Zum Inhalt springen
GDPR-compliant B2B shops
IT-Sicherheit

IT Security and NIS2 for Your B2B Shop

What NIS2, GDPR and PCI-DSS mean for B2B store operators: scope assessment, reporting deadlines, supply-chain security, MFA and technical hardening.

13 min read IT-SicherheitNIS2ComplianceDSGVO

For B2B commerce, cyberattacks are no longer an abstract danger but a calculable operating risk. The damage to the German economy from digital and analog attacks rose to EUR 289.2 billion in 2025, up around 8 percent on the previous year (Bitkom). For anyone running a B2B online store, a second dimension has been added since 6 December 2025: the NIS2 Implementation Act anchors IT security for the first time as a legal obligation with registration, reporting chains and management accountability (Federal Office for Information Security). Together with the GDPR and the card security standard PCI-DSS, this creates a framework of duties that affects the store both technically and organizationally. This article sorts out the scope assessment, the reporting deadlines and the technical hardening, and shows why security is an ongoing maintenance process rather than a one-off project.

IT Security and NIS2 for Your B2B ShopNIS2 Implementation Actin force since 6 Dec 2025around 29,500 entitiesGDPRData protection and reportingaround EUR 1.2bn fines in 2025PCI-DSS 4.0.1Card payment securityMFA required since 31 Mar 2025Harden the B2B shopMFA and phishing-resistant loginsUpdates and patch managementBackups and monitoringSupply-chain securityB2B shop (Shopware)IncidentReporting chain to the BSI24 hoursEarly warning72 hoursReport with assessment1 monthFinal reportEUR 289bndamage to the economy 2025 (Bitkom)50 staff · EUR 10mthreshold for important entity (BSI)119 / daynew vulnerabilities 2025 (BSI)Registration · Hardening · Reporting · Maintenance — IT security as an ongoing process

Why IT Security in the B2B Store Becomes Mandatory

The figures from the Bitkom economic-protection report paint a clear picture. 87 percent of companies were recently affected by data theft, espionage or sabotage, up from 81 percent the year before (Bitkom). The share of purely digital attacks in the total damage rose from 67 to 70 percent, corresponding to a sum of EUR 202.4 billion (Bitkom). Ransomware remains particularly consequential: 34 percent of companies were affected, almost three times as many as in 2022 with 12 percent (Bitkom). For an online store whose revenue depends directly on system availability, every hour of downtime is a direct loss.

The threat landscape itself is also growing. In the reporting period from July 2024 to June 2025, the BSI recorded an average of 119 new vulnerabilities per day in IT systems, an increase of around 24 percent on the previous year (Federal Office for Information Security). Each of these gaps can hit an unpatched store instance, an outdated plugin or an open interface. This is exactly where the legislator steps in: NIS2 requires not just a one-off safeguard but ongoing risk management that keeps pace with the threat landscape. Regulatory requirements are also piling up; alongside the e-invoicing mandate, NIS2 hits the same systems.

Security Is a Management Matter -- with Personal Accountability

Under the NIS2 Implementation Act, management must approve the risk-management measures and oversee their implementation; it can be held accountable for failures (Federal Office for Information Security). IT security therefore cannot be delegated entirely to the IT team. A documented review of store security is the first step toward meeting the obligations in a verifiable way.

NIS2 Implementation Act: What Applies Since December 2025

The NIS2 Implementation Act (officially NIS2UmsuCG) transposes the European Directive (EU) 2022/2555 into national law and came into force on 6 December 2025 (Federal Office for Information Security). This raises the number of supervised entities from around 4,500 to about 29,500 (Federal Office for Information Security). The law distinguishes two classes: essential entities (besonders wichtige Einrichtungen) and important entities (wichtige Einrichtungen). Both must register with the BSI, report significant security incidents and introduce and document risk management -- the difference lies mainly in the intensity of supervision and the level of potential fines.

The underlying directive names the minimum requirements for risk management. They range from concepts for risk analysis and information security through incident handling and backup management to supply-chain security and the use of multi-factor authentication (EUR-Lex, Directive (EU) 2022/2555, Article 21). These areas form the core of what an affected store operator must demonstrate. They are deliberately technology-neutral so they fit different system landscapes -- from the small specialist retailer to the enterprise-wide Shopware platform.

Registration

Affected entities register with the BSI and keep their contact details current so that reporting channels work when it counts.

Risk management

Technical and organizational measures at the state of the art are introduced and documented in a traceable way.

Reporting duty

Significant incidents are reported to the BSI in several stages -- starting with an early warning within 24 hours.

Supply-chain security

The security of service providers, hosting and suppliers belongs in your own risk management and in your contracts.

