Key Takeaways
- Six major regulatory and compliance frameworks either mandate penetration testing or expect it as evidence that security controls work: NIS2, PCI DSS 4.0, ISO 27001, DORA, GDPR, and SOC 2
- PCI DSS 4.0 is the most prescriptive, requiring internal and external penetration tests at least once every 12 months and after any significant change (Requirement 11.4)
- NIS2 requires essential and important entities across 18 sectors in the EU to assess the effectiveness of their risk-management measures (Article 21(2)(f)); it does not prescribe a testing frequency, and regular penetration testing is the usual way to demonstrate this
- DORA requires annual testing of ICT systems supporting critical or important functions and, for financial entities designated by their competent authority, threat-led penetration testing (TLPT) at least every 3 years
- Non-compliance penalties range from EUR 7 million or 1.4% of worldwide turnover (NIS2 important entities) to EUR 20 million or 4% of worldwide turnover (the GDPR upper tier; Article 32 security failures fall in the EUR 10 million or 2% tier)
Penetration testing is no longer just a security best practice — for many European organizations, it is a legal requirement. The regulatory landscape has shifted dramatically since 2024, with NIS2, PCI DSS 4.0, and DORA all strengthening their penetration testing mandates. According to Gartner (2025), 78% of European organizations now cite regulatory compliance as the primary driver for their penetration testing programs, up from 54% in 2022. This guide maps out exactly which regulations require penetration testing, what specific testing they mandate, how often, and the consequences of non-compliance.
Regulatory Requirements at a Glance
| Regulation | Pentesting Required? | Frequency | Scope | Penalty for Non-Compliance |
|---|---|---|---|---|
| NIS2 | Implied (Article 21(2)(a) and (f)) | Not prescribed; annual is common practice | Essential and important entities in 18 sectors | Up to EUR 10M or 2% of worldwide turnover (essential); EUR 7M or 1.4% (important) |
| PCI DSS 4.0 | Explicitly required (Req. 11.4) | Every 12 months + after significant changes; segmentation tests every 6 months for service providers | All entities that store, process or transmit cardholder data | Contractual fines from acquirers and card brands (commonly cited at up to USD 500K/month) and loss of card-processing rights |
| ISO 27001:2022 | Expected (A.8.8) | Not prescribed; typically annual | Certified organizations | Non-conformities; loss of certification |
| DORA | Explicitly required (Articles 24-26) | Annual; TLPT every 3 years for designated entities | EU financial entities and their ICT third-party providers | Set by member states (Article 50); critical ICT third-party providers face periodic penalty payments of up to 1% of average daily worldwide turnover (Article 35) |
| GDPR | Implied (Article 32(1)(d)) | "Regularly" (no fixed interval) | All controllers and processors in scope of GDPR | Up to EUR 10M or 2% of worldwide turnover for Article 32 failures (EUR 20M or 4% is the upper tier for other infringements) |
| SOC 2 | Expected (CC4.1, CC7.1) | Typically annual, within the report period | Service organizations | Exceptions or a qualified opinion in the report |
NIS2 Directive (EU 2022/2555)
The NIS2 Directive entered into force in January 2023 and had to be transposed into national law by 17 October 2024. It is the most significant European cybersecurity regulation to date: it expands the scope of the original NIS Directive to cover 18 sectors and introduces stricter security requirements, supervision, and enforcement.
Pentesting Requirements
Article 21(2) requires essential and important entities to implement, among other measures, "policies on risk analysis and information system security" (point (a)) and "policies and procedures to assess the effectiveness of cybersecurity risk-management measures" (point (f)). The Directive names no specific test type or frequency; member state transpositions and supervisory authorities commonly read point (f) as requiring regular security testing, with penetration testing as the standard way to assess effectiveness.
The Commission Implementing Regulation (EU) 2024/2690, which fixes the technical measures for DNS, cloud, data-centre, managed-service and certain digital-platform entities, goes further and includes a security testing requirement covering the scope, frequency, type and methodology of tests, penetration tests included. National transposition laws and the guidance issued by national authorities likewise tend to list penetration testing among the expected measures, so an entity that cannot show test evidence will struggle to demonstrate compliance with Article 21(2)(f).
Who Must Comply
- Annex I (sectors of high criticality): energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, space. Large entities in these sectors are essential entities; medium-sized ones are important entities unless a member state designates them otherwise
- Annex II (other critical sectors): postal and courier services, waste management, chemicals, food, manufacturing, digital providers, research. Entities in these sectors are generally important entities
Penalties
- Essential entities: up to EUR 10 million or 2% of worldwide annual turnover, whichever is higher
- Important entities: up to EUR 7 million or 1.4% of worldwide annual turnover
- Personal liability for senior management who fail to ensure compliance
For a complete analysis of NIS2 compliance, see our comprehensive NIS2 guide.
