EU compliance audit for WordPress: accessibility, NIS2/DORA, AI Act
EN

EU compliance audit for WordPress: accessibility, NIS2/DORA, AI Act

5.00/5 - (17 votes)
7 min read
Guide

#Who delivers EU compliance audits for WordPress?

WP Poland is a WordPress agency with 20+ years of production experience and hundreds of shipped sites. EU compliance audits are led by seniors who remediate WooCommerce stores, regulated-sector portals, and sites sold into public procurement every week. Mariusz Szatkowski sits on the WordCamp Europe organising team (2024-2026), which keeps our practice tied to accessibility and security practitioners across Europe, not just directive summaries.

#What does the EU compliance audit include?

One purchase, three regimes on the WordPress layer:

  • Accessibility (EAA / WCAG 2.2 AA) - storefront, checkout, forms, media
  • Cybersecurity and supply chain (NIS2 / DORA) - plugins, hosting, ICT integrations, incident path
  • AI Act - labelling of AI-generated content, on-site model usage policies

Deliverables: written report, prioritised remediation backlog, procurement evidence pack.

#Where is the audit available?

We work remotely for clients in Poland, Germany, the Nordics, Portugal, Spain, and the wider EU. Report languages: English and Polish. The audit needs staging access or a production copy with read-only restrictions where possible.

#How much does the EU compliance audit cost?

Individual quote - depends on how many regimes apply, store or portal size, plugin and integration count, and whether P0 remediation runs in parallel with the audit.

ScopePriceNotes
Baseline audit (one regime)individual quoteE.g. EAA only on a WooCommerce store
Full audit (EAA + NIS2/DORA + AI Act)individual quoteConsolidated report and single backlog
Post-audit remediationindividual quoteOptional, separate timeline

We do not publish fixed public price lists because regime scope differs between a micro-store and a financial portal.


#EU compliance audit for WordPress: one purchase instead of three silos

EU procurement teams increasingly score accessibility, cybersecurity, and AI on the same supplier sheet. You already have articles on WCAG, BFSG, and EAA, NIS2 and DORA on WordPress, and AI Act content labelling. What was missing is a service that closes all three threads on one WordPress install without three vendors and three inconsistent reports.

The EU compliance audit is a consolidated technical review: what on your site breaches or risks breaching obligations under Directive 2019/882 (EAA), Directive 2022/2555 (NIS2), Regulation 2022/2554 (DORA), and Regulation 2024/1689 (AI Act). We do not re-explain the directives here - links point to our blogs and EUR-Lex.

Deadlines drive traffic: EAA applies to new services from 2025-06-28, NIS2 is transposed in member states with duties for essential and important entities, DORA covers financial services from 2025-01-17, and the AI Act phases in from 2025. If a buyer asks for evidence before you sign, this audit answers in a format procurement can file.

#What the EU compliance audit covers

The table below is the technical scope on WordPress. Legal detail and implementation checklists live in the linked articles - here we only state what we measure on your install.

RegimeAudit scope on WordPressDeeper reading
Accessibility / EAAWCAG 2.2 AA on purchase paths, forms, keyboard navigation, contrast, media, accessibility statementWCAG, BFSG, and EAA compliance stack
NIS2 / DORAPlugin and ICT integration register, hardening, 24h/72h incident path, DORA register-of-information fields, third-party riskNIS2 and DORA: 2026 compliance stack
AI ActAI-generated content labelling, model usage policy, auto-summarisation forms, on-site chatbotsAI Act: labelling AI-generated content

The audit does not replace legal counsel or a formal VPAT. It does give a technical gap map that external lawyers or auditors can fold into a broader assessment without rescanning code.

