority, denominator, duplication, affiliation, and whether signatories understood the remedy they were endorsing.
The standard for rejecting a complaint as political should also be disciplined. Reviewers should not use that label to avoid genuine facts. A politically motivated complainant may present authentic evidence of service loss or captured governance. The proper response is to separate motive from proof. Evidence survives hostile motive if independently verified; political preference fails even when sincerely held if it cannot be tied to a breached obligation.
This category needs a strong presumption against coercive remedy. Where the record shows only disagreement, the result should say so plainly: no compliance action is warranted. That published conclusion matters. It protects regional autonomy, discourages repeated strategic complaints, and demonstrates that review can vindicate an institution rather than merely place it under suspicion.
Proof must rise as the remedy becomes harder to reverse
A single standard for every stage would either paralyze emergency response or make derecognition too easy. The better design is progressive. Each rung authorizes a different action and demands a stronger record.
At intake, a complaint should be accepted if it is specific, within the governing criteria, and supported by information capable of verification. The complainant should identify the duty, conduct, time period, affected service or constituency, and available material. Unsupported conclusions need not trigger compulsory production. This low threshold keeps the door open without turning accusation into status.
Opening a formal review should require reasonable grounds, based on credible and particularized information, to suspect material non-compliance. The 2024 procedure's reasonable-belief language fits this stage. The notice should define scope and explain the connection to secure and stable identifier operation. A review opened for election integrity should not silently expand into every financial, policy, and personnel dispute. New issues can be added only through a supplemental notice.
An audit or evidence-preservation order should require a demonstrated need: material facts cannot be resolved from existing records, and delay risks loss, concealment, or continuing harm. Access should be proportionate. Registration information must remain confidential, and unrelated member data should not be exposed. Reviewers should record custody and permit the subject RIR to identify legal restrictions without allowing confidentiality to become blanket obstruction.
Temporary service intervention should require verified material impairment or imminent impairment of a defined critical service, inability of the incumbent to restore within the harm window, and credible readiness of a temporary operator. The decision can be made under urgency, but the factual predicate must be concrete. It should specify the service, users affected, authority, duration, data access, security controls, return test, and review date.
A final finding of material non-compliance should require the reviewer to establish the essential facts on the record after response, independent verification, and reasoned treatment of contrary evidence. Where the finding concerns disputed governance or misconduct, the reviewer should have a firm and well-supported conviction, not merely a slight balance. Each finding should state confidence and unresolved uncertainty.
Derecognition should require the highest institutional showing: clear and convincing evidence that core obligations are materially and persistently unmet; the defect impairs or imminently threatens the numbering system or resource-holder rights; reasonable rehabilitation has failed or cannot succeed in the necessary period; less intrusive remedies are inadequate; and a tested continuity arrangement makes removal safer than continued recognition. This does not mean mathematical certainty.
It means the decision maker can explain why serious alternative accounts have been rejected and why the residual uncertainty is acceptable given the consequences.
The result is asymmetrical by design. It should be easier to inspect than to condemn, easier to preserve than to transfer, and easier to provide narrow temporary service than to extinguish institutional status. That is not indulgence toward incumbents. It is protection against irreversible error while retaining speed where service danger is real.
The burden cannot sit entirely on the accused registry
An RIR has a duty to maintain auditable records and cooperate with legitimate review. It therefore carries a production burden for material in its custody: service records, governance decisions, financial controls, audit information, and explanations of disputed conduct. Refusal or destruction can support an adverse inference. But the ultimate burden of proving failure should remain with those seeking the finding and remedy.
This distinction matters because a demand for "all information and access necessary" can become circular. The reviewer decides what is necessary, the institution is criticized for not producing it, and non-production becomes proof that there is no realistic restoration path. Sometimes that inference is justified. Sometimes the material does not exist, is controlled by a receiver or court, is protected by law, is technically inaccessible, or was demanded on an impossible timetable. A fair record identifies which explanation applies.
The subject RIR should receive a schedule of allegations, a material index, a chance to correct facts, and enough time to respond unless a precisely described emergency prevents it. Two weeks to correct factual errors in draft findings, as provided in the 2024 procedures, may be workable for a bounded operational issue and inadequate for years of corporate litigation. Time should follow scope and urgency. Any compressed period should be accompanied by provisional findings and prompt later review.
Complainants also carry duties. Institutional actors should disclose relevant interests, prior disputes, litigation, commercial relationships, and participation in proposed successor arrangements. Member coalitions should identify how membership and authorization were verified, while protecting legitimate personal information. Experts should disclose who retained them and the limits of their methods. Public officials should distinguish official records from policy positions.
