Service pillar

NIS2 and DORA readiness

Premium B2B compliance, EU jurisdiction, scoped per project.

Pricing is individual. I reply within one working day.

What I ship

A written readiness report. A populated supplier register that follows the DORA Article 28 fields or the NIS2 Annex II evidence-trail structure. A control gap assessment mapped to the directive's required controls. An incident reporting runbook with the 24-hour, 72-hour, and one-month timelines pre-mapped to your specific stack. A 60-minute walkthrough for your operational team.

Why WordPress estates need this differently

Most readiness work targets bespoke software or SaaS. WordPress and WooCommerce introduce specific compliance surfaces: plugins with administrator-level capabilities, themes that touch the database, payment gateways that fan out to third parties, and an editorial layer that often runs outside formal change-management. Treating those as first-class objects in the supplier register is the difference between a defensible report and a checkbox exercise.

Who this is for

  • Medium and large entities in NIS2 essential and important sectors (Annex I, Annex II)
  • Regulated financial entities subject to DORA
  • Critical ICT third-party providers serving DORA-scoped customers
  • Public-sector procurement that requires a third-party readiness statement before a WordPress procurement closes

Certification vs operational reality

ISO, GDPR, and NIS2 paperwork does not guarantee that a department can actually send an encrypted email. Classic field case: a public-sector or mid-market entity has the auditor, the policies, and the certificate, but its older Ricoh and Nashuatec multi-function printers cannot negotiate TLS with the mail server and silently fail scan-to-email. The scanned PDF ends up on a USB stick, breaking the chain of custody and leaving no log of who handled the file. That class of device rarely has an exception in the ISO statement of applicability, the GDPR records of processing, or the KSC register. Our audit therefore covers both documents and what actually happens at the desk, and maps every such device into the asset and supplier lists.

Polish transposition note (relevant for clients with PL operations)

Poland's NIS2 transposition launches the Krajowy System Cyberbezpieczeństwa (KSC) register via a government online application from 7 May 2026, with a 3 October 2026 self-registration deadline. Public bodies, telcos, and digital service providers are auto-enrolled on 6 May. Sanctions reach 100 million PLN; executive liability up to 3x monthly salary, and the April 2026 amendment extends that personal accountability beyond board members to the broader executive layer overseeing in-scope areas. Source: Polish trade-press reporting via Ministerstwo Cyfryzacji, May 2026. International groups with Polish entities should expect their PL subsidiaries to land in this scope; we cover that in the supplier register and evidence trail.

Engagement model

Senior B2B contracts on EU jurisdiction. Four-week window from kickoff to report. Quarterly review retainer available. Pricing is individual.

NIS2 is a wide-scope directive transposed into national law. DORA is a narrow-scope regulation applied directly. They overlap on financial entities that are also classified essential under NIS2.NIS2 (Directive 2022/2555). DORA (Regulation 2022/2554).NIS2 (Directive 2022/2555)18 sectors, essential + important entitiesNational transposition deadline 2024-10-17Incident timeline 24h / 72h / 30dDORA (Regulation 2022/2554)Financial sector + critical ICT third-party providersDirect application from 2025-01-17TLPT every 3 years for selected entities
NIS2 is a wide-scope directive transposed into national law. DORA is a narrow-scope regulation applied directly. They overlap on financial entities that are also classified essential under NIS2.

Frequently asked questions

Does NIS2 apply to my WordPress site?

It applies to medium and large entities in essential and important sectors as defined in Annex I and Annex II. If you are a digital service provider, online marketplace, healthcare provider, public administration, or critical infrastructure supplier above the size threshold, you are in scope. The directive is national law in every member state by now; the supervisory authority is country-specific.

What about DORA?

DORA applies to regulated financial entities and to their critical ICT third-party providers, in force since 17 January 2025. If your WordPress estate carries customer-facing financial services or you operate as an ICT supplier to one, Article 28 requires a register of information and contractual provisions on subcontracting, exit strategy, and incident reporting.

What is the deliverable?

A written readiness report, a populated supplier register that follows the DORA Article 28 fields or the NIS2 Annex II structure, a control gap assessment with remediation effort estimates, and an incident reporting runbook with the 24-hour, 72-hour, and one-month timelines pre-mapped to your stack.

Can you also remediate the gaps?

Yes, as a separate engagement. The readiness report stays decoupled from implementation so it remains defensible. If you ask me to remediate, the implementation is scoped from the gap list; pricing is individual. Remediation typically combines hardening work from the security audit pillar with supplier-contract changes that your legal team owns.

How does this work for WordPress as opposed to bespoke software?

Most NIS2 and DORA readiness firms understand bespoke software and SaaS. WordPress and WooCommerce introduce specific failure modes: plugins with admin-level capabilities, themes with database access, payment gateways that fan out to third parties, and an editorial layer that often goes outside change-management. I treat those as first-class compliance surfaces, not afterthoughts.

Related cluster

Explore other WordPress services and knowledge base

Strengthen your business with professional technical support in key areas of the WordPress ecosystem.

Cluster reading

Scope and stack

Evidence and operational artefacts

Incident response

Adjacent services

Recommendations from LinkedIn

Recommendations and reviews of working with WPPoland

Selected recommendations from WordPress, WordCamp and e-commerce leaders - with a focus on delivery on time, technical depth, and a business-driven approach to WordPress development.

Karolina Czapla

Karolina Czapla

Marketing Strategist – Performance & Digital Strategy

“Working with Mariusz on WordCamp has shown me how rare it is to combine deep technical skill with genuine leadership. He plans, coordinates and delivers with precision, while giving the team space to grow and contribute....”

Co‑organiser, WordCamp Gdynia 2024 & 2025

Argert Boja

Argert Boja

Senior Full‑Stack Developer

“Mariusz is the teammate everyone hopes for: strong full‑stack WordPress skills, clear explanations and a positive attitude even under pressure. He moves easily between custom plugins, performance work and Gutenberg layou...”

Worked alongside Mariusz on WordPress projects

Daniel Blossfeld

Daniel Blossfeld

Process Optimization & Digitalization Consultant

“I had the pleasure of working with Mariusz for almost three years. During that time, his WordPress development skills proved invaluable across a range of projects, from website builds to online member areas and even Shop...”

Mariusz was his client for WordPress work

Jessica Di Pasquale

Jessica Di Pasquale

Leading SEO initiatives with data-driven growth strategies.

“Mariusz is a very skilled, patient and expert guy. Always ready to help and to fix errors, I really appreciated working with him. He is such a great colleague!”

Managed Mariusz directly

Belinda Koch

Belinda Koch

Web-Tracking Analyst at TUI

“Mariusz is a great person to work with. He is extremely motivated to learn new things and share his knowledge, and is very knowledgeable on a wide range of topics. We worked together on digital analytics and tracking top...”

Worked with Mariusz on digital analytics and tracking topics

Paweł Lewczuk

Paweł Lewczuk

Front-end developer, WordPress developer

“I collaborated with Mariusz on several projects and our cooperation was always exemplary. I believe there are many more joint projects ahead of us. Highly recommended!”

Mariusz was Paweł's client

Make the auditor's job boring

Tell me the entity classification (NIS2 sector or DORA scope) and the WordPress estate in scope. I reply within one working day.

Contact me