Legal and Compliance

SOC 2

Our Resource Public Key Infrastructure (RPKI) service has successfully obtained its SOC 2 Type I assurance report. This certification underscores our commitment to the highest standards of data security, confidentiality, availability, and processing integrity. The SOC 2 Type I report verifies that the systems and controls used for RPKI align with trusted industry standards.

RPKI Security and Compliance

ISO 27001

ISO 27001 is an international standard for information security management systems (ISMS) that provides a systematic approach to managing sensitive company information, ensuring its confidentiality, integrity and availability through risk management and continuous improvement.

We are currently in the process of attaining this certification. This page will be updated once the certification process has been completed and the certificate of compliance from the auditing organisation has been attained.

GDPR and the RIPE NCC

We ensure compliance with the General Data Protection Regulation (GDPR) for all personal data that we process, including personal data held in the RIPE Database.

We report on GDPR requests and on data breaches on a yearly basis.

See the GDPR report

Subprocessors

A subprocessor is a third-party service provider or data processor engaged by the RIPE NCC that has, or potentially will have, access to personal data, or that processes personal data, on behalf of the RIPE NCC.

The RIPE NCC uses certain subprocessors in the general running of business and to assist in providing services. The document at the following link lists the subprocessors used by the RIPE NCC, specifically with regard to the provision of services related to the LIR Portal, the RIPE Database and RPKI certification.

See the Subprocessors list

Privacy

We respect people's privacy and we are committed to protecting all personal information that is provided. The main purpose for which we process personal information is to support our role as a Regional Internet Registry (RIR).

Read the Privacy Statement

Cookies

Cookies are small files that a browser can record after visiting a website. These files are set on your computer (or other device) through your browser. We use cookies and present visitors to our websites with a cookie notification. By choosing to allow only required cookies or accepting all, you confirm that you are aware of the cookies the RIPE NCC is using, and the purposes they are used for, as described in our Privacy Statement.

See our Cookie Policy

Procedure for the Removal of Personal Contact Details from the RIPE Database

The RIPE community has authorised us to act as the registration authority and keep an accurate register of Internet number resources within our service region, and to manage the operation of the RIPE Database. Many of the operational responsibilities for data handling are delegated to the individuals who maintain sets of data related to their IP network operations. If one of these Maintainers fails to meet their data protection responsibilities, the RIPE NCC could have a legal obligation to intervene. This may require the RIPE NCC to modify or delete personal contact details.

Read more

Digital Services Act (DSA)

The DSA is an EU regulation that sets clear responsibilities for online platforms and digital services to combat illegal content, enhance transparency, and protect user rights to ensure a safe and fair digital space.

We provide users with a point of contact to report content they believe violates any applicable laws on web pages hosted under the ripe.net domain or on any publicly available RIPE NCC services.

See the Policy or report illegal content

NIS2

NIS2 is an EU Directive which establishes measures that aim to achieve a common level of cybersecurity across the EU. 

We are in the process of determining the applicability of the Directive to our services and preparing for compliance in advance of it entering into force in the Netherlands, which is expected to occur in Q3 of 2025.

Digital Operational Resilience Act (DORA)

DORA is an EU regulation that obliges financial entities to maintain a register of ICT services provided by third-party providers as part of their risk management framework.

We compiled all relevant information into a standardised format (whitepaper) to simplify this process for relevant RIPE NCC members as required under DORA.

See the Whitepaper

Sanctions and the RIPE NCC

The RIPE NCC, as an association under Dutch law, must comply with sanctions from the Netherlands and the EU. Since Internet number resources are considered economic resources, EU financial sanctions apply. We cannot allocate new resources to sanctioned persons or entities and must freeze any they already hold.

We monitor sanctions developments to assess if they affect our ability to provide services or enter agreements with certain network operators. If a party is sanctioned, we may refuse to sign agreements or offer services (see Due Diligence for the Quality of the RIPE NCC Registration Data - section 3).

Read our Sanctions Transparency Report