NIS2 Annex II for WordPress agencies: scope, deadlines, evidence trail
Article 21 of Directive 2022/2555 is the operative clause that decides what an audit looks like. Annex I and Annex II decide who has to sit through that audit. This article maps the ten Article 21(2) measures to a WordPress agency control and the evidence file I expect to find when a regulated client asks for a supplier review.
This is a supporting article inside the NIS2 and DORA on WordPress pillar, with cross-references to the DORA Article 28 third-party guide and the 24-hour incident response playbook.
TL;DR
- Article 21(2) lists ten risk-management measures. None is optional.
- Annex I = essential entities. Annex II = important entities. Same measures, different supervision.
- Auditors look for four artefacts per measure: policy, owner, evidence record, review cadence.
- The penalty caps in Article 34 apply to the entity, not its WordPress vendor, but supply chain clauses flow the obligations downstream anyway.
- I keep one folder per Article 21 paragraph in every regulated-client engagement.
Who is in scope: Annex I vs Annex II
Annex I lists the essential entities: energy, transport, banking, financial market infrastructures, health, drinking and waste water, digital infrastructure, ICT service management (B2B), public administration, space. Annex II lists the important entities: postal and courier services, waste management, chemicals, food, manufacturing of medical devices, computers and electronics, machinery and motor vehicles, digital service providers, research organisations.
Both annexes apply to medium-sized entities and above (50+ employees, or annual turnover above 10 million EUR, or balance sheet above 10 million EUR). Microenterprises and small enterprises are out of direct scope unless they fall under one of the named exceptions in Article 2(2): trust service providers, TLD registries, certain DNS providers, public administration, providers of public electronic communications networks.
The practical filter for a WordPress agency: a hospital, a bank, a chemical plant, a data centre operator, a TLD registry, a UCITS manager. If the client is one of these, the scoping conversation starts. If the client is a hotel, a SaaS startup or a regional retailer, scoping usually ends in “out of scope, but security best practice still applies.”
Article 21(2): the ten measures
The directive text reads as ten lettered paragraphs from (a) to (j). Each one becomes a folder in my project workspace.
(a) Policies on risk analysis and information system security. A signed risk register listing assets, threats, likelihood, impact and treatment. For WordPress: list the production server, staging server, plugin set, third-party APIs (payment, email, analytics, AI), admin accounts and content database. Threats: plugin RCE, credential stuffing, ransomware on backups, GDPR breach via export. Treatment: update cadence, MFA, off-site encrypted backup, WAF rule set.
(b) Incident handling. Detection, classification, response, recovery, post-mortem. Evidence file: an IR runbook with named owners, the monitoring tool that triggers alerts (Wordfence, Sucuri, hosting-level IDS, Cloudflare alerts), the Slack or PagerDuty channel, the post-mortem template.
(c) Business continuity, including backup management and disaster recovery, and crisis management. Backup with off-site storage, RPO and RTO defined, restore tested. Crisis communication plan including who talks to the press and who talks to the regulator. Annual restore drill with a written report.
(d) Supply chain security, including security-related aspects concerning relationships between each entity and its direct suppliers or service providers. This is where the WordPress agency lands. The regulated entity must keep a register of suppliers, classify them by criticality, run due diligence, write security clauses into contracts. Cross-reference: DORA Article 28 has the same logic but stricter for finance.
(e) Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure. Documented secure development lifecycle. For WordPress: code review for custom plugins and themes, dependency scanning (Snyk, Dependabot, the WordPress.org plugin checker), vulnerability disclosure email, patch management policy.
(f) Policies and procedures to assess the effectiveness of cybersecurity risk-management measures. Internal audit, external audit or penetration test. Evidence: scope statement, test report, remediation tracker, retest record.
(g) Basic cyber hygiene practices and cybersecurity training. Annual training for all staff, role-specific training for admins. Evidence: training log with names, dates, content covered.
(h) Policies and procedures regarding the use of cryptography and, where appropriate, encryption. TLS 1.3 at the edge, encryption of backups, encryption of database backups at rest. Hash algorithm policy (no MD5 or SHA-1). Cryptographic key inventory.
(i) Human resources security, access control policies and asset management. Joiner-mover-leaver process. Named admin accounts, no shared credentials. Asset inventory including all WordPress installs, staging environments, repository access, hosting console access. Quarterly access review.
(j) Use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems. MFA on every WordPress admin, every hosting console, every CDN console, every code repository, every email. No exceptions for “trusted internal users”.
The evidence trail: four artefacts per measure
For each of the ten paragraphs I expect to produce four artefacts when an auditor turns up:
| Artefact | What it looks like | Why it matters |
|---|---|---|
| Policy document | Approved by management, dated, version-controlled | Article 20 requires management approval and oversight |
| Process owner | A named role (CISO, Head of Engineering, Agency Director) | Auditors reject “the team” as an owner |
| Implementation record | Logs, screenshots, ticket numbers, scan reports, contract clauses | Demonstrates the policy is operating, not just written |
| Review cadence | Annual or quarterly review, calendar entry, minutes | Shelfware policy with no review = audit finding |
I run this four-column table for every Article 21(2) sub-paragraph. Ten paragraphs, forty artefacts. That is what an audit binder looks like in 2026.
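A completeness check over such a binder, added here as an example and not part of the original article or any client's tooling: it walks the ten Article 21(2) sub-paragraphs and flags the four findings the table describes (missing artefact, no named owner, unapproved policy, overdue review). The binder layout, the 365/92-day review thresholds and the list of disqualified owner strings are assumptions of this example.

```python
from datetime import date

# Article 21(2) sub-paragraphs (a) to (j) and the four artefacts per paragraph.
MEASURES = "abcdefghij"
ARTEFACTS = ("policy", "owner", "record", "review")
MAX_REVIEW_AGE_DAYS = {"annual": 365, "quarterly": 92}   # assumed thresholds
DISQUALIFIED_OWNERS = {"", "the team", "team", "everyone", "it"}
AUDIT_DATE = date(2026, 3, 1)                            # constructed audit date

def check_binder(binder, today):
    """Return audit findings (empty list = clean) for one Article 21 binder.

    binder maps each letter a-j to a dict with keys policy (approved_by,
    version), owner (named role), record (list of evidence references) and
    review (cadence, last_reviewed as a date). Assumed layout.
    """
    findings = []
    for m in MEASURES:
        entry = binder.get(m)
        if entry is None:
            findings.append(f"21(2)({m}): no folder")
            continue
        for a in ARTEFACTS:                      # artefact missing entirely
            if not entry.get(a):
                findings.append(f"21(2)({m}): missing {a}")
        if str(entry.get("owner", "")).strip().lower() in DISQUALIFIED_OWNERS:
            findings.append(f"21(2)({m}): owner is not a named role")
        policy = entry.get("policy") or {}       # Article 20: approved + versioned
        if not (policy.get("approved_by") and policy.get("version")):
            findings.append(f"21(2)({m}): policy lacks approval or version")
        review = entry.get("review") or {}       # shelfware policy = finding
        cadence, last = review.get("cadence"), review.get("last_reviewed")
        if cadence not in MAX_REVIEW_AGE_DAYS or last is None:
            findings.append(f"21(2)({m}): review cadence undefined")
        elif (today - last).days > MAX_REVIEW_AGE_DAYS[cadence]:
            findings.append(f"21(2)({m}): review overdue")
    return findings

def sample_entry(owner="Head of Engineering", last=date(2026, 1, 15), record=("TICKET-1",)):
    """Constructed sample folder; every value is a placeholder."""
    return {"policy": {"approved_by": "Agency Director", "version": "1.2"},
            "owner": owner, "record": list(record),
            "review": {"cadence": "annual", "last_reviewed": last}}

# Constructed sample binder: seven clean folders plus three planted findings.
SAMPLE_BINDER = {m: sample_entry() for m in MEASURES}
SAMPLE_BINDER["d"] = sample_entry(owner="the team")        # no named owner
SAMPLE_BINDER["h"] = sample_entry(last=date(2024, 12, 1))  # review overdue
SAMPLE_BINDER["j"] = sample_entry(record=())               # no evidence record

if __name__ == "__main__":
    for finding in check_binder(SAMPLE_BINDER, AUDIT_DATE):
        print(finding)
```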
Reporting deadlines from Article 23
Annex II is the steady-state list. When an incident actually happens, Article 23 applies:
- 24 hours from awareness: early warning to the CSIRT or competent authority.
- 72 hours from awareness: incident notification with initial assessment and indicators of compromise.
- 1 month from awareness: final report including root cause and applied remediation.
- Intermediate report on request from the regulator at any time.
The detailed playbook for those first 24 hours lives in the companion article on WordPress incident response under NIS2.
Penalty caps and management responsibility
Article 34 sets the upper caps national transpositions must respect:
- Essential entities: at least 10 million EUR or 2% of total worldwide annual turnover, whichever is higher.
- Important entities: at least 7 million EUR or 1.4% of total worldwide annual turnover, whichever is higher.
Article 20(1) puts the responsibility on management bodies, including the obligation to oversee implementation. Article 20(2) requires management to follow training. National transpositions can add personal liability sanctions for the named officer responsible.
What this means for the agency
A WordPress agency that wants to keep regulated clients in 2026 needs to ship two artefacts on every engagement:
- A self-attestation against Article 21(2)(d) supply chain clauses, listing the security measures the agency itself implements.
- A reference document the client can paste into its own Article 21 binder, showing how the WordPress engagement maps to each of the ten measures.
I bundle both into a “supplier security pack” and send it inside the proposal. It removes the procurement-team round-trip and signals that the engagement understands the regulated context. Pricing for compliance-engineering engagements is individual; the scope of the binder dictates the hours, not a list price.
