Each TLD is operated by a registry. Verisign controls .COM and .NET, PIR controls the .ORG TLD, Afilias controls .INFO, Neustar controls .US, etc. Each registry may have certain terms or policies specific to its namespace.
ICANN is the body in charge of the domain name system that assigns official TLDs and sets the rules that they must abide by.
So in answer to your general question, either ICANN or the specific TLD's registry would be the one making the rules. The 2 character domain limitation was a suggested rule set forth by ICANN. Verisign didn't apply it to .COM or .NET, but rest of the gTLD registries have reserved two character names (.ORG, .INFO, .BIZ) so they cannot be registered.