NIS2 arrived quietly. Its questions for API teams are anything but.
The 17th of October came and went without much ceremony. NIS2's transposition deadline passed with several member states late, France among those still finalizing its implementing law, and many affected companies unsure whether they are "essential," "important," or out of scope. It would be easy to conclude that nothing has really changed yet.
That conclusion misreads how this directive will arrive. NIS2 will not announce itself with a single enforcement wave. It will surface one question at a time, in supplier questionnaires, in incident post-mortems, in board risk reviews, and the teams who operate integration infrastructure will be asked to answer a striking share of them.
How directives actually arrive
There is a pattern to European technology regulation that is worth internalizing, because it repeats. The formal deadline passes with transposition incomplete, enforcement structures half-built, and a widespread sense that there is time. Then, quietly, the obligations start propagating through the economy, not from regulators first, but from customers and partners who now have to ask their suppliers the questions the directive asks of them.
This is why waiting for the final national text is the wrong instinct. Long before an authority knocks, a major client will send a security questionnaire that assumes NIS2 compliance, or an incident will require the 24-hour notification the directive mandates, and the answers will be needed whether or not the local law is finished. The directive's questions become real through the supply chain well ahead of any enforcement action.
Why the API layer is in scope
NIS2's obligations cluster around risk management, incident handling, and, notably, supply chain security. For a modern enterprise, the supply chain is not only software components; it is live connections. Every partner integration, every SaaS dependency, every data feed is a running relationship with a third party, and the directive expects you to know them, assess them, and detect when one begins behaving badly.
- Asset visibility: can you enumerate your external connections and their owners, today, without a discovery project?
- Incident timelines: the 24-hour early warning for significant incidents assumes you can determine scope in hours. Cross-system log archaeology does not fit in that window.
- Access discipline: management accountability provisions make "a shared credential from 2019" a sentence no one wants to say to their board.
Directives are transposed slowly, then enforced suddenly. The gap between the two is the cheapest time to prepare.
Sensible moves this quarter
None of this requires waiting for the final national texts. Inventory your external flows from the gateway outward. Attach an owner and a criticality to each. Verify that every third-party connection authenticates with credentials you can rotate and revoke individually. And run one tabletop exercise against the 24-hour clock: pick a plausible incident and see how long scoping actually takes.
Each of these moves has value even if your organization turns out to be out of scope, which is the reassuring part. An accurate inventory of external dependencies, credentials you can revoke one at a time, and a rehearsed incident process are simply good operational hygiene. NIS2 is, in this sense, asking you to do things you would want to do anyway, and using a deadline to make them urgent.
Organizations running their estates on Waygrid will find most of the raw material already in place, live inventories, per-consumer identity, and complete interaction records. The directive's texts will keep evolving. The questions they generate are already fixed, and they are the same questions well-run infrastructure has always answered.