Why is a ".ca" domain listed as "avoid"?

I think this is in relation to some of the physical requirements associated with registration.

For example, see the below Rules listing on .ca domains at Registrar Gandi.
.CA domains at gandi.net

.de and .nl have something similar, though .at appears to be open to anyone.

.ca does allow DNSSEC, as do .de and .nl, but .at is not listed as allowing it, according to another list on Gandi.

This is just my best guess–someone who actually wrote the guide may have a better answer.