Does GDPR apply to my website if I'm outside the EU?

Yes, if your website has visitors from the EU/EEA and you collect any personal data including cookies and IP addresses, GDPR applies regardless of your company's location.

What are the penalties for GDPR non-compliance?

Fines up to €20 million or 4% of global annual turnover, whichever is higher. NIS2 penalties reach €10 million or 2% for essential entities. PCI DSS violations can cost $5,000-$100,000 per month plus loss of card processing.

What is the difference between PCI DSS and GDPR?

GDPR covers personal data protection across all sectors. PCI DSS specifically covers cardholder data security for payment processing. If you process credit cards, both apply. PCI DSS requires quarterly scans, a WAF, and TLS 1.2 minimum.

Do all four compliance frameworks require the same security measures?

Largely yes. All require TLS encryption, access control, incident response, vulnerability management, and logging. Implementing one framework makes the others significantly easier to achieve.

What is ISO 27001 and is it mandatory?

ISO 27001 is a voluntary international standard for information security management with 93 controls. It is not law, but is increasingly required by enterprise customers, government contracts, and cyber insurance providers.

Web Security Compliance: GDPR, PCI DSS, NIS2, and ISO 27001

Four frameworks, one goal: protect data and systems. Here's what each one requires for your web application and what happens if you don't comply.

Published April 6, 2026·Updated 2026-04-10·15 min read·By ismycodesafe.com Security Team

Why Compliance Matters

Compliance isn't optional. It's the law. GDPR fines reached €2.1 billion in the first five years. PCI DSS non-compliance can mean losing the ability to process credit cards. NIS2 introduces personal liability for management. Ignorance is not a defense.

But compliance also makes business sense. The average cost of a data breach is $4.45 million (IBM, 2023). The cost of implementing proper security controls is a fraction of that. Compliance frameworks give you a structured path to security that would otherwise require expensive consulting.

Who it applies to: Any organization that processes personal data of EU/EEA residents, regardless of where the organization is located. If your website has European visitors and collects any data (including cookies and IP addresses), GDPR applies to you.

Key requirements for web applications:

Lawful basis for processing. You need a legal reason to collect each piece of data (consent, contract, legitimate interest)
Consent management. Cookie banners that allow genuine choice (not dark patterns). Pre-checked boxes are illegal.
Data minimization. Only collect data you actually need
Encryption in transit. HTTPS is the minimum. TLS 1.2 or higher.
Encryption at rest. Sensitive data must be encrypted in your database
Breach notification. 72 hours to notify the supervisory authority after discovering a breach
Privacy by design. Security and privacy must be built in, not bolted on
Right to erasure. Users can request deletion of their data
Data portability. Users can request their data in a machine-readable format

Penalties: Up to €20 million or 4% of global annual turnover, whichever is higher. See the official GDPR text.

PCI DSS. Payment Card Industry Data Security Standard

Who it applies to: Any organization that stores, processes, or transmits cardholder data. If your website accepts credit card payments (even through a third-party processor) some PCI DSS requirements apply.

Key requirements for web applications:

TLS 1.2+. Required for all payment page communications
No cardholder data storage. Unless absolutely necessary, don't store card numbers. Use tokenization via Stripe, Braintree, or similar.
Quarterly vulnerability scans. Required by an Approved Scanning Vendor (ASV)
Web application firewall. Required for public-facing payment applications
Access logging. All access to cardholder data must be logged and monitored
Strong authentication. MFA for admin access to payment systems

Penalties: Fines from $5,000 to $100,000 per month. Card brands can also increase processing fees or terminate your ability to accept cards. Details at the PCI Security Standards Council.

NIS2 Directive

Who it applies to: EU entities in 18 sectors classified as "essential" or "important": energy, transport, banking, health, digital infrastructure, ICT service management, public administration, and more. The directive also covers their supply chains.

Key requirements:

Risk management measures. Policies for risk analysis and information system security
Incident handling. Procedures for detecting, managing, and reporting incidents
Business continuity. Backup management and disaster recovery
Supply chain security. Security requirements for suppliers and service providers
Vulnerability disclosure. Policies for coordinated vulnerability disclosure
Encryption. Use of cryptography and where appropriate, encryption
Multi-factor authentication. MFA and continuous authentication
Incident reporting. Early warning within 24 hours, full notification within 72 hours

Penalties: Up to €10 million or 2% of global annual turnover for essential entities. Management can be held personally liable. See the official NIS2 text and ENISA's NIS2 page.

ISO 27001

Who it applies to: ISO 27001 is voluntary. But increasingly required by enterprise customers, government contracts, and insurance providers. It's the international standard for information security management systems (ISMS).

Key requirements:

Risk assessment. Identify assets, threats, and vulnerabilities systematically
Security controls. Implement controls from Annex A (93 controls in the 2022 version)
Documentation. Written policies, procedures, and records
Internal audits. Regular self-assessment against the standard
Management review. Leadership involvement in security decisions
Continuous improvement. Regular review and update of security measures

Certification: Requires an audit by an accredited certification body. Annual surveillance audits. Full re-certification every three years.

Where They Overlap

Good news: these frameworks share core requirements. Implementing one makes the others easier:

Requirement	GDPR	PCI DSS	NIS2	ISO 27001
Encryption in transit (TLS)	Yes	Yes	Yes	Yes
Access control	Yes	Yes	Yes	Yes
Incident response	72h	Yes	24h/72h	Yes
Vulnerability management	Implied	Quarterly	Yes	Yes
Logging and monitoring	Yes	Yes	Yes	Yes
Multi-factor auth	Recommended	Required	Required	Recommended

Practical Steps

Start with HTTPS and security headers. This satisfies the encryption requirements across all four frameworks. Run ismycodesafe.com to check your current status.
Add a privacy policy and cookie consent. Required by GDPR, expected by all frameworks.
Implement access controls. Authentication, authorization, and MFA for admin accounts.
Set up logging. Log security events, store logs securely, set up alerts.
Create an incident response plan. Know who to contact, what to do, and how fast. Document it.
Run regular vulnerability scans. Quarterly at minimum for PCI DSS. Monthly is better practice.
Document everything. Policies, procedures, and evidence of compliance. You need proof, not just practice.

Check your website right now

110 security checks in 60 seconds. Free, no signup required.

Scan My Website (Free)

ismycodesafe.com Security Team

We run automated security scans on thousands of websites daily, combining static analysis, SSL/TLS inspection, header auditing, and CVE lookups. Our team tracks OWASP, NIST, and evolving compliance requirements (GDPR, NIS2, PCI DSS) to keep these guides accurate and practical.

About us Free tools Contact

GDPR for Developers: What Your Website Must Do

Practical GDPR implementation for web applications.

NIS2 Directive: What EU Businesses Need to Know in 2026

The EU's new cybersecurity requirements explained.