What Is Penetration Testing? A Plain-Language Guide for Organizations
Penetration testing — often called a "pentest" — is a structured, authorized attempt to breach your organization's systems, applications, or network in order to identify security weaknesses before a real attacker does. It is one of the most effective methods for validating that your security controls actually work, not just that they exist on paper.
This guide explains what penetration testing is, how it works, what it covers, and when your organization should consider it — without unnecessary jargon.
The Short Definition
A penetration test simulates a cyberattack against your infrastructure using the same tools, techniques, and mindset that real attackers use. The difference: it is conducted by authorized professionals, within agreed boundaries, with the goal of finding and documenting vulnerabilities so you can fix them.
Where a vulnerability scan uses automated tools to identify known weaknesses, a penetration test goes further — the tester actively attempts to exploit those weaknesses to determine what a real attacker could actually access, extract, or disrupt.
The output is a structured report that tells you what was found, how severe each finding is, what an attacker could do with it, and how to fix it.
What Penetration Testing Is Not
There are a few common misconceptions worth clearing up:
- Not a vulnerability scan. Automated scanners check for known issues against a database of signatures. Penetration testers use judgment, creativity, and chained exploits that automated tools can't replicate. Both are useful — they're not the same thing.
- Not a one-time activity. Infrastructure changes, new applications, and evolving attack techniques mean last year's test is not a reliable picture of today's security posture. Penetration testing should be periodic — typically annual at minimum.
- Not a guarantee of security. A penetration test tells you what was found within scope and within the time allocated. It does not mean everything else is secure. It significantly reduces risk — but risk is never zero.
- Not a red team exercise. A red team engagement is a longer, broader, and more adversarial simulation that tests your detection and response capabilities as well as your defenses. A standard penetration test is scoped, time-bounded, and focused on finding vulnerabilities. Both have value; they serve different purposes.
How a Penetration Test Works: The Five Phases
Professional penetration tests follow a structured methodology. The most widely used framework is the Penetration Testing Execution Standard (PTES). The five core phases are:
1. Scoping and Rules of Engagement
Before any testing begins, the scope is defined in writing: which systems are in scope, which are explicitly out of scope, what testing methods are permitted, and how findings will be communicated. This protects both your organization and the testing team, and ensures the test focuses where it matters most.
A good scoping discussion will also identify your key assets — what would cause the most damage if compromised — so the test prioritizes the right targets.
2. Reconnaissance
The tester gathers information about the target environment, much as an attacker would. This includes passive reconnaissance (publicly available information — DNS records, WHOIS data, job postings, certificate transparency logs) and active reconnaissance (probing network ranges, enumerating services). The goal is to understand the attack surface before starting to exploit it.
3. Vulnerability Analysis
The tester identifies potential weaknesses: unpatched software, misconfigured services, exposed credentials, weak authentication mechanisms, and insecure application logic. This phase combines automated scanning with manual review — because automated tools miss context-dependent vulnerabilities that trained engineers catch.
4. Exploitation
The tester attempts to exploit identified vulnerabilities to gain unauthorized access. This might involve gaining a foothold on a server, escalating privileges to administrator level, moving laterally through the network, or accessing sensitive data. The goal is to determine real-world impact — not just flag that a vulnerability exists, but show what it actually enables.
5. Reporting
Every finding is documented with technical detail, evidence of successful exploitation, risk rating (typically Critical / High / Medium / Low / Informational), and specific remediation guidance. Reports are typically structured in two sections: an executive summary for leadership and a detailed technical section for engineers. Quality reporting is what turns a pentest into actionable improvement.
What Can Be Tested?
Penetration testing can be applied to virtually any part of your technology environment:
- External network: Internet-facing systems — firewalls, VPNs, remote access portals, DNS, email infrastructure
- Internal network: Internal systems, lateral movement paths, domain controllers, segmentation between network zones
- Web applications: Authentication flows, session management, injection vulnerabilities, API security, business logic flaws
- Mobile applications: iOS and Android apps — local data storage, API communication, authentication
- Cloud environments: AWS, Azure, GCP — misconfigured storage buckets, IAM policy weaknesses, public-facing services
- Social engineering: Phishing simulations to test employee awareness and email security controls
- Physical security: Physical access controls, tailgating, hardware attacks — less common but relevant for certain sectors
Most engagements focus on external and internal network testing, web application testing, or a combination. Q-Sec scopes engagements based on what matters most to your organization's risk profile — not a generic checklist.
Black Box, Grey Box, White Box: The Testing Approaches
Penetration tests vary in how much information the tester is given about the target environment:
| Approach | Information Given | Best For |
|---|---|---|
| Black Box | No prior knowledge — tester starts as an external attacker would | Realistic simulation of external attacker; tests what is visible from the internet |
| Grey Box | Partial knowledge — credentials, network diagrams, or application documentation | Most common approach; efficient coverage without wasting time on reconnaissance |
| White Box | Full knowledge — source code, architecture diagrams, all credentials | Deep application security review; maximum coverage of codebase and logic flaws |
Grey box testing is the most common choice for mid-sized organizations — it balances realism with efficiency, maximizing the depth of coverage within a fixed engagement window.
When Should You Run a Penetration Test?
There is no single right answer, but there are clear triggers:
- Annually: Annual testing is the minimum accepted by ISO 27001 auditors, NIS2 supervisors, PCI DSS QSAs, and cyber insurers. If you haven't tested in the past 12 months, you're overdue.
- After significant infrastructure changes: New network segments, cloud migrations, major application releases, or M&A activity all change your attack surface. Test after significant changes, not just on a calendar schedule.
- Before a compliance audit: Testing before your ISO 27001 surveillance audit, PCI DSS assessment, or SOC 2 observation period gives you time to remediate findings and present clean evidence.
- After a security incident: Post-incident testing identifies whether the same attack vectors remain open and whether remediation was effective.
- Before launching a new product or application: External-facing applications are primary attack targets. Testing before launch prevents your customers from being the ones who discover your vulnerabilities.
What Does a Penetration Test Cost?
Cost varies by scope, methodology, and depth of engagement. As a rough guide for European mid-sized organizations:
- Focused external network test: €3,000 – €8,000
- Web application penetration test: €5,000 – €12,000
- Combined external + internal + web application: €10,000 – €25,000+
- DORA TLPT or extended red team engagement: Priced separately; significantly higher
Q-Sec provides flat-fee scoping — you receive a fixed price before signing, with no per-finding surprises. Contact team@q-sec.com for a scoping call.
Penetration Testing and Compliance
If your organization is subject to European security regulations, penetration testing is directly relevant to your compliance obligations:
- NIS2: Article 21 requires risk-based security measures and regular evaluation of their effectiveness. Penetration testing is the primary way to demonstrate this to national competent authorities. Read our guide on NIS2 penetration testing.
- DORA: Requires annual penetration testing of critical applications for most financial entities, and full TLPT for designated significant institutions. Read our guide on DORA TLPT.
- ISO 27001: Auditors expect penetration test evidence for Annex A control verification. Read our ISO 27001 guide.
- PCI DSS: Section 11.4 explicitly requires annual external and internal penetration testing. Read our PCI DSS guide.
- SOC 2: Not mandated, but increasingly expected by auditors and enterprise customers. Read our SOC 2 guide.
Frequently Asked Questions
Will a penetration test disrupt our operations?
A professional engagement is designed to avoid operational disruption. Rules of Engagement define testing windows, and experienced testers understand the difference between demonstrating an exploit and causing an outage. That said, for critical production systems, certain destructive tests may be excluded from scope or scheduled during maintenance windows. This is discussed and agreed before testing begins.
How long does a penetration test take?
Most external network or web application tests run 3–10 days of active testing, with reporting typically delivered within 5 business days of test completion. Full-scope engagements covering external, internal, and application layers may run 2–3 weeks. Q-Sec's standard commitment: most engagements are scoped, executed, and reported within 15 business days from contract signing.
Do we need to fix everything in the report?
Not necessarily all at once. Findings are risk-rated — Critical and High findings should be remediated promptly; Medium and Low findings can be scheduled based on your risk tolerance and resource capacity. What matters for compliance purposes is that findings are tracked, owned, and worked toward remediation — not that everything is fixed before the ink is dry on the report.
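As an added example (not Q-Sec's tooling), the tracking described in this answer and in the Reporting phase above can be modelled in a few lines of Python: findings carry the page's severity scale and a named owner, each severity gets a remediation deadline, and a compliance check flags any Critical or High finding that has slipped past it. The per-severity deadline days and the sample findings are assumptions constructed for the example.

```python
# Added example, not Q-Sec code. SLA days and sample findings are constructed assumptions.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed days allowed after the report date; adjust to your risk tolerance.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180,
            "Informational": None}  # informational: tracked, no deadline

@dataclass
class Finding:
    finding_id: str
    severity: str
    owner: str  # every finding needs a named owner
    reported: date
    remediated: Optional[date] = None

    def deadline(self) -> Optional[date]:
        days = SLA_DAYS[self.severity]
        return None if days is None else self.reported + timedelta(days=days)

    def status(self, as_of: date) -> str:
        """'remediated', 'overdue', 'open', or 'tracked' (no deadline)."""
        if self.remediated is not None:
            return "remediated"
        due = self.deadline()
        if due is None:
            return "tracked"
        return "overdue" if as_of > due else "open"

def executive_summary(findings, as_of):
    """Per-severity totals, remediated and overdue counts for leadership."""
    rows = {s: {"total": 0, "remediated": 0, "overdue": 0} for s in SLA_DAYS}
    for f in findings:
        rows[f.severity]["total"] += 1
        st = f.status(as_of)
        if st in ("remediated", "overdue"):
            rows[f.severity][st] += 1
    return rows

def audit_ready(findings, as_of):
    """Compliance check: every finding owned, no Critical/High overdue."""
    return all(f.owner for f in findings) and not any(
        f.severity in ("Critical", "High") and f.status(as_of) == "overdue"
        for f in findings)

R = date(2024, 3, 1)  # constructed sample findings, all reported on R
SAMPLE = [Finding("F-01", "Critical", "netops", R, date(2024, 3, 5)),
          Finding("F-02", "High", "it-sec", R), Finding("F-03", "Medium", "appdev", R),
          Finding("F-04", "Low", "netops", R), Finding("F-05", "Informational", "appdev", R)]
```

Running `executive_summary(SAMPLE, as_of)` for a date six weeks after the report shows the High finding as overdue while the Medium and Low items are still within their windows, which is the evidence trail an auditor looks for.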
What certifications should penetration testers hold?
Industry-recognized certifications include OSCP (Offensive Security Certified Professional), CEH (Certified Ethical Hacker), CREST CRT/CCT, and CHECK Team Member/Team Leader for organizations operating in regulated UK/EU sectors. Q-Sec's engineers hold relevant certifications and follow documented methodologies (PTES, OWASP) on every engagement.
Ready to find out what an attacker would find in your environment? Q-Sec delivers scoped penetration tests with compliance-grade reporting — from Rotterdam to Warsaw and across the EU.
Contact team@q-sec.com or visit q-sec.com/services/penetration-testing