Compliance Requirements for LIRs

Operating as a Local Internet Registry (LIR) with RIPE NCC comes with significant responsibilities and compliance obligations. Understanding and meeting these requirements is essential for maintaining your membership in good standing, avoiding penalties, and ensuring the integrity of the Internet number resource system. This comprehensive guide covers all aspects of LIR compliance.

Why Compliance Matters

Protecting the Internet Resource System

Compliance requirements exist to ensure:

• Accurate registration data for security, routing, and network operations
• Fair resource distribution based on demonstrated need
• Prevention of resource hoarding or speculation
• Accountability in the Internet number resource system
• Global coordination of IP addressing and ASN assignments

Consequences of Non-Compliance

Failure to meet compliance requirements can result in:

• Formal warnings from RIPE NCC
• Additional audits and scrutiny
• Resource recovery - RIPE NCC reclaiming allocated resources
• Membership suspension or termination
• Financial penalties or fee adjustments
• Reputational damage within the networking community
• Legal liability in some cases

Benefits of Strong Compliance

Organizations maintaining excellent compliance enjoy:

• Smooth resource request processes
• Minimal audit disruption
• Strong standing in the community
• Reduced administrative burden
• Better relationship with RIPE NCC
• Lower risk of operational issues

Legal and Contractual Obligations

RIPE NCC LIR Account Agreement

When you become an LIR, you enter into a legal agreement with RIPE NCC that establishes:

Your Obligations:

• Adhere to RIPE policies and procedures
• Maintain accurate registration data
• Pay membership fees on time
• Respond to RIPE NCC requests and audits
• Follow proper resource management practices
• Maintain appropriate organizational capacity

RIPE NCC's Obligations:

• Provide membership services
• Allocate IP resources according to policy
• Offer support and training
• Maintain infrastructure and databases
• Conduct fair and transparent operations

Key Agreement Terms:

Duration:

• Annual renewable membership
• 30-day notice required for termination
• Obligations continue until formal closure

Financial Terms:

• Annual membership fee (€1,800 for 2025)
• Per-resource fees (ASNs, PI sponsorships)
• Payment due within 30 days of invoice
• Late payment consequences

Data Protection:

• GDPR compliance for EU organizations
• Personal data handling
• Privacy requirements
• Data retention policies

Liability and Indemnification:

• Limited liability provisions
• Indemnification clauses
• Dispute resolution procedures

RIPE Policy Framework

RIPE policies are developed through an open, bottom-up process involving the Internet community. As an LIR, you must comply with all current policies, which cover:

Resource Allocation Policies:

• IPv4 allocation and assignment rules
• IPv6 allocation and assignment policies
• ASN assignment criteria
• Resource transfer regulations
• Recovery of unused resources

Database Policies:

• Registration requirements
• Data accuracy standards
• Abuse contact obligations
• Privacy and data protection

Operational Policies:

• LIR membership requirements
• Contractual relationships
• Fee structures
• Audit procedures

Important Note: RIPE policies can change through the policy development process. LIRs must stay informed about policy proposals and adapt to policy updates.

Database Registration Requirements

Maintaining accurate data in the RIPE Database is one of the most critical compliance obligations.

Mandatory Registration Data

For each resource you hold or assign, you must register:

Organization Information:

• Legal organization name (exactly as registered)
• Organization type (LIR, OTHER, etc.)
• Registered business address (not P.O. boxes)
• Country of legal registration
• Official registration numbers or identifiers

Contact Information:

• Administrative contact (admin-c)
• Technical contact (tech-c)
• Abuse contact (abuse-c) - mandatory and validated
• All contacts must be reachable and responsive

Resource Details:

• IP address ranges (inetnum/inet6num objects)
• Network names and descriptions
• Status codes (ALLOCATED, ASSIGNED PA, etc.)
• Country where resources are used
• Organization links

Routing Information:

