Security: building trust in .fr

Afnic makes every effort to maintain a high level of quality, security and continuity of service for the TLDs it manages. 

To ensure this high level of performance, our approach is one of continuous improvement, constantly seeking the balance between compliance with ever more demanding standards and resilience and agility. 

An ISO 27001 certified ISMS

Afnic has always made security one of its top priorities. The implementation of an Information Security Management System (ISMS) has made this objective even more tangible. This ISMS is ISO27001:2017 certified by Afnor, which provides assurance to our stakeholders that this commitment is met at all times.

The historical background of the certification covers the essential services involved in the management of .fr:

• Domain name (DNS) resolution and the support of the DNSSEC protocol
• The Whois directory
• The Shared Registration System (SRS)
• The external escrow service (daily back-up of the registry)
• The registry database

Since 2020, the scope has been extended and now covers the same services within the framework of the French oversea ccTLDs managed by Afnic: .pm, .re, .tf, .wt and .yt.

Beyond the ISO 27001 certification procedure, we also rely on the recommendations and best practices issued on behalf of the State by ANSSI, the French National Cybersecurity Agency).

• See the certificate obtained by Afnic

Beyond compliance: security by design

Security is not just a matter of information systems: it is part of our DNA (thanks to our Inria roots), inherent in our core business and an essential component of our organisation. 

The integrated management of our ‘Security’ and ‘Excellence’ processes make security everyone’s business and a key dimension: 

• of the continuous evolution of our information systems;
• and of the development of our products and services.

We also rely on a number of different manufacturers and software publishers: it’s a question of independence, risk control and cost control. We maintain in-house business skills at the highest level and carry out certain developments ourselves.

… and data protection by design

A pioneering registry in the protection of personal data (anonymised by default since 2006), Afnic upgraded its systems in 2018, not only to implement the GDPR (General Data Protection Regulation), but also to integrate this issue into the lower layers of the information system. 

Rather than simply complying, we decided to create a Personal Data protection Management System, as well as the post of DPO (Data Protection Officer), to strengthen data protection in all processes. 

It is a question of security and confidentiality, but also of commitment: at Afnic, we consider personal data as essential data.

Essential service, uncomprising security

In 2019, Afnic was designated an Operator of Essential Service (OES). An OES is an operator providing a service that depends on network and information systems and essential for maintaining of critical societal and/or economic activities.

This designation entails new requirements in terms of cybersecurity, and notably the obligation to comply with the 23 security rules contained in the transposition into French law of the European NIS (Network and Information Services) Directive, in close collaboration with ANSSI.

True to our drive for excellence, we chose to apply a continuous improvement approach to each of these 23 rules. Our ambition is to make our IS as resilient as possible, to strengthen our capacity to deal with incidents quickly and to minimise their effects.

Security approval: our commitment

The security approval of an information system is an information and accountability process that leads to a formal decision taken by Afnic, a comptent authority (Approval Authority), which certifies that the risks to security of this system have been identified and that the necessary measures to protect it are implemented. It also certifies that any risks that remain (residual risks) have been identified and accepted by the Approval Authority.

Afnic has started this process in 2013 and formally pronounced the first approval in 2014. This approval has since been periodically renewed in 2015, 2016, 2018, 2019 for periods of 12 to 18 months.

The approval concerns the information system supporting the essential services of the French Top Level Domains managed by Afnic, namely, .fr, .pm, .re, .tf, .wf and .yt.

An approach based on continuous improvement

Like all Afnic’s processes, security is dealt with in the context of an approach based on continuous improvement. We operate in a field in which both technologies and threats are evolving rapidly. The constant evolution of our IS is essential if we are to respond to the demands of our clients (registrars and registries). It is also a matter of ensuring that all the TLDs for which we are responsible benefit from an IS that is ever more agile, stable and robust. 

The services developed for our clients, such as .FR Lock and Abuse Report, also contribute to this continuous improvement, constantly enriching our experience in the field of security. 

Furthermore, in accordance with the commitment made to the State, Afnic invests heavily each year, devoting more than 8% of its turnover to the acquisition of hardware and software contributing to the security and stability of .fr.