Skip to main content
All scenarios

API / Developer Platform

APIs are invisible to users — but not to regulators.

APIs that process, transmit, or store personal data are fully in scope of GDPR and NIS2. Machine-to-machine communication doesn't reduce your obligations — it increases them.

Reality check

Do your API consumers know exactly what data you process on their behalf, and do you have DPAs in place?

GDPR (General Data Protection Regulation)

mandatory Art. 28, Art. 32, Art. 33

Your obligations

  • API-level access control and authentication
  • Data Processing Agreements for API consumers
  • Rate limiting to prevent data scraping
  • Logging of data access for audit trail
  • Data minimisation in API responses

SiteGuardian monitors this

  • TLS/HTTPS encryption monitoring
  • Automated cookie consent detection
  • Security headers analysis
  • Email transport encryption checks
  • Breach notification SLA tracking (72h)
  • Digital DPA/AVV signing

Risk if ignored

API data leaks are reportable breaches. No DPA = both parties liable. Scraping incidents = security violation.

NIS2 Directive (Cybersecurity)

conditional Art. 21, Art. 23

Your obligations

  • API security monitoring and anomaly detection
  • Vulnerability management for API endpoints
  • Incident response plan for API compromise
  • Supply chain documentation for API dependencies

SiteGuardian monitors this

  • 24h/72h/1m incident reporting SLA
  • DNSSEC and DNS security monitoring
  • Security headers and TLS enforcement
  • Uptime and availability monitoring
  • Supply chain risk scoring
  • Incident auto-classification (NIS2 Art. 23)

Risk if ignored

API providers are in NIS2 scope if they serve essential or important entities. Shared responsibility model.

Digital Services Act (DSA)

conditional Art. 14, Art. 16, Art. 27

Your obligations

  • Transparency reporting on content moderation
  • Notice-and-action mechanism for illegal content
  • Terms of service clarity requirements
  • Algorithmic transparency for recommender systems

Risk if ignored

Fines up to 6% of global turnover. Service restrictions in the EU.

Does this apply to you?

If you answer yes to 2 or more, these regulations very likely apply to your business.

See where you stand

Our free scanner checks your website's security posture, SSL, headers, email authentication, and more. No account needed.

Scan your API endpoint's security
View all scenarios · EU Regulatory Directory · Compliance Plan

This page provides general information about EU regulatory frameworks. It does not constitute legal advice. Consult a qualified legal professional for advice specific to your situation. SiteGuardian documents your monitoring continuously — compliance is your organisation's responsibility.