Need cloud computing? Get started now

What the NIS2 Directive Means for Your Business and Your APIs

Akamai Wave Blue

Written by

Steven Duckaert

March 22, 2023

Akamai Wave Blue

Written by

Steven Duckaert

Steven Duckaert is Director of Pre-Sales for EMEA and APJ at Akamai, specializing in API security. With extensive experience in the cybersecurity and IT infrastructure industries, Steven plays a pivotal role in driving the technical sales strategy and guiding customers across the region. Known for his leadership, strategic vision, and deep technical knowledge, Steven is committed to enabling businesses to thrive in an increasingly connected world.

If your business operates in the EU and provides digital services or critical infrastructure, you will be subject to the requirements of the NIS2 Directive.
If your business operates in the EU and provides digital services or critical infrastructure, you will be subject to the requirements of the NIS2 Directive.

Akamai acquired Noname Security in June 2024. This archived blog post was originally published on March 22, 2023.

In recent years, cybersecurity threats have become increasingly common and sophisticated, posing significant risks to individuals, businesses, and governments. In response to these threats, the European Union (EU) introduced the NIS2 Directive, a new legislation focused on improving cybersecurity across the EU.

In this blog post, we will discuss the reasons behind the NIS2 Directive, what it means for your business, and how you can implement a comprehensive API security program to comply with the directive.

Why the NIS2 Directive was introduced

The NIS2 Directive is part of the EU’s broader strategy to improve cybersecurity across the EU. Cybersecurity threats, including cybercrime, cyber espionage, and cyberattacks on critical infrastructure, are increasing in frequency and complexity, and can have significant consequences for individuals, businesses, and governments. The EU recognizes that cybersecurity is critical to ensuring the stability and resilience of its economy, society, and democracy.

The NIS2 Directive aims to address these cybersecurity challenges by establishing a comprehensive legal framework for cybersecurity in the EU. The directive imposes obligations on all critical infrastructure providers and digital service providers operating in the EU to implement appropriate technical and organizational measures to manage the risks posed to the security of their network and information systems.

What the NIS2 Directive means for you

If your business operates in the EU and provides digital services or critical infrastructure, you will be subject to the requirements of the NIS2 Directive. This means that you will need to implement appropriate technical and organizational measures to manage the risks posed to the security of your network and information systems, including your APIs.

To comply with the NIS2 Directive, you will need to implement a comprehensive API security program that includes measures such as authentication, authorization, encryption, and monitoring. This may involve implementing additional security controls to ensure that only authorized parties can access and use the APIs. In addition, you will need to report security incidents to the relevant authorities, including incidents related to APIs.

Implementing a comprehensive API security program

To comply with the NIS2 Directive and ensure the security of your APIs, you must implement a comprehensive API security program that addresses all aspects of API security, from design to deployment to ongoing management.

Here are some actionable recommendations for implementing an effective API security program followed by an outline of a possible API security program.

  • Conduct a comprehensive cybersecurity risk assessment to identify the risks posed to the security of your network and information systems, including your APIs
  • Implement appropriate technical and organizational measures to manage the identified risks, including authentication, authorization, encryption, and monitoring of your APIs
  • Report security incidents to the relevant authorities, including incidents related to your APIs, and ensure that you have mechanisms in place to detect and report security incidents related to your APIs
  • Ensure compliance with relevant regulations and standards, including the NIS2 Directive, the General Data Protection Regulation (GDPR), and other applicable data protection laws and regulations
  • Provide training and awareness programs to employees, contractors, and third-party providers on API security best practices, including secure coding practices, secure deployment practices, and incident response procedures

The following outline details a possible five-step API security program.

1. API design and development

  • Use secure coding practices when developing APIs to prevent common vulnerabilities, such as SQL injection (SQLi), cross-site scripting (XSS), and buffer overflow attack
  • Implement authentication and authorization mechanisms to ensure that only authorized users can access and use the APIs
  • Use transport layer security (TLS) to encrypt communication between the client and the API server to prevent machine-in-the-middle attacks
  • Implement rate-limiting and throttling mechanisms to prevent abuse of the API and denial-of-service (DoS) attacks
  • Implement error handling and logging mechanisms to detect and respond to security incidents

2. API testing

  • Conduct comprehensive security testing of APIs to identify vulnerabilities and weaknesses, including penetration testing, vulnerability scanning, and code reviews
  • Implement functional testing and regression testing to ensure that APIs are working as intended and have not been compromised by security issues

3. API deployment

  • Implement secure deployment practices, such as using secure configuration settings, minimizing the attack surface, and restricting access to API servers to authorized personnel only
  • Implement security monitoring mechanisms to detect and respond to security incidents in real time, including intrusion detection and prevention systems, security information and event management (SIEM) tools, and log analysis

4. API management

  • Implement security policies and procedures for the management of APIs, including access control, user management, and data governance
  • Implement incident response and disaster recovery plans to respond to security incidents, including the identification of critical APIs and the prioritization of response efforts
  • Ensure compliance with relevant regulations and standards, including the EU NIS2 Directive, the GDPR, and other applicable data protection laws and regulations

5. API training and awareness

  • Provide training and awareness programs to employees, contractors, and third-party providers on API security best practices, including secure coding practices, secure deployment practices, and incident response procedures
  • Conduct regular security audits and assessments to identify potential vulnerabilities and ensure compliance with security policies and procedures

Conclusion

The NIS2 Directive is a comprehensive legal framework that aims to improve cybersecurity across the EU. If your business falls under the scope of the NIS2 Directive, you will need to implement appropriate technical and organizational measures to manage the risks posed to the security of your network and information systems, including your APIs.

By implementing a comprehensive cybersecurity program that addresses all aspects of API security, you can reduce the risk of security incidents and ensure compliance with the EU NIS2 Directive and other relevant regulations and standards.



Akamai Wave Blue

Written by

Steven Duckaert

March 22, 2023

Akamai Wave Blue

Written by

Steven Duckaert

Steven Duckaert is Director of Pre-Sales for EMEA and APJ at Akamai, specializing in API security. With extensive experience in the cybersecurity and IT infrastructure industries, Steven plays a pivotal role in driving the technical sales strategy and guiding customers across the region. Known for his leadership, strategic vision, and deep technical knowledge, Steven is committed to enabling businesses to thrive in an increasingly connected world.