
The NIS2 Directive and API Security

Carlo De Micheli, Zoran Gorgiev

In this guide to the NIS2 directive and API security, you’ll learn what NIS2 is, who it is relevant to, and why you should care about API security in your NIS2 compliance strategy.

What is NIS2?

The Name

NIS2 is the latest version of the Network and Information Security Directive.

The full name of the legislative act is “Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive).”

When the directive was first published in the Official Journal of the European Union, it was primarily referred to as NIS 2. However, over time, NIS2 has become more prevalent in general use. We will use NIS2 throughout this article.

What Is NIS2 About?

NIS2 deals with cybersecurity incident management, response, and reporting, as well as risk management and mitigation. As such, it covers a lot of ground, such as:

  • Technical and organizational measures
  • Information system security policies
  • Business continuity
  • Asset management

The Objective

Like DORA, NIS2 arises from the need for unified cybersecurity standards across the European Union. More precisely, its objective is twofold:

  • To eliminate differences in cybersecurity requirements and measures between EU member states, considering the sweeping digitalization of economic sectors.
  • To raise cybersecurity standards and readiness to a high level, considering the continuously growing attack surface.

In essence, the current version of the NIS is an attempt to ameliorate the inadequate level of cyber resilience and joint crisis response preparedness of businesses operating in the EU.


The Deadline

NIS2 entered into force on 16 January 2023. Each EU member state has until 17 October 2024 to transpose the directive into domestic law.

Who Does NIS2 Affect?

NIS2 applies to 18 entity types divided into two categories:

Entities in sectors of high criticality

  • Energy
  • Transport
  • Banking
  • Financial market infrastructures
  • Health
  • Drinking water
  • Wastewater
  • Digital infrastructure
  • ICT service management (B2B)
  • Public administration
  • Space

Entities in other critical sectors

  • Postal and courier service
  • Waste management
  • Manufacture, production, and distribution of chemicals
  • Production, processing, and distribution of food
  • Manufacturing
  • Digital providers
  • Research

Roughly speaking, entities from the sectors of high criticality that have at least 250 employees and over €50M in annual turnover belong to the group NIS2 refers to as essential entities. Entities from the other critical sectors, on the other hand, all fall within the group of important entities.

The following entities are exempt from NIS2:

  • Defense, national, and public security
  • Law enforcement
  • Judiciary
  • Parliaments
  • Central banks

Interestingly, if they want to improve their cyber resilience, organizations other than those in the 18 sectors above can also opt for NIS2 compliance despite not being required to do so.

It’s also worth noting that NIS2 applies to entities that are not established in the EU but offer services on its territory.

Benefits and Penalties

Noncompliance with NIS2 can lead to severe repercussions, with entities facing substantial fines and management members potentially being subject to civil and criminal penalties.

An essential entity can be fined up to €10M or 2% of its total worldwide annual turnover, whichever is higher. For important entities, the fine can be up to €7M or 1.4% of the total annual turnover, again whichever is higher.

In addition, if the circumstances require, member state authorities can impose temporary penalties, such as stopping or limiting an entity’s operations or periodic penalty payments.

Apart from the obvious advantage of avoiding paying hefty fines or being prosecuted, compliance with NIS2 can serve as a business enabler, allowing an organization to thrive due to a good reputation, client trust, security incident preparedness, and a robust security posture.

NIS2 and NIS1

NIS2 builds upon and improves, but also replaces, the NIS1 directive, i.e., Directive (EU) 2016/1148.

Apart from NIS2 imposing more stringent cybersecurity and reporting requirements, two significant differences compared to the first NIS are the following:

  • NIS2 introduces a framework for coordinated vulnerability disclosure as well as a European vulnerability database.
  • NIS2 requires a coordinated security risk assessment of supply chains.

NIS2 and DORA

An industry-specific regulation like DORA has precedence over NIS2 in cases directly applicable to the industry.

For instance, as DORA is the primary regulation for the EU’s finance industry, financial entities must follow DORA rather than NIS2 in finance-related matters.

Nevertheless, some entities covered primarily by DORA, such as major banks, can also be subject to the NIS2 requirements.

Why Securing APIs Is Necessary for NIS2 Compliance

APIs Power Our Digitalized World

Typically, a general-purpose security regulation such as NIS2 doesn’t explicitly mention APIs. So, why would organizations include API security on their NIS2 compliance agenda?

Recital 3 of the NIS2 preamble states: “Network and information systems have developed into a central feature of everyday life with the speedy digital transformation [emphasis added] and interconnectedness of society, including in cross-border exchanges.”

This “speedy digital transformation” is, to a considerable extent, attributable to APIs. They are what make communication and data exchange possible, both within a single network and information system and between different networks and information systems.

APIs are like radio waves: We can’t see them, but they’re everywhere. They power the digitalization of all of today’s industries: automotive, banking, utilities, telecom, healthcare, and the rest.

Showing how prevalent APIs are, the 2023 State of API Security: A Global Study on the Reality of API Risk report reveals that as many as:

  • 19% of organizations use 501–1,000 APIs
  • 20% use 1,001–2,500 APIs
  • 13% rely on more than 2,500 APIs

However, the NIS2 preamble also acknowledges the challenges that across-the-board digitalization and interconnectedness pose to the EU’s economy and society. In that spirit, it points out cybersecurity as a fundamental enabler in the digital transformation process.

Consequently, healthy and sustainable digitalization requires secure networks and information systems. And that requires strong network security, application security, and, among others, API security.


Is API Security a Subtheme of Application Security?

APIs would require special treatment even if API security were just a subtheme of application security.

However, as security experts and organizations have increasingly recognized, APIs fall within the scope of a separate cybersecurity subdomain and require different treatment than apps.

The fact that there are currently two separate OWASP (Open Worldwide Application Security Project) top ten lists, OWASP Top 10 API Security Risks and OWASP Top Ten (AppSec), is a clear testament to this recognition.

The separate OWASP API security project indicates the uniqueness of API security risks and threats. It also highlights the growing need for API security experts, purpose-built API security solutions, and dedicated API security budgets.

API Breaches Are Common

APIs are widespread for a reason. They enable data exchange, facilitate innovation, and provide an extremely convenient user experience. However, they also extend your organization’s attack surface and can lead to data breaches and other security incidents, which typically end in a loss of reputation or revenue.

2023 saw more than a few major API security incidents—one of which was the infamous T-Mobile data breach—as well as ethical hackers and security researchers disclosing severe API vulnerabilities endangering sensitive user data.

But API incidents are not limited only to highly publicized breaches. Even a cursory look at the API data breach tracker shows how frequent they can be in all domains—from finance to energy to hospitality.

In addition, research implies that a great majority of API incidents remain unknown to the public or any online API breach tracker.

For instance, the 2023 State of API Security survey shows that 60% of organizations suffered a data breach within two years resulting from a vulnerable API. Of those, as many as 74% experienced three or more incidents.

Comparing these stats to the number of publicly known API breaches shows how little we know about the actual security status of APIs in the wild.

API Security Measures

The whole idea behind NIS2 is to ensure that organizations in the EU implement consolidated security measures and controls that, among other things, protect their digital data, products, and services. This necessitates a strong API security posture.

To have a strong API security posture, you must consider the following:

  • Create and maintain a comprehensive API inventory.

    A comprehensive API inventory provides visibility into your API landscape. Gaining as complete security visibility as possible is a powerful risk management and mitigation practice. It allows you to address critical issues such as shadow and zombie APIs before they grow into throbbing headaches.

    Since APIs enable integration between different systems and services, thus directly affecting supply chain security, your inventory should include third-party APIs as well.

  • Implement precise data classification.

    Know which API endpoints transmit sensitive data and apply appropriate cybersecurity measures to protect your company’s, partners’, and clients’ valuable information.

  • Conduct frequent and regular API security tests.

    Security testing enables you to manage vulnerabilities in your APIs, that is, to detect and remediate them. To make the most of it, take a proactive approach by shifting left and testing your APIs early in development.

    Continuous testing in SDLC (software development life cycle) can be a game changer for your organization. It reduces the probability of a grave cyber threat wreaking havoc on your system and can dramatically cut remediation costs.

    Addressing vulnerabilities early in development, when the stakes are still low, is much cheaper than in production, let alone after an API breach in a live application.

    However, don’t neglect testing in production. For various reasons, vulnerabilities can sneak into production and live environments.

    Automated testing, including API penetration testing, can be tremendously helpful in that regard. It can fill workforce gaps and reduce your security team’s workload, especially if powered by efficient artificial intelligence or machine learning engines.

    In addition, ensure that third-party APIs are thoroughly tested. Vulnerabilities in third-party APIs can easily become your problem, and a grave one.

  • Use automated reporting.

    As an example, automatically generated API security test reports provide continuous evidence of your compliance efforts.

This list is far from complete. Nonetheless, it’s a good start to securing your APIs and working on NIS2 compliance.
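The first, second, and fourth measures above (inventory, data classification, automated reporting) can be started with a small script that reconciles the documented API surface against observed traffic. The following is an added example, not Equixly's code and not part of the original article. It assumes an OpenAPI 3 document (constructed inline as a dict, standing in for a real openapi.yaml), a few constructed gateway access-log lines, and keyword-based sensitivity rules that a real deployment would replace with the organization's own data-classification policy. It goes slightly beyond the text by also flagging deprecated endpoints that still receive traffic, as a working definition of a "zombie" API.

```python
"""API inventory, classification, and reconciliation report (added example)."""
import json
import re

# Constructed OpenAPI 3 document: the API surface the team believes it exposes.
OPENAPI_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Example Orders API", "version": "2.0"},
    "paths": {
        "/orders/{id}": {"get": {"responses": {"200": {"content": {"application/json": {
            "schema": {"type": "object", "properties": {
                "id": {"type": "string"}, "total": {"type": "number"},
                "card_number": {"type": "string"}}}}}}}}},
        "/users/{id}": {
            "get": {"responses": {"200": {"content": {"application/json": {
                "schema": {"type": "object", "properties": {
                    "email": {"type": "string"}, "phone": {"type": "string"}}}}}}}},
            "delete": {"responses": {"204": {"description": "deleted"}}}},
        "/v1/orders/{id}": {"get": {"deprecated": True,
                                    "responses": {"200": {"description": "legacy"}}}},
        "/health": {"get": {"responses": {"200": {"description": "ok"}}}},
    },
}

# Constructed access-log lines (not real traffic; RFC 5737 documentation addresses).
ACCESS_LOG = """\
2024-05-01T10:00:01Z 203.0.113.5 "GET /orders/42 HTTP/1.1" 200
2024-05-01T10:00:02Z 203.0.113.5 "GET /users/7?expand=1 HTTP/1.1" 200
2024-05-01T10:00:03Z 198.51.100.9 "GET /v1/orders/42 HTTP/1.1" 200
2024-05-01T10:00:04Z 198.51.100.9 "POST /admin/export HTTP/1.1" 200
2024-05-01T10:00:05Z 203.0.113.5 "GET /health HTTP/1.1" 200
"""

# Assumed keyword rules; replace with the organization's classification policy.
SENSITIVITY_RULES = {
    "payment": re.compile(r"card|iban|pan\b|cvv", re.I),
    "pii": re.compile(r"email|phone|address|ssn|birth", re.I),
    "credential": re.compile(r"password|secret|token|api_key", re.I),
}
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')


def _schema_fields(operation):
    """Collect JSON property names from the operation's request and response schemas."""
    fields = set()
    for body in [operation.get("requestBody", {})] + list(operation.get("responses", {}).values()):
        schema = body.get("content", {}).get("application/json", {}).get("schema", {})
        fields.update(schema.get("properties", {}).keys())
    return fields


def classify_fields(fields):
    """Return the sensitivity tags matched by any field name."""
    return {tag for tag, rx in SENSITIVITY_RULES.items() if any(rx.search(f) for f in fields)}


def build_inventory(spec):
    """One inventory row per documented (method, path), with its data classification."""
    rows = []
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            fields = _schema_fields(op)
            rows.append({"method": method.upper(), "path": path,
                         "deprecated": bool(op.get("deprecated", False)),
                         "fields": sorted(fields), "sensitivity": sorted(classify_fields(fields))})
    return rows


def _path_matcher(template):
    """Turn an OpenAPI path template such as /orders/{id} into an anchored regex."""
    parts = [r"[^/]+" if re.fullmatch(r"\{[^}]+\}", seg) else re.escape(seg)
             for seg in template.split("/")]
    return re.compile("^" + "/".join(parts) + "$")


def observed_endpoints(log_text):
    """Extract (METHOD, path) pairs seen in traffic, dropping query strings."""
    seen = set()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            seen.add((m.group("method"), m.group("path").split("?", 1)[0]))
    return seen


def reconcile(inventory, seen):
    """shadow: in traffic but not in the spec; zombie: deprecated yet still receiving
    traffic (this example's working definition); unobserved: documented, no traffic."""
    matchers = [(row, _path_matcher(row["path"])) for row in inventory]
    shadow, zombie, hit = [], [], set()
    for method, path in sorted(seen):
        row = next((r for r, rx in matchers if r["method"] == method and rx.match(path)), None)
        if row is None:
            shadow.append(f"{method} {path}")
        else:
            hit.add((row["method"], row["path"]))
            if row["deprecated"]:
                zombie.append(f"{method} {row['path']}")
    unobserved = [f"{r['method']} {r['path']}" for r in inventory if (r["method"], r["path"]) not in hit]
    return {"shadow": shadow, "zombie": zombie, "unobserved": unobserved}


def build_report(spec, log_text):
    """Assemble the evidence a compliance review would ask for, as plain data."""
    inventory = build_inventory(spec)
    sensitive = [f"{r['method']} {r['path']}" for r in inventory if r["sensitivity"]]
    return {"api": spec["info"]["title"], "documented_endpoints": len(inventory),
            "sensitive_endpoints": sensitive, **reconcile(inventory, observed_endpoints(log_text))}


if __name__ == "__main__":
    print(json.dumps(build_report(OPENAPI_SPEC, ACCESS_LOG), indent=2))
```

Run on the constructed input, the report lists two endpoints carrying sensitive fields, one shadow endpoint (`POST /admin/export`, present in traffic but undocumented), one zombie (`GET /v1/orders/{id}`, deprecated but still called), and one documented operation with no traffic. Emitting the same JSON from a scheduled job, and keeping each run, is the kind of continuous, automatically generated evidence the reporting measure above refers to; third-party APIs can be covered by feeding their published specifications and your gateway's outbound logs through the same functions.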


Final Thoughts

NIS2 is a new directive that aims to close the gaps in member-state cybersecurity regulations and raise the level of risk management and incident preparedness across the European Union. With the deadline approaching soon, organizations must take significant steps toward NIS2 compliance.

Because APIs play an essential role in the digitalization of economic sectors, you must include them in your compliance efforts. Invest in API security expertise and purpose-built security solutions, implement security best practices in API development, and you’ll be well on the path to success.

Contact us to learn how Equixly helps with API security and speeds up your NIS2 compliance efforts.


Carlo De Micheli


Director of Product Marketing

Carlo is a versatile professional with extensive international experience. His enthusiasm for innovation extends across cybersecurity, automotive, and aerospace, where he actively engages in pioneering projects. Holding a technical background in aerospace engineering and supplementing it with independent studies in programming and security, Carlo has organized and presented at international conferences and established tech startups related to the sharing economy and fashion before embracing marketing and sales.

Zoran Gorgiev


Technical Content Specialist

Zoran is a technical content specialist with SEO mastery and practical cybersecurity and web technologies knowledge. He has rich international experience in content and product marketing, helping both small companies and large corporations implement effective content strategies and attain their marketing objectives. He applies his philosophical background to his writing to create intellectually stimulating content. Zoran is an avid learner who believes in continuous learning and never-ending skill polishing.