NIS2 Penetration Testing Requirements: What the Directive Actually Demands (2026)
NIS2 does not use the phrase "penetration test" anywhere in its text. It does require you to test the effectiveness of your security measures, and a pentest is the standard way to prove you did. If you are an essential or important entity under NIS2, an auditor will expect documented testing evidence. The directive (Directive (EU) 2022/2555) had to be applied by member states from 17 October 2024, and national transposition laws and supervisory enforcement are still landing through 2026. So the honest answer to "does NIS2 require a pentest" is: not by name, yes in practice. Below is what the directive actually asks for, how auditors read it, and what a NIS2-aligned pentest needs to cover.
Who NIS2 Applies To
NIS2 splits regulated organizations into two tiers.
Essential entities are large operators in the Annex I sectors: energy, transport, banking, financial market infrastructure, health, drinking and waste water, digital infrastructure, ICT service management, public administration, and space. "Large" follows the EU SME definition: 250 or more employees, or annual turnover above EUR 50 million together with a balance sheet above EUR 43 million. A few categories are essential regardless of size, including DNS service providers, TLD name registries and qualified trust service providers.
Important entities are the broader middle band: medium-sized entities in the Annex I sectors above, plus medium and large entities in the Annex II sectors: postal and courier services, waste management, chemicals, food production and distribution, manufacturing of critical products (medical devices, electronics, machinery, vehicles), digital providers (online marketplaces, search engines, social networking platforms), and research. Medium-sized means 50 to 249 employees under the same EU definition.
The practical takeaway for an SMB: if you operate in one of the covered sectors and you are medium-sized or larger, you are almost certainly in scope. Plenty of companies that never thought of themselves as "critical infrastructure" are now important entities. The threshold caught tens of thousands of mid-sized EU businesses that have never bought a pentest before.
If you are unsure which tier you fall into, the deciding factors are your sector, your headcount, and your turnover and balance sheet. Check those against your national NIS2 transposition law, because each member state implements the directive locally and some have added sectors or lowered thresholds.
Does NIS2 Explicitly Require a Penetration Test?
No clause says "you must run a penetration test." The requirement is functional, not prescriptive. NIS2 tells you to manage risk and to verify that your controls work. How you verify is left to you, but a pentest is the recognized, auditable method.
What Article 21 says about testing and risk measures
Article 21 is the heart of the obligation. It requires essential and important entities to take "appropriate and proportionate technical, operational and organisational measures" to manage the risks to their network and information systems.
The article lists a baseline set of measures, including:
- Risk analysis and information system security policies
- Incident handling
- Business continuity and crisis management
- Supply chain security
- Security in the acquisition, development and maintenance of systems, including vulnerability handling and disclosure
- Policies and procedures to assess the effectiveness of cybersecurity risk-management measures (Article 21(2)(f))
That last point is where pentesting lives. You cannot credibly assess the effectiveness of your security measures without testing them against a real attacker's approach. A vulnerability scan enumerates known weaknesses by signature and version. A pentest shows whether those weaknesses, alone or chained together, actually let an attacker reach the systems and data that matter.
How auditors interpret "appropriate technical measures"
"Appropriate and proportionate" is the phrase auditors and regulators lean on. It means the depth of your testing should match the risk of your systems. A company processing patient data or running operational technology is held to a higher bar than a low-risk digital service.
In practice, auditors and supervisory authorities expect to see:
- Evidence that you actively look for exploitable weaknesses, not just patch known ones
- A documented, repeatable testing process rather than a one-off
- Findings tied to a remediation plan with owners and dates
- Re-testing to confirm fixes worked
Management is also personally accountable under NIS2. Article 20 requires management bodies to approve the risk-management measures, oversee their implementation, and follow cybersecurity training, and it makes them liable for infringements. That is why leadership wants clear, defensible proof that testing happened and that gaps got closed.
Need a NIS2-ready pentest? Scope it in minutes and see your test plan and price before you commit.
What a NIS2-Aligned Pentest Must Cover
There is no official NIS2 pentest checklist, so coverage follows the risk-based logic of Article 21. The scope should map to the systems whose compromise would disrupt your service or expose regulated data.
Scope: network, web app, internal infrastructure
A defensible NIS2 pentest usually covers three layers:
- External network and perimeter. Internet-facing systems, exposed services, and the front door an attacker hits first.
