For B2B commerce, cyberattacks are no longer an abstract danger but a calculable operating risk. The damage to the German economy from digital and analog attacks rose to EUR 289.2 billion in 2025, up around 8 percent on the previous year (Bitkom). For anyone running a B2B online store, a second dimension has been added since 6 December 2025: the NIS2 Implementation Act anchors IT security for the first time as a legal obligation with registration, reporting chains and management accountability (Federal Office for Information Security). Together with the GDPR and the card security standard PCI-DSS, this creates a framework of duties that affects the store both technically and organizationally. This article sorts out the scope assessment, the reporting deadlines and the technical hardening, and shows why security is an ongoing maintenance process rather than a one-off project.
Why IT Security in the B2B Store Becomes Mandatory
The figures from the Bitkom economic-protection report paint a clear picture. 87 percent of companies were recently affected by data theft, espionage or sabotage, up from 81 percent the year before (Bitkom). The share of purely digital attacks in the total damage rose from 67 to 70 percent, corresponding to a sum of EUR 202.4 billion (Bitkom). Ransomware remains particularly consequential: 34 percent of companies were affected, almost three times as many as in 2022 with 12 percent (Bitkom). For an online store whose revenue depends directly on system availability, every hour of downtime is a direct loss.
The threat landscape itself is also growing. In the reporting period from July 2024 to June 2025, the BSI recorded an average of 119 new vulnerabilities per day in IT systems, an increase of around 24 percent on the previous year (Federal Office for Information Security). Each of these gaps can hit an unpatched store instance, an outdated plugin or an open interface. This is exactly where the legislator steps in: NIS2 requires not just a one-off safeguard but ongoing risk management that keeps pace with the threat landscape. Regulatory requirements are also piling up; alongside the e-invoicing mandate, NIS2 hits the same systems.
Security Is a Management Matter -- with Personal Accountability
NIS2 Implementation Act: What Applies Since December 2025
The NIS2 Implementation Act (officially NIS2UmsuCG) transposes the European Directive (EU) 2022/2555 into national law and came into force on 6 December 2025 (Federal Office for Information Security). This raises the number of supervised entities from around 4,500 to about 29,500 (Federal Office for Information Security). The law distinguishes two classes: essential entities (besonders wichtige Einrichtungen) and important entities (wichtige Einrichtungen). Both must register with the BSI, report significant security incidents and introduce and document risk management -- the difference lies mainly in the intensity of supervision and the level of potential fines.
The underlying directive names the minimum requirements for risk management. They range from concepts for risk analysis and information security through incident handling and backup management to supply-chain security and the use of multi-factor authentication (EUR-Lex, Directive (EU) 2022/2555, Article 21). These areas form the core of what an affected store operator must demonstrate. They are deliberately technology-neutral so they fit different system landscapes -- from the small specialist retailer to the enterprise-wide Shopware platform.
Registration
Affected entities register with the BSI and keep their contact details current so that reporting channels work when it counts.
Risk management
Technical and organizational measures at the state of the art are introduced and documented in a traceable way.
Reporting duty
Significant incidents are reported to the BSI in several stages -- starting with an early warning within 24 hours.
Supply-chain security
The security of service providers, hosting and suppliers belongs in your own risk management and in your contracts.
Business continuity
Backup management, contingency plans and a rehearsed recovery ensure that operations survive an incident.
Evidence and accountability
Management approves the measures, oversees them and bears responsibility for their implementation.
Scope Assessment: Does Your Store Fall Under NIS2?
Whether a company falls under NIS2 comes down to two questions: does it belong to one of the regulated sectors, and does it exceed the size thresholds? The sectors include, among others, transport and logistics, postal and courier services, food production, chemicals, machinery and vehicle manufacturing, health and digital services (Federal Office for Information Security). Many B2B traders are directly covered through their industry -- as wholesalers, technical distributors or suppliers. A company counts as an important entity if it employs at least 50 people or generates more than EUR 10 million in annual revenue (Federal Office for Information Security).
The threshold for essential entities is higher: from 250 employees or over EUR 50 million in revenue combined with more than EUR 43 million in balance-sheet total (EUR-Lex, Directive (EU) 2022/2555, Article 3). The classification is not a mere formality, because it determines how closely the BSI supervises and how high potential fines can be. Anyone close to a threshold or running several sites should document the assessment carefully -- advice on classification belongs at the start of every project.
| Criterion | Important entity | Essential entity |
|---|---|---|
| Size threshold | from 50 employees or EUR 10m revenue | from 250 employees or over EUR 50m revenue |
| Balance-sheet total | not decisive | additionally over EUR 43m |
| Registration with the BSI | mandatory | mandatory |
| Reporting duty | 24 h / 72 h / 1 month | 24 h / 72 h / 1 month |
| Supervision | mainly after the fact | also proactive and closer |
| Fine range | set lower | set higher |
Indirectly Affected Companies Should Act Too
Registration and Reporting Chains: 24, 72 Hours, One Month
When the law came into force on 6 December 2025, a three-month window to register with the BSI began, which ended on 6 March 2026 (Federal Office for Information Security). Anyone newly falling under the obligation or who missed the deadline must register without delay. The centerpiece of the ongoing duties is the staged reporting of significant security incidents under Section 32 of the BSI Act. It follows the principle of speed before completeness: instead of a single, late-finished analysis, the law requires several, increasingly detailed reports.