Independent verification is the bridge between these burdens. Service measurements can be reproduced. Financial claims can be tested by auditors. Board authority can be compared against filed records and orders. Election claims can be tested against a verified roll and rules. Technical custody can be demonstrated through controlled exercises. A conclusion resting only on the complainant's documents or only on the incumbent's assurances is inherently weaker.
The burden should also be claim-specific. If the reviewer proves record-keeping failure but not service failure, it should say exactly that. If it proves governance breakdown but finds technical continuity intact, it should preserve that distinction. If unlawful conduct is unproven but control weaknesses are established, the remedy should address the controls. Bundling weak and strong allegations into one overall impression is not totality analysis; it is evidentiary dilution.
Finally, missing evidence should be described rather than filled by assumption. The public can understand that an issue remains unresolved because a court record is sealed, a test could not be performed, or custody is disputed. Candor about limits produces more legitimacy than false completeness. The standard of proof is not only a threshold inside the decision maker's mind. It is a discipline for showing readers why the available record supports one conclusion and not another.
Remedies should track the failure that was actually proved
The value of category discipline appears in the remedy. Service failure calls first for technical continuity: incident containment, backup activation, temporary operation of defined functions, data-integrity verification, and a restoration test. Governance breakdown calls for lawful control: election correction, independent administration, financial safeguards, conflict management, or court-compatible interim authority. Unlawful conduct calls for preservation, removal of responsible individuals, restitution, compliance, and control repair. Political disagreement calls for no coercive compliance remedy at all.
These responses may overlap, but they should not be confused. A temporary operator should not redesign membership rules. An election supervisor should not receive unrestricted registration data. ICANN should not use technical coordination to decide who deserves corporate office. A domestic receiver should not alter global number-resource policy merely because it controls local assets. Each actor should hold only the authority needed for the demonstrated problem.
Rehabilitation must also be measurable. The 2025 draft establishes a presumption in favor of cure and reasonable support from ICANN and the other RIRs. A cure plan should translate that principle into dated tests: restoration of named services; verified custody of records; adoption and implementation of controls; completion of a lawful vote; delivery of audited accounts; removal of conflicted access; or compliance with an operative order. "Rebuild trust" is an aspiration, not a test.
Support cannot mean leverage. Peer RIRs may provide staff, infrastructure, escrow, security review, or specialist advice. They should not condition essential assistance on policy concessions, litigation withdrawal, leadership preference, or future commercial alignment. The terms, costs, data access, and decision rights of assistance should be published to the extent security and privacy allow. Otherwise rehabilitation can become an informal transfer of control.
Escalation should depend on failed milestones and continuing harm, not impatience. If an institution misses a date for reasons within its control, the reviewer can tighten safeguards. If a court postpones an election while protecting lawful operation, the delay may not demonstrate refusal. If technical restoration succeeds but governance repair remains open, temporary service intervention should end when its own predicate ends. Remedies should not persist simply because they have become administratively convenient.
Derecognition then becomes a distinct judgment, not the automatic final step of every review. The decision should compare the risk of continued recognition under enforceable safeguards with the risk of transfer to a named interim or successor arrangement. It should identify what happens to services, records, contracts, staff, member rights, and regional policy participation. If continuity is speculative, the case for immediate derecognition is incomplete no matter how troubling the incumbent's conduct appears.
Proportionality is sometimes criticized as softness. Here it is operational rigor. The objective is not to punish an institution in the abstract. It is to maintain a trustworthy regional registry system. A narrower remedy that cures the proven failure while preserving service and member rights is stronger governance than a dramatic remedy whose collateral effects are unknown.
Urgency changes timing, not the identity of facts
Emergencies create a temptation to lower every threshold at once. A better rule changes the timing and scope of action while preserving the distinction between provisional risk and final fact. The reviewer can act quickly on verified danger without pretending that every contested issue has been decided.
Suppose a critical authentication system is compromised and unauthorized changes appear possible. Immediate isolation, backup activation, access suspension, and temporary processing by a prepared operator may be warranted. The evidence needed is direct: compromise indicators, control loss, affected service, and credible inability to contain the risk internally. There is no need to decide whether the board election was lawful before securing the service. Nor does the security action prove that derecognition is necessary.
The same logic applies to records and money. If there is reliable evidence that registry records may be destroyed or operating funds dissipated, a competent authority can preserve them. Preservation is not confiscation, and it should not determine ultimate ownership. A short confidential order may be justified before broad consultation, followed by prompt notice and independent review.
