Draft Policy ARIN-2025-4

Skip to main text Jump to related content

Resource Issuance to Natural Persons

Status: Under Discussion
Shepherds: Elizabeth Goodson, Doug Camin

Current Text (20 May 2025)

Problem Statement:

ARIN policies currently restrict the issuance of number resources to organizations. This limits access for individuals who are running networks under their own legal name, especially in regions where forming or registering a business is not required or feasible. Other RIRs such as RIPE NCC allow individuals to receive resources directly. ARIN should consider similar flexibility to ensure equal and consistent access to Internet number resources for all operators, regardless of legal structure.

Policy Statement:

This proposal introduces explicit policy text into the NRPM to allow number resource issuance to natural persons (individuals) who provide valid justification and identity verification.

Amend NRPM Section 2 to add the following definition:

2.18 Organization

An organization is a company, corporation, partnership, sole proprietorship, government agency, non-profit entity, educational institution, or a natural person acting in a capacity consistent with operating a network and who meets ARIN’s resource eligibility criteria.

Comments: Sections 4.2, 5.1, and 6.5 shall be interpreted to allow “organizations” as newly defined in Section 2.12, thereby including individuals where appropriate.

Staff may develop identity verification and residency requirements appropriate to individuals (e.g., government-issued photo ID and proof of address).

All resource justification, utilization, and RSA signing requirements remain unchanged.

There has been extensive discussion of this topic on the ARIN Public Policy Mailing List (PPML) in April 2025. Participants have cited inconsistencies and barriers created by reliance on state-level business registries, and called for more inclusive eligibility mechanisms similar to other RIR regions. The proposal addresses these concerns while maintaining accountability and justification requirements.

Timetable for Implementation: Recommend implementation within 3–6 months of ratification to allow ARIN staff and legal counsel to develop supporting processes.

Anything Else: This proposal does not reduce the level of justification required to obtain resources, but merely expands eligibility to natural persons who operate networks and meet all existing technical and usage criteria.

Staff Understanding: Staff understands that the intent of this policy is to minimize the administrative hurdles that individuals face when obtaining number resources and related services from ARIN.

As written, the policy would add a new definition to section 2 for “Organization”. The new definition would define the term Organization to encompass both its commonly understood meaning and additionally would include a “natural person” (in their capacity of operating a network and who meets ARIN’s resource eligibility criteria.) While ARIN currently serves individuals operating as a business, the change is intended to allow natural persons to obtain number resources and associated services from ARIN without any business construct (i.e., sole proprietorship, LLC, etc.).

ARIN presently provides Internet number resources and associated services to natural persons but requires such individuals to operate as a legally recognized business, such as a sole proprietor, DBA, LLC, freelancer, or professional corporation. ARIN was formed in 1997 as a membership organization to provide registry services to organizations within its region and has operated on a business-facing (B2B) model (serving ISPs, enterprises, and a variety of other organizations) since that time.

ARIN presently does provide number resources and related services to individuals who intend to operate Internet network infrastructure and who meet ARIN’s resource eligibility criteria; but ARIN accommodates these requests by directing the requester to first establish a legally recognized business, such as a sole proprietor, DBA, LLC, or corporation. (See ARIN Blog post “Can I request Internet number resources as an individual?”) Doing so allows clear compliance with existing NRPM policy that references “Organizations” and maintains ARIN as an entity that operates in a business-to-business service model.

Section 2.2.2.3 of the ARIN Policy Development Process (PDP) states, in part: “… A Policy Proposal may not define the specific processes by which the Policy Proposal will be implemented by ARIN staff, nor may it define or establish services offered by ARIN, or the fees charged by ARIN for its services. To suggest changes to ARIN processes, fees, or services, members of the Internet community may participate in ARIN’s Consultation and Suggestion Process (ACSP).”

The reformulation of Organization to include the addition of “natural persons” represents a substantive change to ARIN’s current service model, as it would redefine that scope of ARIN’s customer base. ARIN’s General Counsel noted to the ARIN AC that such a change was likely outside of the scope of the ARIN PDP and that expanding ARIN’s customer community to directly include natural persons could have potential implications for how ARIN is treated under law and regulation. While the potential organizational implications for directly serving individuals can be assessed by ARIN staff during the course of policy development, General Counsel further suggested that the change might be better suited for the ARIN Consultation and Suggestion Process (ACSP). The ARIN AC did adopt the proposal as a draft policy, and ARIN staff suggested that a staff and legal review be requested by the ARIN AC immediately given the potential for significant organizational implications resulting from the change. This initial staff and legal review is being provided to inform the current policy development effort with full knowledge that a complete assessment may require both additional policy language clarifications and further legal work as noted below.

