Depends how you look at it. It's a directory, at the end of the day. The ultimate authority is the DID itself not the directory. The DID itself is derived from a hash of the initial operation signed with the private key.
Anyone can mirror that directory. Because each op is cryptographically signed, anyone who mirrors it can validate the entire log independently. Or you can have multiple, independent groiups operating replicas of the directory.
But because of their UX you need some source of truth, hence it's not completely centralised but still not able to be completely decentralised either.