Emergency decisions need a written minimum record. It should state the facts known, their provenance, the facts unverified, the harm window, the alternatives considered, the exact measure, and the date of reconsideration. If publication would expose a vulnerability, a public summary can omit sensitive detail while an independent reviewer receives the full record. Secrecy about technique need not become secrecy about authority.
The draft's 90-day emergency-continuity period recognizes the need for a temporal boundary, while the 2026 status report records concern that 90 days may be too short to identify a successor and that extensions may lack oversight. The answer is not an automatic renewal. Each extension should require fresh evidence that the service risk remains, that the temporary operator complied with scope, that restoration or transition work is progressing, and that no less intrusive arrangement is available. The burden should increase as temporary control lasts longer.
After the immediate danger passes, ordinary proof protections return. The institution can contest factual claims, resource holders can describe impact, and reviewers can distinguish root cause from emergency symptom. A cyber incident may reveal weak governance, but that inference must be tested. A governance conflict may have delayed response, but delay must be attributed accurately. A third party may have exploited the crisis, and its conduct should not be assigned to the registry without evidence.
Urgency therefore supports a two-track decision: act on the narrow hazard now; decide institutional status on a fuller record later. This prevents resource holders from being exposed while reviewers deliberate, and it prevents an emergency measure from predetermining the constitutional result.
Independence must be visible, not assumed
The institutions assessing an RIR are not disinterested strangers. Other RIRs coordinate with it, may provide emergency service, may influence successor arrangements, and may face the same rules in the future. ICANN has system-stability responsibilities and also institutional interests. Members may be complainants, litigants, candidates, creditors, or customers. Expertise is concentrated among actors who often have a stake.
Conflict does not make decision impossible, but it changes the required safeguards. Every reviewer and recommending body should disclose direct financial, litigation, governance, and successor interests. Recusal should apply where an actor would gain control, assets, fees, or strategic advantage from the outcome. If recusal threatens a unanimity rule, the rule should specify how abstention is counted rather than allowing a conflicted actor either to veto or validate the case.
The independent auditor is especially important, but appointment alone does not guarantee independence. Terms of reference, funding, access, methods, and reporting lines matter. An auditor should not be asked to decide legal questions beyond competence or to turn management recommendations into findings of material breach. Technical experts should test service facts; corporate and legal experts should test authority and compliance; the ultimate decision maker should integrate their results without erasing their limits.
The 2025 draft provides an independent third-party review route for certain recognition objections, but the derecognition path relies on recommendations by the other RIRs followed by ICANN's decision and existing ICANN review procedures. Given the stakes, an independent evidentiary panel should be available before final derecognition, particularly where facts are contested or peer conflicts are material. Its role need not be to make policy. It can test whether findings are supported, contrary evidence was addressed, conflicts were managed, and the burden was met.
Transparency should reveal the chain of reasoning. A published decision should list each alleged provision, finding, evidence category, counterargument, confidence, material harm, cure offered, result of cure, and selected remedy. Confidential annexes may protect security and member data, but the public explanation must be sufficient to understand why the action is lawful and proportionate. A conclusion that cites confidential information without describing its nature or corroboration is difficult to challenge and easy to abuse.
Independent review also protects the reviewers. A decision that survives adversarial fact-checking carries more authority in domestic courts, regional communities, and network operations. A decision corrected before final action avoids institutional damage. Accountability is not an obstacle to timely coordination; it is what allows urgent coordination to be trusted after the immediate crisis.
A publishable finding needs an evidence map
The final determination should be readable as an evidence map rather than a narrative of escalating concern. The map begins with the applicable obligation. It then identifies the alleged act or omission, date range, affected service or right, material relied upon, verification method, response, unresolved issue, finding, confidence, and remedy. Each step should be explicit.
For service claims, the map can include availability measurements, transaction samples, incident records, recovery tests, integrity checks, and affected-user evidence. For governance claims, it can include filed corporate records, election materials, court orders, audited financial controls, access authorities, and verified member data. For unlawful-conduct claims, it can identify the operative legal determination and explain its institutional effect. For political claims, it can show why no breached duty was established.
The decision should separate direct evidence, corroborated testimony, expert inference, disputed assertion, and missing information. It should avoid counting repetition as corroboration. Ten public letters derived from one unverified claim remain one evidentiary origin. A news report may establish that an allegation was made, not that the allegation is true. An official letter may establish the sender's position, not the underlying fact. A court judgment proves what it actually decided, not every assertion in the pleadings.
Materiality requires its own explanation. A defect is material when it impairs a core obligation, creates significant risk to resource holders or the numbering system, defeats member control or neutrality, or prevents reliable correction. The number of affected parties matters, but so do severity and concentration. A defect harming a small set of resource holders can be material if it is deliberate discriminatory treatment or compromises critical routing authority. A procedural error affecting many people may be immaterial if promptly corrected without effect.
