The NIS2 Directive Explained: What WordPress Site Owners Need to Know

Most conversations about EU digital regulation focus on GDPR. But there is another significant piece of legislation that came into full effect in October 2024 and affects a much broader range of organisations than many people realise: the NIS2 Directive. Short for the Network and Information Systems Directive 2 (officially Directive (EU) 2022/2555), NIS2 is the EU’s updated framework for cybersecurity obligations across critical and important sectors.

Important: If your WordPress website is part of a business operating in the EU – particularly in certain sectors – you may have obligations under NIS2 in addition to GDPR. The two frameworks are complementary, not alternatives.

What Is the NIS2 Directive?

NIS2 replaces the original NIS Directive from 2016, which was the EU’s first piece of sector-specific cybersecurity legislation. The original directive was criticised for inconsistent implementation across member states and a relatively narrow scope. NIS2 significantly expands both the range of entities covered and the obligations imposed on them.

The directive entered into force in January 2023. EU member states were required to transpose it into national law by 17 October 2024. As a directive rather than a regulation, the exact implementation varies slightly by country, but the core requirements are consistent across the EU.

NIS2 vs GDPR – Key Differences

| Aspect | GDPR | NIS2 |
| --- | --- | --- |
| Focus | Personal data protection | Network & system security |
| Who it covers | Any org processing EU personal data | Medium/large orgs in covered sectors |
| Enforcement | Data Protection Authorities | National Competent Authorities / CSIRTs |
| Max fine | €20M or 4% global turnover | €10M or 2% global turnover (Essential) |

A ransomware attack on a WordPress site could trigger obligations under both frameworks simultaneously – GDPR if personal data is compromised, NIS2 if the organisation is in scope.

Who Does NIS2 Apply To?

NIS2 divides in-scope entities into two categories: Essential Entities and Important Entities. The categorisation affects the intensity of supervision and the penalties that apply, but both categories must meet broadly the same security obligations.

Essential Entities

  • Energy (electricity, oil, gas, heating)
  • Transport (aviation, rail, road, maritime)
  • Banking & financial market infrastructure
  • Health (hospitals, pharma, medical devices)
  • Drinking water and wastewater
  • Digital infrastructure (DNS, TLD registries, cloud, CDNs)
  • ICT service management (MSSPs)
  • Public administration
  • Space

Important Entities

  • Postal and courier services
  • Waste management
  • Chemicals manufacturing & distribution
  • Food production, processing, and distribution
  • Manufacturing (medical devices, electronics, vehicles)
  • Digital providers (online marketplaces, search engines, social networks)
  • Research organisations

Size thresholds: NIS2 generally applies to organisations with at least 50 employees or annual turnover/balance sheet exceeding €10 million. Small and micro enterprises are generally excluded – so if you run a small WordPress blog, NIS2 is unlikely to apply directly to you. However, if you operate a WordPress-powered platform in a covered sector (a healthcare portal, online marketplace, or digital infrastructure service), assess your obligations carefully.

What Does NIS2 Require?

For organisations that are in scope, NIS2 imposes obligations in two main areas: risk management measures and incident reporting.

1. Cybersecurity Risk Management Measures

Article 21 of NIS2 requires in-scope entities to implement appropriate and proportionate technical, operational, and organisational measures to manage cybersecurity risks. These must address at minimum:

Required Security Measures (Article 21)

  • Risk analysis and security policies – Documented policies covering how risks are identified, assessed, and treated. A good starting point is a thorough data audit of your WordPress website.
  • Incident handling – Processes for detecting, responding to, and recovering from security incidents.
  • Business continuity – Backup management, disaster recovery, and crisis management plans.
  • Supply chain security – Assessment of security practices of third-party suppliers including your hosting provider, CDN, and managed service providers.
  • Network and information system security – Access controls, vulnerability management, patch management, and network monitoring.
  • Cybersecurity hygiene and training – Staff awareness programmes and basic cyber hygiene (strong passwords, MFA, phishing awareness).
  • Cryptography – Use of encryption where appropriate – for example, ensuring your WordPress site is served exclusively over HTTPS.
  • HR security and access control policies – Managing user access rights, particularly for privileged WordPress admin accounts.
  • Multi-factor authentication (MFA) – Explicitly required by NIS2 for relevant accounts.

2. Incident Reporting Obligations

NIS2 introduces strict timelines for reporting significant security incidents to the relevant national authority. A “significant incident” is one that has caused or is capable of causing serious disruption to services or financial losses.

  • 24 hours – Submit an early warning to the authority after becoming aware of a significant incident.
  • 72 hours – Submit an incident notification with an initial assessment including severity and impact.
  • 1 month – Submit a final report with detailed description, threat type, root cause analysis, and measures taken.

3. Management Body Accountability

One of the most notable aspects of NIS2 is that it places direct responsibility on the management body – the board of directors or senior leadership – for approving and overseeing cybersecurity risk management measures. Members of the management body can be held personally liable for non-compliance.

This is a significant escalation from previous frameworks and means cybersecurity can no longer be treated purely as a technical function delegated to the IT department. This mirrors how Privacy Impact Assessments under GDPR require senior sign-off.

NIS2 and WordPress: Practical Implications

If your organisation is in scope for NIS2 and uses WordPress as part of its digital infrastructure, here are the most immediately relevant practical steps. Many of these overlap with common GDPR mistakes WordPress site owners make – fixing one often helps with the other.

WordPress NIS2 Action Checklist

  • Keep WordPress core and plugins updated – NIS2’s vulnerability management requirements make timely patching essential. Enable automatic updates for WordPress core minor releases and regularly review plugins.
  • Enforce MFA for all admin accounts – Use a plugin such as WP 2FA or miniOrange to require multi-factor authentication for all users with administrator or editor roles.
  • Assess your hosting provider’s security practices – NIS2’s supply chain requirements mean you need to document the security measures your hosting provider has in place. Managed WordPress hosts that publish security white papers and compliance certifications make this easier.
  • Implement regular backups and a recovery plan – Business continuity obligations require you to restore operations following an incident. Use a reliable backup plugin and test your restore procedure periodically.
  • Log and monitor activity – Install an activity logging plugin to maintain audit trails of administrative actions. This supports both incident detection and incident reporting obligations.

If you are already following GDPR security requirements using WordPress’s built-in tools, you will have a strong head start on NIS2 compliance. The frameworks are complementary – good data hygiene and security practices serve both.
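To make the "log and monitor activity" item concrete, here is an added example of a minimal must-use plugin that writes an audit trail of privileged WordPress actions (logins, failed logins, plugin activation, role changes, core updates) as one JSON line per event. It is illustration written for this article, not code from the article's author or from any of the plugins it names; the `NIS2_AUDIT_LOG` constant, the `nis2_audit()` helper and the log path are assumptions chosen for the example, while the WordPress hooks it attaches to are standard core hooks.

```php
<?php
/**
 * Plugin Name: NIS2 Admin Audit Trail (added example)
 * Description: Records privileged actions to a dedicated audit log.
 * Place this file in wp-content/mu-plugins/ so it loads on every request
 * and cannot be deactivated from the dashboard.
 */

// Assumption: the log path is set in wp-config.php, e.g.
//   define( 'NIS2_AUDIT_LOG', '/var/log/wordpress/audit.log' );
// Keep it outside the web root so it cannot be fetched or edited over HTTP.
if ( ! defined( 'NIS2_AUDIT_LOG' ) ) {
    // Fallback for demonstration only; a path outside the web root is preferable.
    define( 'NIS2_AUDIT_LOG', WP_CONTENT_DIR . '/audit.log' );
}

/**
 * Append one JSON line: UTC timestamp, event name, acting user, client IP, details.
 * JSON lines are easy to ship to a SIEM and to quote in a 72-hour incident notification.
 * (Helper name and record layout are assumptions for this example.)
 */
function nis2_audit( string $event, array $details = array() ): void {
    $user   = wp_get_current_user();
    $record = array(
        'ts'      => gmdate( 'c' ),
        'event'   => $event,
        'user'    => ( $user && $user->exists() ) ? $user->user_login : 'anonymous',
        'ip'      => isset( $_SERVER['REMOTE_ADDR'] )
                     ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
                     : '',
        'details' => $details,
    );
    // LOCK_EX prevents interleaved writes from concurrent requests.
    file_put_contents( NIS2_AUDIT_LOG, wp_json_encode( $record ) . PHP_EOL, FILE_APPEND | LOCK_EX );
}

// Successful and failed logins: the raw material for spotting credential stuffing.
add_action( 'wp_login', function ( $user_login, $user ) {
    nis2_audit( 'login_success', array( 'login' => $user_login, 'roles' => $user->roles ) );
}, 10, 2 );

add_action( 'wp_login_failed', function ( $username ) {
    nis2_audit( 'login_failed', array( 'login' => $username ) );
} );

// Plugin (de)activation changes the attack surface; record who did it and which plugin.
add_action( 'activated_plugin', function ( $plugin ) {
    nis2_audit( 'plugin_activated', array( 'plugin' => $plugin ) );
} );
add_action( 'deactivated_plugin', function ( $plugin ) {
    nis2_audit( 'plugin_deactivated', array( 'plugin' => $plugin ) );
} );

// Role changes and new accounts: misuse of a compromised admin account usually shows up here.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    nis2_audit( 'role_changed', array(
        'target_user' => (int) $user_id,
        'new_role'    => $role,
        'old_roles'   => $old_roles,
    ) );
}, 10, 3 );
add_action( 'user_register', function ( $user_id ) {
    nis2_audit( 'user_created', array( 'target_user' => (int) $user_id ) );
} );

// Core updates: evidence for the patch-management requirement.
add_action( '_core_updated_successfully', function ( $wp_version ) {
    nis2_audit( 'core_updated', array( 'version' => $wp_version ) );
} );
```

The same wp-config.php that defines the log path is also where the first checklist item is enforced: `define( 'WP_AUTO_UPDATE_CORE', 'minor' );` keeps core on automatic minor (security) releases, and `define( 'DISALLOW_FILE_EDIT', true );` removes the in-dashboard theme and plugin editor so that a stolen admin session cannot be turned into arbitrary PHP on the server. A log that is only readable by the web server user, rotated, and copied off the host is what lets you answer the 24-hour and 72-hour questions (what happened, when, to which accounts) with evidence rather than guesswork.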

Penalties for Non-Compliance

NIS2 Financial Penalties

| Entity Type | Maximum Fine | Alternative |
| --- | --- | --- |
| Essential Entities | €10,000,000 | 2% of global annual turnover (whichever is higher) |
| Important Entities | €7,000,000 | 1.4% of global annual turnover (whichever is higher) |

In addition, supervisory authorities can impose remediation orders and – in serious cases – temporary bans on management from exercising their roles. For context on how EU regulators have been approaching enforcement, see our post on growing scrutiny and major penalties for GDPR non-compliance – the same enforcement trend applies to NIS2.

Conclusion

NIS2 represents a significant step up in the EU’s cybersecurity regulatory requirements. While it won’t apply to the vast majority of small WordPress blogs and informational websites, organisations operating in covered sectors need to take it seriously – particularly given the management liability provisions and the strict incident reporting timelines.

The good news is that many of the underlying security measures NIS2 requires are simply good cybersecurity practice: keeping software updated, enforcing MFA, maintaining backups, and having a plan for when things go wrong. If you are already following GDPR requirements including a compliant privacy policy, you have a strong head start.

For a broader view of your website’s compliance obligations in 2026, check out our guide to WordPress GDPR and website compliance in 2026. And if you’re reviewing your cookie consent setup as part of your compliance audit, our GDPR and cookie consent guide for 2026 is a good next read.