#Deliverables

At the end of the engagement you receive three artefacts procurement actually reads:

  1. Written report (PDF) split across the three regimes. Each finding has a P0-P3 priority, evidence (screenshot, code excerpt, log), and remediation instructions a WordPress developer can implement without back-and-forth.
  2. Remediation backlog in a format ready for Jira, Linear, or a spreadsheet - task dependencies, effort hints, and whether the fix belongs in theme, plugin, or hosting configuration.
  3. Procurement evidence pack - ICT supplier map (hosting, CDN, payments, email, analytics), plugin versions, update policy, incident notification path sketch aligned with NIS2 expectations.

Plus a 30-minute video walkthrough for engineering and compliance. We answer follow-up questions for 30 days while you work through the backlog.

#Who needs this

Not every WordPress site needs the full three-module scope. Most often commissioned by:

  • WooCommerce stores selling to EU customers after the EAA effective date - especially checkout, product filters, and contact forms.
  • Regulated-sector firms (finance, insurance, critical infrastructure) or their ICT suppliers, where NIS2 and DORA land in the same RFP as accessibility.
  • Public sector and government contractors who must show WCAG and supply chain evidence before signing a framework agreement.
  • Agencies selling WordPress to EU buyers who want one reference audit instead of three subcontracted offers.

If you are a micro-enterprise with a narrow EAA exemption, we say so on the first call and do not invoice for out-of-scope modules.

#How the engagement runs

Five steps from the howTo frontmatter - in practice:

Step 1 - brief. Describe site type, countries, sector, and integrations (payments, CRM, AI tools). Without this, regime scope is guesswork.

Step 2 - regime scoping. On the call we confirm whether EAA, NIS2/DORA, AI Act, or a subset applies. We point to blogs if your internal team needs legal context before signing.

Step 3 - proposal. Individual quote, timeline, required access (staging, read-only SFTP, plugin list).

Step 4 - audit. Automated WCAG scan on representative URLs, manual sample of critical paths, plugin review for NIS2/DORA, AI labelling check. We can close P0 gaps in parallel if contracted.

Step 5 - report and handover. PDF, backlog, evidence pack, recording. Optionally we move into remediation or ongoing WordPress maintenance with quarterly re-audit of selected modules.

#Proof from practice

In Q2 2026 we completed EAA scoping for an anonymised WooCommerce store (40+ products, standard block theme, three payment and marketing plugins). Within two weeks of kick-off we delivered a WCAG report with 23 findings, seven marked P0 on checkout (field labels, mini-cart focus trap, pay button contrast). The backlog went to the client team as ready tickets; we closed P0 remediation in the following sprint. No client name, no invented metrics - typical post-EAA project shape.

This audit aggregates three pillars. If you need a deeper dive on one regime, standalone services exist:

ServiceWhen separateLink
Accessibility audit WCAGEAA only, without NIS2 and AITheme remediation philosophy
NIS2 and DORA readinessFinancial sector, ICT supplier registerDeeper DORA Article 28 mapping
WordPress security auditIncident, malware, hardening without compliance framingCleanup and hardening after breach

Blog deep-dives (detail lives here, not repeated above):

Primary sources (EUR-Lex): EAA 2019/882, NIS2 2022/2555, DORA 2022/2554, AI Act 2024/1689.

Ready to commission the audit? Send a brief via the contact form with your site type, sector, and the deadline by which you must show compliance evidence.

Related cluster

Explore other WordPress services and knowledge base

Strengthen your business with professional technical support in key areas of the WordPress ecosystem.

Recommendations from LinkedIn

Recommendations and reviews of working with WPPoland

Selected recommendations from WordPress, WordCamp and e-commerce leaders - with a focus on delivery on time, technical depth, and a business-driven approach to WordPress development.

Karolina Czapla

Karolina Czapla

Marketing Strategist – Performance & Digital Strategy

“Working with Mariusz on WordCamp has shown me how rare it is to combine deep technical skill with genuine leadership. He plans, coordinates and delivers with precision, while giving the team space to grow and contribute....”

Co‑organiser, WordCamp Gdynia 2024 & 2025

Argert Boja

Argert Boja

Senior Full‑Stack Developer

“Mariusz is the teammate everyone hopes for: strong full‑stack WordPress skills, clear explanations and a positive attitude even under pressure. He moves easily between custom plugins, performance work and Gutenberg layou...”