Causation should not be skipped. If service deteriorated during litigation, did the legal dispute cause loss of staff, block funding, remove access, or merely coincide with a separate technical failure? If governance became unstable after an external intervention, which harms predated the intervention and which followed it? If the registry failed to answer a request, was the request within authority, sufficiently clear, legally permissible, and feasible in the time given? These questions prevent circular findings in which review pressure creates the very incapacity later cited as proof.
Finally, the decision should state what would change the result. If compliance depends on a successful recovery test, name it. If derecognition follows failed rehabilitation, list the missed measures. If no action is needed, explain why the allegations did not meet the threshold. This makes the standard prospective. Future RIRs, members, courts, and reviewers can understand how conduct will be assessed without guessing from institutional rhetoric.
The four-part test
A practical failure rule can be stated in four questions, applied in order.
First, what kind of failure is alleged? The reviewer must classify each claim as service, corporate governance, unlawful conduct, political disagreement, or a clearly explained combination. Classification prevents evidence from migrating invisibly between categories. A harsh political statement cannot prove downtime. A service outage cannot prove election fraud. A court dispute cannot prove that data is corrupt.
Second, what reliable facts establish breach and material effect? The reviewer identifies the duty, verifies the evidence, considers the response, and states uncertainty. The burden follows the action sought: credible particulars for inquiry, verified material risk for interim protection, a firm evidence-based conclusion for material non-compliance, and clear and convincing institutional proof for derecognition.
Third, which remedy is necessary for the proved harm? The reviewer starts with the narrowest effective response. Service support addresses service. Governance correction addresses control. Legal compliance addresses unlawful conduct. Political disagreement receives no coercive remedy. Any overlap must be justified claim by claim.
Fourth, is derecognition safer than continued recognition under enforceable rehabilitation? The answer requires more than dissatisfaction with the incumbent. Reviewers must show persistent core incapacity, failed or impossible cure, material harm, and a ready continuity arrangement that protects resource holders. If those elements are missing, derecognition is premature.
This test would not predetermine any named registry dispute. That is its virtue. It can assess any RIR, including institutions whose peers or ICANN may find politically aligned or operationally familiar. The same evidence rules would apply to service collapse in one region, captured governance in another, misconduct in a third, or strategic complaints against a fourth.
The test also gives content to the principles adopted during the revision effort. Auditability becomes verifiable evidence rather than document volume. rehabilitation becomes measured cure rather than indefinite negotiation. Emergency continuity becomes a bounded service response rather than provisional derecognition. Last resort becomes a comparative finding that less intrusive measures failed and transfer is ready.
No standard can remove judgment. Internet number governance is too institutionally complex for an automatic formula. But judgment can be disciplined. Categories can be defined, burdens can rise, evidence can be tested, conflicts can be disclosed, and remedies can be matched to harm. That is the difference between a power that protects the registry system and a power that can be used to settle political disputes through operational pressure.
Proof before status
Recognition is not a prize for agreeable institutions, and derecognition should not be punishment for embarrassing ones. Both are coordination decisions with consequences for networks that did not choose the dispute. The evidentiary rule should therefore be built around protection of function, lawful member control, reliable records, regional autonomy, and continuity.
The present reform materials contain many of the necessary components. The proposed ICP-2 Version 2 principles call for auditable operation, stable service, continuity, anti-capture controls, external audit, remedial bias, and handoff. The later draft adds procedures. The status report records unresolved questions honestly. What remains is to connect those components through an explicit proof ladder.
That ladder must refuse a universal label of failure. Service interruption is proved through service evidence and answered first with continuity. Corporate breakdown is proved through lawful-control evidence and answered first with rehabilitation. Unlawful conduct is proved through competent legal outcomes and a demonstrated institutional connection. Political disagreement, however intense, is not failure at all.
Only after reviewers make those distinctions should they ask whether an RIR has lost the capacity to remain recognized. By then, the record should show not merely that something went wrong, but what went wrong, why it matters, what was tried, why it failed, and why the proposed replacement is safer. That is the standard a mature registry system needs: proof before status, continuity before punishment, and remedies no broader than the facts can carry.
Sources
- ICANN, Implementation and Assessment Procedures for ICP-2 Compliance, ratified 24 December 2024
- NRO, Proposed ICP-2 Version 2 Principles
- NRO, Second Draft of the RIR Governance Document
- NRO NC, RIR Governance Document Version 2 Status Report, Q1 2026
- ICANN, Criteria for Establishment of New Regional Internet Registries

