A roadmap for implementing NIS2 and DORA on a WordPress site in 2026, with references to the official texts of the directives and regulations.

NIS2 and DORA on WordPress: what a site must meet in 2026

Last verified: May 1, 2026
NIS2 is a wide-scope directive transposed into national law. DORA is a narrow-scope regulation applied directly. They overlap on financial entities that are also classified essential under NIS2.

  • NIS2 (Directive 2022/2555): 18 sectors, essential and important entities; national transposition deadline 2024-10-17; incident timeline 24h / 72h / 30d.
  • DORA (Regulation 2022/2554): financial sector plus critical ICT third-party providers; direct application from 2025-01-17; TLPT every 3 years for selected entities.

In 2026, two EU acts define what is required on the cybersecurity side of a WordPress site running regulated activity in the Union: the NIS2 Directive (2022/2555) and the DORA Regulation (2022/2554). They are not interchangeable. NIS2 is a directive with broad sectoral scope, transposed into national law. DORA is a sectoral regulation (finance) that applies directly. Both apply to WordPress if and only if the entity operating the site is within scope.

This article connects to the headless WordPress services pillar where the technical layer is described, and to the pillar on WCAG, BFSG and EAA, because accessibility and cybersecurity compliance increasingly land in the same procurement query.

#TL;DR

  • NIS2 transposition deadline: 2024-10-17. DORA applies from 2025-01-17.
  • NIS2: 18 sectors, split into essential and important entities.
  • DORA: financial sector plus critical ICT providers.
  • Requirements: documented risk management, incident reporting (24/72/30), audits.
  • WordPress itself is not in scope; the entity operating the site is, if it is regulated.

#Three things to know up front

First, NIS2 and DORA apply to the entity, not the technology. WordPress is not “compliant” or “non-compliant” as a CMS. What is compliant or not is the entity that operates the site. If a hospital, bank, cloud provider or e-commerce operator above the threshold is in scope, then its WordPress site enters the scope as part of that entity’s infrastructure.

Second, national transposition of NIS2 is delayed in many member states. The 2024-10-17 deadline passed, but several countries were still at various stages of the legislative process after that date. Transposition status varies across member states; check the relevant national legal database before the final audit. For Poland, the draft amendment to the national cybersecurity act is publicly available and its current status should be verified in ISAP before any final audit. The status as of 2026-04 requires a separate legal review; this article does not replace legal advice.

Third, DORA applies directly. The regulation does not require transposition. If a financial entity or a critical ICT provider runs a WordPress site, the DORA obligations apply from 2025-01-17 regardless of any national legislative status.

#NIS2: scope of entities

The NIS2 Directive lists 18 sectors. The most common cases in which WordPress falls within scope:

Essential entities:

  • Energy (electricity, gas, oil, heating, hydrogen).
  • Transport (air, rail, water, road).
  • Banking.
  • Financial market infrastructures.
  • Health (hospitals, reference laboratories, pharmaceutical manufacturers, medical devices).
  • Drinking water and waste water.
  • Digital infrastructure (DNS providers, domain registries, cloud computing providers, data centre service providers, content delivery networks, trust service providers, providers of public electronic communications networks).
  • ICT service management (B2B).
  • Public administration (conditions defined in art. 2).
  • Space.

Important entities:

  • Postal and courier services.
  • Waste management.
  • Manufacture, processing and distribution of chemicals.
  • Manufacture, processing and distribution of food.
  • Manufacturing in: medical, computer and electronic, machinery, automotive sectors.
  • Digital service providers (online marketplaces, search engines, social platforms).
  • Research organisations.

Baseline threshold: medium-sized enterprise (50+ employees or annual turnover or balance sheet above 10 million EUR). Microenterprises and small enterprises are usually out of scope, with exceptions (for example trust service providers, TLD registries, certain DNS providers).

An essential entity has stricter obligations. An important entity has the same technical requirements but with less intensive supervision.

#DORA: scope of entities

DORA applies to around 20 types of financial entity:

  • Credit institutions.
  • Payment institutions.
  • Electronic money institutions.
  • Investment firms.
  • Crypto-asset service providers.
  • Central securities depositories.
  • Central counterparties.
  • Trading venues (exchanges).
  • Trade repositories.
  • Insurance and reinsurance undertakings.
  • Insurance and reinsurance intermediaries.
  • Institutions for occupational retirement provision.
  • Credit rating agencies.
  • Auditors examining financial statements of entities covered by DORA.
  • Administrators of critical benchmarks.
  • Investment funds (UCITS, AIFM).
  • Crowdfunding service providers.
  • Securitisation repositories.

Plus Critical ICT Third-Party Providers (CTPPs) designated at EU level by the European Supervisory Authorities. This is the mechanism through which DORA pulls business partners into its scope without their registering as financial entities themselves.

A WordPress site run by a bank, an insurer or an investment fund enters DORA scope as part of the entity’s ICT systems.

#What concretely needs to be done: the common core

NIS2 and DORA share a convergent core of technical and organisational requirements. Implementation on WordPress:

Cyber risk management. Documented risk register, procedure for risk assessment and acceptance, security policies approved by the board. These are documents, not just server configuration.

Access control and authentication. Multi-factor authentication (MFA) required for WordPress administrators. Strong passwords required. Session expiry required. All administrator accounts must be named, not shared.

Incident management. Procedure for detection, classification and reporting of incidents. A significant incident under NIS2 is one with a significant impact on service provision. Reporting to CSIRT or the competent authority within 24 hours of detection (early warning), 72 hours with an initial assessment, one month with a final report.
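The 24-hour / 72-hour / one-month sequence above, as an added worked example (not code from the original article): a small Python helper that turns a detection timestamp into the three reporting deadlines and grades a set of submission times against them, so the outcome can be filed with the incident record. The final-report stage is modelled as 30 days, following the page's own "24h / 72h / 30d" shorthand; that choice and the sample timestamps are assumptions.

```python
from datetime import datetime, timedelta, timezone

# NIS2 significant-incident reporting stages as stated in the article:
# 24 h early warning, 72 h initial assessment, one month final report.
# The one-month stage is modelled as 30 days here, following the page's
# "24h / 72h / 30d" summary card; that is an assumption, so check the
# exact month rule in the applicable national transposition.
STAGES = {
    "early_warning": timedelta(hours=24),
    "initial_assessment": timedelta(hours=72),
    "final_report": timedelta(days=30),
}

def incident_deadlines(detected_at: datetime) -> dict:
    """Absolute deadline per stage. The clock starts at detection, not at
    the moment the investigation or the board meeting starts."""
    if detected_at.tzinfo is None:
        raise ValueError("detected_at must be timezone-aware")
    return {stage: detected_at + delta for stage, delta in STAGES.items()}

def evaluate_reports(detected_at: datetime, submitted: dict) -> dict:
    """Grade submission times (stage -> datetime or None) against the
    deadlines: "on_time", "late" or "missing". A submission exactly at the
    deadline counts as on time. The result is audit evidence for the record."""
    status = {}
    for stage, deadline in incident_deadlines(detected_at).items():
        sent = submitted.get(stage)
        if sent is None:
            status[stage] = "missing"
        elif sent <= deadline:
            status[stage] = "on_time"
        else:
            status[stage] = "late"
    return status

# Constructed example: compromised administrator account detected at night.
DETECTED = datetime(2026, 3, 2, 22, 15, tzinfo=timezone.utc)
SAMPLE_SUBMISSIONS = {
    "early_warning": DETECTED + timedelta(hours=20),       # inside 24 h
    "initial_assessment": DETECTED + timedelta(hours=80),  # 8 h past 72 h
    "final_report": None,                                  # not yet filed
}

if __name__ == "__main__":
    for stage, deadline in incident_deadlines(DETECTED).items():
        print(f"{stage:<20} due {deadline.isoformat()}")
    print(evaluate_reports(DETECTED, SAMPLE_SUBMISSIONS))
```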

Supply chain security. Every WordPress plugin, the hosting provider, the CDN, the transactional email provider, the SMS provider and any AI provider is a link in the chain. You need a register of them, risk assessments and contractual clauses.

Business continuity and disaster recovery. Backup, continuity plan, disaster recovery, tested regularly, not only performed.

Personnel training. Required at board level and across the wider organisation. An “internal presentation” is not enough; a documented training plan is needed.

Security of development and maintenance processes. Policies covering software development, testing and vulnerability management. WordPress core is updated; plugins must be too, with a process of testing on staging before production.

Cryptography. A cryptography policy, including TLS, encryption of data at rest, digital signatures. WordPress does not encrypt the database by default; the solution is encryption at the file system or database level.

#DORA-specific: ICT third-party management

DORA has a section in chapter V dedicated to ICT third-party management. It requires:

  • A register of all contracts with ICT providers.
  • Classification of contracts (critical, non-critical).
  • Mandatory contractual clauses in agreements with providers of critical functions.
  • An exit procedure with a migration plan.
  • Threat-led penetration tests (TLPT) at least once every 3 years for selected entities.

For a WordPress operator this means that the hosting provider and critical plugins (security plugin, backup plugin, payment gateway plugin) enter the ICT register.
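As an added example for the supply-chain register described in the common core and the DORA ICT register above (not the article's or any project's code): a Python script that builds register rows from the standard WordPress plugin file header plus the hosting provider, and applies the page's critical-function rule (security, backup, payment gateway). The plugin files, product names and hosting provider are constructed for the demo.

```python
import re

# Critical functions named in the article: security, backup and
# payment-gateway plugins. Hosting is always listed as critical.
CRITICAL_KEYWORDS = ("security", "backup", "payment")
HEADER_FIELDS = ("Plugin Name", "Version", "Author")

def parse_plugin_header(source: str) -> dict:
    """Read register fields from the WordPress plugin header ("Key: Value"
    lines inside the first /** ... */ comment block of the main file)."""
    header = {}
    block = re.search(r"/\*\*(.*?)\*/", source, re.S)
    if not block:
        return header
    for line in block.group(1).splitlines():
        line = line.strip(" *\t")
        for field in HEADER_FIELDS:
            if line.startswith(field + ":"):
                header[field] = line[len(field) + 1:].strip()
    return header

def classify(function_name: str) -> str:
    """Contract classification for the register: critical or non-critical."""
    name = function_name.lower()
    hit = any(keyword in name for keyword in CRITICAL_KEYWORDS)
    return "critical" if hit else "non-critical"

def build_register(plugin_sources: dict, hosting_provider: str) -> list:
    """One row per ICT provider: hosting first, then every installed plugin.
    A plugin without an Author header is flagged so the contract gets chased."""
    rows = [{"provider": hosting_provider, "function": "hosting",
             "version": None, "classification": "critical"}]
    for path, source in plugin_sources.items():
        header = parse_plugin_header(source)
        name = header.get("Plugin Name", path)
        rows.append({"provider": header.get("Author", "UNKNOWN - verify contract"),
                     "function": name, "version": header.get("Version"),
                     "classification": classify(name)})
    return rows

# Constructed sample plugin files (fictional products, demo input only).
SAMPLE_PLUGINS = {
    "acme-firewall/acme-firewall.php": "<?php\n/**\n * Plugin Name: Acme Security Firewall\n * Version: 3.1.0\n * Author: Acme Labs\n */",
    "vault-backup/vault-backup.php": "<?php\n/**\n * Plugin Name: Vault Backup\n * Version: 2.0.4\n * Author: Vault Software\n */",
    "nice-gallery/nice-gallery.php": "<?php\n/**\n * Plugin Name: Nice Gallery\n * Version: 1.2\n */",
}

if __name__ == "__main__":
    for row in build_register(SAMPLE_PLUGINS, "Example Hosting GmbH"):
        print(row)
```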

#NIS2-specific: penalties and supervision

The NIS2 Directive sets out administrative penalties that national transpositions translate into specific amounts. The upper caps in the directive itself:

  • Essential entity: up to 10 million EUR or 2 percent of annual worldwide turnover, whichever is higher.
  • Important entity: up to 7 million EUR or 1.4 percent of annual worldwide turnover, whichever is higher.

National transpositions may introduce their own caps; verify in the current version of the law for the relevant jurisdiction.

Supplementary sanctions: temporary suspension of certification, temporary bans on holding management functions for the responsible person. The latter is the most prominent change in NIS2: management has personal responsibility for cyber risk management.

#A practical implementation map for WordPress

Four categories of work, one audit:

Layer 1, infrastructure. Compliant hosting. Off-site backup. TLS 1.3. WAF. 24/7 monitoring or SOC contract. Update policy for core, themes, plugins.

Layer 2, application. MFA for administrators. Strong passwords. Logging of all administrative actions to a separate stream. Anti-CSRF. Anti-XSS at template level. Input validation. Login attempt limits.

Layer 3, organisation. Security policies. Risk register. IR plan. BCDR plan. ICT provider register. Procedure for reporting incidents to the CSIRT/regulator. Training.

Layer 4, documentation and audit. Process documentation. Audit logs. Periodic external or internal audit. Retention compliant with GDPR.

WordPress as a CMS covers about 30 percent of technical requirements out of the box, after hardening and plugins about 60 percent. The remaining 40 percent is organisation, documentation and procedures.

#What next

Practical consequences for the choice of the team running WordPress: an agency that runs the site for an entity covered by NIS2 or DORA itself enters the supply chain. Our careers page mentions EU jurisdiction and compliance as standard, because this is a procurement filter in 2026.

#Supporting articles in this cluster

Five practitioner deep-dives sit beneath this pillar, each addressing one operational delta a regulated WordPress engagement actually has to ship:

#Where this article fits

This article connects to the headless WordPress services pillar (technical layer), the pillar on WCAG/BFSG/EAA (accessibility compliance on the same procurement scoreboard), the WPPoland careers page (EU jurisdiction signal), and the article on nearshore Poland (EU jurisdiction as value for the western buyer).

#Frequently Asked Questions

When does NIS2 start to apply?
The deadline for transposing the NIS2 Directive into national law was 2024-10-17. By that date, member states were required to enact national laws implementing the directive. In practice, several countries delayed transposition. National transposition status varies across member states; check the relevant national legal database before a final audit. For Poland, consult ISAP at https://isap.sejm.gov.pl/.

How does DORA differ from NIS2?
DORA is a regulation (Regulation 2022/2554); it applies directly in all member states from 2025-01-17 without transposition. It targets a narrow sector: financial institutions and their critical ICT providers. NIS2 is a directive with a broad scope of essential and important entities, transposed into national law.

Is the WordPress site of a hotel or shop covered by NIS2?
It depends on the entity. NIS2 covers 18 sectors, divided into essential and important. Hotels and retail shops are not listed as regulated sectors directly. However, if WordPress is used by a regulated entity (for example a hospital, a digital service provider above the headcount threshold, a cloud provider), then the security obligations transfer to it.

Is installing a security plugin enough?
No. NIS2 and DORA require a documented cyber risk management system, incident reporting to CSIRT/CERT or the financial regulator, and audits. A plugin is one element. Server configuration, password policies, multi-factor authentication, logging and IR procedures are required at the organisational level, not only the technical one.

What about incident reporting?
NIS2 requires reporting a significant incident to the CSIRT or competent authority within 24 hours (early warning), 72 hours (detailed notification), and one month (final report). DORA has its own time thresholds for financial entities. A WordPress operator must have a procedure for detection and reporting, not only for response.

#Related Articles

  • Cyber Resilience Act + NIS2 + DORA: the 2026 compliance stack for headless WordPress. CRA covers products with digital elements. NIS2 covers entities. DORA covers financial entities. When all three apply at once, headless WordPress sits at the intersection. I sketch what the joint evidence package looks like in 2026.
  • DORA Article 28 ICT third-party risk: WordPress hosting and WAF supplier audit. Article 28 of Regulation 2022/2554 makes financial entities responsible for the ICT risk of every third-party they touch. I walk through the supplier due-diligence checklist I ship with WordPress engagements for banks and insurers in 2026.
  • NIS2 Annex II for WordPress agencies: scope, deadlines, evidence trail. Article 21 of Directive 2022/2555 lists ten risk-management measures every in-scope entity must implement. I map each one to a WordPress agency control, with the evidence file each one requires for audit.