NIS2 in e-commerce: Is your business meeting the new requirements?


December 4, 2025
Flemming Månsson Bornhak, Backend Development

E-commerce without IT security is like a shop without a lock. With the EU’s new NIS2 directive, the bar is being raised significantly for how companies across Europe must approach cybersecurity. For e-commerce businesses, this means new requirements and new risks. But it also opens up an opportunity to strengthen both operations and trust.

At Vertica, we have extensive experience building digital solutions that meet the growing demands of modern IT security. Specifically in relation to NIS2, we’re already helping clients like Molslinjen, REMA Distribution, Brødrene Dahl and Hørkram translate the directive’s requirements into practical solutions — and peace of mind.

 

What is NIS2? And why does it affect e-commerce?

NIS2 (Network and Information Security 2) is the EU’s updated directive on network and information security. While the first version mainly focused on traditional infrastructure sectors, NIS2 expands the requirements to include online platforms, digital service providers, and logistics and distribution services with critical societal functions. As a result, many more e-commerce businesses now fall under NIS2 if they are categorised as an “important entity.”

In Denmark, the directive becomes law from July 2025. All companies classified as “essential” or “important entities” must therefore be registered no later than 1 October 2025. This means that even businesses that have never before been regulated in terms of cybersecurity will now face concrete obligations - with fines of up to €10 million or 2% of annual revenue for non-compliance.

In other words, security is no longer optional in e-commerce. It’s a legal requirement and a fundamental prerequisite for doing business in the EU.

 

What does NIS2 require in practice?

The NIS2 directive emphasises that companies must be able to prevent, detect and handle security threats. The idea is to move the focus away from isolated technical measures and towards a holistic approach to cybersecurity.

In practical terms, NIS2 means you need to have control of the following areas to be compliant:

 

  • Risk management and policies: Companies must have formal information security policies and be able to document that they continuously assess threats and vulnerabilities.
  • Access control: Stricter procedures for who has access to critical systems and how those rights are managed.
  • Technical measures: From firewalls and monitoring to patching and encryption.
  • Incident response: Clear plans for how to handle a security incident.
  • Supply chain security: Responsibility for ensuring that suppliers and partners also meet the requirements.
  • Management responsibility: Directors and boards now carry explicit responsibility for cybersecurity. It can no longer be delegated solely to the IT department.

In short: NIS2 shifts security from being a technical discipline to a business-critical leadership responsibility.



How does Vertica help with NIS2 compliance?

At Vertica, we see NIS2 as an opportunity to strengthen security - for ourselves and for our customers. Not just because the law requires it, but because it genuinely strengthens your business. Our approach combines analysis, technical measures, preparedness and culture.

We begin with a thorough review of your current situation: which systems are most critical, where the vulnerabilities are, and which parts of the directive apply to your organisation. Based on that, we help you develop the necessary policies and plans so your documentation is in order.

Next, we focus on technical measures that make a real difference: access control, monitoring tools, backup and restore processes, and integrations with the systems your business depends on.

And then there’s incident readiness. At Vertica, we have an automated system that alerts us by phone if there are functional issues in a solution, and our alarm handling is staffed 24/7. So when something happens (and it will at some point), we can respond immediately. We follow a clear incident response plan to ensure events are handled in the best possible way - and that reporting happens within the required legal timeframes.

But we don’t stop there. Security isn’t a project you can tick off a list. We work continuously with awareness and training so both our own developers and your teams maintain a high security standard. Our specialists monitor the threat landscape, adjust processes and help ensure that compliance becomes a natural part of everyday operations.


What should you do now?

The first step is to determine whether your business is covered by NIS2 - this depends on whether your activities are considered critical to society. If you are (or likely will be), the next step is to get a clear picture of your risk profile and the gaps that need to be closed. From there, it’s about prioritising the work: from policies and documentation to technical measures and incident response procedures.

NIS2 sets sharp requirements, and for many businesses, ensuring compliance feels more like an obligation than something that creates value. But in a time of growing threats and high uncertainty, strong security is a genuine competitive advantage.

Companies that approach the task the right way end up with solutions that are more stable, more trustworthy and better prepared for future threats. That builds trust. And trust is one of the most important currencies in today’s market.