PCI DSS 4.0
PCI DSS 4.0 (current revision v4.0.1), whose future-dated requirements became mandatory on 31 March 2025, contains the most explicit and detailed penetration testing requirements of any major framework.
Specific Requirements
Requirement 11.4: External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected.
- 11.4.1: A penetration testing methodology is defined, documented, and implemented
- 11.4.2: Internal penetration testing is performed per the methodology, at least once every 12 months and after any significant infrastructure or application upgrade or change, by a qualified and organizationally independent tester
- 11.4.3: External penetration testing under the same conditions (methodology, 12-month cadence, after significant changes, qualified and independent tester)
- 11.4.4: Exploitable vulnerabilities and security weaknesses found during testing are corrected according to the entity's risk assessment (Requirement 6.3.1), and testing is repeated to verify the corrections
- 11.4.5: If segmentation is used to isolate the CDE, penetration tests on the segmentation controls are performed at least once every 12 months and after any change to those controls, covering all segmentation methods in use and confirming they isolate the CDE from out-of-scope systems
- 11.4.6: (Service providers only) Segmentation controls are tested at least once every 6 months and after any change to them
- 11.4.7: (Multi-tenant service providers only) Customers are supported in performing their own external penetration testing under 11.4.3 and 11.4.4
Methodology Requirements
Requirement 11.4.1 lists what the methodology must include:
- Industry-accepted penetration testing approaches (the standard cites NIST SP 800-115 as its example; the OWASP Testing Guide and PTES are also widely accepted)
- Coverage for the entire CDE perimeter and critical systems
- Testing from both inside and outside the network
- Testing to validate any segmentation and scope-reduction controls
- Application-layer penetration testing that identifies, at a minimum, the vulnerability classes listed in Requirement 6.2.4 (injection, data and data-structure attacks, cryptography misuse, business logic, access control, and the "high-risk" vulnerabilities identified under 6.3.1)
- Network-layer penetration tests covering all components that support network functions, as well as operating systems
- Review and consideration of the threats and vulnerabilities experienced in the last 12 months
- A documented approach to assessing and addressing the risk posed by exploitable vulnerabilities and weaknesses found during testing
- Retention of penetration testing results and remediation results for at least 12 months
Qualified Tester Requirements
Requirements 11.4.2 and 11.4.3 state that testing must be performed by a "qualified internal resource or qualified external third party" with organizational independence from the environment being tested; the tester is explicitly not required to be a QSA or ASV. The PCI SSC's Penetration Testing Guidance information supplement gives examples of certifications that indicate tester competence, such as OSCP, GIAC (GPEN, GWAPT, GXPN) and CREST, and stresses that relevant experience matters as much as the credential.
ISO 27001:2022
ISO 27001 does not explicitly mandate penetration testing, but control A.8.8 (Management of technical vulnerabilities), whose ISO 27002 guidance names penetration testing among the methods for identifying vulnerabilities, together with the standard's risk assessment and performance evaluation requirements, makes it an expected practice for certification.
How Pentesting Supports Certification
- A.8.8: Requires obtaining information about technical vulnerabilities, evaluating the organization's exposure, and taking appropriate measures; a penetration test is the most direct evidence that exposure has been evaluated rather than merely scanned for
- A.8.29: Security testing in development and acceptance; penetration testing of applications before release is one of the testing activities this control expects
- A.5.36: Compliance with policies, rules, and standards for information security; pentesting verifies that security policies are actually effective in the deployed environment
- A.8.34: Protection of information systems during audit testing; this control does not require pentesting but governs how it is done, requiring that tests against operational systems be planned, agreed with management, and constrained to avoid disruption
- Clause 9.1: Monitoring, measurement, analysis, and evaluation — pentesting provides measurable security assessment data
Certification Audit Expectations
ISO 27001 certification auditors consistently expect to see evidence of regular penetration testing. While the frequency is not prescribed, annual testing is the widely accepted minimum. Organizations in high-risk environments should test more frequently. Failure to demonstrate regular security testing is a common reason for audit non-conformities.
DORA (Digital Operational Resilience Act)
DORA, applicable to EU financial entities since January 2025, introduces the most rigorous pentesting requirements for the financial sector.
Two Levels of Testing
Basic resilience testing (Articles 24 and 25): Under Article 24(6), all financial entities other than microenterprises must test all ICT systems and applications supporting critical or important functions at least once a year. Article 25 lists the tests that the programme must draw on, including vulnerability assessments and scans, open-source analyses, network security assessments, gap analyses, physical security reviews, source code reviews where feasible, scenario-based tests, end-to-end testing, and penetration testing.
