# NIS2
The NIS2 Directive requires essential and important entities to implement cybersecurity risk management measures. Apiway’s platform features map directly to key NIS2 requirements.
## Management Accountability
NIS2 requires that management bodies are accountable for cybersecurity measures.
How Apiway addresses this:
- Stewardship — Every API is assigned to a named human steward in the organisation registry. Accountability is explicit, not implicit.
- Governance flows — Changes require approval from designated reviewers. The approval trail is permanent.
- Risk dashboard — Management can see active security risks across the entire API portfolio in real time.
## Supply Chain Security
NIS2 mandates security measures for the supply chain, including direct suppliers.
How Apiway addresses this:
- External API onboarding — Every consumed API goes through your governance flow before deployment. You review the spec, assess compliance, and approve.
- Dependency tracking — The topology maps all external dependencies. You know exactly which third-party APIs your services depend on.
- Credential management — External API credentials are tracked with expiry dates for proactive rotation.
- Consumption guards — Budget ceilings on outbound calls prevent runaway consumption of external services.
## Incident Handling
NIS2 requires the ability to detect, respond to, and recover from security incidents.
How Apiway addresses this:
- Real-time risk tracking — The gateway detects WAF violations, authentication failures, and rate limit breaches. Events are classified by severity and pushed to the risk service.
- SSE event streams — Security events are published in real time via Server-Sent Events. Your SIEM or alerting tools can subscribe.
- Governance triggers — Budget exhaustion and rate limit breaches automatically trigger governance flows; no manual escalation is needed.
- Blue-green revisions — If an incident is caused by a deployment, discard the staging revision. Active traffic is unaffected.
## Evidence Generation
NIS2 compliance requires demonstrating that measures are in place, not just having them.
| Evidence | Source |
|---|---|
| API ownership records | Organisation registry — stewards per API |
| Change approval history | Governance flow records with SVG diagrams |
| Security event logs | Risk service — categorised, timestamped, severity-classified |
| Supply chain audit | External API onboarding records with governance approvals |
| Access control records | Entitlement assignments per subscription |
| Compliance scores | Per-API compliance reports over time |