Who delivers EU compliance audits for WordPress?
WP Poland is a WordPress agency with 20+ years of production experience and hundreds of shipped sites. EU compliance audits are led by seniors who remediate WooCommerce stores, regulated-sector portals, and sites sold into public procurement every week. Mariusz Szatkowski sits on the WordCamp Europe organising team (2024-2026), which keeps our practice tied to accessibility and security practitioners across Europe, not just directive summaries.
What does the EU compliance audit include?
One purchase, three regimes on the WordPress layer:
- Accessibility (EAA / WCAG 2.2 AA) - storefront, checkout, forms, media
- Cybersecurity and supply chain (NIS2 / DORA) - plugins, hosting, ICT integrations, incident path
- AI Act - labelling of AI-generated content, on-site model usage policies
Deliverables: written report, prioritised remediation backlog, procurement evidence pack.
Where is the audit available?
We work remotely for clients in Poland, Germany, the Nordics, Portugal, Spain, and the wider EU. Report languages: English and Polish. The audit needs staging access or a production copy with read-only restrictions where possible.
How much does the EU compliance audit cost?
Individual quote - depends on how many regimes apply, store or portal size, plugin and integration count, and whether P0 remediation runs in parallel with the audit.
| Scope | Price | Notes |
|---|---|---|
| Baseline audit (one regime) | individual quote | E.g. EAA only on a WooCommerce store |
| Full audit (EAA + NIS2/DORA + AI Act) | individual quote | Consolidated report and single backlog |
| Post-audit remediation | individual quote | Optional, separate timeline |
We do not publish fixed public price lists because regime scope differs between a micro-store and a financial portal.
EU compliance audit for WordPress: one purchase instead of three silos
EU procurement teams increasingly score accessibility, cybersecurity, and AI on the same supplier sheet. You already have articles on WCAG, BFSG, and EAA, NIS2 and DORA on WordPress, and AI Act content labelling. What was missing is a service that closes all three threads on one WordPress install without three vendors and three inconsistent reports.
The EU compliance audit is a consolidated technical review: what on your site breaches or risks breaching obligations under Directive 2019/882 (EAA), Directive 2022/2555 (NIS2), Regulation 2022/2554 (DORA), and Regulation 2024/1689 (AI Act). We do not re-explain the directives here - links point to our blogs and EUR-Lex.
Deadlines drive traffic: EAA applies to new services from 2025-06-28, NIS2 is transposed in member states with duties for essential and important entities, DORA covers financial services from 2025-01-17, and the AI Act phases in from 2025. If a buyer asks for evidence before you sign, this audit answers in a format procurement can file.
What the EU compliance audit covers
The table below is the technical scope on WordPress. Legal detail and implementation checklists live in the linked articles - here we only state what we measure on your install.
| Regime | Audit scope on WordPress | Deeper reading |
|---|---|---|
| Accessibility / EAA | WCAG 2.2 AA on purchase paths, forms, keyboard navigation, contrast, media, accessibility statement | WCAG, BFSG, and EAA compliance stack |
| NIS2 / DORA | Plugin and ICT integration register, hardening, 24h/72h incident path, DORA register-of-information fields, third-party risk | NIS2 and DORA: 2026 compliance stack |
| AI Act | AI-generated content labelling, model usage policy, auto-summarisation forms, on-site chatbots | AI Act: labelling AI-generated content |
The audit does not replace legal counsel or a formal VPAT. It does give a technical gap map that external lawyers or auditors can fold into a broader assessment without rescanning code.
Deliverables
At the end of the engagement you receive three artefacts procurement actually reads:
- Written report (PDF) split across the three regimes. Each finding has a P0-P3 priority, evidence (screenshot, code excerpt, log), and remediation instructions a WordPress developer can implement without back-and-forth.
- Remediation backlog in a format ready for Jira, Linear, or a spreadsheet - task dependencies, effort hints, and whether the fix belongs in theme, plugin, or hosting configuration.
- Procurement evidence pack - ICT supplier map (hosting, CDN, payments, email, analytics), plugin versions, update policy, incident notification path sketch aligned with NIS2 expectations.
Plus a 30-minute video walkthrough for engineering and compliance. We answer follow-up questions for 30 days while you work through the backlog.
Who needs this
Not every WordPress site needs the full three-module scope. Most often commissioned by:
- WooCommerce stores selling to EU customers after the EAA effective date - especially checkout, product filters, and contact forms.
- Regulated-sector firms (finance, insurance, critical infrastructure) or their ICT suppliers, where NIS2 and DORA land in the same RFP as accessibility.
- Public sector and government contractors who must show WCAG and supply chain evidence before signing a framework agreement.
- Agencies selling WordPress to EU buyers who want one reference audit instead of three subcontracted offers.
If you are a micro-enterprise with a narrow EAA exemption, we say so on the first call and do not invoice for out-of-scope modules.
How the engagement runs
Five steps from the howTo frontmatter - in practice:
Step 1 - brief. Describe site type, countries, sector, and integrations (payments, CRM, AI tools). Without this, regime scope is guesswork.
Step 2 - regime scoping. On the call we confirm whether EAA, NIS2/DORA, AI Act, or a subset applies. We point to blogs if your internal team needs legal context before signing.
Step 3 - proposal. Individual quote, timeline, required access (staging, read-only SFTP, plugin list).
Step 4 - audit. Automated WCAG scan on representative URLs, manual sample of critical paths, plugin review for NIS2/DORA, AI labelling check. We can close P0 gaps in parallel if contracted.
Step 5 - report and handover. PDF, backlog, evidence pack, recording. Optionally we move into remediation or ongoing WordPress maintenance with quarterly re-audit of selected modules.
Proof from practice
In Q2 2026 we completed EAA scoping for an anonymised WooCommerce store (40+ products, standard block theme, three payment and marketing plugins). Within two weeks of kick-off we delivered a WCAG report with 23 findings, seven marked P0 on checkout (field labels, mini-cart focus trap, pay button contrast). The backlog went to the client team as ready tickets; we closed P0 remediation in the following sprint. No client name, no invented metrics - typical post-EAA project shape.
Related deep-dives and service pillars
This audit aggregates three pillars. If you need a deeper dive on one regime, standalone services exist:
| Service | When separate | Link |
|---|---|---|
| Accessibility audit WCAG | EAA only, without NIS2 and AI | Theme remediation philosophy |
| NIS2 and DORA readiness | Financial sector, ICT supplier register | Deeper DORA Article 28 mapping |
| WordPress security audit | Incident, malware, hardening without compliance framing | Cleanup and hardening after breach |
Blog deep-dives (detail lives here, not repeated above):
- WCAG 2.2, BFSG, and EAA: 2026 compliance stack
- EAA and WCAG 2.1: scope, deadlines, and exemptions
- Accessibility statement for WordPress: template and EN 301 549 mapping
- NIS2 and DORA on WordPress: 2026 compliance stack
- NIS2 vs DORA: scope overlap for WordPress agencies in 2026
- AI Act: labelling AI-generated content
- AI transparency policy
Primary sources (EUR-Lex): EAA 2019/882, NIS2 2022/2555, DORA 2022/2554, AI Act 2024/1689.
Ready to commission the audit? Send a brief via the contact form with your site type, sector, and the deadline by which you must show compliance evidence.