- Early warning within 24 hours: an initial report to the BSI including the assessment of whether an unlawful or malicious trigger is suspected and whether cross-border effects are possible (Federal Office for Information Security).
- Report within 72 hours: confirmation and an initial assessment of the incident with details on severity, impact and -- where known -- indicators of compromise.
- Final report after one month: a detailed report with root-cause analysis, severity, impact and the countermeasures taken.
Without Preparation, 24 Hours Is Extremely Tight
Supply-Chain Security: the Store as a Link in the Chain
NIS2 explicitly puts the supply chain in focus. Affected entities must assess the security of their direct suppliers and service providers and factor it into their own risk management (EUR-Lex, Directive (EU) 2022/2555, Article 21). For a B2B store, this means double responsibility: upstream it is itself a supplier to regulated customers; downstream it depends on hosting, payment providers, extension vendors and maintenance partners. Each of these connections to external systems is at the same time a potential attack surface. A compromised third-party extension can open the entire store, even if your own software is well maintained.
A store is only as secure as the weakest link in its supply chain -- from hosting through the payment connection to the smallest extension.
GDPR and PCI-DSS: the Second and Third Layer
NIS2 does not stand alone. The GDPR obliges every store that processes personal data to take appropriate technical and organizational measures -- and, in the event of a personal data breach, to notify the supervisory authority within 72 hours (Article 33 GDPR). Enforcement is real: in 2025, European data protection authorities imposed fines of around EUR 1.2 billion (DLA Piper); since the regulation became applicable in 2018, known fines add up to nearly EUR 7 billion (CMS Enforcement Tracker). Customer communication also touches data protection: anyone sending order and service emails via automated email flows must map consent and data minimization cleanly.
Anyone accepting card payments is additionally subject to the PCI-DSS. Since 31 March 2025, the future-dated requirements of version 4.0, initially introduced as best practice, have been mandatory (PCI Security Standards Council). These include multi-factor authentication for all access to the cardholder data environment and -- where passwords are used -- a minimum length of 12 characters made up of letters and numbers (PCI Security Standards Council). In practice, the risk can be reduced by not storing card data in the store itself but outsourcing payment processing to certified methods and keeping your own scope small.
| Framework | Applies to | Core obligation | Reporting deadline |
|---|---|---|---|
| NIS2 / BSI Act | regulated sectors above the threshold | risk management, registration, reporting | 24 h / 72 h / 1 month |
| GDPR | any processing of personal data | appropriate safeguards, data-subject rights | 72 h to the supervisory authority |
| PCI-DSS | acceptance of card payments | protection of cardholder data | by contract to acquirer and brand |
Three Frameworks, One Shared Foundation
Technical Hardening of the B2B Store
Technical hardening translates the legal requirements into concrete settings on the store. It begins with the access points and ends with monitoring. Many measures pay off twice: current software and a lean, clean configuration increase security and at the same time have a positive effect on load times and stability. Anyone renewing the store technically anyway -- for example during a migration to a current Shopware base -- should build in hardening and currency from the start rather than retrofitting them.
- Multi-factor authentication for all administration and editorial access to the store
- Role and permission concept following the principle of least privilege
- Regular patch and update management for the core, extensions and server
- End-to-end transport encryption (TLS) and secure HTTP security headers
- Automated, tested backups with a defined recovery time
- Logging of security-relevant events and their regular review
- Secured interfaces and vetted third-party extensions
- Recurring checks for known vulnerabilities and misconfigurations
Security Maintenance: Security as an Ongoing Process
The most important shift in perspective: IT security is not a state you establish once, but a process you maintain. With an average of 119 new vulnerabilities per day (Federal Office for Information Security), a store that was secured once ages a little with every day. NIS2 phrases this idea as an obligation for ongoing risk management -- and this is exactly where the difference lies between a one-off project and continuous care.
One-Off Hardening Versus Ongoing Security Maintenance
One-off safeguard
The store is reviewed and hardened at a fixed point in time. Sensible as a starting point, but rarely sufficient for lasting compliance.
- Protection reflects the state on the review day
- Newly known vulnerabilities remain open at first
- Updates are applied irregularly
- In an incident, a rehearsed point of contact is missing
Ongoing security maintenance
The store is kept current continuously, monitored and supported in an emergency. The reliable target state.
- Security updates are applied promptly
- Monitoring detects anomalies early
- Backups are tested regularly
- Reporting channels and a response plan are prepared
Map Security as a Maintenance Service
Roadmap: Implementing NIS2 and Store Hardening
The path to NIS2-compliant store security can be broken down into manageable steps. It begins with clarity about scope and ends with a monitored ongoing operation -- provided the safeguarding is planned as a continuous task.
- Check scope: compare sector and size thresholds, capture indirect obligations via customers and the supply chain, and document them.
- Register: if affected, complete or catch up on registration with the BSI and keep contact details current.
- Assess the current state: review the store, server, interfaces and service providers for currency, access and vulnerabilities.
- Harden: set up multi-factor authentication, update management, encryption, backups and logging.
- Establish the reporting process: define and rehearse responsibilities, reporting channels and a response plan for the 24-hour deadline.
- Operate permanently: carry security forward through ongoing maintenance instead of treating it as a completed project.
Sources and Studies