Implementable as Written?: No. The redefinition of Organization in a manner contrary to both the common usage of the term and existing usage in NRPM does not provide adequate clarity regarding how natural persons requesting number resources are to be treated in policy going forward. The draft policy includes a comment to the effect that Sections 4.2, 5.1, and 6.5 shall be interpreted to allow use by natural persons, but there are many other usages of term Organization in the NRPM thus leaving numerous policy sections (3, 4.10, 8.2, 8.3, 9, etc.) whose applicability to natural persons would be left indeterminate by the draft policy text. In addition, the legal/regulatory analysis necessary to more fully determine implications of the draft policy – if adopted – will also be considered by external parties (e.g. legal/financial/insurance/tax advisors, governmental authorities/regulators) for whom the term “Organization” will lack sufficient clarity and risk misinterpretation if the term recast as proposed to incorporate natural persons. Staff recommends that the draft policy be expanded to more clearly define the portions of existing number resource policy that would or would not be applicable to natural persons, if adopted.

Impact on ARIN Registry Operations and Services: The draft policy would represent a significant change to current ARIN services and operations.

Legal Review: Draft Policy 2025-4 proposes that ARIN issue Internet number resources directly to natural persons/individual customers. Historically, ARIN has issued such resources only to legal, business entities with an established operation and appropriate justification, including sole proprietorships. The proposed change would shift ARIN’s operational model from business-to-business (B2B) to one that would include business-to-consumer (B2C) relationships.

This type of change to ARIN’s operations would necessarily involve a substantial number of legal and operational issues as well as a long implementation timeline given the number of issues that would need to be resolved. There would also need to be a review and likely updates to most, if not all, of ARIN’s service terms, agreements, and applicable operational policies and communication materials.

Several other significant legal considerations that will arise if this proposal is adopted include, but are not limited to, the following:

  1. Consumer Protection Laws Compliance

    Transacting directly with individuals would likely subject ARIN to consumer protection laws at multiple levels (federal, state/provincial) that are generally not applicable to commercial, B2B relationships. These laws may impose additional compliance obligations, limit enforceability of standard contract provisions, and increase the potential for regulatory scrutiny.

  2. Insurance Implications

    ARIN’s existing insurance coverage and strategy does not fully address liabilities arising from individual consumer transactions. A shift toward a model that includes B2C interactions could necessitate changes to current policies or procurement of additional coverage which would likely result in higher overall insurance costs.

  3. Tax and Financial Compliance

    A B2C model is likely to give rise to new tax obligations and reporting requirements depending on the jurisdiction, as ARIN has relied upon treatment as a business providing B2B services. As a business directly serving natural persons, it is likely that ARIN would have to undertake corresponding operational adjustments in billing, accounting, and customer classification, including the collecting and remitting of sales taxes that may become applicable as a result. This shift would introduce significant administrative overhead and potential audit exposure. It could also subject ARIN to other international tax regimes (e.g., EU VAT, U.S. state-level nexus laws), expanding its compliance burden across multiple jurisdictions.

  4. Data Privacy Obligations

    Interacting with individuals will likely require enhanced data privacy compliance, including revisions to ARIN’s privacy policies and procedures to address personal data rights and protections under applicable laws. Currently, ARIN deals with businesses which are publicly known, and these organizations provide business information including business point of contact information necessary for registry operation; and thus, a change to directly serving individuals carries significant risk as a result of the significant expansion of the regulatory regimes that could become applicable to ARIN at the federal, state, and provincial level, and with which ARIN must remain compliant.

  5. Data Accuracy

    Directly serving natural persons as customers will increase administrative burden on ARIN due to the increased need for verification of natural persons, some of which is presently accomplished by public authorities in the course of business entity registration; and it may reduce the overall reliability and verifiability of public contact data, which is foundational to ARIN’s registry function.

  6. Liability and Enforcement

    Individual customers may present greater risk to ARIN in terms of non-performance, limited recourse in the event of breach, and overall enforceability of ARIN’s terms of service. Individuals are also less likely than businesses to have assets available to satisfy liabilities to ARIN; and further, individuals present a greater challenge and risk in terms of pursuing any legal claim.

If adopted, ARIN 2025-4 would materially alter ARIN’s risk profile by introducing consumer-facing obligations and exposures. While the policy’s intent looks to simply enhance inclusivity, it is a very complex proposal that proposes changing the nature of services that ARIN offers, with corresponding changes to how ARIN is treated in multiple legal, tax, regulatory regimes. Proper implementation will require significant investment to determine the full extent of the legal, operational, and compliance adaptations necessary, as well as determining resulting implementation cost. A further, in-depth review of the final policy text would be necessary prior to implementation, including analysis of contract, insurance, tax, data privacy, compliance, and any other applicable impacts.

Implementation Timeframe Estimate: Minimum 1 year pending further evaluation

Implementation Requirements: (Initial assessment)

  • Staff Training
  • Updates to internal procedures and guidelines
  • Website, training and printed materials
  • Further discussion needed to determine scope of additional outreach and education
  • Review and implementation of tax obligations and reporting requirements
  • Updates to ARIN Online; in-depth review of requirements needed

Proposal/Draft Policy Text Assessed: 20 May 2025

History and Earlier Versions

History
Action Date
Proposal 21 April 2025
Draft Policy 20 May 2025

Advisory Council

Board of Trustees

ARIN Public Policy Meetings

Related