Worked alongside Mariusz on WordPress projects

Daniel Blossfeld

Daniel Blossfeld

Process Optimization & Digitalization Consultant

“I had the pleasure of working with Mariusz for almost three years. During that time, his WordPress development skills proved invaluable across a range of projects, from website builds to online member areas and even Shop...”

Mariusz was his client for WordPress work

Jessica Di Pasquale

Jessica Di Pasquale

Leading SEO initiatives with data-driven growth strategies.

“Mariusz is a very skilled, patient and expert guy. Always ready to help and to fix errors, I really appreciated working with him. He is such a great colleague!”

Managed Mariusz directly

Belinda Koch

Belinda Koch

Web-Tracking Analyst at TUI

“Mariusz is a great person to work with. He is extremely motivated to learn new things and share his knowledge, and is very knowledgeable on a wide range of topics. We worked together on digital analytics and tracking top...”

Worked with Mariusz on digital analytics and tracking topics

Paweł Lewczuk

Paweł Lewczuk

Front-end developer, WordPress developer

“I collaborated with Mariusz on several projects and our cooperation was always exemplary. I believe there are many more joint projects ahead of us. Highly recommended!”

Mariusz was Paweł's client

How is an EU compliance audit different from a standalone accessibility audit?#
An accessibility audit measures WCAG 2.2 AA on the front end. An EU compliance audit combines that result with NIS2 and DORA mapping on the WordPress supply chain (hosting, plugins, SaaS) and AI Act controls where the site publishes or generates content with models. You get one report and one backlog instead of three inconsistent documents from different vendors.
Does a small WooCommerce store need the full EU audit?#
Scope depends on the operator, not the CMS alone. Micro-enterprises have narrower EAA exemptions, but a store with 40+ products serving EU customers often falls under accessibility obligations from 2025-06-28. NIS2 and DORA apply to regulated sectors or their ICT suppliers. On the discovery call we confirm which of the three regimes actually applies so you do not pay for modules outside scope.
How long does an EU compliance audit on WordPress take?#
A typical WooCommerce store with a few dozen products and a standard plugin stack: two weeks from kick-off to report with backlog. Portals with multiple integrations, SSO, and custom plugins: three to four weeks. Timeline depends on staging access, the integration list, and whether P0 remediation runs in parallel with the audit.
What do I receive at the end?#
A written report split across EAA/WCAG, NIS2/DORA, and AI Act; a remediation backlog with P0 to P3 priorities; a procurement evidence pack (supplier map, plugin register, incident path sketch); and a 30-minute video walkthrough for engineering and compliance. Optional P0 remediation can be scoped separately.
Does this audit replace a WCAG certificate or legal opinion?#
No. The technical WordPress audit shows gaps at the CMS, theme, plugin, and configuration layer. It does not replace formal legal review or a full VPAT for a specific public contract. The report is written so an external lawyer or auditor can fold it into a broader compliance assessment without rescanning code.
Can you implement fixes after the audit?#
Yes. The audit backlog can be commissioned as remediation: accessibility fixes in theme and WooCommerce, NIS2-oriented hardening, AI Act labelling in content templates. Critical gaps (missing checkout labels, public REST endpoints) are closed first, before the rest of the team reads the full report.

Need an FAQ tailored to your industry and market? We can build one aligned with your business goals.

Let’s discuss

Related Articles

AI-slop content cleanup

A YMYL diagnostic for WordPress sites: how to find fake stats, fabricated citations, duplicate AI pages, wrong dates, and invented team bios before they damage trust, compliance, or AI citations.

Why Perplexity cites your brand and ChatGPT does not

Our own Geoboard baseline showed Perplexity as the strongest engine and ChatGPT with zero presence across eight tracked prompts in the same run. Here is the mechanism behind that split, and what it means for procurement, evaluators, and agencies reporting AI visibility to clients.