API Documentation
Applicability Checker API v1.1 (Beta)
🚧 Beta Notice: This API is under active development. Results are for informational purposes only and do not constitute legal advice. Read our full disclaimer.
Note: This API provides programmatic access to the same regulation filtering logic used by the Applicability Checker tool.
Endpoint
GET https://cyber-laws.com/api/check
Returns matching EU cybersecurity regulations based on organization criteria.
Parameters
| Parameter | Required | Description |
|---|---|---|
| q | Yes | 59-character binary string (0s and 1s) |
| compressed | No | Set to 1 if q is Base64url compressed |
Binary Encoding
The q parameter encodes 59 checkbox selections from the Applicability Checker. Each position corresponds to a specific filter option in the UI:
Location & Ownership (Positions 0-3, 58)
Position | UI Label
---------|----------------------------------
0 | Based in the EU
1 | Serves EU customers
2 | Based outside the EU
3 | Non-EU controlled / subsidiary
58 | Designated Critical Entity
Manufacturer / Producer (Positions 4-11, 51)
Position | UI Label
---------|----------------------------------
4 | Manufacturer / Producer (parent) ⬅️ REQUIRED for 5-11, 51
5 | ↳ Hardware with digital elements
6 | ↳ Software products
7 | ↳ EHR / Health data software
8 | ↳ Medical devices
9 | ↳ Machinery / Industrial equipment
10 | ↳ Radio / Wireless devices
11 | ↳ Vehicles / Automotive
51 | ↳ Marine equipment
⚠️ Parent Required: Position 4 must be set to 1 before selecting any of positions 5-11, 51. The API returns 400 Bad Request if child options are selected without their parent.
Service Provider (Positions 12-19, 57)
Position | UI Label
---------|----------------------------------
12 | Service Provider (parent) ⬅️ REQUIRED for 13-19, 57
13 | ↳ Cloud / SaaS / PaaS / IaaS
14 | ↳ DNS / Domain services
15 | ↳ Trust services (eID, signatures)
16 | ↳ Managed IT services (MSP)
17 | ↳ Managed security (MSSP)
18 | ↳ Telecommunications
19 | ↳ Online platforms / Marketplaces
57 | ↳ Domain name registrar
⚠️ Parent Required: Position 12 must be set to 1 before selecting any of positions 13-19, 57. The API returns 400 Bad Request if child options are selected without their parent.
Infrastructure Operator (Positions 20-25, 47-50)
Position | UI Label
---------|----------------------------------
20 | Infrastructure Operator (parent) ⬅️ REQUIRED for 21-25, 47-50
21 | ↳ Energy (electricity, gas, oil)
22 | ↳ Healthcare facilities
23 | ↳ Blood / Tissue establishments
24 | ↳ Water / Wastewater
25 | ↳ Digital infrastructure
47 | ↳ Aviation
48 | ↳ Rail transport
49 | ↳ Maritime / Ports
50 | ↳ Road transport
⚠️ Parent Required: Position 20 must be set to 1 before selecting any of positions 21-25, 47-50. The API returns 400 Bad Request if child options are selected without their parent.
Sectors - Financial (Positions 26-32)
Position | UI Label
---------|----------------------------------
26 | Financial Services (parent) ⬅️ REQUIRED for 27-32
27 | ↳ Bank / Credit institution
28 | ↳ Insurance / Reinsurance
29 | ↳ Investment / Fund manager
30 | ↳ Payment / E-money
31 | ↳ Crypto-asset provider
32 | ↳ ICT/Cloud provider to financial sector
⚠️ Parent Required: Position 26 must be set to 1 before selecting any of positions 27-32. The API returns 400 Bad Request if child options are selected without their parent.
Sectors - Other (Positions 33-36)
Position | UI Label
---------|----------------------------------
33 | Public Administration
34 | Space
35 | Defense / Military
36 | Research / Education
(No parent-child relationship - these can be selected independently)
Activities (Positions 37-40)
Position | UI Label
---------|----------------------------------
37 | Processes personal data
38 | Develops or deploys AI systems
39 | Develops or sells ICT products/services
40 | Provides essential services to society
(Note: Position 38 (Uses AI systems) is a parent tag - see AI Activities below.)
Customer / Supply Chain (Positions 41-43, 52)
Position | UI Label
---------|----------------------------------
41 | ICT services to financial sector
42 | Supply to critical infrastructure
43 | Sell to public administration entities
52 | Sell to Union institutions
(No parent-child relationship - these can be selected independently)
AI Activities (Positions 38, 44-46) 🆕
Position | UI Label
---------|----------------------------------
38 | Develops or deploys AI systems (parent) ⬅️ REQUIRED for 44-46
44 | ↳ General Purpose AI (GPAI)
45 | ↳ AI output used in EU
46 | ↳ Prohibited AI Practices
ℹ️ Special Behavior: Unlike other parent-child groups, AI children contextualize rather than narrow. Selecting "Develops or deploys AI systems" + "AI output used in EU" still matches regulations that only require the parent tag (like PLD).
🌍 Art. 2(1)(c) Nexus: Position 45 (AI output used in EU) creates EU jurisdiction for non-EU companies even without "Serves EU customers" (position 1). This implements the AI Act's "output used in the Union" provision (Art. 2(1)(c)).
Organization Size (Positions 53-56)
Position | UI Label
---------|----------------------------------
53 | Micro
54 | Small
55 | Medium
56 | Large
(Used for NIS2 size-based exemptions. Radio button selection (mutually exclusive).)
📋 Parent-Child Summary
| Parent Position | Child Positions |
|---|---|
| 4 (Manufacturer / Producer) | 5, 6, 7, 8, 9, 10, 11, 51 |
| 12 (Service Provider) | 13, 14, 15, 16, 17, 18, 19, 57 |
| 20 (Infrastructure Operator) | 21, 22, 23, 24, 25, 47, 48, 49, 50 |
| 26 (Financial Services) | 27, 28, 29, 30, 31, 32 |
| 38 (Develops or deploys AI systems) 🆕 | 44, 45, 46 |
Example: To encode "EU-based cloud provider serving EU customers":
11000000000011000000000000000000000000000010000000000000000
Positions: 0 (EU-based), 1 (EU customers), 12 (Service Provider ✓), 13 (Cloud), 42 (Serves financial)
Note: Position 12 (Service Provider parent) must be set before position 13 (Cloud services).
💡 Tip: The easiest way to generate valid binary strings is to use the Applicability Checker UI, select your criteria, and click "Copy Link" to get a shareable URL with the q parameter. The UI automatically handles parent-child relationships.
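A client-side pre-flight check for q, added here as an example (not code from cyber-laws.com): it builds and decodes the 59-character string, flags child positions set without their parent using the Parent-Child Summary table, and flags more than one organization-size option. The function names and the choice to return a corrected string with the missing parents added are assumptions of this example.

```python
# Added example: builder/validator for the 59-character q string.
# The parent/child map is copied from the Parent-Child Summary table.
Q_LEN = 59
PARENTS = {
    4: [5, 6, 7, 8, 9, 10, 11, 51],
    12: [13, 14, 15, 16, 17, 18, 19, 57],
    20: [21, 22, 23, 24, 25, 47, 48, 49, 50],
    26: [27, 28, 29, 30, 31, 32],
    38: [44, 45, 46],
}
CHILD_TO_PARENT = {c: p for p, kids in PARENTS.items() for c in kids}
SIZE_POSITIONS = {53, 54, 55, 56}  # radio buttons: at most one may be set


def decode(q):
    """Return the set of selected positions, rejecting malformed input."""
    if len(q) != Q_LEN:
        raise ValueError(f"q must be exactly {Q_LEN} characters, got {len(q)}")
    if set(q) - {"0", "1"}:
        raise ValueError("q may contain only 0 and 1")
    return {i for i, bit in enumerate(q) if bit == "1"}


def encode(positions):
    """Build q from selected positions (position 0 is the leftmost character)."""
    bad = [p for p in positions if not 0 <= p < Q_LEN]
    if bad:
        raise ValueError(f"positions out of range: {sorted(bad)}")
    return "".join("1" if i in positions else "0" for i in range(Q_LEN))


def check(q):
    """Return (problems, corrected_q); corrected_q has missing parents added."""
    selected = decode(q)
    problems = []
    missing = {CHILD_TO_PARENT[c] for c in selected if c in CHILD_TO_PARENT} - selected
    for parent in sorted(missing):
        kids = sorted(set(PARENTS[parent]) & selected)
        problems.append(f"children {kids} set without parent {parent}")
    sizes = sorted(selected & SIZE_POSITIONS)
    if len(sizes) > 1:
        problems.append(f"size options {sizes} are mutually exclusive")
    return problems, encode(selected | missing)
```

Sending the corrected string rather than the original keeps the query you log identical to the one the server evaluates.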
Response Format
{
"regulations": [
{
"id": "nis2",
"name": "NIS2 Directive (EU) 2022/2555",
"type": "Directive",
"desc": "High common level of cybersecurity...",
"eurLex": "https://eur-lex.europa.eu/...",
"status": "In force (transposition ongoing)",
"blogLink": "/en/blog/eu_nis2_summary",
"warnings": ["⚠️ Applies via ICT Third-Party Risk..."]
}
],
"alerts": [
{
"type": "hint",
"severity": "info",
"message": "Consider selecting additional criteria..."
}
],
"count": 3,
"query": "11000000000011000000000000000000000000000010000000000000000",
"timestamp": "2024-12-16T21:22:57.583Z",
"meta": {
"version": "1.0-beta",
"disclaimer": "https://cyber-laws.com/en/disclaimer",
"notice": "By using this API, you accept the terms at cyber-laws.com/en/disclaimer. Beta software - not legal advice."
}
}
Alert Types
| Type | Severity | Description |
|---|---|---|
| auto_corrected | info | Missing parent options were automatically added to your selection |
| mutual_exclusion | error | You selected conflicting options that cannot both be true |
| invalid_selection | warning | Your selection will not match any regulations - consider adding more criteria |
| incomplete_selection | info | Your selection needs additional criteria to show relevant regulations |
| hint | info | A suggestion to improve your results based on your current selection |
| exemption_caveat | warning | An exemption you may expect might not apply in your specific case |
Example Usage
✅ Valid: EU cloud provider serving financial sector
GET https://cyber-laws.com/api/check?q=11000000000011000000000000000000000000000010000000000000000
Positions: 0 (EU-based), 1 (EU customers), 12 (Service Provider ✓), 13 (Cloud), 42 (Serves financial)
✅ Valid: Non-EU software manufacturer serving EU market
GET https://cyber-laws.com/api/check?q=01101010000000000000000000000000000000000000000000000000000
Positions: 1 (EU customers), 2 (Non-EU), 4 (Manufacturer ✓), 6 (Software)
✅ Valid: Non-EU AI company with output used in EU (Art. 2(1)(c)) 🆕
GET https://cyber-laws.com/api/check?q=00100000000000000000000000000000000000100000010000000000000
Positions: 2 (Non-EU), 38 (Uses AI ✓), 45 (AI output in EU)
Note: AI Act applies via Art. 2(1)(c) even without position 1 (EU customers).
✅ Valid: Auto-fixed parent relationship 🆕
GET https://cyber-laws.com/api/check?q=11000000000001000000000000000000000000000000000000000000000
Positions: 0 (EU-based), 1 (EU customers), 13 (Cloud without 12)
Note: Position 12 (Service Provider) is automatically added by the server.
❌ Invalid: Wrong binary length
GET https://cyber-laws.com/api/check?q=1100
⚠️ Returns 400 Bad Request - Binary string must be exactly 59 characters
{
"error": "Invalid selection: child options selected without parent",
"code": 400,
"details": ["...positions 13-19 (service provider subtypes) require Service Provider (position 12) to be selected first..."],
"help": "Parent options must be selected (set to 1) before their child options."
}
Code Examples
cURL
curl "https://cyber-laws.com/api/check?q=11000000000011000000000000000000000000000010000000000000000"
JavaScript (fetch)
const query = "11000000000011000000000000000000000000000010000000000000000";
const response = await fetch(`https://cyber-laws.com/api/check?q=${query}`);
const data = await response.json();
console.log(`Found ${data.count} regulations`);
Python (requests)
import requests
query = "11000000000011000000000000000000000000000010000000000000000"
response = requests.get(f"https://cyber-laws.com/api/check?q={query}")
data = response.json()
print(f"Found {data['count']} regulations")
Error Responses
{
"error": "Missing required parameter: q",
"code": 400,
"help": "Provide a 59-character binary string..."
}
Common errors:
- 400 - Missing or invalid q parameter
- 400 - Wrong binary string length (must be exactly 59 characters)
- 400 - Invalid characters (only 0 and 1 allowed)
- 429 - Rate limit exceeded (wait until X-RateLimit-Reset)
Tolerant Parsing
The API uses tolerant parsing for parent-child relationships. If you select a child option without its required parent (e.g. position 13/Cloud without position 12/Service Provider), the system will automatically add the parent and return an auto_corrected alert instead of an error.
Rate Limits
To ensure fair usage and protect the service:
- 60 requests per minute per IP
- No global quotas
Rate limit headers are included in responses:
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 58
X-RateLimit-Reset: 1702760520
CORS
The API allows cross-origin requests from any origin:
Access-Control-Allow-Origin: *
Caching
Responses are cached for 1 hour:
Cache-Control: public, max-age=3600
⚠️ Disclaimer: This API is provided for informational and educational purposes only. It does not constitute legal advice, professional advice, or any form of consulting services. The results should not be used as the sole basis for compliance decisions. Always consult with qualified legal and compliance professionals. See our full disclaimer for important legal information.