04/24/2025

eCommerce Meets NIS2 – New Obligations Starting Mid-2025


Although until now cybersecurity regulations have primarily focused on critical infrastructure sectors, the new NIS2 Directive extends this scope to also include companies within the digital economy – including eCommerce.

This means that a range of new procedures and protective mechanisms must be implemented. Importantly, the implementation deadline is approaching – in Poland, the directive will take effect in the second quarter of 2025.

Key Provisions of the NIS2 Directive

The NIS2 Directive (Network and Information Security Directive 2), along with the amendment to the Act on the National Cybersecurity System (KSC), introduces stricter and more comprehensive requirements in the area of protection against cyber threats. The main goal of the new regulations is to strengthen the security of key services and infrastructure across the European Union.

The directive provides for a significant expansion of the list of companies subject to obligations. Moreover, it clearly defines requirements related to risk management, securing IT systems, and monitoring potential threats.

For the eCommerce sector, this means that internal procedures and potential security gaps need to be analyzed.

The scope of the directive includes, among other things, the following obligations:

  • risk management and reporting of security incidents,
  • security control of suppliers, such as software providers or online payment systems,
  • conducting regular security audits and related employee training.

Implementing these requirements will involve conducting a comprehensive security gap analysis and investing in data protection systems, which presents a significant organizational and financial challenge.

Who Is Covered by the NIS2 Directive and to What Extent

Sales platforms, hosting service providers, online payment processors, and cloud operators – all of these entities have been included in the new regulatory framework.

This means that even medium-sized companies that were not previously required to meet security standards will now have to comply with European regulations. So how does the EU directive classify companies?

Company classification under NIS2:

  • Essential Entities – including organizations operating in the most critical sectors of the economy, such as energy, public health, or financial infrastructure.
  • Important Entities – including, among others, digital businesses, online service providers, e-commerce platforms, and hosting companies.

The smallest businesses – those employing fewer than 50 people and generating less than 10 million euros in annual revenue – have been partially excluded from the NIS2 regulations. On the other hand, medium-sized companies (employing between 50 and 250 people, with revenues up to 50 million euros) and small businesses operating in sectors critical to cybersecurity must meet the new requirements.

In practice, this means that eCommerce businesses that meet these criteria are required to implement appropriate protection measures and comply with the directive’s provisions.

Technical and Organizational Obligations

The introduction of the NIS2 Directive involves a range of obligations, which, especially for smaller companies, may represent a significant organizational and financial burden. These obligations include, among others:

  • Incident reporting – companies must report cybersecurity breaches within 24–72 hours. In practice, this means ensuring continuous monitoring, often carried out by dedicated teams or external service providers.
  • Audits and certification – conducting regular security reviews may require the involvement of specialized external firms.
  • Infrastructure investment – the need to implement modern monitoring tools, firewalls, and systems for detecting and responding to incidents.
  • Employee training – companies are required to systematically improve employees' competencies in cybersecurity.

It is easy to see that the new requirements force companies not only to reorganize existing processes but also to develop and implement entirely new operational procedures.

Penalties for Non-Compliance

The NIS2 Directive provides for financial penalties for entities that fail to meet the required standards. For essential entities, the maximum fine can reach 10 million euros or 2% of total annual turnover – whichever is higher.

Important entities, including many companies in the e-commerce sector, can be fined up to 7 million euros or 1.4% of annual turnover. This shows how seriously EU institutions treat digital security and how important it is to quickly adapt to the new reality.

Time to Implement – It’s Worth Acting Now

According to the schedule, Member States have until October 2024 to implement the NIS2 provisions. In Poland, the enactment of relevant regulations is planned for the second quarter of 2025.

Although there is still some time left formally, it is worth using it for comprehensive preparation – from system audits and risk analysis to the implementation of specific technological solutions and procedures.

Companies that approach the upcoming changes strategically will not only avoid sanctions but also increase their resilience to cyberattacks.

How to Implement NIS2 Requirements on Time and Stress-Free?

NIS2 requirements apply to an increasing number of online stores – if yours is one of them, it’s worth taking action.

At Advox, we support eCommerce businesses in carrying out the technical implementations necessary to meet the new obligations. We offer support in a 24/7 SLA model, ensuring your e-store is constantly monitored. Let’s talk about how best to prepare your store for the NIS2 requirements – leave your contact and we’ll get in touch with you.