• ASN details (aut-num objects)
• Routing policy information
• BGP configuration data
• Peering relationships

Data Accuracy Standards

Timeliness:

• Update database within a reasonable time after changes occur
• Best practice: Update within 7 days of any change
• Critical changes (abuse contact): Update immediately
• Regular reviews recommended (monthly or quarterly)

Completeness:

• All mandatory fields must be populated
• Optional but relevant fields should be included
• Descriptive information should be meaningful
• Contact details must be complete and functional

Accuracy:

• Information must reflect current reality
• No placeholder or dummy data
• Addresses must be genuine locations
• Contact emails must be monitored
• Phone numbers must be reachable

Consistency:

• Information across related objects must align
• Internal records should match database entries
• Updates should maintain referential integrity

Prohibited Database Practices

Violations that trigger enforcement:

Inaccurate Information:

• Fake organization names or addresses
• Non-existent contact information
• Misleading descriptions
• Incorrect country codes

Unresponsive Contacts:

• Abuse contacts that don't respond
• Bouncing email addresses
• Disconnected phone numbers
• Contacts that refuse to cooperate

Incomplete Registration:

• Missing mandatory fields
• Placeholder text instead of real data
• Partial or vague information

Data Protection Violations:

• Publishing personal data improperly
• Violating GDPR requirements
• Failing to handle requests for data correction

Abuse Contact Requirements

The abuse contact (abuse-c) is particularly critical for compliance.

What is an Abuse Contact?

The abuse contact is a designated role or person who:

• Receives and handles abuse reports
• Responds to security incidents
• Addresses spam, hacking, or malicious activity
• Coordinates with law enforcement if needed
• Takes action to resolve abuse issues

Mandatory Requirements

1. Abuse Contact Must Exist:

• Every allocated or assigned resource must have an abuse-c attribute
• Applies to both IPv4 and IPv6 allocations/assignments
• Required for all LIR resources

2. Abuse Contact Must Be Reachable:

• Valid, monitored email address (abuse@yourdomain.com typical)
• Must not bounce or auto-reject
• Must accept external email (not just internal)

3. Abuse Contact Must Be Responsive:

• Respond to abuse reports within 24 hours (best practice)
• Take appropriate action on valid reports
• Provide substantive responses, not just acknowledgments
• Maintain response records

4. Abuse Contact Must Be Validated:

• RIPE NCC periodically tests abuse contacts
• Validation failures trigger compliance procedures
• Must confirm receipt and handling capability

Abuse Validation Process

Regular Validation: RIPE NCC sends test messages to abuse contacts to verify:

• Email deliverability
• Human monitoring (not just auto-responders)
• Appropriate response capability
• English language handling (though responses can be in any language)

Validation Failure Consequences:

1. First failure: Warning notification
2. Second failure: Escalated warning with deadline
3. Continued failure: Compliance audit
4. Persistent failure: Potential resource recovery

How to Pass Validation:

• Monitor abuse mailbox daily
• Respond to all messages promptly
• Demonstrate understanding of the report
• Show willingness to investigate and act
• Maintain professional communication

Best Practices for Abuse Handling

1. Dedicated Abuse Team or Role:

• Assign specific personnel to abuse handling
• Provide training on abuse response
• Establish escalation procedures
• Document processes

2. Rapid Response:

• Target response time: Under 24 hours
• Acknowledge receipt immediately
• Investigate claims thoroughly
• Take appropriate action
• Follow up with reporter

3. Documentation:

• Log all abuse reports received
• Record actions taken
• Maintain evidence of investigations
• Track trends and patterns

4. Automation Where Appropriate:

• Auto-acknowledgment of receipt (but follow up manually)
• Ticketing systems for tracking
• Integration with monitoring tools
• Reporting and analytics

5. Proactive Measures:

• Monitor your networks for abuse
• Implement security best practices
• Educate customers about acceptable use
• Take action before external reports

Resource Usage and Justification

LIRs must use allocated resources according to RIPE policies and provide justification for requests.

