In an ever-changing technological environment, where European regulations are becoming increasingly stringent and information systems security is a major issue, how can companies maintain their capacity for innovation while complying with regulatory constraints?
This central question was at the heart of a discussion I had the pleasure of leading with Jean-Noël Veyrat, APIM Product Owner at CDC Informatique (IT subsidiary of Caisse des Dépôts), during our talk at France API 2025.
A delicate balance between three strategic imperatives
Caisse des Dépôts, a public institution founded in 1816 and focused on the general interest, offers a privileged observation ground for understanding the contemporary challenges of API management. As Jean-Noël explains, innovation, compliance and regulation, and security are three areas where the value of API products is revealed.
“These three mandates can seem in opposition; typically, security means tighter controls, whereas innovation is more about fluidity. This apparent tension between security and innovation is a daily challenge for the technical teams I work with. On the one hand, security requirements call for tighter controls; on the other, innovation demands fluidity and agility. Regulations, for their part, establish a strict framework that can seem restrictive.”
An innovative organizational approach: the mandala metaphor
One of the most original contributions of our exchange lies in the conceptual approach developed by Jean-Noël to understand the architecture of information systems. Inspired by a trip to a Himalayan region and the discovery of a thangka (Tibetan tapestry) depicting the history of the world through a series of mandalas, this approach offers a unique vision of the organization of data flows.
“A mandala is a way to map, symbolize, and simplify a given situation. A mandala catches the eye: one grasps its meaning at a glance, without needing to read a long paragraph from left to right and top to bottom to understand its significance.”
This analogy can be applied to information systems by placing the most valuable assets (databases, microservices, etc.) at the center, surrounded by successive layers of security, out to the external zones where potential threats are located. This mapping makes it easier to understand north-south and east-west flows, which is essential in modern API architecture.
Empowering developers: a strategic priority
A major challenge we explored concerns the empowerment of developers. Jean-Noël illustrated this philosophy through a particularly eloquent – and very French – culinary metaphor: that of raclette*.
“When I have guests over for dinner, the composition of the plate is more or less fixed: each guest receives the same thing. With raclette, on the other hand, everything is presented and can be freely composed. Potatoes, cold cuts, pickles, salad, grilled vegetables… And above all, no plate will look like that of its neighbor.”
This analogy perfectly reflects the philosophy of the development platform implemented by CDC Informatique: providing all the necessary components (databases, bootstrap code, integration methods) while leaving developers the freedom to compose their solution according to their specific needs.
*Raclette is a dish of Swiss origin – a claim neighbors across the Alps may dispute. It consists of heating raclette cheese and scraping off the melted part, typically onto boiled potatoes.
On second thought, a taco bar would probably be a more illustrative analogy for an American audience 😊
Mocking: a tool for innovation and control
Among the empowerment tools we discussed, mocking holds a special place. Jean-Noël explains that API mocking is “a new discipline in API management where we move from a static stub to completely dynamic responses.”
Mocking involves creating simulated (or “fake”) versions of APIs for testing and development. Instead of using a real API, a mock is used to mimic its behavior, thus providing businesses with the ability to test the relevance and appeal of their ideas without immediately incurring the costs of full development.
This is exactly the kind of innovation we’re integrating into our Amplify platform at Axway to meet these empowerment challenges.
Amplify Engage, our API marketplace, integrates features such as API linting, mocking, curation capabilities, productization and asset monetization.
Engage’s integration with API security solutions has also significantly extended its capabilities and broadened its scope, positioning Amplify Engage at the heart of our customers’ API ecosystems by fostering collaboration between developers and API consumers, whether internal, external, or a combination of both.
Digital sovereignty and technology decisions
The issue of digital sovereignty is becoming increasingly important when it comes to decisions around tech procurement. As I noted during our discussion:
“We’re seeing more and more customers ask us if we’re truly a French or even a European partner, because there’s this need for autonomy and sovereignty.”
This concern arises in a tense geopolitical context, where the availability of information systems can be compromised by political decisions, as illustrated when one of the world’s largest technology companies was accused of disconnecting the International Criminal Court’s main prosecutor from his email systems.
The Caisse des Dépôts anticipated this issue as early as 2006-2007, choosing solutions that would allow complete control over their API management platform. As Jean-Noël told me:
“One of the most important criteria for us was to have complete control over our product: at the time, we weren’t yet talking about national sovereignty, but it was the same idea.”
At Axway, we’ve always believed customers should be free to choose a deployment tailored to their unique risk analysis: public cloud, sovereign cloud, private cloud or on-premises, depending on the sensitivity of their data and the expected availability of services.
The simplification challenge
The central message of our exchange can be summed up in one word: simplification. Jean-Noël emphasized this fundamental point:
“Simplification carries value. No matter how many layers of abstraction we add, or how many features we multiply, etc., if it’s too complicated to use and design, in my opinion, we’re on the wrong track.”
As supporting evidence: this ‘mandala’ drawn by his daughter to encourage her dad before his presentation, whose simplicity speaks volumes – the message is clear, with a purple heart in a field of flowers, making the value more immediate.
This philosophy of simplicity guides CDC Informatique’s entire product approach, with the conviction that a product must be simple to use for customers – i.e., the developers and technologists who use the product – and simple to understand.
It’s a vision we fully share in our support for customers undergoing digital transformation.
Looking forward
Moving towards the integration of artificial intelligence into API ecosystems is the next challenge we mentioned. If AI agents are to become the new API consumers, this philosophy of simplicity and enablement developed in recent years is likely to be an asset in the transition. It’s why we at Axway are working on integrating standards such as MCP (Model Context Protocol).
The example of Caisse des Dépôts, which Jean-Noël generously shared with us, shows that it is possible to reconcile innovation, security, and regulatory compliance – provided you adopt a clear product approach, focus on simplification and user enablement, and choose technology partners that are aligned with your sovereignty needs.
This strategy, forged over some 20 years of experience, provides a valuable frame of reference for the organizations I work with on a daily basis, who face the same challenges.