Guidance

Criteria to be a .gov.uk Approved Registrar 

Follow this guidance to understand how to become a .gov.uk Approved Registrar

These criteria come into force on 30 September 2024.

How to become a .gov.uk Approved Registrar

Your organisation must:

  • meet all the criteria if it’s a registered company or sole trader

  • meet all the criteria from section 5 onwards if it’s a public sector organisation  

  • continue to meet all relevant criteria for as long as it registers .gov.uk domain names

  • make sure your Registrants understand you have to meet these criteria

The Central Digital and Data Office (CDDO) may update this criteria from time to time at its reasonable discretion, for example to help keep the .gov.uk domain namespace secure. CDDO will invite feedback from Registrars on any proposed changes to these criteria before updating them.

Registrars must have met the criteria no later than 30 September 2024.

Costs to meet the criteria

CDDO has no current intention of charging your organisation to become a .gov.uk Approved Registrar. However, as CDDO has not yet contracted with the Registry Operator CDDO cannot yet confirm how the Registry will be funded.

Your organisation is responsible for all costs to meet the criteria to be a .gov.uk Approved Registrar.

Making sure your organisation is eligible

The following apply only to organisations that are not UK public sector organisations:

1. You are a registered company or sole trader.

2. You commit to having a commercial contract with your Registrants for .gov.uk domains.

3. Your contracts with Registrants fall under the jurisdiction of courts in England and Wales to settle any dispute or claim, including non-contractual disputes or claims.

4. You commit to having Cyber Essentials or Cyber Essentials Plus certification for the teams and tools you use to manage .gov.uk domain names, and keeping this certification up-to-date. If you do not have Cyber Essentials or Cyber Essentials Plus certification at this time, you commit to getting either certification by 30 September 2024.

The following apply to all organisations:

5. You commit to making the Registry Operator and your Registrants aware if:

  • you can no longer meet the Criteria to be a .gov.uk Approved Registrar, or your status as a .gov.uk Approved Registrar has changed.

  • control of your organisation has changed or is expected to change

  • if there is any event that might lead to your organisation ceasing trading, such as a voluntary winding up, a bankruptcy, or an insolvency event

6. You commit to having a complaints policy in place.

7. You commit to complying with the Data Protection Act 2018 (as amended, updated or replaced from time to time) and all applicable privacy legislation in relation to the storage and handling of your Registrant’s personal data.

8. You commit to having a privacy policy in place.

9. You consent to being listed on the publicly available list of .gov.uk Approved Registrars.

Helping your Registrant meet their obligations

10. You commit to helping Registrants meet the domain name registration and management rules that apply to them, listed below. You must subscribe to updates and request your Registrants to subscribe to updates on these pages:

11. You commit to ensuring changes to domain records advised by Registry Operator or the CDDO Domain Management Team’s are made, either by supporting your Registrants or - if authorised - doing the changes yourself.

12. You commit to allowing the Registry Operator or the CDDO Domain Management Team to interact directly with the Registrant to help them meet the domain name registration and management rules.

13. You commit to escalating to the Registry Operator any instances where your Registrants are persistently failing to meet the domain name registration and management rules. You commit to taking any resulting action required by the Registry Operator or the CDDO Domain Management Team to protect the .gov.uk domain, dependent services and namespace.

14. You commit to recommending .gov.uk domain names as the preferred option to UK public sector organisations because .gov.uk domain names are monitored and protected and identify official public sector organisations. For example, central government departments, ALBs, city, town, parish councils or any other appropriate public sector organisations.

Providing customer support for your Registrant

15. You commit to providing reasonable support to your Registrants as is appropriate in the circumstances to move to another .gov.uk Approved Registrar whenever they wish, and in the case of you losing your .gov.uk Approved Registrar status.

16. You commit to providing Registrants with customer support between Monday to Friday during normal UK business hours, unless otherwise specifically agreed in writing with your Registrant.

17. You commit to telling the CDDO Domain Management Team and your Registrants what out-of-hours support (if any) you provide for urgent changes or changes required at specific times. The CDDO Domain Management Team will determine in its sole discretion what is an urgent change.