Business continuity

Backup management, contingency plans and a rehearsed recovery ensure that operations survive an incident.

Evidence and accountability

Management approves the measures, oversees them and bears responsibility for their implementation.

Scope Assessment: Does Your Store Fall Under NIS2?

Whether a company falls under NIS2 comes down to two questions: does it belong to one of the regulated sectors, and does it exceed the size thresholds? The sectors include, among others, transport and logistics, postal and courier services, food production, chemicals, machinery and vehicle manufacturing, health and digital services (Federal Office for Information Security). Many B2B traders are directly covered through their industry -- as wholesalers, technical distributors or suppliers. A company counts as an important entity if it employs at least 50 people or generates more than EUR 10 million in annual revenue (Federal Office for Information Security).

The threshold for essential entities is higher: from 250 employees or over EUR 50 million in revenue combined with more than EUR 43 million in balance-sheet total (EUR-Lex, Directive (EU) 2022/2555, Article 3). The classification is not a mere formality, because it determines how closely the BSI supervises and how high potential fines can be. Anyone close to a threshold or running several sites should document the assessment carefully -- advice on classification belongs at the start of every project.

CriterionImportant entityEssential entity
Size thresholdfrom 50 employees or EUR 10m revenuefrom 250 employees or over EUR 50m revenue
Balance-sheet totalnot decisiveadditionally over EUR 43m
Registration with the BSImandatorymandatory
Reporting duty24 h / 72 h / 1 month24 h / 72 h / 1 month
Supervisionmainly after the factalso proactive and closer
Fine rangeset lowerset higher

Indirectly Affected Companies Should Act Too

Even those that do not reach the thresholds can be pulled into scope through the supply chain: larger clients pass their NIS2 requirements on to suppliers and service providers by contract. A store that serves as an ordering channel and B2B portal for a regulated customer thus effectively becomes part of that customer's security requirements. Those who tackle hardening early gain an advantage in tenders and supplier audits.

Registration and Reporting Chains: 24, 72 Hours, One Month

When the law came into force on 6 December 2025, a three-month window to register with the BSI began, which ended on 6 March 2026 (Federal Office for Information Security). Anyone newly falling under the obligation or who missed the deadline must register without delay. The centerpiece of the ongoing duties is the staged reporting of significant security incidents under Section 32 of the BSI Act. It follows the principle of speed before completeness: instead of a single, late-finished analysis, the law requires several, increasingly detailed reports.

  1. Early warning within 24 hours: an initial report to the BSI including the assessment of whether an unlawful or malicious trigger is suspected and whether cross-border effects are possible (Federal Office for Information Security).
  2. Report within 72 hours: confirmation and an initial assessment of the incident with details on severity, impact and -- where known -- indicators of compromise.
  3. Final report after one month: a detailed report with root-cause analysis, severity, impact and the countermeasures taken.

Without Preparation, 24 Hours Is Extremely Tight

The first deadline runs from the moment you become aware, not from the end of the working day. An incident over the weekend keeps the clock ticking just the same. Those who have not defined reporting channels, responsibilities and contact details in advance lose valuable hours on organization instead of defense. A rehearsed response plan and a maintenance partner on standby shorten the time to the first reliable report.

Supply-Chain Security: the Store as a Link in the Chain

NIS2 explicitly puts the supply chain in focus. Affected entities must assess the security of their direct suppliers and service providers and factor it into their own risk management (EUR-Lex, Directive (EU) 2022/2555, Article 21). For a B2B store, this means double responsibility: upstream it is itself a supplier to regulated customers; downstream it depends on hosting, payment providers, extension vendors and maintenance partners. Each of these connections to external systems is at the same time a potential attack surface. A compromised third-party extension can open the entire store, even if your own software is well maintained.

A store is only as secure as the weakest link in its supply chain -- from hosting through the payment connection to the smallest extension.

Principle of supply-chain security under NIS2

GDPR and PCI-DSS: the Second and Third Layer

NIS2 does not stand alone. The GDPR obliges every store that processes personal data to take appropriate technical and organizational measures -- and, in the event of a personal data breach, to notify the supervisory authority within 72 hours (Article 33 GDPR). Enforcement is real: in 2025, European data protection authorities imposed fines of around EUR 1.2 billion (DLA Piper); since the regulation became applicable in 2018, known fines add up to nearly EUR 7 billion (CMS Enforcement Tracker). Customer communication also touches data protection: anyone sending order and service emails via automated email flows must map consent and data minimization cleanly.

