When European ccTLD registries ranked cybersecurity risks, the top concern wasn’t technical — it was human.

The Top-Level Domain Threat Landscape Analysis (TLA) 2026 identified social engineering and phishing targeting registry employees as the highest-ranked combined threat across participating registry operators.

The findings show that while registries operate highly resilient technical infrastructures, cybersecurity risk lies in the human and organisational layers surrounding them.

The top 5 of the highest-ranked risks

• Human-centric attacks (social engineering & phishing) ranked highest when combining likelihood and potential impact
• Domain Management System compromise was assessed as less likely, but potentially severe in operational and regulatory impact
• Persistent infiltration by sophisticated threat actors reflects concern over long-term, covert operations rather than isolated events
• Cyber incidents affecting critical suppliers highlight ecosystem and supply-chain dependencies
• Legacy systems and inconsistent security discipline were identified as sources of accumulated structural risk

The findings show that risk for ccTLD registries is not driven by weaknesses in core DNS technology. Instead, registries recognise that risk increasingly arises from people, processes, and interconnected ecosystems.

Using an all-hazard methodology, registries evaluated 28 potential threat scenarios, assessing both likelihood and potential impact across operational, financial, regulatory, and reputational dimensions. This provides a shared benchmark to help prioritise security efforts and support NIS2-aligned governance.

The full report is available to all TLD ISAC Members and CENTR full members who contributed to the survey.