One government, fewer domain names

It’s mainly for communications-related reasons that the government has so many domain names. The assumption has always been that a domain name helps to boost the visibility of a campaign or project. However, such thinking has led to a fragmented landscape in which it’s hard for the public to know whether a website or service actually belongs to the government.

The situation is complicated by the fact that domain names are no longer merely communications resources. They have become digital assets, with implications for technical management, information security and recognisability. New choices therefore need to be made. The government’s new internet domain policy is intended to support that transition.

More than just a marketing resource

Formulated in 2011, the government’s previous domain name policy was aimed mainly at achieving a uniform, transparent approach to domain names and their use, protecting the legal position and managing costs. Over the intervening years, however, the context has changed. “We no longer call it the domain name policy, but the internet domain policy. And its scope is much broader now,” says Dirk Maats, Senior Policy officer at the Ministry of the Interior and Kingdom Relations (BZK). “We’ve taken a more integrated approach, embracing not only communications, but also technical matters and information security.”

The broader approach is motivated by various considerations. First, the marked rise in digital threats. Dependency on digital services has also increased. And then there’s the fact that many domain names are now used for applications, e-mail and connections between systems. Domain names have therefore gone from being marketing resources to vital links in the electronic chain.

3-track strategy for improving recognisability

Modernisation of the government’s policy isn’t a standalone initiative. Since 2019, the government has been pursuing a 3-track strategy for improving recognisability of its electronic services.

As well as developing the new policy, the government has set up a Register of Government Internet Domains (RIO), enabling the public to check whether a domain name does belong to the government. In parallel, the possibility of going over to a dedicated extension for all government domain names is being explored. By advancing on the 3 tracks simultaneously, the government is seeking to improve recognisability.

The new policy itself was adopted early this year, and has since served to define how government organisations should approach internet domains. Existing domain names will be retained for the time being, but requests to register new ones will be vetted more strictly, in line with the ‘existing unless’ principle.

Fewer individual campaign domain names

In practical terms, the new policy means that the threshold to registering individual domain names will be raised. Robin Gelhard, Senior Online Service Advisor at BZK explains: “At BZK, we’ve got about 300 public websites and even more domain names. When someone at the ministry wants a domain name for, say, some web content or a web application, they have to ask us. We then assess whether the content can go on Rijksoverheid.nl, or can be liked to another existing domain name. A new domain name is registered only if neither of those other options is possible.”

Often, that assessment process leads to the conclusion that no new domain name is needed. Instead, a new project might be accommodated under an existing domain name, maybe by creating a subdomain or subdirectory. That makes it clearer who is behind the project, while also reinforcing the existing domain name.

A good example is the dashboard created during the COVID 19 pandemic, which was given the address coronadashboard.rijksoverheid.nl. People could therefore see at a glance that the dashboard was a national government service. That probably wouldn’t have been the case if a new domain name had been created especially for the purpose.

Marketing versus central government

The new policy doesn’t always sit comfortably with established communications practices. Campaigns generally benefit from short, memorable domain names. Especially if they are going to be plugged in radio and TV ads. The trouble is that that means more and more domain names – which the new policy is intended to prevent. The preference is to come up with something logical linked to an existing domain name. While the creation of new domain names is still permitted, it’s now the exception, not the rule.

What’s more, by linking a standalone initiative (e.g. something developed by an individual project team) to the organisation’s wider goals, you increase the communication value of the existing domain name.

Who’s responsible for what?

There’s a clear division of responsibilities. BZK is the policy owner, while each department has one or more Domain Name Liaison Officers: designated contacts who have the task of assessing whether new domain names are needed and requesting registrations in appropriate cases. The Public Information and Communications Service (DPC), which is part of the Ministry of Ministry of General Affairs, implements the policy in the role of registrar and registrant of government domain names. The DPC also provides public DNS services for most of the domain names.

Dave Buis, Domain Name and DNS Management Advisor at the DPC: “As the body responsible for implementing the policy, we manage thousands of domain names and public DNS zones. We also give solicited and unsolicited advice to Domain Name Liaison Officers – our departmental gatekeepers.”

The Domain Name Liaison Officers decide whether a new domain name is needed in each case. The requests are then tested against the policy. That results in more central control, without the centralisation of all case-by-case decision-making.

Domain names aren’t disposable goods

One important aspect of the new policy is information security. In the past, domain names were often seen as temporary, but that’s a risky way to look at them.

“Previously, domain names were frequently viewed as disposable goods,” says Gelhard. “However, if you let a domain name go, someone else can make off with it. Then, if there are still backlinks, active mail flows or user accounts on other platforms, risks can arise. We therefore deliberately hang onto some domain names.”

Phishing risks also need to be considered. Often, it isn’t immediately clear that a domain name belongs to the government. Names based on slogans or abbreviations don’t give away who their owner is, and logos are easily imitated. Also, if there is a huge number of domain names in use, it’s hard for the public to decide what’s genuine. Consistent use of recognisable domain names helps to reduce such risks.

Against the current geopolitical backdrop, the need to reduce risk is greater than ever, because the electronic threat level is higher. The central registration and improved management of domain names are therefore vital. The new policy is also aligned with the requirements of the imminent Cyber Security Act (Cbw).

gov.nl: the current state of play

In parallel with introduction of the new internet domain policy, steps are being taken towards creation of a uniform domain extension for the Dutch government. In 2023, it was decided in principle that .gov.nl was the preferred extension. BZK is currently investigating the financial and organisational consequences of the plan.

While technically possible, the introduction of a uniform domain extension such as gov.nl would necessitate a phased migration. Oversight and support of that migration would account for the lion’s share of the cost. More recently, the lower house of the Dutch parliament passed a motion stating that organising all government websites under a single domain extension is desirable.

A uniform domain extension such as gov.nl would further increase recognisability. However, switching to it would be a major undertaking. So the impact is being assessed before anything is decided. No definite policy has been adopted, as political agreement is required first.

Regularising domain names is difficult

In practice, the government frequently has to contend with domain names that have already been registered. Regularising such names is difficult.

“We’re sometimes facing an established situation,” says Gelhard. “A domain name has already been registered without the knowledge of the central Communications Directorate, and has already been mentioned in news bulletins or parliamentary documents. So you’re stuck with it. Since 2011, all government domain names are supposed to have been registered through the DPC. However, people do sometimes register names through other registrars, without approval.”

Therefore, as well as setting parameters and providing guidance, the policy also needs to change behaviour. And that takes time. Organisations need to be aware of the consequences of introducing new domain names.

Ongoing task

The aim is to curb the proliferation of government domain names, and ultimately to reduce them in number. And progress is gradually being made. Some organisations have already begun cleaning up their portfolios. Ultimately, it’s about getting a grip on domain names as digital assets, so that the government can provide secure and recognisable electronic services.

That’s a never-ending task. New initiatives are always being taken. Technology is constantly changing. Threats continue to multiply. The internet domain policy isn’t therefore an endpoint, but a framework that requires constant adaptation and refinement.

As Buis sums up: “The goal is to take control of the electronic chain. That implies clear duties and responsibilities, clear technical parameters, and more emphasis on information security. That’s a lengthy process, but a process that’s vital for reliable and recognisable electronic government.”