Anyone accepting card payments is additionally subject to the PCI-DSS. Since 31 March 2025, the future-dated requirements of version 4.0, initially introduced as best practice, have been mandatory (PCI Security Standards Council). These include multi-factor authentication for all access to the cardholder data environment and -- where passwords are used -- a minimum length of 12 characters made up of letters and numbers (PCI Security Standards Council). In practice, the risk can be reduced by not storing card data in the store itself but outsourcing payment processing to certified methods and keeping your own scope small.

FrameworkApplies toCore obligationReporting deadline
NIS2 / BSI Actregulated sectors above the thresholdrisk management, registration, reporting24 h / 72 h / 1 month
GDPRany processing of personal dataappropriate safeguards, data-subject rights72 h to the supervisory authority
PCI-DSSacceptance of card paymentsprotection of cardholder databy contract to acquirer and brand

Three Frameworks, One Shared Foundation

NIS2, GDPR and PCI-DSS at their core demand the same basics: current software, strong authentication, logged access, tested backups and a rehearsed contingency process. Set this foundation up cleanly once and you satisfy large parts of all three frameworks at the same time. The same applies to adjacent duties such as accessibility under the BFSG, which follows the same path of structured implementation.

Technical Hardening of the B2B Store

Technical hardening translates the legal requirements into concrete settings on the store. It begins with the access points and ends with monitoring. Many measures pay off twice: current software and a lean, clean configuration increase security and at the same time have a positive effect on load times and stability. Anyone renewing the store technically anyway -- for example during a migration to a current Shopware base -- should build in hardening and currency from the start rather than retrofitting them.

  • Multi-factor authentication for all administration and editorial access to the store
  • Role and permission concept following the principle of least privilege
  • Regular patch and update management for the core, extensions and server
  • End-to-end transport encryption (TLS) and secure HTTP security headers
  • Automated, tested backups with a defined recovery time
  • Logging of security-relevant events and their regular review
  • Secured interfaces and vetted third-party extensions
  • Recurring checks for known vulnerabilities and misconfigurations

Security Maintenance: Security as an Ongoing Process

The most important shift in perspective: IT security is not a state you establish once, but a process you maintain. With an average of 119 new vulnerabilities per day (Federal Office for Information Security), a store that was secured once ages a little with every day. NIS2 phrases this idea as an obligation for ongoing risk management -- and this is exactly where the difference lies between a one-off project and continuous care.

One-Off Hardening Versus Ongoing Security Maintenance

One-off safeguard

The store is reviewed and hardened at a fixed point in time. Sensible as a starting point, but rarely sufficient for lasting compliance.

  • Protection reflects the state on the review day
  • Newly known vulnerabilities remain open at first
  • Updates are applied irregularly
  • In an incident, a rehearsed point of contact is missing

Ongoing security maintenance

The store is kept current continuously, monitored and supported in an emergency. The reliable target state.

  • Security updates are applied promptly
  • Monitoring detects anomalies early
  • Backups are tested regularly
  • Reporting channels and a response plan are prepared

Map Security as a Maintenance Service

The NIS2 obligation for ongoing risk management is most reliably mapped through a fixed maintenance and support service: planned updates, monitored availability, tested backups and a prepared response plan. This turns a legal requirement into a plannable operating component. Talk to us about your existing store environment and we will derive the right measures from it.

Roadmap: Implementing NIS2 and Store Hardening

The path to NIS2-compliant store security can be broken down into manageable steps. It begins with clarity about scope and ends with a monitored ongoing operation -- provided the safeguarding is planned as a continuous task.

  1. Check scope: compare sector and size thresholds, capture indirect obligations via customers and the supply chain, and document them.
  2. Register: if affected, complete or catch up on registration with the BSI and keep contact details current.
  3. Assess the current state: review the store, server, interfaces and service providers for currency, access and vulnerabilities.
  4. Harden: set up multi-factor authentication, update management, encryption, backups and logging.
  5. Establish the reporting process: define and rehearse responsibilities, reporting channels and a response plan for the 24-hour deadline.
  6. Operate permanently: carry security forward through ongoing maintenance instead of treating it as a completed project.

Sources and Studies

This article is based on data from: Federal Office for Information Security (BSI) -- press release on the entry into force of the NIS2 Implementation Act (December 2025), NIS-2 information packages on duties and reporting (Section 32 BSI Act) and The State of IT Security in Germany 2025; EUR-Lex -- Directive (EU) 2022/2555 (NIS-2 Directive), in particular Articles 3, 21 and 23; PCI Security Standards Council -- PCI DSS v4.0.1 and the requirements mandatory from 31 March 2025; Bitkom -- Economic Protection 2025 study report (over 1,000 companies surveyed); DLA Piper -- GDPR Fines and Data Breach Survey 2026 and CMS GDPR Enforcement Tracker. Figures may vary depending on the survey date and sample. Specific legal obligations should be clarified with qualified advice.