Compliance

NIS2, NIST CSF 2.0, and regulatory compliance.

OpenApe is regulation-ready by design. One architecture satisfies both sides of the Atlantic.

EU: NIS2 (Directive 2022/2555)

NIS2 requires strong authentication for critical systems. OpenApe delivers this by default, with no opt-in required:

  • Passkeys fulfill the strong authentication requirement (possession + biometrics/PIN)
  • No extra MFA step — it's built into the login flow
  • Agent authentication via Ed25519 challenge-response meets M2M standards for critical infrastructure

USA: NIST CSF 2.0 & Executive Order 14028

  • NIST Cybersecurity Framework 2.0 — Passkeys + asymmetric auth satisfy Identity & Access Management controls
  • Executive Order 14028 — requires MFA and Zero Trust for federal agencies and their suppliers
  • SEC Cyber Rules (2023) — incident reporting aided by clean audit trails (human/agent separation)
  • CMMC 2.0 — tiered security levels naturally mapped by the grant system (once/timed/always)

Why Passkeys-Only?

Passwords are explicitly prohibited in the DDISA spec. Here's what this eliminates:

| Attack Vector        | With Passwords | With Passkeys                        |
|----------------------|----------------|--------------------------------------|
| Phishing redirect    | ⚠️ Main risk   | ✅ Eliminated (origin-bound)         |
| Credential theft     | ⚠️ Possible    | ✅ Eliminated (nothing to steal)     |
| Man-in-the-Middle    | ⚠️ Possible    | ✅ Eliminated (challenge-response)   |
| Credential stuffing  | ⚠️ Common      | ✅ Eliminated (no passwords)         |
| Brute force          | ⚠️ Possible    | ✅ Eliminated (no passwords)         |

Compromised SP Analysis

What can a compromised Service Provider actually do?

With Passkeys (current):

  • ✅ Cannot steal credentials (phishing-proof)
  • ✅ Cannot impersonate users at the IdP
  • ✅ Cannot use assertions for other SPs (aud binding)
  • ⚠️ Can see claims (email, act) of users who log in — accepted, unclosable surface
  • ⚠️ Can hijack sessions on its own service

A compromised SP becomes a passive observer, not an active attacker. This is a fundamental security improvement over password-based systems.

Agent Authentication & NIS2

Agents authenticate via Ed25519 challenge-response, not passwords or passkeys:

|                   | Human (Passkey)             | Agent (Ed25519)                  |
|-------------------|-----------------------------|----------------------------------|
| Factor 1          | Possession (device)         | Possession (private key)         |
| Factor 2          | Biometrics/PIN              | N/A — agents don't have fingers  |
| Phishing risk     | Eliminated (origin-bound)   | N/A (no browser)                 |
| Replay protection | WebAuthn challenge          | One-time challenge               |

NIS2 requires strong auth for humans. For M2M, asymmetric challenge-response is the gold standard.
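The agent-side challenge-response described above, with both sides and the two properties the tables call out (one-time challenge, aud binding), as an added example; this is not OpenApe's code, and the challenge shape, agent IDs and audience strings are assumptions:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// Challenge handed to an agent: nonce plus audience (illustrative shape, an assumption).
type Challenge struct{ Nonce, Aud string }

// Verifier is the service side: registered agent keys plus outstanding nonces.
type Verifier struct {
	aud     string
	keys    map[string]ed25519.PublicKey
	pending map[string]bool // nonce -> still answerable (exactly once)
}

func NewVerifier(aud string, keys map[string]ed25519.PublicKey) *Verifier {
	return &Verifier{aud: aud, keys: keys, pending: map[string]bool{}}
}

// Issue mints a fresh 256-bit nonce and remembers it until it is consumed.
func (v *Verifier) Issue() Challenge {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	c := Challenge{Nonce: hex.EncodeToString(b), Aud: v.aud}
	v.pending[c.Nonce] = true
	return c
}

// signingInput binds the audience into the signed bytes, so a response for one SP is not valid at another.
func signingInput(c Challenge) []byte { return []byte(c.Aud + "\n" + c.Nonce) }
// Sign is the agent side: prove possession of the private key (the agent's only factor).
func Sign(priv ed25519.PrivateKey, c Challenge) []byte { return ed25519.Sign(priv, signingInput(c)) }

// Verify consumes the nonce first (replay protection), then checks audience, key and signature.
func (v *Verifier) Verify(agentID string, c Challenge, sig []byte) error {
	if !v.pending[c.Nonce] {
		return errors.New("unknown or already used challenge")
	}
	delete(v.pending, c.Nonce) // one-time: consumed even if the checks below fail
	pub, ok := v.keys[agentID]
	if c.Aud != v.aud || !ok || !ed25519.Verify(pub, signingInput(c), sig) {
		return errors.New("audience mismatch, unknown agent or bad signature")
	}
	return nil
}
```

A replayed response fails at the nonce check before any cryptography runs, and a response signed for another audience fails even when the nonce is fresh.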

Audit Trail

Every action is traceable:

  • AuthN-JWT: sub (who), act (human/agent), iss (which IdP)
  • AuthZ-JWT: decided_by (who approved), permissions, cmd_hash
  • apes audit log — JSONL with command, grant ID, timestamp, result