
How has the double proxy become the ultimate weapon of the cybersquatter?

Introduction

Over the past few years, the double proxy has established itself as one of the most formidable technical mechanisms used by professional cybersquatters. Behind the apparent technical sophistication lies a very concrete legal reality: organized opacity, intended to slow down the identification of those responsible, to neutralize takedown actions in practice and to amplify infringements of trademarks, domain names and corporate reputation.

In a context of growing organized crime, the double proxy is no longer a simple tool for anonymization. It now allows the deployment of industrial phishing, employment fraud, digital counterfeiting or identity theft campaigns, designed to resist traditional legal reaction mechanisms.

Understanding the double proxy: a cascade opacity mechanism

The double proxy is based on the successive interposition of several distinct technical intermediaries between the end user and the server effectively controlled by the attacker. In practice, the disputed domain name points to a first proxy, often operated by a CDN or reverse proxy provider, which then redirects to a second intermediary before reaching the final infrastructure.

These actors generally present themselves as mere technical providers and claim, in practice, the benefit of the hosting providers’ liability regime, subject to the legal qualification of their actual functions. The objective is clear: to sever both the legal and technical link between the unlawful content and its true operator. Each layer acts as an additional screen, making the identification of the true hosting provider and the data controller particularly complex.


Fragmentation of responsibilities and enforcement actions

Unlike a simple proxy, the double proxy is based on a voluntary segmentation of technical and legal roles, which fragments the chain of responsibility and complicates any swift and coordinated action.

In practice, the chain of intermediation follows a well-established pattern. The registrar identifies a technical point of contact and refers to a CDN provider, whose official mission is to optimize the availability and performance of content. This provider then redirects to an intermediate hosting service, which is not necessarily the actual site operator. Finally, this host relies on a hidden origin server, sometimes located outside the European Union.

Each actor then presents itself as a passive intermediary and shifts responsibility to the next link in the chain. This cascading architecture exploits the grey areas of technical intermediaries’ liability law: without formally neutralizing notice-and-takedown mechanisms, it largely deprives them of their effectiveness by diluting the actual knowledge of unlawful content and the capacity for immediate action.

Why the double proxy has become the cybersquatter’s ultimate weapon

The first effect of the double proxy is a systemic neutralization, in practice, of takedown procedures. Each service provider invokes their status as an intermediary, requires local court orders or redirects the complainant to another actor in the chain. A withdrawal request, although well-founded, then turns into a fragmented procedural journey, incompatible with the urgency of ongoing fraud.

The second effect is the acceleration of large-scale fraudulent campaigns. The double proxy allows for near-instant infrastructure recycling: when a website is suspended, content is replicated elsewhere, the domain name redirected, and the proxy chain reconfigured in minutes.

Finally, this architecture leads to a dilution of legal responsibilities. Each intermediary invokes its local compliance, or lack of actual knowledge, complicating the demonstration of bad faith, which is central to cybersquatting and domain name disputes.

Impact on rights holders

The double proxy weakens the effectiveness of trademark rights and extrajudicial mechanisms. UDRP-type procedures or blocking actions carried out with registrars lose effectiveness when fraudulent content remains accessible despite the suspension or blocking of the disputed domain name.

Each additional day during which a fraudulent website remains online generates immediate economic and reputational damage, marked by a loss of customer trust and an increased risk of personal data being misappropriated.

From an evidentiary standpoint, the double proxy greatly complicates evidence gathering. The rotation of IP addresses, limited log retention and the deliberate instability of intermediation chains make the identification of the real operator particularly challenging.

What solutions are available against double proxying?

Faced with the double proxy, the effectiveness of the response relies on a multi-level legal approach. This combines coordinated notifications to the registrars, CDN providers and hosting providers, legally qualified formal notices and, where justified, targeted extrajudicial or judicial actions. The objective is to identify, within the technical chain, the actors with a concrete capacity for intervention and to avoid the dilution of responsibilities.

Anticipation through technical evidence is decisive. The precise documentation of proxy chains, time-stamped captures of redirects, dynamic DNS analysis and rapid preservation of technical elements make it possible to establish the actual role of each intermediary and to effectively contest the classification as a purely passive intermediary.
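One way to keep such documentation, shown here as an added example that is not part of the original article: each captured artefact (a DNS answer, the raw response head of every redirect hop) is time-stamped, hashed and chained to the previous record, so that a later alteration or a missing record is detectable. The host names, record layout and sample captures are constructed for illustration, and collecting the captures is assumed to be done by the investigator's own tooling.

```python
import hashlib
import json
from datetime import datetime, timezone
from urllib.parse import urljoin, urlsplit

GENESIS = "0" * 64  # prev_hash value of the first record
REDIRECT_CODES = (301, 302, 303, 307, 308)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def append_record(log, kind, subject, raw, observed_at=None):
    """Append one observation; its hash covers the previous record's hash."""
    record = {
        "seq": len(log),
        "kind": kind,            # "dns" or "http"
        "subject": subject,      # name queried or URL requested
        "observed_at": observed_at or datetime.now(timezone.utc).isoformat(),
        "raw_sha256": sha256_hex(raw),   # digest of the capture kept on disk
        "prev_hash": log[-1]["record_hash"] if log else GENESIS,
    }
    record["record_hash"] = sha256_hex(json.dumps(record, sort_keys=True).encode())
    log.append(record)
    return record


def verify_log(log):
    """True only if no record was edited, removed or reordered."""
    prev = GENESIS
    for seq, record in enumerate(log):
        body = {k: v for k, v in record.items() if k != "record_hash"}
        expected = sha256_hex(json.dumps(body, sort_keys=True).encode())
        if (record["seq"] != seq or record["prev_hash"] != prev
                or record.get("record_hash") != expected):
            return False
        prev = record["record_hash"]
    return True


def parse_response_head(raw):
    """Return (status, lower-cased headers) from a raw HTTP response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def record_redirect_chain(log, start_url, raw_responses, observed_at=None):
    """Log every hop and return the chain as (url, host, status, server)."""
    url, hops = start_url, []
    for raw in raw_responses:
        status, headers = parse_response_head(raw)
        append_record(log, "http", url, raw, observed_at)
        hops.append({"url": url, "host": urlsplit(url).hostname,
                     "status": status, "server": headers.get("server", "")})
        if status in REDIRECT_CODES and "location" in headers:
            url = urljoin(url, headers["location"])  # resolves relative redirects
        else:
            break
    return hops


def build_sample():
    """Constructed captures: one DNS answer and a three-hop redirect chain."""
    log = []
    when = "2025-11-03T08:15:00+00:00"  # constructed capture time
    dns_answer = b"brand-login.example. 300 IN CNAME edge.cdn-one.example.\n"
    append_record(log, "dns", "brand-login.example", dns_answer, when)
    responses = [
        b"HTTP/1.1 302 Found\r\nServer: cdn-one\r\n"
        b"Location: https://gw.relay-two.example/landing\r\n\r\n",
        b"HTTP/1.1 302 Found\r\nServer: relay-two\r\nLocation: /portal/\r\n\r\n",
        b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n",
    ]
    hops = record_redirect_chain(log, "https://brand-login.example/", responses, when)
    return log, hops


if __name__ == "__main__":
    log, hops = build_sample()
    for hop in hops:
        print(hop["status"], hop["host"], hop["server"])
    print("log intact:", verify_log(log))
```

The log stores digests only; the raw captures themselves must be kept unmodified alongside it for the digests to mean anything.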

In this respect, recent case law confirms the relevance of this approach. In a judgment of October 2nd, 2025 (RG n° 24/10705) relating to a streaming fraud case, the Paris Judicial Court admitted that an infrastructure provider could be held liable as an indirect host provider, when the latter is duly notified of the illegal content and this qualification remains proportionate to its technical functions and its capacity to act.

Conclusion

The double proxy is today one of the most sophisticated and destabilizing tools of modern cybersquatting. Its impact goes well beyond technical considerations: it undermines the effectiveness of rights, the speed of remedies and user protection.

In response to this weapon, only a global strategy, combining legal expertise, technical mastery and anticipatory evidence gathering, can restore a balanced enforcement framework.

Dreyfus & Associés assists its clients in managing complex intellectual property cases, offering personalized advice and comprehensive operational support for the complete protection of intellectual property.

Dreyfus & Associés works in partnership with a global network of attorneys specializing in Intellectual Property.

Nathalie Dreyfus with the support of the entire Dreyfus team

 

Q&A

 

1. Is the use of double proxying illegal?

No. The use of a proxy, including multiple, is legally neutral in itself. It is not the technology that is unlawful, but its use. On the other hand, when double proxy is used to conceal manifestly unlawful activities, it constitutes a strong indicator of bad faith in the overall legal analysis.

2. Can an intermediary be forced to keep their logs?

In principle, not without judicial intervention. Data retention obligations are strictly regulated. On the other hand, rapid precautionary measures may be requested in order to avoid the automatic deletion of essential technical data.

3. Does the use of non-EU servers prevent any legal action?

No, but it complicates enforcement. It often requires combined actions (administrative, judicial) and more frequent reliance on international assistance or actors located upstream in the technical chain.

4. Are automated detection tools effective against double proxy?

They are useful but insufficient alone. They must be combined with legal and technical analysis capable of interpreting redirections, infrastructure structures and weak signals.

5. Is a website protected by a CDN necessarily suspicious?

No. CDNs are widely used for legitimate purposes. It is the combined use of several layers of proxy, associated with unlawful content, that may become problematic.

6. Are the hosting providers always able to act quickly?

Not necessarily. Some intermediaries have only partial control over the infrastructure and must themselves turn to other providers before they can intervene.

 

The purpose of this publication is to provide general guidance to the public and to highlight certain issues. It is not intended to apply to particular situations or to constitute legal advice.


The Data Protection Act: Key Changes Since the Adoption of the GDPR

Introduction

The Data Protection Act (Loi Informatique et Libertés) of January 6, 1978 has since evolved to meet the new challenges posed by digital technologies and the management of personal data.

The successive reforms, particularly the implementation of the General Data Protection Regulation (GDPR), the transposition of EU Directive 2016/680, and recent amendments, have allowed the law to adapt to contemporary issues.

This article explores the major changes to this legislation and analyzes their impact on personal data protection in France.

 

The origin and evolution of the data protection Act

The Data Protection Act was initially adopted in 1978 to protect citizens’ privacy in the context of personal data management. This law established the Commission Nationale Informatique & Libertés (CNIL), the French independent administrative authority, to ensure that data processing practices comply with the law’s fundamental principles. The original law aimed to regulate the collection and processing of personal data by both public and private sectors and has been amended twice:

• In 2004, with the introduction of new provisions to strengthen data protection, notably through the transposition of the European Directive 95/46/EC, which implemented adjustments to the law.

• In 2016, with the adoption of the General Data Protection Regulation (GDPR) in May, which came into effect in 2018, marking a significant evolution in both French and European legislation.


Major changes brought by the GDPR

The GDPR had a significant impact on the Data Protection Act by strengthening personal data protection and harmonizing rules at the European level. While it is not directly a modification of French law, its application forced national legislation to integrate its core principles.

The GDPR guarantees:
• The right to clear and accessible information when data is collected.
• The right to access, rectify, and erase data (right to be forgotten).
• Data portability from one service to another.

The GDPR also expanded the CNIL’s powers in terms of enforcement, allowing fines up to 4% of a company’s global turnover for non-compliance. The CNIL now plays a more proactive role in monitoring corporate compliance.

Relationship between national law and the GDPR

The Data Protection Act continues to play a complementary role to the GDPR on issues where the European regulation allows for national discretion.

For example:
• The processing of health data, offense-related data, or journalistic data.
• Criminal law files, governed by specific rules derived from the European directive introduced alongside the GDPR.

These provisions allow the legal framework to adapt to areas where security and protection concerns are particularly high.

The evolution of the Data Protection Act remains dynamic, with regular amendments, notably decrees published since 2018, specifying the operational modalities of the new rules.

New obligations for businesses

The Data Protection Act, as amended by the GDPR, now imposes additional obligations on businesses regarding the management of personal data:

• Appointment of a Data Protection Officer (DPO):
Certain businesses must appoint a DPO to ensure that data processing practices comply with the legislation.

• Explicit and Documented Consent:

Businesses must obtain explicit consent from users before collecting their data, and this consent must be documented and easily accessible.

• Privacy Impact Assessment (PIA):

Businesses must conduct PIAs when data processing presents a high risk to individuals’ rights and freedoms, especially in the case of automated processing.

Challenges of data protection in the digital Age

1) The rise of Big Data and AI

The massive processing of data (Big Data) and the growing use of artificial intelligence (AI) in personal data processing pose new challenges. Businesses must now justify the necessity of collecting data and can no longer rely on a lax approach.

2) The risks of data breaches

Despite efforts to strengthen security, data breaches remain frequent. Companies must not only take preventive measures but also be prepared to notify competent authorities and affected individuals in case of a data breach.

3) International Data Transfers
The transfer of data outside the European Union is strictly regulated. Businesses must implement appropriate mechanisms, such as standard contractual clauses, or comply with adequacy regulations (e.g., the Privacy Shield for transfers to the United States), to ensure the security of personal data.

Conclusion

The Data Protection Act, as amended by the GDPR, represents a strengthened legal framework for personal data protection, particularly in the context of rapid technological advancements. Businesses must comply with these new rules, not only to avoid penalties but also to ensure the trust of their users.


Nathalie Dreyfus with the support of the entire Dreyfus team.

 

Q&A

1. How does the GDPR affect companies that process sensitive data?
Companies that process sensitive data must implement enhanced security measures and obtain explicit consent from the individuals concerned. They must also conduct a Data Protection Impact Assessment (DPIA) to assess the risks associated with these processing activities.

2. Which companies must appoint a DPO?
Companies that process personal data on a large scale or sensitive data must appoint a Data Protection Officer (DPO). It is also mandatory for public organizations and those involved in regular monitoring of individuals.

3. What are the risks for companies in case of non-compliance?
In case of non-compliance, companies risk financial penalties of up to 4% of their global turnover or €20 million, depending on the severity of the violation. They may also face legal action and damage to their reputation.

4. How can companies ensure the security of personal data?
Companies must implement technical and organizational security measures, such as data encryption, strict access controls, and continuous training for employees on security best practices.

5. What is a Data Protection Impact Assessment (DPIA)?
A Data Protection Impact Assessment (DPIA) allows companies to analyze the risks to data protection before launching processing activities that may affect individuals’ privacy. It is mandatory for high-risk processing, particularly in cases of large-scale surveillance.

6. Is user consent always necessary for the processing of their data?
Explicit consent is required when data is processed based on this consent. However, in certain cases (e.g., for contract execution or legal obligations), other legal bases, such as legitimate interest, can be used without the need for prior consent.


Why is it beneficial for companies to register ccTLD domain names?

Introduction

ICANN (Internet Corporation for Assigned Names and Numbers) established the system of national top-level domains, known as ccTLDs (country code Top-Level Domains), the management of which is entrusted to each country. Specific rules govern the registration and use of these extensions, depending on local legal and regulatory requirements.

Choosing an appropriate ccTLD makes it possible to clearly indicate to search engines and users the intended target audience, thereby strengthening the relevance of content at a national or regional level. As such, the ccTLD constitutes an essential legal, technical, and strategic lever for any company developing an online activity, whether domestic or international.

Definition: what is a ccTLD?

A ccTLD (Country Code Top-Level Domain) is a domain name extension composed of two letters, assigned to a State or territory on the basis of the international ISO 3166-1 standard.

Each ccTLD corresponds to a clearly identified geographical area, for example .fr for France, .de for Germany, .it for Italy, .es for Spain, or .cn for China.

In addition, certain territories have been assigned specific codes under the ISO standard, in particular overseas territories, in order to reflect their particular geographical situation. Accordingly, alongside the French .fr extension, there are also .gf (French Guiana), .mq (Martinique), .re (Réunion), .nc (New Caledonia), .yt (Mayotte), and .gp (Guadeloupe).

Certain exceptions also exist. The United Kingdom, for instance, does not use the standard ISO code .gb, but rather the ccTLD .uk. Likewise, although the European Union is not a State, the ccTLD .eu is widely used by institutions and organisations in order to strengthen their visibility and identification at the European level.

The role of governance authorities

From an institutional perspective, the allocation of all ccTLDs is coordinated by ICANN. However, the management and registration of national domain names are carried out by the respective national registries, commonly referred to as NICs (Network Information Centers).

In France, for example, the .fr extension is administered by AFNIC (Association française pour le nommage Internet en coopération), which sets specific rules relating to eligibility, dispute resolution mechanisms, and the protection of prior rights.

Accordingly, a ccTLD is not merely a technical extension. It is the expression of national digital sovereignty, governed by specific rules that are often firmly rooted in local law.

What are the conditions for registering a ccTLD?

Each ccTLD is subject to its own registration rules, which are often stricter than those applicable to generic top-level domains (gTLDs) such as .com, .net, or .org. Certain extensions require a local presence, a national registration, or the appointment of a legal representative within the relevant territory.

By way of example, the registration of a .fr domain name is limited to holders established within the European Union, as well as in Iceland, Liechtenstein, Norway, or Switzerland.

Registration conditions vary depending on the policy adopted by the relevant registry. For more information about the eligibility rules for the .fr extension, please refer to our previously published article.

Similarly, the Canadian ccTLD .ca is strictly reserved for companies and individuals having their registered office or residence in Canada.

As a result, ccTLDs are not subject to a uniform regime.

What are the advantages of ccTLDs for businesses?

A lever of credibility and local trust

A ccTLD sends a strong signal of geographical proximity to users. It enhances trust, improves the clarity of the offer, and reinforces commercial credibility, particularly in markets where local presence is decisive. For many consumers, a national extension is naturally associated with a company established locally and subject to the applicable national law.

A strategic advantage for search engine optimisation

From an SEO perspective, a ccTLD clearly indicates the geographical target to search engines. It improves rankings for local searches and enables the implementation of a more precise international SEO strategy than reliance on a generic domain name alone.

A tool for protecting trademarks and digital assets

ccTLDs play a key role in the fight against cybersquatting, phishing, and other fraudulent uses. The defensive registration of strategic country-code extensions helps reduce the risk of trademark infringement, traffic diversion, and online impersonation, while facilitating recovery actions based on local law.


Conclusion

The ccTLD (Country Code Top-Level Domain) has become a structuring tool at the heart of corporate digital strategies. Far beyond a simple geographical extension, it serves as a vector of credibility, a lever for local visibility, and an essential legal instrument for protecting trademarks and online intangible assets.

 

The firm Dreyfus & Associés works in partnership with a global network of intellectual property lawyers.

Nathalie Dreyfus with the support of the entire Dreyfus firm team

 

Q&A

 

Does registering a domain name under a ccTLD automatically protect a trademark?
No, but it is an effective tool for preventing and combating online infringements.

Are all ccTLD extensions subject to the same registration requirements?
No. There is no uniform regime applicable to ccTLDs. Registration requirements vary depending on the policy of the relevant registry. Some extensions are open without specific conditions, while others require a local presence, national incorporation, or the appointment of a local representative.

Can a ccTLD be used as an indicator of territorial targeting in a dispute?
Yes. Courts and IP offices frequently take the national extension into account when assessing the intended audience, particularly in cases involving trademark infringement or unfair competition.

Can a ccTLD domain name be deleted if the eligibility requirements are no longer met?
Yes. Many registries provide for the suspension or deletion of a domain name if the holder no longer satisfies the required criteria, in particular where local presence is lost.

Are dispute resolution procedures identical for all ccTLDs?
No. Each ccTLD applies its own mechanisms, which may be based on the UDRP, local alternative dispute resolution procedures, or national courts.


Does the introduction of arbitration for .me domain names, alongside the UDRP procedure in Montenegro, represent a turning point ?

Introduction

In December 2009, the new Montenegrin regulation applicable to .me domain names entered into force, entitled Regulation on Procedures for the Registration and Use of Domain Names under the National .ME Domain. This regulation paved the way for the introduction of an arbitration mechanism in addition to the UDRP (Uniform Domain-Name Dispute Resolution Policy), which had until then been the preferred means of resolving disputes relating to this extension.

This arbitration mechanism represents a structural development in the domain name dispute resolution framework, as it now makes it possible to address more complex situations that go beyond the strict scope of cybersquatting, and to integrate contractual, commercial, or strategic issues closely linked to contemporary domain name use.

The legal and institutional framework of the .me domain

From its launch in 2007, the .me extension enjoyed immediate and unparalleled success. Although formally attached to Montenegro, it quickly established itself as an extension with a clear international vocation, with more than 320,000 domain names registered within just a few months, an unprecedented pace for a ccTLD and a clear indication of its attractiveness to economic players and trademark owners worldwide.

The .me is a ccTLD operated in accordance with international standards, while remaining subject to Montenegrin law. This hybrid nature explains the early integration of the UDRP and the gradual opening to complementary national mechanisms.

The UDRP procedure as applied to .me domain names

The UDRP and arbitration are not mutually exclusive. They serve distinct yet complementary purposes, offering rights holders a broader strategic range. While the UDRP is often described as a form of arbitration, it is in fact a specific extrajudicial administrative procedure.

The UDRP is characterized by a deliberately narrow scope, limited to situations of manifest abuse, based on strictly defined criteria, and leading exclusively to technical remedies, namely the transfer or cancellation of the disputed domain name. It does not produce res judicata effects, as state courts remain competent in all circumstances. The procedure remains particularly well suited to cases of clear bad faith, but it shows its limits when confronted with complex contractual or commercial disputes.

For further information on the UDRP framework, readers are invited to consult our previously published guide.

The arbitration procedure applicable to .me domain names

The Montenegrin regulation governing .me domain names provides for the implementation of an autonomous arbitration mechanism, distinct from the UDRP procedure. The coexistence of these two dispute resolution avenues requires prior strategic reflection, based on the nature of the dispute, the economic interests at stake, and the legal effect sought.

Fully falling within the scope of arbitration law, this mechanism is based on the existence of an arbitration agreement, whether express or implied. It is distinguished by its ability to address complex disputes involving contractual, commercial, or competitive elements, whereas the UDRP remains confined to cases of abusive registration and use of domain names, in particular cybersquatting. The procedure allows for in-depth examination, extensive administration of evidence, and results in an arbitral award capable of recognition and enforcement at the international level, notably under the New York Convention.

For trademark owners, arbitration therefore constitutes a complementary tool with significant strategic value. It offers a more flexible and structured dispute resolution framework when the domain name forms part of an existing business relationship, while ensuring a comprehensive assessment of the dispute and a decision with enhanced legal force.


Conclusion

The introduction of arbitration for .me domain names, alongside the UDRP procedure in Montenegro, significantly strengthens the enforcement tools available to rights holders. It allows the legal response to be tailored to the increasing complexity of domain name uses.

 

Dreyfus & Associés law firm assists its clients in designing bespoke strategies that integrate all available mechanisms for resolving digital disputes.


Nathalie Dreyfus, with the support of the entire Dreyfus team.

 

Q&A

 

1. Does arbitration allow remedies other than the transfer or cancellation of the domain name ?

Yes. Unlike the UDRP, arbitration may, depending on the applicable framework, address broader claims, such as contractual obligations, corrective measures, or future commitments between the parties.

2. Is arbitration riskier for a trademark owner than the UDRP procedure ?

Arbitration is not riskier, but it is more demanding. It requires thorough legal preparation, strong factual arguments, and a clear strategic vision, whereas the UDRP is based on strict and limited criteria.

3. Can one freely choose between the UDRP procedure and arbitration for a .me dispute ?

Yes, in most cases. The choice depends on the nature of the dispute, the objectives pursued, and the respondent’s profile. Prior analysis is essential to avoid an inappropriate or ineffective procedure.

4. Is arbitration confidential, unlike the UDRP procedure ?

Yes. Confidentiality is one of the major advantages of arbitration, particularly valued by companies seeking to avoid public exposure of sensitive or strategic disputes.

5. Is arbitration suitable for disputes involving international groups ?

Absolutely. Arbitration offers procedural, linguistic, and legal flexibility, making it particularly well suited to international groups operating across multiple markets and facing cross-border issues.

 


What is a fraudulent invoice, and how can intellectual property rights holders protect themselves effectively?

Introduction

The receipt of fraudulent invoices has become one of the most recurrent and costly risks for intellectual property rights holders. The scheme is now well known : fraudsters exploit public data from official registers, reproduce visual codes and institutional language, and then request payments for services that are either non-existent or devoid of any legal value. Beyond the financial loss, these practices undermine trust in the intellectual property ecosystem and compel companies to adopt genuine risk governance mechanisms.

When invoicing becomes a tool for fraud: heightened vigilance for intellectual property rights holders

A fraudulent invoice is a payment request designed to resemble an official communication, referring to a trademark filing, a publication, an opposition period, or a renewal. It frequently proposes registration in so-called “private registers” presented as mandatory, even though they have no official status whatsoever.

The fraud relies on ambiguity between official fees and optional services lacking any legal relevance, while insinuating that failure to pay could jeopardize rights. Intellectual property offices, including the EUIPO, publish warnings and examples of misleading communications on their websites, identifying companies involved in such scams.

By way of example, in 2023 a series of fraudulent emails was reported. These messages originated from email accounts using domain names closely resembling those of the EUIPO. Such phishing emails falsely claimed to come from the Office’s Deputy Executive Director and requested payment of an alleged registration fee to a foreign bank account that in no way belonged to the Office.

This constitutes identity theft fraud, evidenced in particular by a fake registration certificate imitating the name, acronym, and logo of the Office.

The vulnerability of rights holders

The exposure of rights holders begins as soon as an application is published and continues through to renewal. Publication acts as a trigger, as it makes visible the applicant’s identity, the filing date, and the procedural status. A second critical phase arises during opposition periods, when internal organizations may hesitate as to the appropriate steps to take in response to earlier rights holders. Finally, the approach of renewal deadlines offers fertile ground for fraudsters, especially when teams receive purported “final reminders” even before the office has issued any official communication. The risk is heightened when intellectual property management is spread across several subsidiaries or brands, and when payment processes prioritize speed over verification.

Identifying warning signs

The most reliable method is to verify structural elements rather than debating the tone or style of the message. Authenticity depends on the identity of the sender, the payment channel, and the beneficiary bank account. Where an office provides a secure online portal, legitimate payments and notifications should be checked primarily through that channel, not through unsolicited emails.

Fraudsters typically use domain names very close to official ones, with minor typographical variations, and attach documents imitating certificates or decisions. Within companies, the decisive reflex is procedural: no payment relating to intellectual property should be approved without verification of the file in the official portal or internal records, and without formal confirmation of the beneficiary’s legitimacy.
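The sender-identity check described above can be automated on the original message file; the following is an added example, not taken from the article or from any office's tooling. It reads the From, Reply-To and Return-Path headers of a raw message and flags domains that imitate an allow-listed official domain through digit substitutions, hyphen-for-dot tricks or small typos. The allow-list entry, the distance threshold and the sample message are assumptions constructed for illustration.

```python
import hashlib
from email import message_from_bytes, policy
from email.utils import parseaddr

# Assumption: the allow-list is maintained by the reader for the offices
# they actually deal with; a single entry is used here.
OFFICIAL_DOMAINS = ["euipo.europa.eu"]
# Characters commonly swapped or inserted in imitation domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "5": "s", "-": None, ".": None})


def skeleton(name):
    """Lower-case the name and fold confusable characters and separators."""
    return name.lower().translate(CONFUSABLES)


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def without_tld(domain):
    return domain.rsplit(".", 1)[0]


def classify_domain(domain, official=OFFICIAL_DOMAINS, max_distance=2):
    """Return 'official', 'lookalike', 'unrelated' or 'missing'."""
    domain = domain.lower().rstrip(".")
    if not domain:
        return "missing"
    for off in official:
        if domain == off or domain.endswith("." + off):
            return "official"
    for off in official:
        # Official name embedded in a longer attacker-controlled name.
        if skeleton(off) in skeleton(domain):
            return "lookalike"
        # Typo or character-swap variant registered under another TLD.
        if levenshtein(skeleton(without_tld(domain)),
                       skeleton(without_tld(off))) <= max_distance:
            return "lookalike"
    return "unrelated"


def analyze_message(raw):
    """Check the identity headers of a raw (unforwarded) message."""
    msg = message_from_bytes(raw, policy=policy.default)
    headers = {}
    for name in ("From", "Reply-To", "Return-Path"):
        display, address = parseaddr(str(msg.get(name, "")))
        domain = address.rpartition("@")[2]
        headers[name] = {"display": display, "domain": domain,
                         "verdict": classify_domain(domain)}
    verdicts = {h["verdict"] for h in headers.values()} - {"missing"}
    if "lookalike" in verdicts:
        overall = "lookalike"
    elif verdicts == {"official"}:
        overall = "official"
    else:
        overall = "unverified"   # still requires checking in the official portal
    return {"sha256": hashlib.sha256(raw).hexdigest(),  # ties report to the file
            "received": [str(r) for r in msg.get_all("Received", [])],
            "headers": headers, "overall": overall}


# Constructed sample message (all addresses and hosts are fictitious).
SAMPLE_MESSAGE = b"\r\n".join([
    b"Return-Path: <bounce@mailer.example>",
    b"Received: from mailer.example (mailer.example [192.0.2.10])"
    b" by mx.holder.example; Tue, 14 Mar 2023 09:12:01 +0000",
    b'From: "EUIPO Fees Department" <fees@euip0-europa.example>',
    b"Reply-To: payments@euipo.europa.eu.payments.example",
    b"To: ip@holder.example",
    b"Subject: Final reminder: registration fee",
    b"",
    b"Please settle the attached invoice within 5 days.",
    b"",
])

if __name__ == "__main__":
    report = analyze_message(SAMPLE_MESSAGE)
    for name, info in report["headers"].items():
        print(f"{name:12} {info['domain']:40} {info['verdict']}")
    print("overall:", report["overall"])
```

An "official" verdict on these headers is not proof of authenticity, since header fields can be forged; the check only filters out imitation domains before the verification in the official portal.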

The accelerating effect of artificial intelligence (AI)

Generative AI increases both credibility and scalability. It facilitates multilingual drafting of messages with a convincing legal tone, removes obvious errors, and enables mass personalization based on public data. It also allows optimization of timing: by observing corporate processing habits, fraudsters can target periods when the likelihood of payment is highest. Observations by European authorities and anti-fraud cooperation bodies describe a structured phenomenon, fueled by significant gains reinvested in tools, front entities, and international logistics. The practical consequence is clear: awareness alone is no longer sufficient, and security increasingly depends on robust internal controls.

Best practices in combating fraud

When faced with a suspicious request, the appropriate response is not simply to delete the fraudulent email. Internally, legal teams and the person responsible for intellectual property must be informed to verify whether an official fee is genuinely due, and accounting departments should be alerted to block payment execution.

If a payment has already been made, the bank should be contacted immediately to explore cancellation or recovery options, as speed is often decisive. Externally, reporting is not incidental: it feeds investigations, enables offices to issue alerts, and contributes to dismantling fraudulent campaigns. From an evidentiary standpoint, it is essential to preserve the message in its original form in order to retain headers and technical data, as simple forwarding may erase useful information.
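The structural checks described under “Identifying warning signs” (sender identity, lookalike domains) can be run directly on the preserved original message. The following Python code is an added example, not code from the firm or from any office; the allowlist, the `.example` domains and the sample message are constructed assumptions.

```python
import email
import hashlib
import re
from email import policy
from email.utils import getaddresses

# Assumption: allowlist kept by the IP team, mapping each official sending
# domain to the brand token that fraudsters imitate. Extend it for the
# offices you actually deal with.
OFFICIAL = {"euipo.europa.eu": "euipo"}

# Digit-for-letter swaps often seen in typosquats, folded before comparison.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Constructed sample of a message saved in its original form (raw .eml bytes).
SAMPLE = b"""\
Return-Path: <bounce@mailer-fees.example>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=mailer-fees.example; dkim=none; dmarc=fail header.from=euipo-europa.example
From: "Deputy Executive Director" <registration@euipo-europa.example>
Reply-To: payments@eulpo-office.example
To: ip-team@corp.example
Subject: Final reminder: registration fee due
Date: Mon, 06 Nov 2023 09:12:00 +0100

Please transfer the registration fee to the account shown in the certificate.
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed with two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for a sender domain."""
    domain = domain.lower().rstrip(".")
    for official in OFFICIAL:
        if domain == official or domain.endswith("." + official):
            return "official"
    # Compare every label and hyphen-separated token with the brand tokens.
    for token in re.split(r"[.-]", domain):
        folded = token.translate(HOMOGLYPHS)
        if any(edit_distance(folded, brand) <= 1 for brand in OFFICIAL.values()):
            return "lookalike"
    return "unrelated"


def triage(raw: bytes) -> dict:
    """Check sender identity on the raw message and fingerprint the evidence."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    domains, findings = {}, []
    for header in ("From", "Reply-To", "Return-Path"):
        values = [str(v) for v in msg.get_all(header, [])]
        for _name, addr in getaddresses(values):
            if "@" not in addr:
                continue
            domain = addr.rsplit("@", 1)[1].lower()
            domains[header] = domain
            verdict = classify_domain(domain)
            if verdict != "official":
                findings.append(f"{header} domain {domain} is {verdict}")
    if "Reply-To" in domains and domains["Reply-To"] != domains.get("From"):
        findings.append("Reply-To domain differs from From domain")
    # Authentication-Results is written by the receiving mail server; it is
    # only present if the message was saved with its full headers.
    auth = " ".join(str(v) for v in msg.get_all("Authentication-Results", []))
    for mech in ("spf", "dkim", "dmarc"):
        match = re.search(rf"\b{mech}=(\w+)", auth)
        result = match.group(1).lower() if match else "missing"
        if result != "pass":
            findings.append(f"{mech} result: {result}")
    return {
        "sha256": hashlib.sha256(raw).hexdigest(),  # integrity of the evidence
        "domains": domains,
        "findings": findings,
        "hold_payment": bool(findings),
    }


if __name__ == "__main__":
    report = triage(SAMPLE)
    print(report["sha256"])
    for finding in report["findings"]:
        print("-", finding)
```

A forwarded copy would typically carry only the forwarder's own headers, so the same checks would no longer see the original sender data; this is why the raw file is the input here.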


Conclusion

Fraudulent invoices exploit the transparency of official registers, which calls for a structured response: validation procedures, secure channels, training, and an internal culture in which urgency never overrides verification.

Dreyfus & Associés law firm assists its clients in implementing preventive measures, managing incidents, liaising with offices and authorities, and analyzing phishing and identity theft components when they overlap.

Dreyfus & Associés works in partnership with a global network of lawyers specialised in intellectual property.

Nathalie Dreyfus, with the support of the entire Dreyfus firm team.

Q&A

1. What types of fraudulent invoices most commonly circulate in the field of intellectual property?
The most common involve registrations in private registers with no legal value, fake renewal or opposition notices, and purportedly mandatory service offers. Some directly imitate communications from offices or advisors to create confusion as to the official nature of the request.

2. At which key stages in the life of an intellectual property right is the risk of fraud highest?
The risk is particularly high at the time of publication, during opposition periods, and as renewal deadlines approach. These stages make information public and create time pressure conducive to unchecked payments.

3. How can a legitimate request be distinguished from an attempted fraud?
Any payment request must be verified through the offices’ official secure channels; unsolicited, urgent emails or those featuring unusual bank accounts should raise immediate concern.

4. How can an effective internal validation process for intellectual property payments be organized?
All payments should be validated by the legal function or the person responsible for the portfolio, based on official portals or pre-verified banking references. No payment should be made solely on the basis of an unsolicited or purportedly urgent email.

5. Should an attempted fraud be reported even if no payment has been made?
Yes. Reporting helps fuel investigations, warn other users, and strengthen the effectiveness of collective anti-fraud mechanisms.

This publication is intended to provide general guidance and to highlight certain issues. It is not intended to apply to specific circumstances or to constitute legal advice.


Can artificial intelligence be freely used in the workplace?

Introduction

Artificial intelligence (AI) is rapidly spreading within companies. Task automation, decision-support tools, content generation and the optimisation of internal processes are becoming increasingly common, often driven by employees themselves in a context where AI tools are widely accessible.

This rapid adoption may create the illusion of freedom of use. In reality, the use of AI in the workplace is subject to a dense and now clearly structured legal framework, resulting from the combined application of labour law, the General Data Protection Regulation (GDPR), collective bargaining agreements (CBAs) and, more recently, the European regulation on artificial intelligence (the AI Act).

AI is therefore neither a neutral tool nor a purely technical instrument. It cannot be freely used in the workplace whenever it affects work organisation, employees’ rights or the processing of data.

The general legal framework governing the use of AI in companies: a multi-level approach

The use of AI in the workplace is governed by an intricate set of national and European rules, which fully apply whenever an algorithmic tool influences work organisation, decision-making processes or the processing of personal data.

The AI Act: a new pillar, but not a standalone one

Regulation (EU) 2024/1689 on artificial intelligence (the AI Act), adopted in June 2024, is the first European legal framework specifically dedicated to AI. It introduces a risk-based approach to AI systems.

In particular, AI systems are classified as high-risk when they are used for:

  • recruitment and candidate selection,
  • employee evaluation or scoring,
  • performance management,
  • monitoring or control of professional behaviour.

The Regulation already imposes, for certain provisions, key obligations on employers, including:

  • the prohibition of certain AI practices considered incompatible with fundamental rights;
  • the obligation to ensure appropriate training for persons using AI systems in a professional context.

However, practical experience shows that the AI Act cannot be considered in isolation. It forms part of a pre-existing legal framework that continues to produce its full effects.

The GDPR: the central legal foundation of AI in the workplace

In almost all cases, AI used in companies involves the processing of personal data. The GDPR therefore constitutes the unavoidable legal entry point.

As a general rule, the employer remains the data controller, even where the AI tool is provided by a third-party service provider. In this capacity, the employer must in particular:

  • define a specific, explicit and legitimate purpose;
  • identify a valid legal basis;
  • comply with the principles of data minimisation, proportionality and security;
  • provide clear and transparent information to employees.

The French Data Protection Authority (CNIL) regularly recalls that algorithmic systems cannot escape the fundamental requirements for the protection of individuals’ rights.

The GDPR also strictly regulates decisions based solely on automated processing that produce legal or similarly significant effects. In practice, human intervention remains mandatory, particularly in recruitment, evaluation or disciplinary processes.

Labour law and collective bargaining agreements: a decisive social framework

Beyond European regulations, labour law and collective bargaining agreements (CBAs) play a central role in governing the use of AI in companies.

From a legal perspective, AI is treated as a new workplace technology. As such, its introduction triggers, in many sectors, specific obligations to inform and consult employee representative bodies.

Collective bargaining agreements frequently regulate:

  • the introduction of new technologies affecting work organisation or working conditions;
  • employee monitoring, surveillance or evaluation systems;
  • measures likely to have an impact on employment, skills or management methods.


As a result, an AI project may comply with the GDPR and the AI Act while still being legally weakened if it fails to comply with applicable collective bargaining obligations. This level of regulation remains too often underestimated by companies.

What obligations do employers face when using AI in the workplace?

Employers may use AI to organise work, improve performance or secure internal processes, provided that they respect a fundamental principle: decision-making responsibility remains human.

AI may assist, inform or automate certain tasks, but it can never replace the employer’s responsibility, whether towards employees or supervisory authorities.

The growing use of generative AI tools also raises a specific risk: the unintentional disclosure of personal or confidential data through prompts. Such data may be processed outside the European Union or reused for model training purposes.

Employers must therefore:

  • strictly regulate authorised uses;
  • train employees on legal and compliance risks;
  • select service providers offering strong guarantees in terms of confidentiality and security.

AI deployer or AI provider: a particularly fragile legal boundary

One of the key structural contributions of the AI Act lies in the distinction between AI deployers and AI providers.

At first glance, the distinction appears straightforward:

  • the provider designs or places an AI system on the market;
  • the deployer uses that system in the course of its professional activity.

In practice, the AI Act adopts a functional approach. An employer may be classified as a provider when it goes beyond a passive use of the tool, in particular when it:

  • trains or retrains a model using its own internal data;
  • modifies operating parameters;
  • integrates the AI system into an internal decision-making process;
  • combines several tools to create a proprietary algorithmic solution.

These situations are common in HR, compliance or performance-management projects and result in enhanced obligations in terms of governance, documentation and risk management.

What measures should companies take to properly govern the use of AI?

To secure the use of AI in the workplace, companies must implement clear legal and organisational governance, including in particular:

  • an internal AI use policy or charter;
  • precise rules governing data and prompt management;
  • training programmes addressing legal and compliance risks;
  • robust contractual oversight of AI service providers.

Such an approach significantly reduces litigation risks, strengthens regulatory compliance and fosters trust with employees.

Conclusion

Artificial intelligence is a powerful tool, but it cannot be used freely or without control in the workplace. Its use directly engages the employer’s liability and requires legal mastery that is as rigorous as technical expertise.

A clear strategy, combined with appropriate internal rules, is essential to reconcile innovation, performance and legal certainty. Governing AI in the workplace requires a comprehensive approach, integrating the GDPR, labour law, collective bargaining agreements, intellectual property law and the European regulation on artificial intelligence.

Dreyfus & Associés works in partnership with a global network of lawyers specialised in Intellectual Property.
Nathalie Dreyfus with the support of the entire Dreyfus firm team

FAQ

1. Is the employer responsible for decisions made by an AI system?
Yes. The employer remains fully responsible for decisions taken within the company, even where such decisions are assisted or prepared by an AI system. AI may serve as a decision-support tool, but it can never replace human responsibility, in particular in matters relating to recruitment, employee evaluation or disciplinary measures.

2. Does the AI Act replace the GDPR and labour law?
No. The AI Act does not replace either the GDPR or labour law. It supplements an existing legal framework. A single AI tool may be subject simultaneously to the AI Act, the GDPR, labour law rules and collective bargaining agreements, which requires a combined reading and a comprehensive compliance approach.

3. Can an employee refuse to use an AI tool imposed by the employer?
In principle, employees are required to comply with the employer’s instructions issued under its managerial authority. However, a refusal may be legitimate if the AI tool has not been properly disclosed to employees, if it infringes their fundamental rights, or if it has not been subject to the mandatory consultation of employee representatives. A lack of training or use contrary to data protection rules may also undermine the legitimacy of the tool.

4. What happens if an employee uses an unauthorised AI tool in the course of their work?
The use of an unauthorised AI tool may constitute a breach of professional obligations, particularly with regard to confidentiality and data security. However, any disciplinary measure requires that the applicable rules have been clearly defined, communicated to employees and remain proportionate. In the absence of an internal policy or AI charter, the employer’s disciplinary leeway is reduced.

5. Can an employee claim intellectual property rights over content generated with the assistance of AI?
Yes, but only in very limited circumstances. An employee may claim intellectual property rights over AI-assisted content only where their human contribution is creative, decisive and identifiable. In the absence of a personal intellectual contribution (creative choices, structuring, or substantial modification of the content), the output generated by AI is not protected by copyright. Furthermore, where the content is created in the course of the employee’s duties, the exploitation rights generally belong to the employer or are contractually governed.

This publication is intended to provide general guidance to the public and to highlight certain issues. It is not intended to apply to specific situations nor to constitute legal advice.


Can intellectual property rights be effectively enforced without going before a court, while avoiding the risk of abusive actions?

Introduction

This issue is central for companies facing alleged infringements of their trademarks, patents, designs and models, or copyrights. In a context of intensified competition and rapid circulation of information, the temptation to act quickly, sometimes too quickly, is strong. Recent case law, however, firmly reiterates that the enforcement of intellectual property rights is subject to strict limits, particularly when exercised outside judicial proceedings and when it involves third parties.

Enforcing intellectual property rights without a court decision: an accepted but regulated principle

Extrajudicial action as a legitimate tool for rights protection

French law does not systematically require a prior court decision to enforce intellectual property rights.
In practice, numerous mechanisms allow for a swift response to an alleged infringement, including the sending of a cease-and-desist letter, notice-and-takedown requests addressed to online platforms, removal procedures involving technical intermediaries, or customs actions.

These measures pursue a clear economic objective: to promptly bring an allegedly unlawful practice to an end, limit damage to the value of the right, and preserve the right holder’s competitive position.

Freedom of action subject to loyalty and caution

This freedom, however, is neither absolute nor discretionary.

Case law requires that any extrajudicial action be based on a solid factual foundation, conducted with restraint, and comply with the principle of fair dealing in commercial relations. Failing this, the enforcement of rights may amount to a civil fault engaging the author’s liability.

Legal limits to the extrajudicial enforcement of intellectual property rights

The principle: prohibition of discrediting a competitor

On the basis of Article 1240 of the French Civil Code, disparagement is established whenever a company disseminates information to third parties that is likely to discredit a competitor’s products, services, or activities.

Case law is consistent: the tone used or the absence of malicious intent is irrelevant where the information disseminated has not been judicially established.

The boundary between legitimate information and abusive action

Directly informing the alleged infringer of the existence of prior rights and requesting the cessation of the disputed acts is generally accepted.

By contrast, alerting third parties—such as distributors, customers, or commercial partners—to an alleged infringement places the action in a zone of significant legal risk.

Allegations of infringement and abusive actions: key lessons from recent case law

Clear confirmation by the Court of Cassation

In a decision dated October 15, 2025 (No. 24-11.150), the Court of Cassation firmly reiterated that notifying third parties of an alleged infringement, in the absence of a court decision, constitutes an act of disparagement.

In this case, a company holding copyright in wooden wind chimes had been authorised to carry out a copyright seizure (“saisie-contrefaçon”) against a competing company and its subcontractor. Following this seizure, it sent cease-and-desist letters to several distributors of the targeted competitors, requesting that they cease marketing the allegedly infringing products.

The competing companies, considering that they had been unfairly implicated while no infringement had yet been legally established, brought an action for disparagement against the copyright holder.

At first instance, the lower courts considered that the wording of the letters sent to the resellers was measured and did not, as such, constitute disparagement. However, the Court of Cassation overturned the appellate decision, holding that “in the absence of a court decision recognising the existence of copyright infringement, the mere fact of informing third parties of a possible infringement of such rights constitutes disparagement of the products alleged to be infringing.”

Principles derived from case law

The Court thus reaffirmed three key principles governing any extrajudicial intellectual property enforcement strategy:

  • The defence of rights does not justify everything: invoking an intellectual property right does not confer any entitlement to publicly disseminate unproven accusations.
  • Pre-litigation communications must remain targeted: they must be strictly limited to the person suspected of infringement and must not extend to economic third parties.
  • Good faith is irrelevant: even if measured, cautious and devoid of animosity, the dissemination of an unadjudicated allegation of infringement constitutes a civil fault.


Best practices for protecting rights without incurring liability

Structuring a legally secure extrajudicial action

An effective strategy is based on a graduated sequence of actions that complies with judicial requirements:

  • Objectively assess the risk: evaluate the strength of the asserted rights and the reality of the alleged infringement.
  • Limit exchanges to the alleged infringer: any cease-and-desist letter must be addressed exclusively to the presumed author of the acts.
  • Adopt factual and proportionate wording: avoid definitive characterisations of “infringement” until recognised by a court.
  • Preserve evidence: bailiff reports, seizures, and technical or comparative analyses should precede any communication.

When turning to the courts becomes essential

Where the economic risk is high or the infringement spreads through a distribution network, promptly seising a court often becomes the only secure course of action.

A judicial decision offers a dual benefit: it legitimises subsequent communications and protects the right holder against any allegation of disparagement.

Conclusion

Can intellectual property rights be enforced without a court decision? Yes, but only subject to strict limits. Case law reiterates that the defence of rights cannot justify communications liable to harm a competitor’s reputation in the absence of prior judicial recognition.

In this context, a controlled, legally framed and proportionate strategy remains essential. Anticipation and support from specialists help secure rights enforcement while preserving fair competition.

Dreyfus & Associés assists its clients in managing complex intellectual property cases, offering personalized advice and comprehensive operational support for the complete protection of intellectual property.

Dreyfus & Associés works in partnership with a global network of attorneys specializing in Intellectual Property.

Nathalie Dreyfus with the support of the entire Dreyfus team

FAQ

1. Is legal risk limited to litigation exposure?
No. It also includes reputational, commercial and sometimes structural risks for the company.

2. Is extrajudicial action always less risky than court proceedings?
No. If poorly handled, it may expose its author to civil liability that can be more costly than initially contemplated litigation.

3. Does good faith protect against an action for disparagement?
No. Case law considers good faith to be irrelevant.

4. Is a seizure for infringement sufficient to communicate with third parties?
No. It is an evidentiary tool, not a judicial recognition of infringement.

5. Can freedom of expression be relied upon?
It is limited by the principles of loyalty and protection against disparagement.

This publication is intended for general public guidance and to highlight issues. It is not intended to apply to specific circumstances or to constitute legal advice.


Getty Images v. Stability AI: Does the use of trademarks in the AI creation process constitute an infringement of intellectual property rights?

On November 4, 2025, the case Getty Images (US) Inc. v. Stability AI Limited gave rise to a highly anticipated decision of the High Court of Justice in London, stating that the use of trademarks in the context of artificial intelligence is not, in itself, unlawful. This judgment is of considerable importance for defining the scope of liability in the field of generative AI and intellectual property law.

Introduction

On November 4, 2025, the High Court of Justice in London delivered a long-awaited decision in Getty Images (US) Inc. v. Stability AI Limited, providing key clarifications on the interaction between generative artificial intelligence and intellectual property rights.

In particular, the Court held that the use of trademarks in the context of AI is not unlawful per se, while emphasizing that specific infringements may nevertheless be established in concrete circumstances. This ruling constitutes a significant reference point in defining the liability of generative AI stakeholders.

Background and facts of the case

Getty Images, a leading provider of licensed images, brought legal proceedings against Stability AI, alleging that the latter had used its images to “train” its generative AI system, Stable Diffusion, a deep learning model capable of generating images from textual descriptions.

Getty Images claimed that Stability AI had used, without authorization, images from its databases to train its model and had generated synthetic images reproducing its “Getty Images” or “iStock” watermarks.

These allegations were based on three main legal grounds:

  • infringement of copyright and database rights;
  • infringement of the “Getty” and “iStock” trademarks, on the basis that certain generated images appeared to reproduce or evoke watermarks associated with those marks;
  • acts of passing off, namely the misleading appropriation of Getty Images’ commercial reputation.


Arguments raised by the parties

Getty Images argued that Stability AI had reproduced copyright-protected works without authorization. In its view, the training process should be regarded both as an indirect reproduction of those works and as an unlawful extraction from its databases.

From a trademark law perspective, Getty Images primarily alleged infringement of its trademarks, asserting that the reproduction of its distinctive signs in AI-generated images constituted unauthorized use, likely to give rise to unfair competition, in particular by creating confusion in the public’s mind as to the existence of a license or a partnership.

Stability AI contended under copyright law that the Stable Diffusion model neither stores nor reproduces source images, but relies on statistical learning that cannot be equated with copying protected works. It further argued that the training operations had been carried out outside the United Kingdom, thereby excluding the application of UK copyright law.

Stability AI also denied any liability, asserting that any potential infringement resulted from prompts provided by end users rather than from its own conduct.

The Court’s legal analysis

An approach based on the reality of the infringement

The Court recalled that trademark law does not sanction abstract risks, but rather actual and perceptible uses. Accordingly, the analysis focused on the images generated and disseminated, rather than on the technical training process alone.

Some images had been generated from content identifiable as originating from Getty Images, while others stemmed from broader and non-identifiable datasets. This distinction played a decisive role in the Court’s assessment.

Rejection of the copyright infringement claims

With regard to copyright, the Court carried out a precise legal characterization of the disputed subject matter. It clearly distinguished between:

  • the model training process, which falls within the scope of statistical learning; and
  • the reproduction of protected works, which alone is capable of constituting infringement.

The Court found that Stable Diffusion does not store or contain source images in a recognizable form. The model could therefore not be treated as a medium incorporating copies of protected works within the meaning of the Copyright, Designs and Patents Act 1988.

This conclusion was reinforced by a strict territorial analysis: as the training had been carried out outside the United Kingdom, UK copyright law was in any event inapplicable.

The Court thus drew a clear line between algorithmic learning and legally relevant reproduction, rejecting any principle-based liability of the AI provider on this ground.

Recognition of a limited trademark infringement

For trademark matters, the Court adopted a more nuanced approach. It acknowledged the existence of infringement, but characterized its scope as “extremely limited”.

The trademarks at issue were found to be identical or quasi-identical, and the services concerned fell within the same economic field as those covered by Getty Images’ registrations.

The judge specified that the lack of extensive evidence of actual confusion was not decisive, insofar as the likelihood of confusion could be inferred from the overall context.

Use of trademarks at the stage of generated content: consumer perception

It is at the stage of content generation and dissemination that legal risk crystallizes. The Court therefore examined the perception of the average consumer, a central concept in trademark law.

In the Getty case, several user profiles were considered:

  • members of the general public using cloud-based services;
  • developer users;
  • users of downloadable models.

The Court held that a significant number of these users could believe that a partnership or license existed, a factor which weighed heavily in the recognition of trademark infringement.

Conclusion

The Getty Images v. Stability AI decision confirms that the use of trademarks in the AI creation process is not unlawful by nature, but may constitute an infringement of intellectual property rights where the traditional conditions of infringement are met and concretely demonstrated.

It represents an important milestone for both rights holders and AI developers, by clarifying the analytical criteria and evidentiary requirements applicable, while rejecting any blanket condemnation of generative AI.

In a context of rapidly expanding AI uses, specialized legal expertise remains essential to secure projects and anticipate litigation risks.

Dreyfus & Associés assists its clients in anticipating and managing these emerging risks related to generative AI, integrating trademark law, data protection and emerging technologies.

Dreyfus & Associés is in partnership with a global network of intellectual property law specialists.

Nathalie Dreyfus, with the support of the entire Dreyfus firm team

FAQ

1. Can an AI system infringe a trademark without intent?
Yes. Intent is not a necessary condition in trademark law where there is use in the course of trade.

2. Is the appearance of a trademark in an AI-generated output always unlawful?
No, but it becomes problematic in cases of likelihood of confusion, damage to reputation, or parasitism.

3. Are AI developers responsible for generated images?
Case law trends towards increased accountability where outputs are commercially exploited.

4. How can trademark use by AI systems be monitored?
Through a combination of technological monitoring, legal analysis, and audits of generative platforms.

5. Can the removal of a trademark from AI outputs be requested?
Yes, through appropriate amicable or judicial proceedings, depending on the context and jurisdiction.

This publication is intended to provide general guidance and to highlight certain issues. It is not intended to address specific situations nor to constitute legal advice.


How is DNS abuse addressed today through legal and contractual mechanisms?

Introduction

Understanding DNS abuse has become a strategic priority for companies operating online, well beyond the technical community. The Domain Name System (DNS) underpins global digital commerce, trademark visibility, and trust. Yet, it is also one of the most exploited layers of the Internet infrastructure, routinely leveraged for phishing, malware distribution, botnet coordination, and large-scale fraud.

Over the past two years, and particularly since April 2024, the regulatory and contractual landscape governing DNS abuse has undergone a structural transformation. Through reinforced contractual obligations imposed by ICANN, enhanced compliance oversight, and the launch of new policy initiatives within the GNSO, DNS abuse mitigation has shifted from best-effort cooperation to binding, enforceable responsibility.

What is DNS abuse under ICANN rules?

At the highest level, DNS abuse refers to a limited and deliberately narrow category of online harms that rely on the DNS itself to function. This scope is essential: ICANN does not regulate online content, but rather the technical coordination of the DNS.

A precise and enforceable definition

For contractual and compliance purposes, DNS abuse exists when a domain name is used to enable or materially support:

  • Malware, meaning malicious software designed to compromise systems or data
  • Botnets, consisting of remotely controlled networks of infected devices
  • Phishing, involving deception to obtain credentials or sensitive information
  • Pharming, redirecting users to fraudulent destinations through DNS manipulation
  • Spam, but only when it serves as a delivery mechanism for one of the above threats

This definition draws a strict line between DNS-level abuse and content-based illegality (such as trademark infringement), which falls outside ICANN’s mandate.


DNS abuse beyond technical enforcement

Historically, DNS abuse mitigation relied heavily on voluntary cooperation and informal best practices. That model has proven insufficient against industrialized cybercrime, where abusive domains are registered in volume, activated within minutes, and rotated rapidly.

From a legal and business perspective, DNS abuse now represents:

  • A direct risk to trademark integrity and consumer trust
  • A source of contractual exposure for registrars and registries
  • A compliance risk with measurable enforcement consequences
  • A governance issue, requiring documented decision-making and accountability

In practice, DNS abuse has become a cross-disciplinary risk, sitting at the intersection of cybersecurity, contract law, regulatory compliance, and digital governance.

How did the 2024 contractual amendments change registrar and registry obligations?

ICANN’s contractual amendments, effective 5 April 2024, mark a clear shift in DNS abuse mitigation. What had long been framed as cooperative best practice is now established as a binding contractual obligation, subject to compliance review and enforcement.

Registrars: clearer duties and an obligation to act

Under the revised Registrar Accreditation Agreement, registrars must maintain accessible abuse reporting mechanisms and ensure that reports are effectively processed. Beyond accessibility, the core change lies in the explicit duty to act when presented with actionable evidence of DNS abuse involving a domain name they sponsor.

This standard does not require absolute certainty. It requires a reasonable assessment based on available information. Once met, registrars must take timely and appropriate measures to disrupt the abuse.

Registries: complementary responsibilities at the TLD level

Registry operators are subject to parallel obligations under the Base gTLD Registry Agreement. They must publish abuse contact points and, upon receiving actionable evidence of DNS abuse, either escalate the matter to the sponsoring registrar or take direct mitigation measures where appropriate.

How is DNS abuse enforced today?

Since April 2024, enforcement activity has intensified significantly. ICANN relies on:

  • Third-party complaints, filed by rights holders, security researchers, or affected users
  • Proactive audits and monitoring, initiated internally
  • Public compliance reporting, increasing transparency and reputational pressure

Failure to comply can lead to formal breach notices and escalating contractual consequences.

Strategic implications for professional stakeholders

For legal advisers, compliance officers, and technical teams, several priorities emerge.

  • Structured governance and audit-ready procedures: clear internal procedures for intake, assessment, escalation, and response are now essential. Documentation is no longer optional.
  • Operational capability and staff readiness: teams handling abuse reports must understand both technical indicators of DNS abuse and the contractual standards governing mitigation.
  • Proportionality and exposure to legal liability: over-reaction can be as damaging as inaction. Unjustified suspensions may expose operators to contractual disputes or liability toward registrants.
  • Integrated cross-functional coordination: effective DNS abuse mitigation increasingly depends on coordination between legal, technical and compliance teams.

Conclusion

DNS abuse remains one of the most persistent threats to Internet stability and user trust. Through its 2024 contractual amendments and strengthened compliance framework, ICANN has fundamentally reshaped the expectations placed on registrars and registry operators.

For professional stakeholders, DNS abuse mitigation is now a legal and contractual obligation with tangible enforcement consequences. Mastery of this framework is essential to managing risk, ensuring compliance, and protecting digital assets in an increasingly hostile online environment.

Dreyfus & Associés assists its clients in managing complex intellectual property cases, offering personalized advice and comprehensive operational support for the complete protection of intellectual property.

Dreyfus & Associés works in partnership with a global network of attorneys specializing in Intellectual Property.

Nathalie Dreyfus with the support of the entire Dreyfus team

Q&A

What is the difference between DNS abuse and online content infringement?

DNS abuse concerns technical misuse of the DNS itself, whereas content infringement relates to what is published on a website and falls outside ICANN’s mandate.

Is spam always considered DNS abuse?

No. Spam qualifies only when it is used to deliver malware, phishing, or similar DNS-enabled threats.

Are registrars required to suspend domains automatically?

No. They must take proportionate and appropriate measures, which may vary depending on context.

Can registry operators act directly against abusive domains?

Yes, where appropriate, or they may escalate the matter to the sponsoring registrar.

Does DNS abuse mitigation create legal risk for registrars?

Yes. Both failure to act and disproportionate action can carry contractual and legal consequences.

This publication is intended for general public guidance and to highlight issues. It is not intended to apply to specific circumstances or to constitute legal advice.


What do WIPO’s record 2025 statistics reveal about the surge in domain name disputes?

Introduction

The sharp increase in demand for out-of-court dispute resolution services in the field of domain names constitutes one of the most significant indicators of recent developments in digital law. According to official data published by WIPO, more than 6,200 UDRP complaints were filed in 2025, representing the highest volume ever recorded, and a slight increase compared to 2024 (6,168 cases).

This growth is not a short-term or cyclical phenomenon. It reflects a structural transformation in the way intellectual property disputes are resolved, driven directly by the digitalization of intangible assets.

An analysis of the 2025 statistics provides key legal, economic, and strategic insights for businesses, particularly regarding the now central role of WIPO procedures in the protection of intangible assets.

Statistical analysis of domain name disputes

UDRP: a new all-time record

In 2025, more than 6,200 UDRP complaints were filed, a level never before reached since the creation of the UDRP mechanism.

These figures confirm a continued intensification of cybersquatting, phishing, and identity theft practices, involving domain names that imitate well-known trademarks or distinctive corporate signs. Such practices are frequently accompanied by:

  • deceptive websites,
  • mail server (MX) configurations,
  • targeted fraud campaigns aimed at employees, partners, or customers.

At the same time, these infringements have become increasingly professionalized, involving mass registrations, multiple extensions, and fraudulent uses combining websites and email services.


An industrialized form of litigation

Cumulative data show that WIPO has now administered more than 80,000 domain name disputes since the inception of its dispute resolution mechanisms.

From a statistical perspective, this critical mass produces two major effects:

  • a highly structured and predictable body of case law,
  • a growing deterrent effect on the most visible fraudulent operators.

Geographical distribution and sectors of activity

Complaints originate from rights holders established in numerous countries, with a strong concentration of filings from the United States, France, and the United Kingdom.

The disputes span a wide range of economic sectors, including retail and distribution, digital technologies, healthcare, finance, and consumer goods.

WIPO mechanisms: scope and operational effectiveness

UDRP and related procedures: an international standard

The procedures administered by WIPO, foremost among them the UDRP, make it possible to obtain the transfer or cancellation of a domain name when three cumulative conditions are met:

  • identity or confusing similarity with a prior right,
  • absence of rights or legitimate interests on the part of the respondent,
  • registration and use in bad faith.

A pragmatic and predictable procedural framework

The average duration of a procedure remains limited, generally a matter of weeks, with reasoned decisions that are widely published, thereby contributing to legal certainty and jurisprudential consistency.

Strategic impacts for companies and legal departments

Integrating WIPO procedures into a global protection strategy

The statistics invite companies to rethink their internal organization, including:

  • anticipation of infringements,
  • structured international monitoring,
  • the ability to initiate WIPO proceedings rapidly.

A complementary lever to judicial litigation

Recourse to WIPO does not systematically replace court actions, but rather forms part of a complementary approach.

It allows companies to reserve judicial proceedings for matters with high strategic value, while effectively addressing large-scale or repetitive infringements. In practice, WIPO procedures often make it possible to:

  • Act quickly,
  • Reduce costs,
  • Secure digital assets upstream of more complex litigation.

Conclusion

WIPO’s record 2025 statistics reflect a clear reality: out-of-court resolution of intellectual property disputes has become a central pillar of digital law.

For businesses, these mechanisms now constitute an essential strategic tool, provided they are integrated into a comprehensive and forward-looking approach to the protection of intangible assets.

Nathalie Dreyfus with the support of the entire Dreyfus team

FAQ

1. How can a WIPO procedure be prepared effectively?
By gathering solid technical evidence, conducting a precise legal analysis, and clearly demonstrating bad faith.

2. Are WIPO decisions binding?
They are enforceable at the registrar level, subject to the absence of judicial proceedings initiated within the prescribed deadlines.

3. Are WIPO procedures truly effective?
The growing volume of cases and their recurrence demonstrate an effectiveness recognized by companies of all sizes.

4. Does a WIPO procedure prevent subsequent judicial action?
No. It does not preclude complementary actions before the competent courts.

5. Why is there such a sharp increase in WIPO procedures?
The statistics reflect the multiplication of digital infringements and the search for rapid, international, and specialized solutions.

6. Will domain name disputes continue to increase?
Current statistical trends indicate a likely continuation of growth, driven by fraudulent practices and the expansion of domain name extensions.

This publication is intended to provide general guidance to the public and to highlight certain issues. It is not intended to apply to specific circumstances or to constitute legal advice.
