
Contribute to A Better World By Making Your Business Sustainable
Customer Data Privacy & Cyber Risk in E-Commerce
In our previous Brave Horizons analysis — Circular Packaging Solutions — Reducing Waste and Liability — we examined how the EU’s regulatory architecture is imposing simultaneous compliance obligations on SME retailers: obligations that arrive irrespective of company size, budget, or the presence of a dedicated compliance function. That analysis is directly relevant here. The same convergence dynamic is now occurring across a different but interconnected domain: customer data privacy and cybersecurity. E-commerce SMEs that process payment data, store customer profiles, and rely on third-party digital supply chains are now operating within a four-layer regulatory stack — while facing a threat landscape that has set consecutive records for attack volume, breach costs, and fraud losses.

Close The Control Gap

Why This Matters Now

The EU’s regulatory architecture for digital security and data privacy reached a new compliance threshold in 2025. The NIS2 Directive (Directive (EU) 2022/2555) has been in force at EU level since 2023; Member States were required to transpose it into national law by 17 October 2024. Applicability to a specific SME depends on entity type, sector classification, and the relevant national implementation — but in-scope online marketplaces and digital service providers face mandatory cybersecurity risk management and incident reporting obligations (European Commission, 2024). PCI DSS v4.0’s previously future-dated requirements became mandatory on 31 March 2025, including Requirement 6.4.3 (payment page script inventory and authorisation) and Requirement 11.6.1 (tamper-detection mechanisms for payment pages) — with multi-factor authentication (MFA) mandates across cardholder data environments (PCI SSC, 2025).

The Cyber Resilience Act (Regulation (EU) 2024/2847) entered into force in December 2024, with obligations phased in over time: product security-by-design requirements apply progressively, and vulnerability reporting obligations begin from September 2026 (CRA Articles 14 and 71(2); European Commission, 2024). GDPR enforcement — already producing cumulative fines exceeding €7.1 billion since 2018 — generated €1.2 billion in penalties in 2025 alone (Kiteworks, 2026). CMS Law’s GDPR Enforcement Tracker shows that security failures remain a recurring basis for GDPR penalties; current enforcement category breakdowns are available at the tracker.

These four frameworks are not operating in sequence. They are applying simultaneously. E-commerce SMEs that have treated data privacy and cybersecurity as separate administrative concerns — or that have deferred compliance investment pending regulatory clarity — are now overdue.

The commercial consequences of underinvestment are well-documented. IBM Security reports the global average data breach cost reached USD 4.44 million in 2025 — a 9% year-on-year decrease driven by faster AI-assisted breach containment, though US breach costs hit an all-time high of USD 10.22 million in the same period (IBM Security, 2025). IBM Security’s 2025 report records the retail sector average breach cost at USD 3.54 million, with customer personally identifiable information representing the most commonly compromised data type across all breached sectors (IBM Security, 2025). In NinjaOne’s 2026 survey, 94% of respondents reported their small business experienced at least one cyberattack in 2025, and 78% said a significant breach could put them out of business entirely (NinjaOne, 2026). Sift reports continued growth in account takeover (ATO) fraud and material e-commerce loss exposure (Sift, 2025).
How This Reaches E-Commerce SMEs: The Four Transmission Channels

Regulatory, cost, trust, and third-party channels each carry this risk into SME operations through a distinct mechanism.

The regulatory channel operates through direct compliance obligations. Certain online marketplaces and digital service providers may fall within NIS2 scope as “important entities”, depending on entity type, sector classification, size threshold, and national transposition — those that do face mandatory cybersecurity risk management, supply chain security obligations, and staged incident reporting: an early warning within 24 hours of awareness, a formal notification within 72 hours, and a final report within one month (European Commission, 2024; NIS2 Article 23). Smaller operators below NIS2 thresholds carry no direct NIS2 obligation but remain fully subject to GDPR and PCI DSS 4.0, which carry no size exemption for core data protection obligations. A sole-trader e-commerce business processing card payments must meet PCI DSS 4.0’s MFA requirement and e-skimming protection requirements from 31 March 2025.

The cost channel is the most immediate for resource-limited operators. The USD 4.44 million global average breach cost in 2025 reflects a dataset weighted toward larger organisations; the proportional impact on SMEs with limited recovery capital is likely more severe (IBM Security, 2025). Ransomware recovery costs averaged USD 5.13 million in 2024, with projections for 2025 in the range of USD 5.5 to 6.0 million — and downtime frequently exceeding ransom payments by a factor of 100 (PurpleSec, 2025). For e-commerce businesses where platform unavailability is a direct revenue event, the financial exposure is not theoretical.

The trust channel is now commercially quantifiable. Fewer than 48% of consumers believe the benefits of online services outweigh privacy concerns (Usercentrics, 2025; this figure should be verified against the primary Usercentrics report). Separately, 36% have stopped using a website because of privacy concerns. In Thales’ 2026 Digital Trust Index survey, 68% of respondents reported abandoning a website or app due to poor digital experience in the past year, and 33% switched to a competitor or gave up on the purchase entirely (Thales, 2026). For SME e-commerce operators competing on customer lifetime value, the trust penalty from a privacy or security failure is a revenue event, not merely a reputational one.

The third-party channel applies through digital supply chain dependencies. SecurityScorecard documents that 30% of breaches now involve a third party — double the proportion from prior years — with an average of 5.28 downstream victims per third-party incident (SecurityScorecard, 2025). E-commerce SMEs running third-party checkout scripts, analytics platforms, and marketing automation tools are exposed to breaches initiated through vendors over whom they exercise no direct security controls.

Sector Examples: How the Risk Lands Differently

Consider an SME operating a branded e-commerce store on a hosted platform, using a third-party payment processor and a mix of analytics and marketing scripts from multiple vendors. Under PCI DSS v4.0 Requirements 6.4.3 and 11.6.1, this business must maintain an authorised inventory of all scripts on its payment pages and implement tamper-detection mechanisms — obligations that apply even when payment processing is handled by the third party. An unlisted analytics tag or chatbot integration loading on the checkout page without authorisation represents a Magecart e-skimming exposure. Most SMEs operating in this model have not conducted the required script inventory.
The 2025 Verizon Data Breach Investigations Report, which analysed 12,195 confirmed data breaches globally, identified Magecart e-skimming as responsible for 80% of payment card breaches in the system intrusion pattern — confirming e-skimming as a persistent and dominant attack vector for e-commerce operators (Verizon, 2025).

Consider next a digital marketplace SME with 55 employees and €12 million in annual revenue — meeting NIS2’s “important entity” threshold. Under NIS2, this business faces mandatory cybersecurity risk management requirements including formal risk assessments, access management controls, and incident response capability, and must follow NIS2’s staged incident reporting timeline: an early warning to its national competent authority within 24 hours of becoming aware of a significant incident, a formal notification within 72 hours, and a final report within one month (Directive (EU) 2022/2555). The practical gap between these obligations and the typical security posture of a mid-market SME without a dedicated IT security function is material.

For a subscription SaaS business deploying AI-driven personalisation or fraud detection tools, the EU AI Act introduces additional data governance obligations that intersect with GDPR Article 22’s automated decision-making provisions. Peer-reviewed analysis of this dual-framework exposure confirms that compliance obligations under both frameworks may apply simultaneously for AI systems processing personal data for commercial profiling (Taylor & Francis, 2025). Proposed amendments to the EU AI Act and GDPR being assessed in 2026 may further affect scope and timelines for high-risk AI system obligations, though the core obligations under both frameworks remain in effect (Crowell & Moring, 2026).

Risk Interpretation: The ERM Lens

Customer data privacy and cyber risk sits across three risk categories simultaneously in an enterprise risk management (ERM) framework. Compliance risk arises from NIS2 scope obligations, PCI DSS 4.0 mandatory requirements, and GDPR enforcement exposure — including enforcement actions categorised as failures in technical and organisational security measures (CMS Law GDPR Enforcement Tracker). Financial risk arises from breach costs, ransomware recovery expenses, regulatory fines of up to 4% of global annual turnover under GDPR Article 83(5), and fraud losses that accumulate independently of regulatory action. Operational risk arises from platform unavailability, data loss, and supply chain compromise affecting business continuity.

Velocity is high: NIS2 national transposition was required by October 2024; PCI DSS 4.0 requirements have been fully mandatory since March 2025; GDPR enforcement is immediate and accelerating. Severity is high: breach costs frequently exceed the recovery capacity of most SMEs — 78% of SMB leaders fear a significant breach could put them out of business entirely (NinjaOne, 2026). Persistence is structural: the threat landscape is chronic and worsening; regulatory obligations are permanent. This is not a risk that resolves with the passing of a compliance deadline.

The most common control gaps are: no multi-factor authentication on administrative and cardholder data environment access; unaudited third-party scripts on payment pages; no documented incident response procedure; and processor agreements that have not been reviewed for GDPR Article 28 compliance. Any one of these gaps, if unaddressed, converts a manageable compliance task into an emergency response.

Practical Implications

Three decisions will determine e-commerce SMEs’ cyber and privacy risk position over the next 12 months. The first is whether to implement PCI DSS 4.0 Requirements 6.4.3 and 11.6.1 — completing the payment page script inventory and tamper-detection mechanism — or to wait for an enforcement finding. These requirements have been mandatory since 31 March 2025. The exposure is current, not future.
The second is whether to review GDPR processor agreements against Article 28 requirements now, or to risk enforcement action when a third-party breach reveals undocumented subprocessor relationships. Recent GDPR enforcement and guidance continue to place responsibility for processor governance on controllers — SMEs using third-party e-commerce platforms or payment processors cannot contractually transfer their underlying compliance obligations (GDPR).

The third is whether to treat consumer trust as a revenue lever by investing in visible privacy controls — clear consent mechanisms, transparent data practices, privacy-first customer communications — or to remain in minimum compliance mode. Cisco’s 2025 Data Privacy Benchmark Study, surveying 2,600+ professionals across 12 countries, confirms that 96% of organisations find privacy investment ROI outweighs costs, with a median return of 1.6x (Cisco, 2025).

Action Options

Immediate (within 30 days)

Enable multi-factor authentication on all administrative account access and across every system that touches cardholder data. This is mandatory under PCI DSS 4.0 from March 2025 — Requirements 8.4 and 8.5 — not optional.

Conduct a checkout page script inventory: list every third-party script loading on your payment pages, verify each is authorised, and put a tamper-detection mechanism in place. Requirements 6.4.3 and 11.6.1 are now enforceable obligations.

Run a basic data mapping exercise: what personal data does your business hold, from whom was it collected, where is it stored, and who — internally and externally — has access to it? This inventory is the prerequisite for every downstream GDPR compliance action.
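The checkout page script inventory and tamper-detection step above, and the sector example earlier that describes an unauthorised tag loading on a payment page, can be turned into a repeatable check. The following is an added example written for this article, not code from the original page or from Amaranth Brose, and it goes slightly beyond the text by also checking Subresource Integrity (SRI) attributes, which let the browser itself refuse a modified script. Every URL, script body, justification and page fragment is constructed for the example (the domains are made-up .test names); `fetch` is a stand-in for whatever retrieves the live script content in a real deployment.

```python
"""Checkout page script inventory and tamper check, modelled on what PCI DSS v4.0
Requirements 6.4.3 (authorised script inventory) and 11.6.1 (tamper detection) ask for.
Hypothetical example: every URL, page, script body and justification below is constructed."""
import base64
import hashlib
from html.parser import HTMLParser


def sha256_hex(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


def sri_value(body: bytes) -> str:
    """Subresource Integrity value (sha256-<base64 digest>) for a <script integrity=...> attribute."""
    return "sha256-" + base64.b64encode(hashlib.sha256(body).digest()).decode("ascii")


# Constructed snapshot of each approved script (justification, body as reviewed at approval).
APPROVED = {
    "https://psp.example.test/hosted-fields.js": ("payment provider hosted card fields",
                                                  b"window.PSP = {mount: function () {}};"),
    "https://cdn.example.test/analytics.js": ("checkout funnel analytics",
                                              b"window.track = function (e) {};"),
}

# The 6.4.3 inventory: one entry per authorised script, with its written justification
# and the hashes that form the 11.6.1 tamper-detection baseline.
AUTHORISED_INVENTORY = {
    url: {"justification": why, "sha256": sha256_hex(body), "sri": sri_value(body)}
    for url, (why, body) in APPROVED.items()
}
# Inline scripts are authorised by the hash of their exact body.
AUTHORISED_INLINE = {sha256_hex(b"window.dataLayer = [];")}

# Constructed "live" responses: analytics.js has changed since approval, and a
# chat widget that was never reviewed is now being served.
LIVE_CONTENT = {url: body for url, (_, body) in APPROVED.items()}
LIVE_CONTENT["https://cdn.example.test/analytics.js"] = b"window.track = function (e) { /* changed */ };"
LIVE_CONTENT["https://chat.example.test/widget.js"] = b"/* chat widget, never reviewed */"

# Constructed checkout page. Only the PSP script carries a correct integrity attribute.
CHECKOUT_PAGE = f"""<html><head>
<script src="https://psp.example.test/hosted-fields.js"
        integrity="{AUTHORISED_INVENTORY['https://psp.example.test/hosted-fields.js']['sri']}"></script>
<script src="https://cdn.example.test/analytics.js"></script>
<script src="https://chat.example.test/widget.js"></script>
<script>window.dataLayer = [];</script>
<script>console.log("promo banner");</script>
</head><body><form id="card">...</form></body></html>"""


class ScriptCollector(HTMLParser):
    """Collects every <script> on the page: external (src, integrity) pairs and inline bodies."""

    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_inline = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], a.get("integrity")))
        else:
            self._in_inline = True  # body arrives via handle_data

    def handle_data(self, data):
        if self._in_inline and data.strip():
            self.inline.append(data.strip())

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False


def audit_payment_page(html, inventory, fetch, authorised_inline):
    """Return (script, finding) pairs; fetch(url) -> bytes supplies the live script body."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.external:
        entry = inventory.get(src)
        if entry is None:
            findings.append((src, "unauthorised: not in the 6.4.3 inventory"))
            continue
        if sha256_hex(fetch(src)) != entry["sha256"]:
            findings.append((src, "tampered: live content differs from the approved baseline"))
        if integrity is None:
            findings.append((src, "no integrity attribute: the browser cannot enforce SRI"))
        elif integrity != entry["sri"]:
            findings.append((src, "integrity mismatch: attribute differs from the approved baseline"))
    for body in collector.inline:
        if sha256_hex(body.encode()) not in authorised_inline:
            findings.append(("<inline>", "unauthorised inline script: hash not in the inventory"))
    return findings


def run_example():
    """Audit the constructed checkout page against the constructed inventory."""
    return audit_payment_page(CHECKOUT_PAGE, AUTHORISED_INVENTORY, LIVE_CONTENT.__getitem__, AUTHORISED_INLINE)


if __name__ == "__main__":
    for script, finding in run_example():
        print(f"{script}: {finding}")
```

Run on a schedule (or from a monitoring job that fetches the real checkout page), the output is the evidence an assessor asks for under 11.6.1: which scripts were present, which matched the approved baseline, and which did not. Each finding maps to an owner decision: add the script to the inventory with a justification, re-approve the changed content after review, or remove it from the payment page.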
Medium-term (one to six months)

Assess your NIS2 status: depending on entity type, sector, and your national implementation, meeting thresholds of 50 employees or €10 million annual turnover may classify you as an “important entity” with mandatory obligations — verify with your national competent authority, then begin the cybersecurity risk management assessment and establish your staged incident reporting mechanism.

Review all third-party data processor agreements for GDPR Article 28 compliance: data processing terms, subprocessor lists, breach notification obligations (must require notification to you within a timeframe compatible with your own 72-hour obligation), and audit rights.

Introduce a documented incident response procedure covering the first 72 hours: who leads, what is isolated, which systems are preserved for evidence, who is notified, and how the GDPR notification obligation is met. Run a table-top exercise against a plausible scenario.

Strategic (six months and beyond)

Evaluate your AI governance exposure: if you deploy AI tools for personalisation, fraud detection, or customer analytics, assess the intersection of the EU AI Act and GDPR Article 22’s automated decision-making obligations. The OECD’s Digital Security Policy Framework provides a proportionate baseline for SME cyber risk governance (OECD, 2022).

Formalise a supply chain security programme: vendor security questionnaires for all third-party processors, contractual notification obligations, and an annual review cadence. SecurityScorecard’s 2025 data confirms that third-party incident exposure is now a primary — not residual — risk for e-commerce operators (SecurityScorecard, 2025).

Invest in consumer-facing privacy as a revenue strategy: privacy-first consent mechanisms, clear data use communications, and visible trust signals at the point of purchase. Thales’ data shows that 33% of consumers switch to a competitor or give up on the purchase entirely when digital experience fails — making the commercial case for trust investment directly (Thales, 2026).

Management Questions to Ask

Do we know which third-party scripts are running on our checkout pages, and when each was last reviewed for unauthorised code?

Has multi-factor authentication been enabled for all admin accounts and across our cardholder data environment — confirming compliance with PCI DSS 4.0 Requirements 8.4 and 8.5?

Have we assessed whether we meet the NIS2 “important entity” threshold (more than 50 employees or more than €10 million annual turnover), and if so, have we begun our cybersecurity risk management obligations?

Do we have a current inventory of all third-party processors handling personal data on our behalf, and do our processor agreements meet GDPR Article 28 contractual requirements?

When did we last review and update our privacy notice — and does it accurately reflect our current data flows, including any AI tools used for personalisation, fraud detection, or customer analytics?

Do we have a documented incident response procedure? If we discovered a breach this morning, who would we call, what would we isolate in the first 72 hours, and how would we meet our GDPR notification obligation?

What is our account takeover exposure — do we have fraud monitoring on customer login activity and unusual account behaviour, particularly for high-value or recently-modified accounts?

If our primary payment processor, logistics platform, or e-commerce infrastructure provider experienced a breach overnight, would we know within hours — and do our supply chain security clauses require them to notify us?

Conclusion

The convergence of NIS2, PCI DSS 4.0, GDPR enforcement, and the Cyber Resilience Act creates a compliance-security double exposure for e-commerce SMEs that most are underprepared for. These are not future obligations.
They are current, enforceable requirements, and the enforcement record demonstrates that regulators are acting on them. Verizon’s 2025 DBIR recorded 12,195 confirmed data breaches globally — with ransomware present in 44% of all breaches and third-party involvement doubling to 30% of incidents (Verizon, 2025). While global average breach costs fell for the first time in five years in 2025, US breach costs hit a record USD 10.22 million and the overall threat environment continues to intensify (IBM Security, 2025). Sift reports continued growth in account takeover fraud and material e-commerce loss exposure (Sift, 2025). The threat landscape is not stabilising.

The businesses that absorb these exposures most effectively are not necessarily those with the largest security budgets. They are those that have closed the most critical control gaps: MFA across all administrative access, a clean payment page script inventory, documented incident response, and processor agreements reviewed for GDPR compliance. None of these measures requires a dedicated security team or enterprise-grade infrastructure.

What to watch: the Cyber Resilience Act’s vulnerability reporting obligations take effect in September 2026 (CRA Articles 14 and 71(2)). E-commerce businesses selling software, apps, or connected goods should begin their conformity assessment now. The OECD’s SME Digitalisation 2024 report confirms that SME cybersecurity capability has not kept pace with digitalisation rates — making proactive compliance action a competitive as well as a risk management imperative (OECD D4SME, 2024).

Key Takeaways

NIS2 national transposition was required by October 2024. Certain online marketplaces and digital service providers meeting applicable size and sector thresholds may be classified as “important entities” under their national implementation, with mandatory cybersecurity risk management and staged incident reporting obligations (early warning within 24 hours, notification within 72 hours, final report within one month). Scope verification under the relevant national transposition is the first action required from any SME that may meet these criteria.

PCI DSS v4.0 is fully mandatory from 31 March 2025. Requirements 6.4.3 and 11.6.1 — payment page script inventory and tamper detection — apply to any e-commerce business operating an online checkout, including those using third-party payment processors. MFA is mandatory across all cardholder data environments.

GDPR enforcement generated €1.2 billion in penalties in 2025 (Kiteworks, 2026). CMS Law’s GDPR Enforcement Tracker shows security failures remain a recurring basis for GDPR penalties — a pattern documented in the tracker and in enforcement databases. The distinction between data privacy law and cybersecurity law has effectively collapsed in the enforcement record. Security controls are no longer merely cyber risk management — they are GDPR compliance obligations.

Third-party breaches account for 30% of all incidents, double the proportion from prior years, with an average of 5.28 downstream victims per incident (SecurityScorecard, 2025). SME e-commerce operators cannot limit their security programme to internal systems. Vendor security assessments and contractual notification obligations are a proportionate and necessary extension of that programme.

Consumer trust is a measurable commercial variable. Fewer than 48% of consumers believe online service benefits outweigh privacy concerns (Usercentrics, 2025). In Thales’ 2026 Digital Trust Index survey, 68% of respondents reported abandoning a website or app due to poor digital experience, with 33% switching to a competitor immediately (Thales, 2026). Investing in visible privacy controls is a customer retention and revenue strategy, not only a compliance exercise.

Security AI and automation reduce average breach costs by USD 1.9 million per incident (IBM Security, 2025). For SMEs without large security teams, targeted deployment of automated monitoring, MFA, and threat detection tools is the most cost-effective approach to closing the capability gap.

Strategic Implication

For e-commerce SMEs, the cyber risk and data privacy landscape of 2026 represents a structural compliance–security integration challenge. The four regulatory frameworks now in force — NIS2, PCI DSS 4.0, GDPR, and the Cyber Resilience Act — do not allow for sequential implementation. They apply simultaneously, and the enforcement record demonstrates that regulators are not waiting for readiness. The businesses that manage this most effectively will be those that treat PCI DSS 4.0 compliance, GDPR processor governance, and NIS2 scope assessment not as separate workstreams but as a unified cyber risk management programme: one owner, a shared evidence base, and a documented incident response capability at its centre.

What's Next in Brave Horizons

Coming next in Brave Horizons: Social Licence to Operate — Community Engagement for Retail Chains. As SME retailers navigate stakeholder expectations beyond regulatory compliance, the capacity to build and maintain a social licence with local communities is emerging as both a reputational and operational risk factor. Subscribe at amaranthbrose.com.

Ready to pressure-test your cyber risk and data privacy framework?
If this analysis surfaces gaps in your current compliance posture — payment page security, NIS2 scope, GDPR processor governance, or incident response readiness — book a risk advisory consultation with Amaranth Brose.
