NIS2 Penetration Testing Requirements

Hisham Mir
May 31, 2026

If you are reading this, the news has already reached you: NIS2 is in force, your organisation falls within scope, and one of the obligations being interpreted across every member state is regular penetration testing. The Directive itself never says the words "penetration test", but Article 21(2)(f) requires "policies and procedures to assess the effectiveness of cybersecurity risk-management measures," and across the EU's regulators, supervisors, and consultancies that requirement is being treated as a pentest mandate in everything but name.

This guide is built for the CISOs and compliance leads at essential and important entities in Germany, the Netherlands, Spain, and the wider EU who need a precise answer to four questions: does NIS2 require penetration testing, what does Article 21 actually demand, how often must we test, and what shape must the test take to satisfy a national supervisor. It also addresses the question that gets asked privately and rarely answered cleanly: if we already run an ISO 27001 programme and we are GDPR-compliant, why do we need anything else? The answer is more nuanced than competitors suggest, and we lay it out below.

Throughout, the position we take is the conservative, defensible one: rely on the directive's text as the binding obligation and treat national transposition as the operational overlay, because as of mid-2026, transposition status varies dramatically by country and several major economies are operating on draft texts, holding actions, or direct effect. For the broader pentest context, see our penetration testing cost guide and our assumed-breach methodology overview.

  1. Does NIS2 Require Penetration Testing?
  2. NIS2 Article 21 — The Ten Cybersecurity Measures
  3. Who Is an Essential vs Important Entity Under NIS2?
  4. NIS2 Implementation by Country
  5. What a NIS2-Aligned Penetration Test Must Cover
  6. How Often Must NIS2 Entities Test?
  7. NIS2 vs GDPR vs ISO 27001 — Do You Need All Three?
  8. SecurityWall's NIS2-Aligned Penetration Testing

Does NIS2 Require Penetration Testing?

Practically yes, even though the directive does not name it. Article 21 of Directive (EU) 2022/2555 requires essential and important entities to take "appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems." The list of minimum measures in Article 21(2) includes at point (f) "policies and procedures to assess the effectiveness of cybersecurity risk-management measures."

That phrase is the operative hook. National supervisors, the European Union Agency for Cybersecurity (ENISA), and consultancies across the EU are uniformly interpreting effectiveness assessment as requiring evidence that controls function under adversarial conditions, which is precisely what a penetration test produces. Vulnerability scanning, internal audit reports, and policy documentation are necessary but not sufficient on their own; supervisors expect to see independent, adversarial testing as part of the evidence chain.

The implication for any in-scope organisation is that "we have policies" is not an answer. Article 23's incident-notification obligations (a 24-hour early warning, a 72-hour incident notification, and a final report within one month) only add to the pressure: if a significant incident occurs that a penetration test would have identified, the unremediated finding becomes documented evidence of your own negligence. Operational disruption in NIS2-covered sectors routinely exceeds even the directive's substantial fines.

NIS2 Article 21 — The Ten Cybersecurity Measures

Article 21(2) sets out ten minimum measures every essential and important entity must implement. A penetration testing programme touches the majority of them directly or indirectly.

Article 21(2) Minimum Measures: Ten Measures, Multiple Pentest Touchpoints

Art. 21(2) | Measure | Pentest relevance
(a) | Policies on risk analysis and information system security | Pentest findings feed risk analysis
(b) | Incident handling | Validates detection and response under attack
(c) | Business continuity, backup, and crisis management | Indirect; recovery exercises sit alongside testing
(d) | Supply chain security | Pentest scope can include third-party integrations
(e) | Security in acquisition, development, and maintenance — including vulnerability handling and disclosure | Direct — pentest is the standard vulnerability validation method
(f) | Policies and procedures to assess the effectiveness of cybersecurity risk-management measures | The operative pentest hook — direct match
(g) | Basic cyber hygiene and cybersecurity training | Indirect; phishing exercises sit alongside testing
(h) | Policies on cryptography and encryption | Pentest validates configuration in practice
(i) | Human resources security, access control, and asset management | Pentest tests whether access controls hold
(j) | Multi-factor authentication, secured comms, and secured emergency comms | Pentest validates MFA bypasses do not exist

(f) is the operative phrase that drives pentest interpretation. (e) and (i) are the most directly testable. (b), (h), and (j) provide secondary validation evidence.

A well-scoped engagement therefore does not just satisfy 21(2)(f) in isolation; it provides operational evidence across at least half of the directive's minimum measures simultaneously.

Who Is an Essential vs Important Entity Under NIS2?

NIS2 dramatically widens scope compared to the original NIS Directive, covering eighteen sectors in total, divided into two tiers with different oversight regimes.

Essential entities include organisations in the highest-criticality sectors: energy (electricity, oil, gas, district heating, hydrogen), transport (air, rail, water, road), banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure (cloud computing service providers, data centre service providers, content delivery network providers, trust service providers, public electronic communications networks), ICT service management (managed service providers, managed security service providers), public administration, and space.

Important entities include postal and courier services, waste management, manufacturing of chemicals, food production and distribution, manufacturing (medical devices, computers and electronics, machinery, motor vehicles, other transport equipment), digital providers (online marketplaces, online search engines, social networking services), and research organisations.

The size threshold that brings entities into scope is the standard EU "medium-sized enterprise" line: generally 50 or more employees, or annual turnover of €10 million or more, or an annual balance sheet total of €10 million or more. Entities below this threshold can still be in scope where they are the sole provider of an essential service, hold critical roles in supply chains, or where member states designate them. For most CISOs the practical test is simple: if your sector is on the list and your headcount is around fifty or more, plan to be in scope.

The practical difference between essential and important is supervisory: essential entities are subject to proactive supervision (planned inspections, regular audits), while important entities are subject to reactive supervision (action triggered by an incident or evidence of non-compliance). Both face the same security obligations under Article 21; only the intensity of oversight differs. Both face substantial penalties: up to €10 million or 2% of global turnover for essential entities, and €7 million or 1.4% for important entities.

NIS2 Implementation by Country

The transposition deadline set by the directive was 17 October 2024. As of mid-2026, that deadline has passed by more than eighteen months and the picture across the EU is uneven. The practical implication is that your operational obligation depends on the directive's text first and your national framework's specific provisions second; in some major economies, the national framework is still settling.

Germany. Germany's NIS2 implementing legislation, the NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG), moved through the federal parliamentary process during 2025 after extended debate, particularly around the scope of application to federal and state institutions. The competent authority is the Bundesamt für Sicherheit in der Informationstechnik (BSI). German entities should confirm the precise current operational status of NIS2UmsuCG with the BSI for their specific sector, and in the interim rely on the directive's text directly.

Netherlands. The Netherlands is transposing NIS2 through the Cyberbeveiligingswet (Cbw), the Cybersecurity Act, which was submitted to the Tweede Kamer in July 2024. The Dutch National Cyber Security Centre (NCSC) has indicated the Cbw is expected to enter into force around 1 July 2026, although the precise date depends on completion of the parliamentary process and adoption of implementing regulations. In the interim, the NCSC has published the CBw NIS2 Control Framework, which essential and important Dutch entities are using as the operational control standard. SaaS organisations in the Netherlands should also see our guide to SOC 2 penetration testing for Dutch SaaS.

Spain. Spain has not yet completed formal transposition of NIS2 into national law. The European Commission issued a reasoned opinion on 7 May 2025 for failure to notify full transposition, a formal infringement-proceeding step that signals the Commission's intent to pursue the matter further if transposition is not completed. The Spanish single point of contact is the National Security Council, through the National Security Department (DSN). Spanish essential and important entities should operate on the directive's text directly and prepare to comply with the Spanish national framework once enacted.

Italy. Italy is among the relative leaders, having transposed NIS2 via Legislative Decree 138/2024, which entered into force in October 2024. The Agenzia per la Cybersicurezza Nazionale (ACN) is the competent authority.

Belgium. Belgium was the first mover, with its NIS2 law fully active since October 2024. The Centre for Cybersecurity Belgium (CCB) operates a central registration portal, Safeonweb@work, and the initial registration deadline has already passed.

The practical takeaway is the same in every country: build to the directive's text, hold against your competent authority's national framework, document obsessively, and assume supervisors expect operational evidence, not just policy documents. Where the national framework is settled, follow it; where it is not, the directive itself remains the binding standard.

What a NIS2-Aligned Penetration Test Must Cover

There is no single official NIS2 pentest methodology, but national supervisors, ENISA guidance, and emerging consensus across consultancies converge on a clear set of expectations.

  • Adversarial, manual testing by a qualified, independent third party. Automated scanning and AI-only PTaaS are not sufficient on their own. Supervisors expect testers who can find business-logic flaws, chain exploits, and exercise the controls in ways automation cannot.
  • Scope that mirrors your Article 21 attack surface. External infrastructure, internal networks, web applications and APIs, cloud environments, third-party integrations identified in your supply-chain analysis, and the systems that process the data underlying your essential or important service.
  • Methodology stated and defensible. OWASP testing standards for application layers, NIST SP 800-115 for infrastructure, PTES for general engagement structure, combined as appropriate to the scope. Vague methodology sections are a common reason supervisors request supplemental evidence.
  • Reproducible findings with evidence. Each finding should include reproduction steps, evidence (screenshots, request/response samples), CVSS or equivalent severity scoring, business-impact framing, and clear remediation guidance.
  • Effectiveness validation, not just vulnerability listing. Article 21(2)(f) asks whether your measures are effective. A list of vulnerabilities is necessary; an attack narrative that demonstrates whether your detection, response, and recovery actually function is what makes the report supervisory-grade.
  • Retesting after remediation. A finding is not "closed" until it has been retested. Reports should include a retest section, dated, with original and post-remediation status.
  • Integration with your incident-handling and disclosure processes. Findings should feed your Article 21(2)(b) incident-handling artefacts and your Article 21(2)(e) vulnerability-disclosure process.
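The report criteria above (reproduction steps, evidence, a severity score that matches its rating, business-impact framing, remediation guidance, a dated retest, and a mapping to Article 21(2) measures) are easy to state and easy to miss in a real evidence pack. The checker below is an added example written for this guide; it is not a SecurityWall tool or an official NIS2 artefact, and the field names and the two sample findings are constructed for illustration. It flags each gap per finding, treats a finding as closed only when a retest dated after the original finding reports it remediated, and lists which Article 21(2) points the pack evidences.

```python
# Evidence-pack checker for pentest findings against the supervisory-grade
# report criteria listed in the guide. Added example; field names and sample
# findings are constructed, not taken from a real engagement or report format.
from datetime import date

# Article 21(2) points (a) through (j) that a finding may be mapped to.
ARTICLE_21_POINTS = set("abcdefghij")


def cvss_rating(score):
    """Map a CVSS v3.x base score to its qualitative rating band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS base score must be between 0.0 and 10.0")
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def validate_finding(f):
    """Return the list of report gaps for one finding (empty list = complete)."""
    issues = []
    if not f.get("reproduction_steps"):
        issues.append("missing reproduction steps")
    if not f.get("evidence"):
        issues.append("missing evidence (screenshots, request/response samples)")
    try:
        rating = cvss_rating(float(f["cvss"]))
        if f.get("severity") != rating:
            issues.append(f"severity '{f.get('severity')}' does not match CVSS {f['cvss']} ({rating})")
    except (KeyError, TypeError, ValueError):
        issues.append("missing or invalid CVSS score")
    if not f.get("business_impact"):
        issues.append("missing business-impact framing")
    if not f.get("remediation"):
        issues.append("missing remediation guidance")
    anchors = set(f.get("article_21", []))
    if not anchors:
        issues.append("no Article 21(2) measure mapped")
    elif not anchors <= ARTICLE_21_POINTS:
        issues.append(f"unknown Article 21(2) points: {sorted(anchors - ARTICLE_21_POINTS)}")
    return issues


def is_closed(f):
    """Closed only when a dated retest, on or after the finding date, reports it remediated."""
    retest = f.get("retest")
    if not retest or retest.get("status") != "remediated":
        return False
    try:
        return date.fromisoformat(retest["date"]) >= date.fromisoformat(f["found"])
    except (KeyError, ValueError):
        return False


def validate_report(findings):
    """Summarise the pack: gaps per finding, still-open findings, Article 21(2) points evidenced."""
    gaps = {f["id"]: validate_finding(f) for f in findings}
    open_ids = [f["id"] for f in findings if not is_closed(f)]
    covered = set()
    for f in findings:
        covered |= set(f.get("article_21", [])) & ARTICLE_21_POINTS
    return {
        "complete": all(not g for g in gaps.values()),
        "gaps": gaps,
        "open": open_ids,
        "article_21_covered": sorted(covered),
    }


# Constructed sample findings. F-001 is complete and retested; F-002 has no
# reproduction steps and a severity label that contradicts its CVSS score.
SAMPLE_FINDINGS = [
    {
        "id": "F-001", "title": "MFA not enforced on administrative portal",
        "found": "2026-03-02", "cvss": 8.1, "severity": "high",
        "reproduction_steps": ["Sign in to the admin portal with password only",
                               "Observe that no second factor is requested"],
        "evidence": ["admin-login-request.txt", "admin-dashboard.png"],
        "business_impact": "A stolen password alone grants administrative access to billing.",
        "remediation": "Enforce MFA for all administrative roles at the identity provider.",
        "article_21": ["i", "j"],
        "retest": {"date": "2026-03-20", "status": "remediated"},
    },
    {
        "id": "F-002", "title": "Outbound TLS to payment API skips certificate verification",
        "found": "2026-03-03", "cvss": 5.9, "severity": "high",  # 5.9 is medium, not high
        "reproduction_steps": [],
        "evidence": ["client-config.yaml"],
        "business_impact": "Payment traffic can be intercepted on an untrusted network path.",
        "remediation": "Enable certificate verification and pin the payment provider's CA.",
        "article_21": ["h", "d"],
        "retest": None,
    },
]

if __name__ == "__main__":
    import json
    print(json.dumps(validate_report(SAMPLE_FINDINGS), indent=2))
```

Run as-is it prints the summary for the two constructed findings: F-001 passes with no gaps and is closed, F-002 is flagged for missing reproduction steps and a severity label that does not match its CVSS score, and remains open because it has no retest record. The severity-versus-score check is the one that most often catches copy-paste errors in real reports, and a supervisor reading "high" next to a 5.9 will notice.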

For higher-risk environments or where supervisors expect deeper assurance, an assumed-breach engagement (assuming an initial foothold and testing what attackers can do post-compromise) provides the kind of operational realism that satisfies "effectiveness" challenges more convincingly than a perimeter-only test. See our assumed-breach methodology guide for the structure.

How Often Must NIS2 Entities Test?

The directive does not specify a frequency in numerical terms. The emerging consensus across ENISA materials, national guidance, and supervisory practice is at least annually, plus targeted retests after significant changes.

  • Annual full-scope penetration testing: the baseline cadence for essential and important entities
  • Targeted retesting after material changes: significant architectural changes, new product launches, large infrastructure migrations, major version upgrades
  • Targeted retesting after security incidents: particularly where remediation has been applied and you need evidence the issue is closed
  • More frequent testing for high-risk environments: public-facing critical services, regulated financial services, healthcare with patient data, and entities where the supervisor has flagged specific concerns

The mistake to avoid is treating "annual" as a ceiling. Article 21 sets minimums; supervisors expect a testing cadence proportionate to your risk profile. Mid-sized energy distributors, healthcare operators, and digital infrastructure providers commonly run more frequent engagements: quarterly for the most critical surfaces, annual for the broader scope.

NIS2 vs GDPR vs ISO 27001 — Do You Need All Three?

The honest answer is that they overlap substantially, but they answer different questions, and yes, in most cases, you do need all three.

Three Regimes, Different Questions: NIS2 vs GDPR vs ISO 27001

Dimension | NIS2 | GDPR | ISO 27001
Type | EU directive (binding) | EU regulation (binding) | International standard (voluntary)
Governs | Cybersecurity of network and info systems | Personal data of EU residents | ISMS — information security management
Pentest position | Article 21(2)(f) effectiveness assessment | Article 32 appropriate technical measures | A.8.8 management of technical vulnerabilities
Penalty ceiling | €10M or 2% turnover (essential) | €20M or 4% turnover | N/A — but loss of certification
Audited by | National competent authority | National DPA | Accredited certification body
Overlap with the other two | Substantial (security measures) | Partial (only for personal data) | High — controls overlap both

ISO 27001 is the cheapest cross-mapping anchor — its controls cover most of what NIS2 and GDPR demand on the security side. Holding ISO 27001 does not exempt you from NIS2 or GDPR, but it provides much of the underlying evidence.

For most in-scope organisations, an ISO 27001 ISMS supplies the underlying control library; GDPR adds the personal-data-specific obligations (lawful basis, data subject rights, cross-border safeguards); and NIS2 adds the operational-security obligations for network and information systems specifically, with national supervisory teeth. Financial entities additionally face DORA — see our DORA compliance overview — which is its own prescriptive regime for threat-led penetration testing in the financial sector.

The good news: a well-scoped penetration test produces evidence for all three regimes at once. The scope work matters more than the test count.

SecurityWall's NIS2-Aligned Penetration Testing

SecurityWall is a CREST-aligned, PCI-QSA-and-ASV-accredited cybersecurity firm delivering NIS2-aligned penetration testing across the EU for organisations operating in Germany, the Netherlands, Spain, and the wider EU member states. Our offensive-security team holds OSCP, OSWE, CREST, CRT, CISM, and CISSP credentials, and our reports are structured for direct use as Article 21 effectiveness-assessment evidence.

NIS2-Mapped Scope

  • Scoping that maps the engagement to Article 21(2)(f) effectiveness assessment, plus (e) vulnerability handling and (i) access control as primary regulatory anchors
  • Coverage of external infrastructure, internal networks, web applications, APIs, cloud environments, and third-party integrations identified in your supply-chain analysis
  • Defensible methodology (OWASP testing standards, NIST SP 800-115, PTES) explicitly stated in the report

Supervisory-Grade Reporting

  • Findings with reproduction steps, severity, business-impact framing, and remediation guidance
  • Attack-narrative effectiveness validation, not just a vulnerability list
  • Report structure built to satisfy national competent authorities: BSI in Germany, NCSC in the Netherlands, the National Security Council in Spain, and equivalent supervisors EU-wide
  • Retest section included; findings are demonstrably closed, not just listed

EU-Wide Service

  • Engagements delivered remotely or on-site across Germany, the Netherlands, Spain, and the wider EU
  • Testing teams familiar with national-framework specifics: BSI guidance, the Dutch CBw NIS2 Control Framework, Spanish DSN coordination
  • For Dutch SaaS organisations stacking SOC 2 alongside NIS2, see our SOC 2 penetration testing guide for Dutch SaaS

One Test, Multiple Frameworks

  • Scope your NIS2 engagement to also produce evidence for ISO 27001 A.8.8 and GDPR Article 32
  • Add SOC 2 or PCI DSS coverage where the same systems are in scope for those regimes
  • One engagement, one evidence pack, multiple regulators satisfied

Frequently Asked Questions

Does NIS2 require penetration testing?

Practically yes, although the directive does not name penetration testing explicitly. Article 21(2)(f) of Directive (EU) 2022/2555 requires "policies and procedures to assess the effectiveness of cybersecurity risk-management measures." National supervisors, ENISA, and consultancies across the EU interpret this as requiring independent adversarial testing, which is precisely what a penetration test produces.

What does NIS2 Article 21 require?

Article 21(2) sets out ten minimum cybersecurity risk-management measures: risk analysis policies, incident handling, business continuity, supply chain security, security in acquisition and development (including vulnerability handling), policies to assess effectiveness, cyber hygiene and training, cryptography policies, human resources security and access control, and multi-factor authentication with secured communications.

Who is in scope of NIS2?

Essential entities across eighteen sectors, including energy, transport, banking, healthcare, drinking water, digital infrastructure, ICT service management, public administration, and space; and important entities, including postal services, waste management, chemicals, food, manufacturing, digital providers, and research. The size threshold is generally medium-sized enterprises (50 or more employees, or €10 million in turnover or balance sheet), with smaller entities included where they are sole providers of essential services or hold critical supply-chain roles.

Is NIS2 in force in Germany, the Netherlands, and Spain?

Implementation varies. Germany's NIS2UmsuCG has progressed through the federal parliamentary process; entities should confirm current status with the BSI. The Netherlands is transposing via the Cyberbeveiligingswet (Cbw), expected to enter into force around 1 July 2026; the Dutch NCSC has published the CBw NIS2 Control Framework as the interim operational standard. Spain has not yet completed transposition; the European Commission issued a reasoned opinion on 7 May 2025 for failure to notify full transposition, and Spanish entities should operate on the directive's text directly.

How often must NIS2 entities conduct penetration testing?

The directive does not specify a frequency. The emerging consensus is at least annually, plus targeted retests after significant changes and after security incidents. High-risk environments and entities flagged by supervisors should expect to test more frequently; quarterly for the most critical surfaces is common in practice.

What are NIS2 penalties for non-compliance?

For essential entities, up to €10 million or 2% of global annual turnover, whichever is higher. For important entities, up to €7 million or 1.4% of global annual turnover. National competent authorities can also issue binding instructions, suspend services, and in serious cases hold management bodies personally liable.

Do I still need ISO 27001 and GDPR compliance if I am NIS2-compliant?

In most cases, yes. NIS2 governs the cybersecurity of network and information systems; GDPR governs personal data; ISO 27001 is the international ISMS standard. They overlap substantially on the security side, but each addresses different obligations. A well-scoped penetration test can produce evidence for all three at once, but the underlying programmes remain separate.

About Hisham Mir

Hisham Mir is a cybersecurity professional with 10+ years of hands-on experience and Co-Founder & CTO of SecurityWall. He leads real-world penetration testing and vulnerability research, and is an experienced bug bounty hunter.