Skip to main content

Cooperation Working Group Minutes RIPE 92

Wednesday, 20 May 2026, 11:00 - 12:30 (UTC+1)
Scribe: Kjerstin Burdiek
Chairs: Johan (Julf) Helsingius, Desiree Miloshevic and Achilleas Kemos (online)
Status: Draft

View the session recordings

Read the stenography transcript

1. Welcome

Desiree introduced the agenda. Julf noted the minutes from RIPE 91 were approved. Julf announced this would be his last meeting as chair as he would be stepping down after 10 years. There would be a call for volunteers to fill his chair on the mailing list after this meeting.

The recording is available at:
https://ripe92.ripe.net/programme/meeting-plan/sessions/88/MHATX3/

2. Survival Tools for Internet Resilience (or) Where Does the Policy Step In

Eliza Rohotska, Attorneys Association “Axon”

The recording is available at:
https://ripe92.ripe.net/programme/meeting-plan/sessions/88/8CJ398/

Eliza presented about the impact of policy on Internet resilience in Ukraine. She noted that policy can either be beneficial or problematic depending on how it is used. In Ukraine, a key feature of Internet resilience had been decentralisation, thanks to the large number of ISPs, most of which were individual entrepreneurs rather than legal entities. However, changes in policy had now made it more difficult for these individual providers to continue. For instance, the government had passed Order 424, which required providers to ensure full provision of their services for at least three days. This was a big challenge for smaller providers as it required a significant number of resources, including expensive equipment. Staffing was also a challenge, as legal entities were considered critical infrastructure and had the right to reserve some staff from the military draft, but individual enterprises did not. At the same time, taxes on operators had increased. And international laws such as NIS2 also had an impact, as the Ukrainian government updated its cybersecurity legislation to include the requirements of this directive. This placed more administrative burdens on operators, which affected smaller ISPs more heavily. Due to all of these factors, many smaller ISPs had ceased operations. So while the increased legal requirements were intended to strengthen network operations, they had the effect of limiting resilience by centralising operations into larger ISPs. It was therefore important to adapt European legislation for wartime realities in the country to protect smaller operators and decentralisation generally.

Nataly Byelous, RETN, praised Ukraine’s example of network resilience, including how the country had kept other countries connected by continuing to support international traffic. She encouraged members of the WG to look into the Keep Ukraine Connected initiative and donate equipment if possible.

Alistair Woodman, representing several open-source projects, said he had reached out to the European Commission about their regulation. On one hand, companies wanted to avoid being regulated. On the other hand, the effects of AI showed regulation was not strong enough. Regulators were accustomed to having a longer time frame to work on policy, but they no longer had that time. And while they had been giving carveouts to bureaucracy, AI was a threat to that group as well, so some regulation was needed.

Eliza agreed with him on the last point but said it was necessary to take countries’ unique situations into account.

Sander Steffann, on behalf of the Keep Ukraine Connected initiative, invited Eliza to reach out if there was anything else they could do to help.

Eliza thanked him.

3. Shared Points of Failure How Widespread Vulnerabilities and Overlap Between Organisations Impacts Cyber Resilience

Martin Price and Edward Austin, Lancaster University

The recording is available at:
https://ripe92.ripe.net/programme/meeting-plan/sessions/88/T8ZNGJ/

Martin and Edward presented their research on organisations’ attack surface. They shared some External Attack Surface Mapping (EASM) tools that could be used to give the same view an attacker would see. With these tools, they located clusters of organisations sharing vulnerabilities and reported them to the UK’s National Cyber Security Centre (NCSC). Martin and Edward produced visualisations of these vulnerabilities at scale. They found that Small and Medium-sized Enterprises (SMEs) were not doing enough to patch common vulnerabilities, perhaps because they were not aware these were major threats. The NCSC wanted to use EASM data to advise SMEs on this. However, it was challenging for the NCSC to move from giving reactive advice to shaping policy as there were not enough incentives for organisations to make changes that would disrupt their operations, such as changing providers if many of them depended on the same software. EASM could possibly be used to make clear to them the severity of the problem. Martin and Edward shared an example map of the attack surface for the English government at all levels, showing the hot spots where vulnerabilities and high IP counts coincided. This meant an attacker could use one exploit to affect multiple regions, for example, if they were using the same hosting provider. Martin and Edward noted there was a heavy reliance on AWS in the UK, whereas the EU used several different providers. This could be a problem for cyber resilience in the UK. While the EU was pushing back on the use of American clouds with the EU Cloud Act, there was nothing similar yet in the UK.

Jim Reid, speaking for himself, noted that they had discussed vulnerabilities in the abstract. He suggested initially focusing on more important vulnerabilities, like processing benefits, and then moving to less significant ones, such as a local library’s website. They could ask local authorities what their most important services were and what platforms they used for them.

Martin agreed and said they were indeed looking into how to prioritise vulnerabilities.

Hisham Ibrahim, RIPE NCC, asked how they had geolocated IP addresses in their map of England’s attack surface.

Martin said the map did not show the physical location of the IP addresses, only the location of those resources’ users.

Vladislav Vodopian, GLEIF, said cloud and hosting providers were not the only potential issue for government services. The German national TLD, .de, went down because the German registry, DENIC, published incorrect DNSSEC records. So it was important to consider the functioning of the TLD as well.

Martin said this was a good point.