18. You commit to acting in a professional manner when interacting with Registrants, the gov.uk Registry Operator and the CDDO Domain Management Team in relation to all .gov.uk domain names.

19. You commit to providing accessible channels for your Registrants. For example, any website for Registrants must meet the international WCAG 2.1 AA accessibility standard.

Acting on behalf of your Registrant

The .gov.uk Technical Points of Contact are responsible for the technical management of a .gov.uk domain as outlined in the Keeping your domain name secure guidance. The Technical Points of Contact must be someone from the Registrant, Registrar or IT supplier.

20. You commit to confirming in writing with the Registry Operator and CDDO Domain Management Team who the Technical Points of Contact are, or being the Technical Points of Contact for the domain and any other services you manage on their behalf, if your Registrant requests it.

21. You commit to providing the Registry Operator with accurate and complete data to support and maintain every .gov.uk domain name you manage, and allowing the Registry Operator to share this data with the CDDO Domain Management Team.

Protecting the Registrant’s domain and Registry data

22. You commit to checking all Registry data change requests meet best practice as outlined in the Keeping your domain name secure guidance.

23. You commit to providing notifications of any changes made to key contacts to the CDDO Domain Management Team and keeping WHOIS details up-to-date.

24. You commit to assessing and mitigating the risks of any suppliers you depend on to protect Registrant data.

25. You commit to providing multi-factor authentication (MFA) to Registrants if you allow them to use your domain management tools. For our purposes MFA can be done using an authenticator app, email, specific characters from a memorable word or single use backup codes.

26. You commit to using MFA when Registrar staff use any services that relate to managing a Registrant’s .gov.uk domain name or data.

27. You commit to making sure a .gov.uk domain name is made safe by following the how to stop using your .gov.uk domain name guidance when a Registrant or the CDDO Domain Management Team tells you the domain is no longer in use.

28. As the Technical Point of Contact managing email records, you commit to following guidance on securing government email for .gov.uk domains you host.

29. As the Technical Point of Contact managing domain records, you commit to being able to roll-back any changes you make for Registrants. This could be done by keeping a last known good copy of the domain name data.

30. As the Technical Point of Contact managing the Registrant’s .gov.uk zone file, you commit to sharing an up-to-date copy of your Registrant’s .gov.uk zone file with the CDDO Domain Management Team, and using the CDDO Domain Management Team’s approved mechanisms for doing so.

Handling domain name issues

31. You commit to addressing issues raised by the CDDO Domain Management Team or the Registry Operator to protect the .gov.uk domain names you manage and the .gov.uk domains namespace generally. 

32. You commit to monitoring the approved channels such that you are made aware of such issues. The approved channels may be email, web-based or instant messaging tools and in the case of an emergency, phone.

33. You commit to responding to such issues in the following timeframes:

Type of issue Initial response, including an analysis and timeframe to fix the issue Time to fix, from the issue being raised
Critically Impacting:
Widespread or entire organisation functionally disrupted and financially impacted
4 hours if you have a 24/7 support agreement with your Registrant
Or
4 business hours in all other cases
8 hours if you have a 24/7 support agreement with your Registrant
Or
1 business day in all other cases
Highly Impacting:
Part of the organisation functionally disrupted and financially impacted
24 hours if you have a 24/7 support agreement with your Registrant
Or
2 business days in all other cases
72 hours if you have a 24/7 support agreement with your Registrant
Or
3 business days in all other cases
Moderately Impacting:
Small part of the organisation functionally disrupted and financially impacted.
7 days Timeframe by agreement with the CDDO Domain Management Team
Low Impacting:
Reputation damage
7 days Timeframe by agreement with the CDDO Domain Management Team
Non-impacting Hygiene:
A configuration that if left for a period of time might create a vulnerability
7 days Timeframe by agreement with the CDDO Domain Management Team

Retaining domain records

34. You commit to maintaining all communications with Registrants in respect of their .gov.uk registrations, including the content of the registration records, and changes.

35. You commit to making this data available to the CDDO Domain Management Team and/or the Registry Operator upon request and for 2 years after any loss of your status as a .gov.uk Approved Registrar.

Updates to this page

Published 6 July 2023

Sign up for emails or print this page