What a NIS2-Ready Pentest Looks Like for a 50 to 500 Person Company

What a NIS2-ready penetration test looks like for a mid-sized 50 to 500 person company in the DACH region

This page is also available in German.


NIS2 has pulled thousands of mid-sized companies into a compliance regime they never had to think about before. If you run IT at a 50 to 500 person company in the DACH region, you have probably been told you need to “do something about NIS2,” and that a penetration test is part of it. This article explains, plainly, what a NIS2-ready pentest actually looks like and what auditors expect to see.

Does NIS2 require a penetration test?

NIS2 does not list “penetration test” as a mandatory line item, but it effectively requires one in practice. Article 21 obliges essential and important entities to implement risk-based technical and organizational measures and, crucially, to have policies and procedures for assessing the effectiveness of those measures. A penetration test is the standard, well-understood way to demonstrate that you actively test whether your security controls work, rather than just assuming they do.

So the honest answer is: NIS2 requires you to test the effectiveness of your security measures, and a penetration test is the most common and most defensible way to do that. Treat it as expected, not optional.


What should be in scope for a NIS2-ready pentest?

Scope should follow your risk assessment, not a generic checklist. For a typical 50 to 500 person company, a NIS2-ready scope covers four areas: the internet-facing perimeter (everything an external attacker can reach), the internal network including Active Directory or Entra ID (where a phishing victim or insider would operate), the business-critical applications, and any systems that support the essential or important service you are regulated for.

The logic is direct. NIS2 asks you to protect the continuity of your service and the data behind it, so you test the assets whose compromise would most damage that service. A test scoped to one marketing website while your domain controllers go untested is not a NIS2-ready test, regardless of what the certificate says.


How often does a NIS2-ready company need to test?

At least once a year, and again after any significant change to your infrastructure or applications. NIS2 frames cybersecurity as a continuous risk-management process, not a one-time hurdle, so a single pentest filed away in a drawer does not satisfy the spirit or the practice of the directive. Networks change, new applications ship, and the attack surface shifts with them.

The defensible baseline for a mid-sized company is annual testing plus retests after major changes (a new ERP rollout, a cloud migration, a merger). If your risk assessment flags a particular system as high-impact, test it more often.


What does a NIS2-ready pentest report need to contain?

A NIS2-ready report needs to function as audit evidence, which means it must be dated, attributable, and complete. At minimum it contains an executive summary written for management, a clear description of the methodology and scope, a per-vulnerability technical section with description, evidence, risk rating, and reproduction steps, and concrete remediation guidance for each item.

This is more than a courtesy. When a supervisory authority or an ISO 27001 auditor asks how you assess the effectiveness of your controls, you hand them a dated report that shows exactly what was tested, what was found, and how serious each issue was. A scanner export with a thousand unverified entries does not serve this purpose: it shows you ran a tool, not that you tested your defenses.


Is the report enough, or do you also need to fix and retest?

The report is only half the evidence. NIS2 cares that you assess control effectiveness and then act on the results, so you also need to show that findings were remediated and, ideally, that a retest confirmed the fixes. A report full of unaddressed critical vulnerabilities, a year later, is worse than no report: it documents that you knew and did nothing.

The clean loop an auditor wants to see is: test, report, remediate, retest, document. That cycle demonstrates an active, functioning risk-management process, which is precisely what NIS2 is asking for.


How does a NIS2 pentest relate to ISO 27001, TISAX, and DORA?

A single well-scoped penetration test can serve as technical security testing evidence across several frameworks at once. The same test that supports NIS2 also provides documented evidence for ISO 27001 (control A.8.8 / technical vulnerability management and testing), TISAX, and DORA Article 25 for financial entities. The frameworks differ in their paperwork and their formal certification bodies, but they share the underlying requirement: regular, documented, independent technical testing.

One caveat worth knowing: DORA Article 26 TLPT (Threat-Led Penetration Testing for significant financial entities) is a separately regulated, heavier process and is not the same as a standard NIS2-oriented pentest.


What does a NIS2-ready engagement look like in practice?

In practice, a NIS2-ready engagement for a mid-sized company runs like this: a scoping call maps your essential systems to a test scope driven by your risk assessment, the active testing runs over several days (typically a greybox internal and external test, since that reflects realistic attacker positions), and you receive a dated report structured as audit evidence. Findings are manually verified, risk-rated, and accompanied by remediation steps. An optional retest after remediation closes the loop and gives you the documentation an auditor will ask for.

For a 50 to 500 person company this is usually a multi-day engagement rather than a quick scan, and it is run by a senior tester who understands both the technical attack paths and what the framework actually demands.


Where VidraSec fits

VidraSec runs exactly this kind of engagement for mid-sized DACH companies. Tests are scoped to your essential systems, run personally by Martin Grottenthaler, and delivered as dated, audit-ready reports that hold up as NIS2, ISO 27001, TISAX, and DORA Article 25 evidence. VidraSec does not issue compliance certificates (that is the role of your certification or audit body), but it provides the documented technical testing those bodies require. The FAQ covers how this maps to specific frameworks, and the Penetration Testing Buyer’s Guide covers scoping in depth.

Need a NIS2-ready pentest scoped to your essential systems? Get in touch.

martin@vidrasec.com

+43 670 3081275
