NIS2 Penetration Testing

Cybersecurity testing aligned to the NIS2 Directive - for essential and important entities across the EU and their UK service providers.

UK-based testers · Essential and important entity engagements · Findings tagged against Article 21 measures

Why this matters

Why NIS2 expanded who needs to test.

The NIS2 Directive (EU 2022/2555) had a Member State transposition deadline of 17 October 2024. It significantly broadens the scope of EU cybersecurity regulation, both in terms of which sectors are in scope and in terms of the size of organisation covered.

Essential entities include energy, transport, banking, financial market infrastructures, healthcare, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space. Important entities add postal services, waste management, chemicals, food, manufacturing of certain critical products, digital providers, and research organisations.

The testing implications sit primarily in Article 21 - Cybersecurity risk-management measures - which mandates technical, operational, and organisational measures including:

  • Policies on risk analysis and information system security (Article 21.2.a)
  • Incident handling (Article 21.2.b)
  • Business continuity and crisis management (Article 21.2.c)
  • Supply chain security (Article 21.2.d)
  • Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure (Article 21.2.e)
  • Policies and procedures to assess effectiveness (Article 21.2.f) - this is where testing lives
  • Use of cryptography (Article 21.2.h)
  • Access control and asset management (Article 21.2.i)

NIS2 also tightens executive accountability - management bodies are explicitly responsible for approving and overseeing cybersecurity measures, and can be held personally liable for failures.

What gets tested - and which Pentiq service covers it.

NIS2 doesn't prescribe testing frequency in the way PCI DSS or DORA do - it requires that measures be appropriate and proportionate to the risk. In practice, competent authorities expect at minimum annual testing for essential entities, with higher-risk systems tested more frequently.

Control area | What's assessed | Pentiq service
21.2.a - Risk analysis & information system security | Periodic technical assessment of system security posture | External & Internal Infrastructure Testing
21.2.e - Vulnerability handling & disclosure | Identification and management of vulnerabilities | Vulnerability Scanning Subscription, Web Application Testing
21.2.f - Effectiveness assessment | Testing the effectiveness of cybersecurity measures | Red Teaming, Penetration Testing
21.2.d - Supply chain security | Security of suppliers and service providers | Third-party assurance support during scoping
21.2.i - Access control & asset management | Validation of access controls and asset visibility | Internal Infrastructure Testing
21.2.g - Cyber hygiene & training | Tested human controls | Social Engineering & Phishing Simulation

Scope my test

Get a tailored NIS2 test scope.

Tell us whether you're an essential or important entity, or a supplier to one, and we'll come back with a scoped engagement - usually within one working day.


Engagement

What a Pentiq NIS2 engagement looks like.

Scoping

A short call with your technical contact to confirm scope, agree the test plan, and book delivery dates against your NIS2 timeline.

Testing

Testing runs against the agreed scope. Findings appear in your Pentiq portal in real time, so your team can start triaging without waiting for a final report.

Reporting & remediation

Final report delivered through the portal: executive summary, technical findings mapped to NIS2 control areas, and remediation guidance for each issue.

Optional re-test

We re-test fixed findings before your NIS2 assessment so you walk in clean.

Engagement length depends entirely on scope - we confirm a realistic timeline during the scoping call.

Common questions

Frequently asked questions.

Does NIS2 apply to UK companies?

NIS2 is an EU directive, transposed into national law by each Member State. UK entities aren't directly in scope - but if you provide services to NIS2-covered EU essential or important entities (especially as an ICT supplier, MSP, or digital service provider), NIS2's supply chain security requirements (Article 21.2.d) reach you contractually. The UK's own NIS Regulations 2018 still apply and are likely to be updated to reflect NIS2's expanded scope.

Are we an essential entity or an important entity?

The distinction depends on sector and size. Essential entities are typically large operators in highly critical sectors (energy, banking, healthcare, etc.); important entities are typically medium or large operators in other critical sectors. Both have to meet Article 21 measures; essential entities face stricter supervision. Member State transpositions handle edge cases differently - your legal team will have made the determination.

Does NIS2 require penetration testing specifically?

Article 21.2.f requires "policies and procedures to assess the effectiveness" of cybersecurity measures, and Article 21.2.e requires vulnerability handling. Penetration testing is the standard evidence for both. NIS2 doesn't name pentesting explicitly, but competent authorities expect it.

How often should we test?

Annually as a baseline for essential entities, more frequently for higher-risk or rapidly changing systems. NIS2 is principles-based - appropriate and proportionate - so the cadence should be risk-justified and documented.

What about personal liability for management?

NIS2 makes management bodies explicitly responsible for cybersecurity risk decisions. This has shifted board-level engagement significantly - many organisations now want pentest reports with a Board-suitable executive summary, which our portal generates as standard.

How does NIS2 interact with DORA for financial firms?

DORA takes precedence for financial entities - it's lex specialis. If you're a financial entity, your testing programme is shaped by DORA Articles 24-27, not NIS2 Article 21. NIS2 still applies to your non-financial entity counterparties (ICT providers, suppliers), so a financial firm's supply chain assurance work often touches both.

What happens if we're not compliant?

Member State penalties under NIS2 can be substantial - up to €10m or 2% of global turnover for essential entities, €7m or 1.4% for important entities (whichever is higher). Beyond fines, supervisory authorities can require management changes for serious failures.