Ulrich Visser, ICANN, asked if using more service providers could lead to more frequent outages than relying on one.

Martin said it was at least important to be aware of this reliance.

4. What's in the Digital Networks Act and what should you do about it?

Mike Blanche, independent consultant

The recording is available at:
https://ripe92.ripe.net/programme/meeting-plan/sessions/88/UPKB9J/

Mike reviewed the contents of the Digital Networks Act, released in January 2026. Key points of the document included an overall broadening of regulation in this area, mechanisms for intersector cooperation, the development of a single regulatory framework for cloud, content and application providers, weakened net neutrality rules and guidelines for IP interconnection. Mike said that the Act lacked sufficient definitions in its justification, therefore not establishing clear boundaries for its scope. While the Act’s stated objective was reinforcing competition, enabling innovation and facilitating cooperation, Mike said that the real result was a dilution of open Internet provisions, to the benefit primarily of big telecom companies. The Act brought any network providing digital or online content into scope, not just telecom operators. This meant increased obligations for entities as diverse as service providers, CAPs, software and AI developers and equipment manufacturers. The Act also called for a voluntary conciliation procedure, which Mike stated might lead to more disputes than the current ad-hoc resolution methods. The Act also contained language that framed peers as liable for the business models of the third parties they interconnected with, depending on how they impacted traffic. Mike encouraged people to respond to the European Commissions’ consultation on this, work with other organisations and give feedback on the Act to their local and national representatives.

Greg Choules, ISC, noted how expansive the policy was.

Blake Willis, on behalf of himself, asked if the European Commission intended for BEREC or some other organisation to be the primary enforcer of the Act.

Mike said BEREC or national regulators would enforce the Act. The regulation also called for the creation of the Office for Digital Networks, linked to BEREC. Enforcement by national regulators could lead to different implementation due to different views, potentially resulting in forum shopping to resolve disputes.

Blake asked if the phrase “digital single market” appeared in this regulation, as that should imply the opposite result.

Mike said it did, and there were proposals for regulatory harmonisation.

Harald Summa, speaking for himself, said he had once attended a roundtable with Thierry Breton, the main champion of this Act, and it had been clear that Thierry’s goal was having five incumbent carriers in Europe. The RIPE community should have been more involved in lobbying about this legislation and for a better Internet in general.

Mike said data had shown Thierry Breton had met with large European incumbent telecom companies more than other stakeholders, although the reason why was not established.

Jim Reid, speaking for himself, thanked him for the summary. He noted that forum shopping had also happened previously in relation to the NIS directives and data protection directives, and it would likely happen again. He asked what was happening in the UK in this area.

Mike said the UK was facing its own challenges. He noted that it was unclear why the regulation was expanding so much in scope when there was no market failure to address.

Danko Jevtovic, RNIDS, said he had been involved in discussions at the European Commission about domain names. At the time, the discussion had also included how the Commission could regulate root servers, but they lacked a full understanding of these. He said they seemed very quick to jump to regulation. This presentation was a warning for the community that they needed to get more involved, or else the Commission would rely on their own experts, most of whom were from telecom companies. Commission members did not understand how TCP/IP brought free interconnection to the Internet.

5. RIPE NCC Engagements in Public Policy and Internet Governance

Hisham Ibrahim, RIPE NCC

The recording is available at:
https://ripe92.ripe.net/programme/meeting-plan/sessions/88/A7BPZT/

Hisham gave an update on the RIPE NCC’s activities in the Internet governance space. After a busy year in 2025 with WSIS+20 and the IGF, one big event the RIPE NCC was preparing for in 2026 was the ITU’s Plenipotentiary Conference. Hisham explained how the RIPE NCC carried out external engagement through sharing data and reports, conducting learning activities, creating dialogues with the community and building resilience to regulatory changes. In particular, the RIPE NCC had interacted with the ITU, including signing a joint IPv6 declaration with the ITU-D. They had also engaged with the EU on the International Digital Strategy, the NIS2 simplification and the Cybersecurity Act revision. The RIPE NCC had also participated in the Internet Standards Deployment Multistakeholder Forum that was recently launched by the European Commission. And they had engaged with governments directly by hosting regional roundtables in the EU, South East Europe and the Middle East, as well as by hosting meetings with ministers in Central Asia and the Caucasus. In general, they customised their approach for each government and their needs. They had also signed Memoranda of Understanding with several countries and various intergovernmental organisations, as well as with Europol as part of their expanded engagement with Law Enforcement Authorities. Hisham noted that the RIPE NCC was the secretariat for the RIPE community and encouraged the WG to reach out to the RIPE NCC for support on topics they felt needed more discussion.

Maria Häll, of the Swedish University Network, thanked the presenters and praised the WG co-chairs, and she thanked the RIPE NCC for their work. She noted how important engagement was, especially in light of the points made in other presentations about the potentially negative effects of even well-intentioned regulation. She stressed the need to increase capacity-building and outreach as well.

Victoria Risk, ISC, thanked Hisham and noted that the ICANN SSAC had put together a WG to write a document for regulators to explain the technical operation of DNS and the important role of open source on the Internet. She recommended a related slide deck they had also put together about this in case anyone in the WG wanted to share it with regulators.

6. AOB

Working Group Chairs

Jim Reid, unaffiliated, thanked Julf for his time as co-chair.

Desiree thanked attendees, closed the meeting and reminded attendees to rate the talks.