Proper Resource Usage

IPv4 Allocations:

• Must be used for legitimate networking purposes
• Can be used for own infrastructure
• Can be assigned to customers with proper justification
• Cannot be warehoused or hoarded
• Subject to 2-year transfer restriction for new allocations

IPv6 Allocations:

• Abundant space should be used generously
• Implement dual-stack where possible
• Encourage IPv6 adoption
• Document addressing plans
• Can expand allocations based on growth

ASN Assignments:

• Must be used for active BGP routing
• Require unique routing policy
• Need at least one external peering
• Cannot be reserved without use

Assignment Documentation

When assigning resources to customers or infrastructure, document:

Customer Assignments:

• Organization details
• Justification for address space size
• Intended usage
• Assignment date
• Contract or service agreement references

Infrastructure Assignments:

• Network purpose and design
• Equipment and service details
• Growth projections
• Technical architecture

Retention:

• Keep documentation for duration of assignment plus 3 years
• Make available during audits
• Organize for easy retrieval
• Protect confidential customer information

Demonstrating Efficient Utilization

For Additional Resources: When requesting more space, show:

• Current allocation is 50%+ utilized (IPv6) or 80%+ (IPv4)
• Detailed addressing plan
• Growth projections with evidence
• Efficient addressing practices
• No large blocks of unused space

Efficiency Criteria:

• Assignments match demonstrated need
• Minimal waste or unused space
• Appropriate subnet sizes
• Aggregation where possible
• Long-term planning evident

Audit Procedures and Response

RIPE NCC conducts audits to verify compliance. Understanding and preparing for audits is essential.

Types of Audits

1. Registration Data Accuracy Audits:

• Verify database information is correct
• Check contact reachability
• Validate organization details
• Review resource registrations

2. Resource Utilization Audits:

• Examine how resources are being used
• Verify assignments match justifications
• Check for unused or under-utilized space
• Review assignment documentation

3. Abuse Contact Validation:

• Test abuse contact responsiveness
• Verify proper abuse handling
• Check compliance with requirements

4. Targeted Audits:

• Triggered by complaints or issues
• Focus on specific concerns
• May be unannounced
• Higher scrutiny level

5. Random Sampling:

• Periodic checks of LIR compliance
• Part of routine oversight
• Not triggered by specific issues

Audit Notification and Timeline

Initial Notification:

• Sent via email and LIR Portal
• Specifies information requested
• Provides response deadline (typically 2-4 weeks)
• Includes RIPE NCC contact for questions

Response Period:

• Usually 14-28 days to respond
• Extensions possible with justification
• Earlier response appreciated
• Non-response triggers escalation

Evaluation Period:

• RIPE NCC reviews submission (1-3 weeks)
• May request clarifications
• Provides findings report
• Identifies any issues

Remediation Period:

• If issues found, given time to correct (typically 30 days)
• Must demonstrate corrective actions
• Follow-up verification
• Close-out when resolved

What RIPE NCC Requests in Audits

Common Audit Requests:

Database Accuracy Verification:

• Confirm organization information is correct
• Verify contact persons are reachable
• Validate business address is accurate
• Confirm resources are properly registered

Resource Usage Documentation:

• Assignment records for customer allocations
• Justification for address space requests
• Evidence of resource utilization
• Network diagrams or topology information
• Customer contracts or service agreements

Policy Compliance Checks:

• Confirmation of proper assignment practices
• Evidence of needs-based allocation
• Verification of proper status codes
• Review of transfer or sub-allocation practices

Abuse Handling Evidence:

• Abuse contact monitoring procedures
• Examples of abuse report handling
• Response time metrics
• Corrective action documentation

How to Respond to Audits

Step 1: Acknowledge Receipt

• Confirm you received the audit request
• Indicate you're preparing response
• Ask for clarification if anything is unclear
• Request extension if absolutely necessary

