Intelligent CISO Issue 73 | Page 34

PREDICTIVE intelligence

Our research indicated that 44% of financial services organisations received regulatory fines resulting from an API security incident in 2023.
Coming into force in January 2025, it requires organisations to prepare for and withstand operational disruptions, including cyberattacks and technology failures. In addition, DORA also applies to third-party IT providers, such as data centres or cloud service providers that deliver services into this sector. In total, more than 22,000 financial institutions and IT service providers in the EU are affected.
DORA sets out several requirements that have implications for API security, namely:
Digital operational stability: This involves organisations implementing regular testing programmes that identify potential gaps, vulnerabilities and/or deficiencies in digital operational stability, such as network security tests, penetration tests, web-app tests and more. Conducting mandatory reviews based on threat-led penetration testing (TLPT), depending on the size, risk and business profile of the financial enterprise, is important, as is regularly testing your APIs for vulnerabilities.
DORA outlines examples of security testing which include web-based application and API testing. This includes utilising public-facing resources such as the Open Web Application Security Project (OWASP) top 10 threats, which helps to identify errors in configuration, weaknesses, logic flaws and code issues that may allow threat actors to gain access to, manipulate, or otherwise control organisational resources.
Governance and strategy: There is now increased responsibility for management bodies with regard to IT risk management and compliance with security regulations. This includes increased audit plans and specialised training.
NIS2: a step forward for EU cyber resilience
Coming into force in October 2024, the NIS2 Directive is the most comprehensive European cybersecurity directive to date. It has stricter requirements for risk management and incident reporting, covers a wider remit of industries, and features increasingly hard-hitting financial penalties for non-compliance.
While it does not specifically mention APIs, NIS2’s requirements for enhanced cybersecurity, risk management, incident reporting, and supply chain security have significant implications for the security and management of APIs in organisations subject to the directive. For example:
• Increased security requirements: NIS2 imposes stricter security requirements on organisations, including those related to the protection of information systems. As APIs are integral to the functioning of many digital services, ensuring their security becomes crucial under NIS2.
• Risk management: Organisations are required to adopt appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems. Since APIs can be potential attack vectors, they need to be included in risk management strategies.
34 WWW.INTELLIGENTCISO.COM