- Web applications and APIs. The interfaces that handle regulated data and business logic, tested for authentication, authorization and input-handling flaws an external or low-privileged user could abuse.
- Internal infrastructure. What an attacker can reach after a foothold: lateral movement, privilege escalation, and access to sensitive systems and data, typically run from an assumed-breach position such as a standard user account or a workstation on the internal network.
If you run operational technology or industrial systems, that environment is in scope too. It should be tested with the caution fragile, availability-sensitive equipment requires: passive enumeration and reviewed configurations rather than aggressive scanning, agreed maintenance windows, and a rollback plan.
Frequency and evidence the auditor expects
NIS2 does not set a fixed interval, but "assess the effectiveness" implies recurring testing, not a single historical test. The widely accepted compliance practice is at least annually, and again after any significant change to your systems, architecture, or threat exposure, such as a new internet-facing application, a cloud migration, or a merger that connects a new network.
The evidence an auditor wants is concrete:
- A scoped, dated test report from a qualified tester
- Findings rated by severity with clear technical detail
- A remediation log showing what was fixed and when
- Confirmation that fixes were re-tested and held
A PDF that sits in a folder is weak evidence. A living record that shows testing, remediation, and re-testing over time is what demonstrates an effective, ongoing program. For a fuller breakdown of timing by framework, see how often you should run a pentest.
How Budget Security Scopes a NIS2 Pentest
This is where a platform beats a generic compliance checklist. The hard part of NIS2 is not knowing that you need to test. It is scoping the test so it actually maps to the directive's objective and producing evidence an auditor accepts.
Our AI goal-based scoping does exactly that. You register your assets once, then pick the goal: "NIS2 readiness." The scoping engine proposes a test plan tied to the directive's risk logic: which network, which applications, which internal systems, how many days each layer needs. Then it shows the tradeoff live. Add days and you see what gets deeper coverage. Remove days and it tells you specifically what gets cut and whether the scope still meets the NIS2 objective. No subjective sales-call estimate, no over-scoping to pad the invoice.
Every finding lands in your dashboard, not an encrypted PDF over email. You get an issue tracker with severity ratings, a remediation log with owners and dates, re-test workflow, and full engagement history. That dashboard is your NIS2 evidence. When the auditor asks "show me that you assess the effectiveness of your measures," you hand over a living record of testing, fixing, and re-testing, exactly the proof Article 21 implies.
The team behind it is 30 OSCP-certified testers who have collectively delivered thousands of pentests. NIS2-ready depth, modern scoping and delivery.
NIS2 Pentest Cost and Timeline
NIS2 pentests are priced by scope, not by a fixed package, because the directive is risk-based and your risk is specific to your systems. Day rates start from €849/day, published openly, with the number of days set by the assets and goal you scope. A focused readiness test is a handful of days. A broad essential-entity scope across external, web, and internal layers runs longer.
Timeline is the other half. Budget Security starts within 7 days of booking, not the 4 to 8 weeks a traditional consultancy quotes. With the NIS2 enforcement window tightening through 2026, that speed is the difference between being ready and explaining to your board why you are not.
For a full breakdown of what drives pentest pricing across scopes, read what a pentest costs.
The NIS2 Evidence Checklist
When the auditor asks how you assess the effectiveness of your measures, these are the artifacts that hold up. Missing any one of them weakens the whole record.
Scoped, dated test report
A report from a qualified tester that names exactly which systems were in scope and when the test ran. Undated or vague-scope reports are easy for an auditor to discount.
Severity-rated findings
Each issue rated by severity with clear technical detail, so a reviewer can see you understand the real risk, not just a raw scan output.
Remediation log with owners and dates
Proof that findings were assigned, worked, and closed. Owners and dates turn a list of problems into a managed process.
Confirmed re-testing
Evidence that fixes were re-tested and held. This is what separates 'we ran a test' from 'we assess effectiveness over time.'
Management is personally accountable under NIS2. A living record of testing, remediation, and re-testing is the defensible proof boards need, not a one-off PDF sitting in a folder.
Prove Your Security Measures Actually Work
Get a NIS2-ready pentest, scoped in minutes. See your test plan and price before you commit. No sales call, no over-scoping.