Step 2: Gather Information

• Collect all requested documentation
• Review database entries for accuracy
• Prepare explanations for any discrepancies
• Organize materials systematically

Step 3: Review and Verify

• Double-check all information before submitting
• Ensure accuracy and completeness
• Verify documents are current
• Remove sensitive customer data if appropriate

Step 4: Submit Response

• Send through LIR Portal or email as instructed
• Include all requested materials
• Provide clear explanations
• Submit before deadline

Step 5: Address Findings

• Review RIPE NCC's findings carefully
• Correct any identified issues promptly
• Update database as needed
• Implement process improvements
• Confirm completion of corrective actions

Audit Best Practices

Proactive Preparation:

• Conduct self-audits quarterly
• Maintain organized documentation
• Keep database current at all times
• Review compliance regularly

During Audit:

• Respond promptly and professionally
• Provide complete information
• Be honest about any issues
• Ask questions if unsure
• Maintain clear communication

After Audit:

• Implement recommended improvements
• Update procedures to prevent recurrence
• Document lessons learned
• Thank RIPE NCC for feedback

Financial Compliance

Meeting financial obligations is essential for maintaining membership.

Payment Requirements

Annual Membership Fee:

• Currently €1,800 (2025)
• Due within 30 days of invoice date
• Pro-rated for new members
• Billed annually

Per-Resource Fees:

• ASN assignments: €50/year each
• PI sponsorships: €75/year each
• Billed separately or with membership

Late Payment Consequences:

1. Payment overdue: Reminder notices
2. 30 days late: Service warnings
3. 60 days late: Service suspension threat
4. 90+ days late: Membership termination proceedings

Maintaining Good Financial Standing

Best Practices:

• Set up payment reminders
• Use automatic payment methods if available
• Keep billing contact information current
• Review invoices promptly for accuracy
• Budget for annual fees in advance
• Maintain backup payment methods

If Facing Payment Difficulties:

• Contact RIPE NCC immediately
• Discuss payment plan options
• Don't let account go delinquent
• Maintain communication
• Resolve issues before they escalate

Staying Compliant: Ongoing Requirements

Regular Maintenance Tasks

Daily:

• Monitor abuse contact email
• Address urgent abuse reports
• Check for critical notifications

Weekly:

• Review LIR Portal notifications
• Process resource requests
• Update database for any changes
• Handle routine tickets

Monthly:

• Review all database objects for accuracy
• Verify contact information is current
• Check resource utilization
• Review abuse handling metrics
• Update internal documentation

Quarterly:

• Conduct comprehensive self-audit
• Review compliance with all policies
• Test abuse contact processes
• Train staff on any policy changes
• Update procedures as needed

Annually:

• Complete financial payments on time
• Review all resources and assignments
• Update organization information
• Assess need for additional resources
• Strategic compliance planning

Staying Informed

Policy Changes:

• Subscribe to RIPE policy announcement mailing lists
• Attend RIPE meetings (virtual or in-person)
• Review policy proposals affecting LIRs
• Participate in policy discussions if relevant
• Update internal procedures when policies change

RIPE NCC Communications:

• Read announcements from RIPE NCC
• Monitor LIR Portal notifications
• Attend member webinars and training
• Review RIPE Labs articles
• Follow official RIPE NCC channels

Training and Education

Maintaining Expertise:

• Ensure staff understand current policies
• Take advantage of free RIPE NCC training
• Pursue RIPE NCC certifications
• Cross-train multiple staff members
• Document procedures and knowledge

Topics to Master:

• RIPE policy framework
• Database management
• Resource allocation principles
• Abuse handling
• Audit procedures
• Financial obligations

Consequences of Non-Compliance

Escalation Ladder

Level 1: Informal Reminders

• Email notifications about issues
• Requests to correct problems
• No formal consequences yet
• Opportunity to resolve quickly