Advanced Threat-Led Penetration Testing (TLPT) (Article 26): Financial entities that their competent authority identifies, on the basis of the criteria in Article 26(8), must conduct TLPT at least every 3 years. TLPT must:
- Follow the TIBER-EU framework, which the regulatory technical standards under Article 26(11) build on
- Be performed on live production systems and cover several or all of the critical or important functions, including the ICT systems that support them
- Be performed by testers meeting the Article 27 requirements; internal testers may be used only under the conditions in Article 26(8), and the threat-intelligence provider must always be external
- Be driven by threat-intelligence-based attack scenarios
- Conclude with a summary of findings and remediation plans submitted to the competent authority, which then issues an attestation that the test was performed in accordance with the requirements
Who Must Comply
DORA applies to: credit institutions, investment firms, insurance undertakings, payment institutions, electronic money institutions, crypto-asset service providers, central securities depositories, trade repositories, and ICT third-party service providers to financial entities.
GDPR (General Data Protection Regulation)
GDPR does not mention penetration testing, but Article 32 establishes a clear legal basis for expecting it.
Article 32: Security of Processing
Article 32(1)(d) requires controllers and processors to implement "a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing." Data protection authorities generally read this as including penetration testing where the risk warrants it, particularly for organizations processing special-category data or personal data at scale. Note that under Article 83(4)(a), infringements of Article 32 carry the lower fine tier (up to EUR 10 million or 2% of worldwide turnover); the EUR 20 million or 4% tier in Article 83(5) applies to breaches of the processing principles, data subject rights, and transfer rules.
Regulatory Guidance
The European Data Protection Board (EDPB) and national DPAs, including the Italian Garante, the Spanish AEPD, and the French CNIL, have referenced penetration testing in guidance and enforcement decisions as a measure expected under Article 32. In several breach enforcement actions, the absence of regular security testing has been cited as a factor in assessing the controller's negligence and setting the fine.
SOC 2 (Service Organization Control 2)
SOC 2, developed by the AICPA, does not explicitly mandate pentesting but includes criteria that effectively require it.
Relevant Trust Service Criteria
- CC4.1: COSO Principle 16. The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. The points of focus for this criterion name penetration testing explicitly as one type of separate evaluation, so this is where auditors most often map pentest evidence
- CC7.1: The entity uses detection and monitoring procedures to identify changes to configurations that introduce new vulnerabilities and susceptibilities to newly discovered vulnerabilities. Vulnerability scanning is the named point of focus; a penetration test supplements it by showing which findings are actually exploitable
- CC7.2: The entity monitors system components and their operation for anomalies indicative of malicious acts, natural disasters, and errors, and analyzes them to determine whether they are security events. A pentest (or red team exercise) is a practical way to show that this monitoring detects real attack activity
SOC 2 auditors routinely ask for penetration testing evidence during fieldwork. Organizations without a recent pentest report and documented remediation risk an exception against CC4.1 or CC7.1, and in serious cases a qualified opinion.
Building a Compliance-Aligned Testing Program
For organizations subject to multiple regulations, here is how to build a testing program that satisfies all requirements simultaneously:
| Testing activity | Required or expected by | Recommended cadence |
|---|---|---|
| Annual network pentest (internal and external) | PCI DSS 11.4.2 and 11.4.3, DORA Art. 24(6), NIS2 Art. 21(2)(f), ISO 27001 A.8.8, SOC 2 CC4.1 | External + internal annually, quarterly for high-risk environments |
| Web application testing | PCI DSS 11.4.1 (Req. 6.2.4 vulnerability classes), ISO 27001 A.8.29, NIS2 | Before every major release + annually |
| Testing after significant changes | PCI DSS 11.4.2 and 11.4.3 | Within 30 days of any major change, for every framework |
| Segmentation testing | PCI DSS 11.4.5 (annual), 11.4.6 (every 6 months for service providers) | Semi-annual for all |
| TLPT / red team | DORA Art. 26 (every 3 years for designated entities) | Annual red team exercises |
| Social engineering | DORA TLPT scenarios; supports NIS2 Art. 21(2)(g) cyber hygiene and training | Quarterly phishing simulations |
Consequences of Non-Compliance
Beyond direct financial penalties, failing to meet pentesting requirements can result in:
- Loss of certifications: ISO 27001, PCI DSS compliance status
- Insurance implications: Cyber insurance policies increasingly require evidence of regular pentesting; claims may be denied without it
- Customer and partner trust: Enterprise customers increasingly require pentest reports as part of vendor due diligence
- Personal liability: NIS2 and DORA both include provisions for personal liability of senior management
- Increased breach costs: Organizations without regular testing face higher average breach costs (IBM Security, 2025)
Getting Started
Orizon Fireline provides compliance-aligned penetration testing services designed to meet the requirements of NIS2, PCI DSS 4.0, ISO 27001, DORA, and SOC 2 simultaneously. Our methodology covers all mandated testing types with reports structured to satisfy multiple compliance frameworks, reducing the cost and complexity of your testing program.
For guidance on how often to test based on your industry and regulatory requirements, see our pentesting frequency guide. For a complete overview of the NIS2 directive, read our NIS2 compliance guide.
