NIS2 and DORA readiness

What I ship

A written readiness report. A populated supplier register that follows the DORA Article 28 fields or the NIS2 Annex II evidence-trail structure. A control gap assessment mapped to the directive's required controls. An incident reporting runbook with the 24-hour, 72-hour, and one-month timelines pre-mapped to your specific stack. A 60-minute walkthrough for your operational team.

Why WordPress estates need this differently

Most readiness work targets bespoke software or SaaS. WordPress and WooCommerce introduce specific compliance surfaces: plugins with administrator-level capabilities, themes that touch the database, payment gateways that fan out to third parties, and an editorial layer that often runs outside formal change-management. Treating those as first-class objects in the supplier register is the difference between a defensible report and a checkbox exercise.

Who this is for

• Medium and large entities in NIS2 essential and important sectors (Annex I, Annex II)
• Regulated financial entities subject to DORA
• Critical ICT third-party providers serving DORA-scoped customers
• Public-sector procurement that requires a third-party readiness statement before a WordPress procurement closes

Certification vs operational reality

ISO, GDPR, and NIS2 paperwork does not guarantee that a department can actually send an encrypted email. Classic field case: a public-sector or mid-market entity has the auditor, the policies, and the certificate, but its older Ricoh and Nashuatec multi-function printers cannot negotiate TLS with the mail server and silently fail scan-to-email. The scanned PDF ends up on a USB stick, breaking the chain of custody and leaving no log of who handled the file. That class of device rarely has an exception in the ISO statement of applicability, the GDPR records of processing, or the KSC register. Our audit therefore covers both documents and what actually happens at the desk, and maps every such device into the asset and supplier lists.

Polish transposition note (relevant for clients with PL operations)

Poland's NIS2 transposition launches the Krajowy System Cyberbezpieczeństwa (KSC) register via a government online application from 7 May 2026, with a 3 October 2026 self-registration deadline. Public bodies, telcos, and digital service providers are auto-enrolled on 6 May. Sanctions reach 100 million PLN; executive liability up to 3x monthly salary, and the April 2026 amendment extends that personal accountability beyond board members to the broader executive layer overseeing in-scope areas. Source: Polish trade-press reporting via Ministerstwo Cyfryzacji, May 2026. International groups with Polish entities should expect their PL subsidiaries to land in this scope; we cover that in the supplier register and evidence trail.

Engagement model

Senior B2B contracts on EU jurisdiction. Four-week window from kickoff to report. Quarterly review retainer available. Pricing is individual.