Level 2: Formal Warnings

• Official compliance notices
• Specific issues identified
• Deadlines for correction
• Documented in your account

Level 3: Enhanced Scrutiny

• More frequent audits
• Additional reporting requirements
• Restrictions on new resource requests
• Escalated management attention

Level 4: Service Restrictions

• Hold on new resource allocations
• Suspension of some member services
• Required compliance plan
• Executive level engagement

Level 5: Resource Recovery

• RIPE NCC reclaims non-compliant resources
• Particularly unused or improperly used allocations
• Formal process with appeal rights
• Significant operational impact

Level 6: Membership Termination

• Closure of LIR account
• Loss of all associated benefits
• Potential loss of resources
• Reputation damage
• Difficulty becoming LIR again

Appeal and Dispute Resolution

If you disagree with RIPE NCC compliance decisions:

Internal Review:

• Request clarification from RIPE NCC
• Provide additional context or information
• Discuss with different staff member
• Seek informal resolution

Formal Appeal:

• Submit written appeal through proper channels
• Include all relevant evidence
• State your case clearly
• Request specific relief

Arbitration:

• Last resort for unresolved disputes
• Defined in membership agreement
• Neutral third-party review
• Binding resolution

Best Practices for Excellent Compliance

1. Proactive Management

• Don't wait for audits to check compliance
• Conduct regular self-assessments
• Fix issues before they're identified externally
• Maintain continuous compliance, not just during audits

2. Documentation Excellence

• Keep detailed records of all assignments
• Document justifications thoroughly
• Maintain audit trails of changes
• Organize for easy retrieval

3. Process and Procedures

• Develop written compliance procedures
• Train staff on processes
• Review and update procedures regularly
• Ensure consistency across team

4. Technology and Automation

• Use IPAM tools to track resources
• Automate database updates where possible
• Implement monitoring and alerting
• Maintain accuracy through systems

5. Communication and Responsiveness

• Respond promptly to RIPE NCC requests
• Maintain professional relationships
• Be transparent about challenges
• Ask for help when needed

6. Continuous Improvement

• Learn from audits and feedback
• Implement suggested improvements
• Share best practices within your organization
• Stay ahead of compliance trends

Getting Compliance Help

RIPE NCC Support

• Guidance on policy interpretation
• Compliance questions answered
• Audit preparation assistance
• Training and resources

Professional Services

Via-Registry offers compliance support including:

• Compliance audits and assessments
• Database management services
• Audit response assistance
• Training and consultation
• Ongoing compliance monitoring

Whether you need occasional guidance or comprehensive compliance management, expert help is available.

For more information about LIR operations and requirements, see our guide: Becoming a RIPE LIR: Setup & Management.

Conclusion

Compliance is not just about avoiding penalties – it's about being a responsible member of the Internet community and ensuring the integrity of the global IP address system. By understanding and meeting your obligations as an LIR, you contribute to the stable operation of Internet infrastructure while protecting your organization's resources and reputation.

Key compliance pillars:

• Accurate, current database registration
• Responsive, effective abuse handling
• Proper resource usage and documentation
• Timely financial obligations
• Proactive audit preparedness
• Continuous monitoring and improvement

With solid processes, appropriate tools, trained staff, and proactive management, compliance becomes a routine part of operations rather than a source of stress. Invest in compliance excellence, and you'll enjoy smooth operations, strong RIPE NCC relationships, and peace of mind.

---

Sources:

• RIPE NCC LIR Account Agreement: https://www.ripe.net/about-us/legal/ripe-ncc-lir-account-agreement/
• Requirements for End User Assignment Agreement: https://www.ripe.net/manage-ips-and-asns/resource-management/number-resources/independent-resources/requirements/
• Contractual Requirements for PI Resource Holders: https://www.ripe.net/publications/docs/ripe-637/
• RIPE NCC Audit Activity Procedures: Various RIPE procedural documents

Last updated: [Date will be set automatically]