{"id":28459,"date":"2025-10-27T10:00:00","date_gmt":"2025-10-27T10:00:00","guid":{"rendered":"https:\/\/spreecommerce.org\/nis2-ecommerce-compliance-2\/"},"modified":"2026-03-27T17:36:24","modified_gmt":"2026-03-27T17:36:24","slug":"nis2-ecommerce-compliance","status":"publish","type":"post","link":"https:\/\/spreecommerce.org\/nis2-ecommerce-compliance\/","title":{"rendered":"NIS2 and eCommerce: What Essential Entities Must Do Now"},"content":{"rendered":"\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\r\n  <section  class=\"highlight-box-wrap alignstandard text-align-left\" style=\" \">\r\n    <div class=\"highlight-box highlight-box-green\">\r\n      <div class=\"icon\">\r\n                  <img decoding=\"async\" loading=\"lazy\" width=\"24\" height=\"24\" src=\"https:\/\/spreecommerce.org\/wp-content\/themes\/spree\/images\/bulb.svg\" alt=\"\">\r\n              <\/div><!-- \/.icon -->\r\n      <div class=\"desc\">\r\n        <h3>Key Takeaways<\/h3>\n<p><strong>Last verified:<\/strong> March 2026<\/p>\n<p><strong>Regulation:<\/strong> NIS2 imposes 24-hour incident reporting, supply chain security controls, and board-level accountability on EU essential and important entities including energy, healthcare, government, and digital services.<\/p>\n<p><strong>The SaaS problem:<\/strong> SaaS platforms don&#8217;t offer self-hosted deployment, penetration testing rights, or encryption key ownership. 
NIS2 requires all three.<\/p>\n<p><strong>The solution:<\/strong> Self-hosted open source commerce delivers full audit trails, infrastructure control, and supply chain transparency.<\/p>\n<p><strong>Penalties:<\/strong> Up to \u20ac10M or 2% of global revenue for essential entities, with personal liability for management.<\/p>\n      <\/div><!-- \/.desc -->\r\n    <\/div>\r\n  <\/section>\r\n\r\n\n\n\n\n\n<h2 class=\"wp-block-heading\">What Does NIS2 Mean for eCommerce in 2026?<\/h2>\n\n\n\n<p>NIS2 expands mandatory cybersecurity obligations from roughly 10,000 operators under NIS1 to approximately 160,000 essential and important entities across the EU (European Commission, NIS2 Impact Assessment, 2022). Every eCommerce platform serving those organizations inherits the same security burden.<\/p>\n\n\n\n<p>The <a href=\"https:\/\/digital-strategy.ec.europa.eu\/en\/policies\/nis2-directive\">NIS2 Directive<\/a> entered into force on November 12, 2022 and became enforceable across all EU member states on January 1, 2026. Enforcement is already underway. 
Member states began listing essential and important entities by April 17, 2025, and organizations must now notify their national CSIRT within 24 hours of discovering a cybersecurity incident.<\/p>\n\n\n\n<p><strong>What changed from NIS1 to NIS2?<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-table\" style=\"margin:24px auto 0; overflow-x:auto\"><table style=\"border-collapse:collapse; width:100%; table-layout:fixed\"><thead><tr><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; vertical-align:top; word-wrap:break-word\">Change<\/th><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; vertical-align:top; word-wrap:break-word\">NIS1 (2016)<\/th><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; vertical-align:top; word-wrap:break-word\">NIS2 (2026)<\/th><\/tr><\/thead><tbody><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><strong>Entity coverage<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">~10,000 operators of essential services<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">~160,000 essential + important entities<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><strong>Incident reporting<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">72 hours<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">24 hours (essential), 72 hours (important)<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; 
text-align:left; vertical-align:top; word-wrap:break-word\"><strong>Supply chain<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Optional assessment<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Mandatory risk management (Article 21)<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><strong>Board accountability<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Not required<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Board-level cybersecurity governance<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><strong>Penalties<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Member state discretion<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u20ac10M \/ 2% of global revenue (essential)<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><strong>Penetration testing<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Recommended<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Mandatory advanced security assessment<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>For eCommerce companies, the scope expansion means this: if you operate an online marketplace, provide digital infrastructure to EU essential entities 
(energy, healthcare, government procurement), or are yourself classified as an essential or important entity by a member state, NIS2 applies to you now.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">What Does NIS2 Require from Your eCommerce Platform?<\/h2>\n\n\n\n<p>Your platform must support 10 specific capabilities covering incident response, supply chain management, and resilience testing. NIS2 Article 21(1) states that entities must &#8220;take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services.&#8221; In practice, that translates to concrete platform requirements:<\/p>\n\n\n\n<figure class=\"wp-block-table\" style=\"margin:24px auto 0; overflow-x:auto\"><table style=\"border-collapse:collapse; width:100%; table-layout:fixed\"><thead><tr><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; vertical-align:top; word-wrap:break-word\">Requirement<\/th><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; vertical-align:top; word-wrap:break-word\">Source<\/th><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; vertical-align:top; word-wrap:break-word\">eCommerce Implication<\/th><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; vertical-align:top; word-wrap:break-word\">Self-Hosted Capability<\/th><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; vertical-align:top; word-wrap:break-word\">SaaS Limitation<\/th><\/tr><\/thead><tbody><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; 
text-align:left; vertical-align:top; word-wrap:break-word\"><strong>24h incident notification<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Article 23<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Automate CSIRT reporting with logs, timeline, scope<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Full audit trail enables forensic reconstruction<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Vendor lock-in blocks direct CSIRT communication<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><strong>Supply chain risk assessment<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Article 21(2)(d)<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Map and audit sub-processors: payment, hosting, CDN<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Provider-agnostic infrastructure; vet every vendor<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">You inherit the vendor&#8217;s supply chain blind<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><strong>Access control &#038; MFA<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Annex I<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; 
word-wrap:break-word\">Role-based access, privileged access management<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Native roles, API tokens, enterprise SSO integration<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Limited visibility into platform internals<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><strong>Encryption (transit + rest)<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Annex I<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">TLS 1.2+, at-rest encryption with key ownership<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">You manage encryption keys yourself<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Vendor holds your encryption keys<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><strong>Audit trail<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Annex I<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Log all admin actions with timestamps and user attribution<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Every change logged and exportable to SIEM<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Logs may be vendor-filtered or 
delayed<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><strong>Business continuity<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Article 21(2)(c)<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Backup frequency, RTO\/RPO targets, DR drills<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Design your own SLA and test recovery<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Vendor SLA may not match your NIS2 obligations<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><strong>Resilience testing<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Article 21(2)(f)<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Penetration testing, red team exercises<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Full access to test your own infrastructure<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Vendor forbids testing shared infrastructure<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><strong>Vulnerability management<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Annex I<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; 
text-align:left; vertical-align:top; word-wrap:break-word\">Patch management SLA, vulnerability scanning<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Apply patches on your schedule; LTS support<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Vendor patches on their schedule, not yours<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><strong>Threat detection<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Annex I<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Real-time monitoring, anomaly detection<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Deploy any monitoring tools you choose<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Vendor provides standard protection only<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><strong>Governance &#038; documentation<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Article 21(1)<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Security policies, incident response plans, board reporting<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Customizable for your risk profile<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; 
word-wrap:break-word\">Vendor template may not fit your role<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Industries Affected by NIS2<\/h2>\n\n\n\n<p>Not every eCommerce business falls under NIS2. But if you operate in or sell to these sectors, compliance is mandatory.<\/p>\n\n\n\n<p><strong>Essential entities (strictest requirements, highest penalties):<\/strong> energy, healthcare, transport, water, banking and finance, digital infrastructure (DNS, CDN, cloud, data centers), and public administration. Penalties reach \u20ac10M or 2% of global turnover.<\/p>\n\n\n\n<p><strong>Important entities (evolving requirements):<\/strong> postal services, waste management, chemical production, food supply, designated manufacturers, and digital services including online marketplaces. Penalties reach \u20ac7M or 1.4% of global turnover.<\/p>\n\n\n\n<p>For eCommerce specifically: if your platform serves an essential entity, you inherit that entity&#8217;s security burden. Running a commerce platform for an energy utility&#8217;s procurement marketplace, a government buying portal, or an automotive manufacturing parts exchange means NIS2 applies to your infrastructure.<\/p>\n\n\n\n<p>ENISA&#8217;s 2024 annual threat report ranked supply chain attacks among the most frequent attack vectors targeting critical infrastructure operators in the EU. Your commerce platform is part of that supply chain. When a hospital procurement system or energy parts marketplace runs on your infrastructure, your security posture becomes their compliance risk.<\/p>\n\n\n\n<p><a href=\"\/dora-ecommerce-compliance\/\">DORA compliance requirements<\/a> in financial services align closely with NIS2&#8217;s incident reporting and resilience testing mandates. 
If your platform serves both finance and digital services, expect overlapping audits.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Why Do SaaS Platforms Fail NIS2 Compliance?<\/h2>\n\n\n\n<p>SaaS commerce platforms were built for convenience and shared infrastructure, which is exactly what NIS2 prohibits for regulated entities. The directive requires organizations to own their security posture, verify their supply chains, and demonstrate resilience through independent testing. SaaS vendors, by architecture, block all three.<\/p>\n\n\n\n<figure class=\"wp-block-table\" style=\"margin:24px auto 0; overflow-x:auto\"><table style=\"border-collapse:collapse; width:100%; table-layout:fixed\"><thead><tr><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; vertical-align:top; word-wrap:break-word\">NIS2 Capability<\/th><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; vertical-align:top; word-wrap:break-word\">Shopify Plus<\/th><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; vertical-align:top; word-wrap:break-word\">BigCommerce<\/th><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; vertical-align:top; word-wrap:break-word\">Salesforce Commerce Cloud<\/th><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; vertical-align:top; word-wrap:break-word\">commercetools<\/th><\/tr><\/thead><tbody><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><strong>Self-hosted deployment<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u274c SaaS 
only<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u274c SaaS only<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u274c SaaS only<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u274c SaaS only<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><strong>Penetration testing rights<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u274c Forbidden<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u274c Forbidden<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u26a0\ufe0f Limited approval<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u274c Forbidden<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><strong>Encryption key ownership<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u274c Vendor holds<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u274c Vendor holds<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u26a0\ufe0f Shared management<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u274c Vendor holds<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; 
text-align:left; vertical-align:top; word-wrap:break-word\"><strong>24h incident response autonomy<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u26a0\ufe0f Vendor SLA<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u26a0\ufe0f Vendor SLA<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u26a0\ufe0f Vendor SLA<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u26a0\ufe0f Vendor SLA<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><strong>Supply chain transparency<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u274c Opaque<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u274c Opaque<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u26a0\ufe0f SOC 2 reports<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u274c Opaque<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><strong>Data residency control<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u274c Multi-region<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u274c Multi-region<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; 
word-wrap:break-word\">\u26a0\ufe0f Regional options<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u26a0\ufe0f EU hosting option<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><strong>Board governance support<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u274c No templates<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u274c No templates<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u26a0\ufe0f Basic audit trail<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u274c No templates<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>The fundamental gap: when an incident occurs on a SaaS platform, you must wait for the vendor&#8217;s response team to analyze, contain, and report. NIS2 Article 23 holds <em>you<\/em> responsible for the 24-hour notification, but you don&#8217;t control the infrastructure where the incident happened. You&#8217;re legally accountable for a system you&#8217;re not allowed to inspect.<\/p>\n\n\n\n<p>This isn&#8217;t a theoretical risk. Germany&#8217;s BSI (Federal Office for Information Security), which oversees NIS2 implementation for Europe&#8217;s largest economy, has explicitly stated that organizations &#8220;remain fully responsible for the security of their operations regardless of outsourcing arrangements&#8221; (BSI, NIS2 Implementation Guidance, 2024). 
No vendor SLA changes that legal reality.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">How Self-Hosted Open Source Commerce Meets NIS2<\/h2>\n\n\n\n<p>Self-hosted open source commerce flips the compliance model: instead of hoping your vendor meets requirements, you verify it yourself. You own the infrastructure, the code, and every security decision.<\/p>\n\n\n\n<p>For eCommerce platforms that must meet NIS2&#8217;s supply chain, incident response, and resilience testing mandates, a self-hosted open source platform with full audit trails, provider-agnostic infrastructure, and penetration testing rights provides the strongest architectural fit.<\/p>\n\n\n\n<figure class=\"wp-block-table\" style=\"margin:24px auto 0; overflow-x:auto\"><table style=\"border-collapse:collapse; width:100%; table-layout:fixed\"><thead><tr><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; vertical-align:top; word-wrap:break-word\">NIS2 Requirement<\/th><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; vertical-align:top; word-wrap:break-word\">Self-Hosted Open Source Approach<\/th><\/tr><\/thead><tbody><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><strong>24h incident response<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Full audit trail with user, timestamp, action, IP. Export to SIEM in real-time. 
Reconstruct any incident timeline in minutes, not days.<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><strong>Supply chain control<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Choose your payment processor, CDN, hosting, and monitoring independently. Audit each vendor&#8217;s security posture on your terms.<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><strong>Penetration testing<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Test against your own infrastructure whenever needed. No vendor approval required. Deploy to staging and run red team exercises.<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><strong>Encryption key ownership<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Self-managed TLS certificates. Database-level at-rest encryption. Keys never leave your control.<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><strong>Data residency<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Deploy to any EU data center (Germany, France, Netherlands, Ireland). 
Data stays in your chosen region.<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><strong>Board governance<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Design your own security policies, risk register, and board reporting cadence. No vendor template constraints.<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><strong>Vulnerability management<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">LTS releases with security patches for 3+ years. Apply patches on your schedule. Fork and patch if needed.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Spree Commerce, licensed under BSD 3-Clause, gives you full source code access to audit every line against NIS2 requirements. Deploy to AWS, Azure, Google Cloud, OVH, or your own data center. 
Integrate Stripe, Adyen, Mollie, or any payment processor, then document each one in your supply chain risk register exactly as NIS2 Article 21 requires.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Architecture for NIS2-Compliant Commerce<\/h2>\n\n\n\n<p>A NIS2-compliant commerce architecture separates concerns: the commerce platform, hosting infrastructure, payment processing, and monitoring systems are independently chosen and audited.<\/p>\n\n\n\n<figure class=\"wp-block-table\" style=\"margin:24px auto 0; overflow-x:auto\"><table style=\"border-collapse:collapse; width:100%; table-layout:fixed\"><thead><tr><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; vertical-align:top; word-wrap:break-word\">Layer<\/th><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; vertical-align:top; word-wrap:break-word\">Component<\/th><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; vertical-align:top; word-wrap:break-word\">Location<\/th><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; vertical-align:top; word-wrap:break-word\">Your Control<\/th><\/tr><\/thead><tbody><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><strong>Commerce Platform<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">API Gateway, Admin, Checkout, Orders, Audit Logging<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Your EU Data Center<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; 
word-wrap:break-word\">Full source code access, non-repudiable audit trail<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><strong>Data<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Primary Database<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">EU-hosted (your cloud or on-prem)<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Encryption keys held by your team<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><strong>Security<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">WAF, DDoS Protection<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Your EU Data Center<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Rules and thresholds you define<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><strong>Performance<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Rate Limiting, Cache<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Your EU Data Center<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Configuration under your control<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; 
<strong>Payments">
word-wrap:break-word\"><strong>Payments<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Payment Provider (Stripe, Adyen, Mollie)<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Assessed third party<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Documented in your NIS2 risk register<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><strong>Monitoring<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">SIEM, Logging, Alerting<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Audited third party<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Real-time log export to your incident response team, in a form the national CSIRT can consume<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><strong>Backup<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Disaster Recovery<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Audited third party (EU region)<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">RTO\/RPO targets you define and test<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><strong>Data residency:<\/strong> Commerce platform and primary database in an EU region. Backups replicated to a second EU region. 
No data crosses borders without explicit configuration.<\/p>\n\n\n\n<p><strong>Encryption:<\/strong> TLS 1.2 or later (prefer 1.3) for all traffic in transit. At-rest encryption for the database and its backups, with the keys held in a KMS or HSM that is separate from the data store and managed by your team, so a copied disk or database dump is useless without a key your team controls.<\/p>\n\n\n\n<p><strong>Access control:<\/strong> MFA for all admin users. Role-based access on a least-privilege basis: admin, merchant manager, customer support, finance, each limited to the actions its job needs. API token lifecycle management with automatic rotation, expiry, and session timeouts.<\/p>\n\n\n\n<p><strong>Audit logging:<\/strong> Every admin action, API call, and data change logged with user ID, timestamp (UTC), action, resource, result, IP address, and user agent. Logs shipped to the SIEM in real time. Retained for 3+ years in append-only storage, ideally hash-chained or signed so that a later edit or deletion of a record is detectable.<\/p>\n\n\n\n<p><strong>Incident response integration:<\/strong> Audit logs export in a structured form (for example JSON Lines with UTC timestamps) that your incident response team and the national CSIRT can consume. Your team replays events and reconstructs the timeline fast enough to send the 24-hour early warning, fills in the 72-hour incident notification with severity, impact, and indicators of compromise, and delivers the full forensic analysis with the final report due within one month (Article 23).<\/p>\n\n\n\n<p><strong>Payment processing isolation:<\/strong> Use a PCI DSS compliant payment processor (Stripe, Adyen, Mollie) with explicit audit rights written into the contract. Document the processor&#8217;s security controls and incident notification terms in your NIS2 risk register. 
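<\/p>\n<p>The audit logging and incident response requirements above are concrete enough to code. What follows is an added example in plain Ruby (Spree is a Rails application, but this is not Spree code and uses no Rails API): an append-only, hash-chained audit log carrying the field set listed above, a verifier that flags any edited or deleted record, and a timeline builder that turns an exported log into the facts an early warning and a 72-hour notification need. The in-memory store, the JSON Lines export, the field names, and the sample events are assumptions for illustration. The hash chain gives tamper evidence; non-repudiation in the strict sense additionally needs each entry signed with a key the application itself cannot use to rewrite history.<\/p>\n

```ruby
# Added example, not Spree code: a tamper-evident, append-only audit log plus
# the timeline reconstruction an incident responder needs for the NIS2
# Article 23 deadlines. Field set: user_id, ts (UTC), action, resource, result,
# ip, user_agent, as in the architecture section.
require "json"
require "digest"
require "time"

class AuditLog
  REQUIRED = %w[user_id action resource result ip user_agent].freeze
  GENESIS  = "0" * 64 # stands in for the "previous hash" of the first entry

  attr_reader :entries

  def initialize
    @entries = [] # assumption: in-memory; production appends to WORM storage
  end

  # Append one event. Each entry stores the SHA-256 of the previous entry, so
  # editing or deleting any earlier record breaks every later hash.
  def append(event, at: Time.now.utc)
    missing = REQUIRED - event.keys.map(&:to_s)
    raise ArgumentError, "missing audit fields: #{missing.join(', ')}" unless missing.empty?

    entry = event.transform_keys(&:to_s).merge(
      "seq"  => @entries.size,
      "ts"   => at.getutc.iso8601(3),
      "prev" => @entries.empty? ? GENESIS : @entries.last["hash"]
    )
    entry["hash"] = self.class.digest(entry)
    @entries << entry
    entry
  end

  # Canonical digest: keys sorted, the hash field itself excluded.
  def self.digest(entry)
    Digest::SHA256.hexdigest(JSON.generate(entry.reject { |k, _| k == "hash" }.sort.to_h))
  end

  # Re-walk the chain. Returns [true, nil], or [false, index] for the first
  # entry whose sequence number, back-link or digest no longer matches.
  def self.verify(entries)
    expected_prev = GENESIS
    entries.each_with_index do |e, i|
      ok = e["seq"] == i && e["prev"] == expected_prev && e["hash"] == digest(e)
      return [false, i] unless ok
      expected_prev = e["hash"]
    end
    [true, nil]
  end

  # JSON Lines export: one object per line, the form shipped to a SIEM or
  # attached to an incident report for the CSIRT.
  def to_jsonl
    @entries.map { |e| JSON.generate(e) }.join("\n")
  end

  def self.from_jsonl(text)
    text.each_line.map { |line| JSON.parse(line) }
  end
end

# From an exported log, build what the early warning and the 72-hour
# notification need: when the activity started and stopped, who acted from
# where, what was touched, how many actions failed, and a replayable event list.
def incident_timeline(entries, from:, to:)
  window = entries.select { |e| (from..to).cover?(Time.iso8601(e["ts"])) }
  return nil if window.empty?
  {
    "first_seen" => window.first["ts"],
    "last_seen"  => window.last["ts"],
    "actors"     => window.map { |e| e["user_id"] }.uniq,
    "source_ips" => window.map { |e| e["ip"] }.uniq,
    "resources"  => window.map { |e| e["resource"] }.uniq,
    "failures"   => window.count { |e| e["result"] != "success" },
    "events"     => window.map { |e| "#{e['ts']} #{e['user_id']} #{e['action']} #{e['resource']} #{e['result']}" }
  }
end

# Constructed sample data (hypothetical): one routine refund, then three failed
# admin logins and a successful price change from an unfamiliar IP using curl.
def sample_log
  log = AuditLog.new
  t0 = Time.utc(2026, 3, 2, 1, 0, 0)
  log.append({ user_id: "admin@shop.example", action: "order.refund", resource: "orders/R123",
               result: "success", ip: "10.0.0.5", user_agent: "Mozilla/5.0" }, at: t0)
  3.times do |i|
    log.append({ user_id: "support@shop.example", action: "session.login", resource: "admin",
                 result: "failure", ip: "203.0.113.9", user_agent: "curl/8.0" }, at: t0 + 3600 + 2 * i)
  end
  log.append({ user_id: "support@shop.example", action: "product.update_price", resource: "products/SKU-77",
               result: "success", ip: "203.0.113.9", user_agent: "curl/8.0" }, at: t0 + 3700)
  log
end

if __FILE__ == $PROGRAM_NAME
  exported = AuditLog.from_jsonl(sample_log.to_jsonl)
  puts AuditLog.verify(exported).inspect # => [true, nil]
  window = { from: Time.utc(2026, 3, 2, 1, 30), to: Time.utc(2026, 3, 2, 3, 0) }
  puts JSON.pretty_generate(incident_timeline(exported, **window))
  exported[1]["result"] = "success"      # after-the-fact tampering with one record
  puts AuditLog.verify(exported).inspect # => [false, 1]
end
```

<p>Run stand-alone, the file verifies the untouched export, prints the timeline for the suspicious window (three failed logins followed by a successful price change from the same unfamiliar IP, which is the kind of sequence an early warning should flag as suspected malicious activity), and then shows the chain check failing at the altered record. Deleting a record fails the same check, because the sequence numbers and back-links of everything after it no longer line up. Run that verification before trusting a replayed timeline, and keep the exported file itself on append-only storage.<\/p>\n<p>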
Never store card data on your platform.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">NIS2 Compliance by Industry<\/h2>\n\n\n\n<figure class=\"wp-block-table\" style=\"margin:24px auto 0; overflow-x:auto\"><table style=\"border-collapse:collapse; width:100%; table-layout:fixed\"><thead><tr><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; vertical-align:top; word-wrap:break-word\">Industry<\/th><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; vertical-align:top; word-wrap:break-word\">NIS2 Classification<\/th><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; vertical-align:top; word-wrap:break-word\">Core Compliance Focus<\/th><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; vertical-align:top; word-wrap:break-word\">eCommerce Use Case<\/th><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; vertical-align:top; word-wrap:break-word\">Deep Dive<\/th><\/tr><\/thead><tbody><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><strong>Energy<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Essential<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Resilience testing, supply chain, incident response<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">B2B marketplace for parts and service suppliers<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; 
vertical-align:top; word-wrap:break-word\"><a href=\"\/energy-carbon-marketplace\/\">Energy &#038; Carbon marketplace compliance<\/a><\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><strong>Healthcare<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Essential<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Data protection, board accountability, resilience<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Hospital supply chains, pharma procurement<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">HealthTech eCommerce (coming soon)<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><strong>Government<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Essential<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Supply chain transparency, full infrastructure control<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Procurement portals, public sector platforms<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><a href=\"\/public-sector-procurement-ecommerce\/\">Public sector procurement commerce<\/a><\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><strong>Finance<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; 
text-align:left; vertical-align:top; word-wrap:break-word\">Essential<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Incident response, audit trails, encryption<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">B2B financial platforms, investment marketplaces<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><a href=\"\/dora-ecommerce-compliance\/\">DORA eCommerce compliance<\/a><\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><strong>Automotive<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Important<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Supply chain risk, data residency, resilience testing<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Parts exchanges, manufacturing procurement<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><a href=\"\/eu-automotive-manufacturing-ecommerce\/\">EU Automotive B2B commerce<\/a><\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\"><strong>Digital Services<\/strong><\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Important<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Scalable incident response, DDoS mitigation<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; 
Large">
vertical-align:top; word-wrap:break-word\">Large B2C\/B2B marketplaces with EU presence<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u2014<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Energy, healthcare, public administration, and finance are Annex I (high criticality) sectors. Large organizations in those sectors are essential entities and face the top penalty ceiling of \u20ac10 million or 2% of global turnover; medium-sized ones are important entities unless their member state designates them as essential, and central government administrations are essential regardless of size (Article 3). Financial entities are also covered by DORA, which takes precedence over NIS2 where the two overlap (Article 4). Automotive manufacturing and digital providers such as online marketplaces are Annex II sectors and fall under &#8220;important entity&#8221; rules, with a lower ceiling of \u20ac7 million or 1.4% that is still significant.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Build NIS2-Compliant Commerce with Spree<\/h2>\n\n\n\n<p>NIS2 enforcement is active in the member states that have transposed the directive, and the first major fines are expected by mid-2026. If your eCommerce platform serves EU essential or important entities, the gap between a SaaS setup and NIS2&#8217;s infrastructure requirements is a compliance risk measured in millions of euros.<\/p>\n\n\n\n<p>For organizations that need 24-hour incident response, independent penetration testing, encryption key ownership, and supply chain transparency on their commerce platform, Spree provides the self-hosted open source foundation designed for exactly this regulatory environment.<\/p>\n\n\n\n<figure class=\"wp-block-table\" style=\"margin:24px auto 0; overflow-x:auto\"><table style=\"border-collapse:collapse; width:100%; table-layout:fixed\"><thead><tr><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; vertical-align:top; word-wrap:break-word\">Capability<\/th><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; vertical-align:top; word-wrap:break-word\">Spree<\/th><th style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; font-weight:600; background-color:#f3f3f3; 
vertical-align:top; word-wrap:break-word\">SaaS Platforms<\/th><\/tr><\/thead><tbody><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Self-hosted deployment<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u2705 Any cloud, on-prem, GovCloud<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u274c Vendor infrastructure only<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Open source (BSD 3-Clause)<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u2705 Audit every line of code<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u274c Proprietary black box<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Full audit trail<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u2705 Every action logged with attribution<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u26a0\ufe0f Vendor-filtered logs<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Encryption key ownership<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u2705 You manage all keys<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u274c Vendor holds keys<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 
12px; text-align:left; vertical-align:top; word-wrap:break-word\">Penetration testing<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u2705 Test your own infrastructure<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u274c Vendor forbids testing<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Data sovereignty<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u2705 Deploy in any EU region<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u274c Multi-region by default<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">Provider-agnostic<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u2705 Choose every vendor independently<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u274c Locked into vendor ecosystem<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">B2B + marketplace native<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u2705 Built in, not plugins<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u26a0\ufe0f Add-ons and modules<\/td><\/tr><tr><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">LTS security support<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; 
\u2705 3+">
text-align:left; vertical-align:top; word-wrap:break-word\">\u2705 3+ years of patches<\/td><td style=\"border:1px solid #d5d5d5; padding:10px 12px; text-align:left; vertical-align:top; word-wrap:break-word\">\u274c Forced auto-upgrades<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><strong><a href=\"https:\/\/spreecommerce.org\/get-started\/\">Get started with Spree<\/a><\/strong> to assess your NIS2 compliance gap and scope your self-hosted commerce architecture.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Frequently Asked Questions<\/h2>\n\n\n\n<div class=\"wp-block-wpseopress-faq-block-v2 is-layout-flow wp-block-wpseopress-faq-block-v2-is-layout-flow\">\n<details id=\"does-nis2-apply-to-my-ecommerce-platform\" class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary><strong>Does NIS2 apply to my eCommerce platform?<\/strong><\/summary>\n<p>NIS2 applies directly if you are an essential or important entity under your member state&#8217;s transposing law, and indirectly if you supply commerce services to one: Article 21(2)(d) obliges that entity to manage supply chain risk, so it will push security, audit, and incident notification requirements down to you by contract. Energy, healthcare, public administration, finance, and digital infrastructure are explicitly covered sectors. If your platform runs a B2B marketplace for hospital supplies, a procurement portal for a government agency, or a parts exchange for an energy utility, expect to carry those obligations contractually. Member states had to establish their lists of essential and important entities by 17 April 2025 (Article 3(3)). Assess your platform against Section 2 now.<\/p>\n<\/details>\n\n\n<details id=\"what-s-the-difference-between-the-24-hour-72-hour-and-1-month-deadlines\" class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary><strong>What&#8217;s the difference between the 24-hour, 72-hour, and 1-month deadlines?<\/strong><\/summary>\n<p>NIS2 Article 23 creates a three-tier reporting timeline. Within 24 hours of becoming aware of a significant incident, send an early warning to your national CSIRT or competent authority; it only has to state whether you suspect unlawful or malicious action and whether cross-border impact is possible, so incomplete details are acceptable. 
Within 72 hours, submit an incident notification that updates the early warning with an initial assessment of severity and impact and, where available, indicators of compromise. Within one month, file a final report with a detailed description of the incident, the type of threat or root cause, the mitigation applied and still ongoing, and any cross-border impact; the CSIRT can also request intermediate status updates in between. Self-hosted platforms with real-time audit logging can reconstruct incident timelines within hours. SaaS-dependent organizations typically have to wait for the vendor&#8217;s log exports and incident communication before they can start.<\/p>\n<\/details>\n\n\n<details id=\"what-are-the-financial-penalties-for-nis2-non-compliance\" class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary><strong>What are the financial penalties for NIS2 non-compliance?<\/strong><\/summary>\n<p>Essential entities face administrative fines with a maximum of at least \u20ac10 million or 2% of total worldwide annual turnover, whichever is higher. Important entities face a maximum of at least \u20ac7 million or 1.4%. Beyond fines, NIS2 makes management accountable: management bodies must approve and oversee the risk-management measures and can be held liable for infringements (Article 20), and where other enforcement measures against an essential entity have proved ineffective, authorities can temporarily prohibit individuals at CEO or legal representative level from exercising managerial functions (Article 32(5)). Enforcement timing depends on each member state&#8217;s transposing law: the transposition deadline was 17 October 2024 and several member states missed it. First major fines are expected by mid-2026.<\/p>\n<\/details>\n\n\n<details id=\"what-does-supply-chain-risk-assessment-require-in-practice\" class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary><strong>What does &#8220;supply chain risk assessment&#8221; require in practice?<\/strong><\/summary>\n<p>You must document and assess every third-party service your commerce platform depends on: payment processor, cloud host, CDN, monitoring, backup service. For each vendor, record their security certifications (ISO 27001, SOC 2), data residency, audit rights in your contract, incident notification SLA, and your contingency plan if they fail. Self-hosted platforms let you choose and replace every vendor independently. 
SaaS platforms lock you into the vendor&#8217;s ecosystem with limited audit rights.<\/p>\n<\/details>\n\n\n<details id=\"how-often-must-i-conduct-penetration-testing-under-nis2\" class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary><strong>How often must I conduct penetration testing under NIS2?<\/strong><\/summary>\n<p>NIS2 does not mention penetration testing by name, and Annex I is the list of high-criticality sectors, not a list of controls. The relevant obligation is Article 21(2)(f): policies and procedures to assess the effectiveness of your cybersecurity risk-management measures, and penetration testing is the usual way to evidence that. The directive sets no frequency; national transposing laws and supervisory guidance may, so check the rules in your member state. A defensible baseline is the one PCI DSS already imposes on your payment flow: an external penetration test at least every 12 months and after any significant change, plus internal testing of the admin and API surfaces on the same cadence. Self-hosted platforms allow unlimited testing against your own infrastructure. Most SaaS vendors restrict or forbid testing of their shared environments, which leaves you unable to produce that evidence yourself.<\/p>\n<\/details>\n\n\n<details id=\"do-i-need-self-hosted-infrastructure-for-nis2-compliance\" class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary><strong>Do I need self-hosted infrastructure for NIS2 compliance?<\/strong><\/summary>\n<p>NIS2 does not prescribe a deployment model, but it holds you accountable for controls that a multi-tenant SaaS typically cannot give you: encryption key ownership, the right to penetration-test the environment, audit authority over suppliers, and incident response that does not wait on a vendor. For regulated commerce operations, that accountability is hard to meet without infrastructure you control. 
You can use SaaS for non-critical storefronts outside NIS2 scope, but your regulated commerce operations need self-hosted infrastructure with full control over security, data, and vendor relationships.<\/p>\n<\/details>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>What Does NIS2 Mean for eCommerce in 2026? 
NIS2 expands mandatory cybersecurity obligations from roughly 10,000 operators under NIS1 to approximately 160,000 essential and important entities across the EU (European Commission, NIS2 Impact Assessment, 2022). Every eCommerce platform serving those organizations inherits the same security burden. The NIS2 Directive entered into force on November 12, [&hellip;]<\/p>\n","protected":false},"author":87,"featured_media":28458,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_seopress_robots_primary_cat":"none","_seopress_titles_title":"NIS2 eCommerce Compliance: What Essential Entities Must Do","_seopress_titles_desc":"NIS2 requires essential entities to control their eCommerce infrastructure. Learn compliance requirements and why self-hosted open source meets the bar.","_seopress_robots_index":"","footnotes":""},"categories":[146],"tags":[1077,1090,1091,1089,1079],"class_list":["post-28459","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-open-source-ecommerce","tag-ecommerce-compliance","tag-essential-entities","tag-eu-cybersecurity","tag-nis2","tag-self-hosted-commerce"],"acf":[],"_links":{"self":[{"href":"https:\/\/spreecommerce.org\/wp-json\/wp\/v2\/posts\/28459","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/spreecommerce.org\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/spreecommerce.org\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/spreecommerce.org\/wp-json\/wp\/v2\/users\/87"}],"replies":[{"embeddable":true,"href":"https:\/\/spreecommerce.org\/wp-json\/wp\/v2\/comments?post=28459"}],"version-history":[{"count":0,"href":"https:\/\/spreecommerce.org\/wp-json\/wp\/v2\/posts\/28459\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/spreecommerce.org\/wp-json\/wp\/v2\/media\/28458"}],"wp:attachment":[{"href":"https:\/\/spreecommerce.org\/wp-json\/wp\/v2\/media
?parent=28459"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/spreecommerce.org\/wp-json\/wp\/v2\/categories?post=28459"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/spreecommerce.org\/wp-json\/wp\/v2\/tags?post=28459"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}