From NIS2 to secure WordPress: a realistic compliance roadmap for small agencies and freelancers

Francesco Canovi

The EU’s NIS2 directive—transposed into national law from 17 October 2024 onward—imposes tougher cyber-risk management, incident-reporting and supply-chain duties on “essential” and “important” entities. Although only a handful of member states met the deadline, enforcement pressure is already building in 2025, leaving many micro-agencies and solo WordPress professionals exposed.

This talk demystifies NIS2 through a WordPress lens. We will translate the directive’s legalese into concrete, platform-specific steps: choosing maintained plugins, adopting least-privilege practices, hardening servers, documenting processes, and preparing 24-hour incident-notification playbooks. We will also tackle the often-ignored supply-chain clause, showing how to vet upstream themes, SaaS tools and hosting providers without a corporate budget.
