NIS2 & ISO 27001:
Do You Legally Need a Penetration Test?
You keep hearing about penetration tests. Your competitors are getting them. Your clients are asking if you’ve had one. But do you actually legally need one?
The answer depends on who you are, where you operate, and what data you handle. Let me break it down: no fluff, just the legal reality.
For some companies, a pentest is legally required. For others, it’s the difference between surviving a breach and going under.
When Is a Penetration Test LEGALLY Required?
NIS2 Directive (EU, applies from October 2024)
NIS2 is the EU’s cybersecurity law that replaced the original NIS Directive. It covers essential and important entities across the EU.
| Sector | Examples | Pentest Requirement |
|---|---|---|
| Essential Entities | Energy, transport, banking, healthcare, digital infrastructure, water supply | REQUIRED: regular security testing including penetration tests |
| Important Entities | Postal services, waste management, food production, manufacturing, digital providers | REQUIRED: risk-based security testing (pentests strongly recommended) |
| Other Companies | Outside NIS2 scope | Not legally required by NIS2, but may be required by other laws |
Penalties for non-compliance: fines up to €10 million or 2% of global annual turnover for essential entities.
ISO 27001 (Certification Requirement)
ISO 27001 is not a law; it’s a certification standard. But many clients, partners, and government contracts require ISO 27001 certification.
Under ISO 27001, clause 12.6.1 explicitly requires:
Bottom line: If you want ISO 27001 certification, you need regular pentests. No exceptions.
GDPR (Indirect Requirement)
The GDPR doesn’t say “thou shalt pentest.” But Article 32 requires “appropriate technical and organizational measures” to ensure data security.
If you suffer a data breach and cannot prove you performed regular security testing (including pentests), regulators can fine you up to €20 million or 4% of global turnover.
In practice: GDPR makes pentests legally advisable for any company processing personal data.
High-Risk Sectors: Semi-Annual Testing Recommended
For organizations in these sectors, experts and regulators strongly recommend penetration testing at least twice per year:
Why semi-annual? Because your infrastructure changes constantly. New code, new configurations, new employees. A pentest is a snapshot, and snapshots expire.
What About Other Companies?
If you don’t fall under NIS2, ISO 27001, or GDPR requirements, a penetration test is not legally mandatory.
But here’s what happens to companies who skip pentests:
- 60% of small businesses close within 6 months of a cyberattack (National Cyber Security Alliance)
- Average data breach cost for small businesses: $200,000 – $500,000
- Ransomware demands increased 300% in the last 2 years
A penetration test is not a legal checkbox. It’s insurance. You don’t buy insurance because you expect a fire. You buy it because the cost of a fire will destroy you.
When Should You Pentest? (Even If Not Required)
- Before launching a new product or application: don’t put vulnerable code into production
- After major infrastructure changes: new cloud setup? New network? New API? Test it.
- When you add third-party integrations: every integration is a potential backdoor
- After a security incident: find what else the attacker touched
- Annually as a baseline: even if not required, once per year is the minimum
- When a client or partner asks for proof of security: many contracts now require pentest reports
Quick Reference: Do YOU Need a Pentest?
| Your Situation | Pentest Required? | Frequency |
|---|---|---|
| Essential entity under NIS2 (energy, banking, healthcare, transport) | LEGALLY REQUIRED | At least annually, often semi-annual |
| Important entity under NIS2 (postal, manufacturing, food, digital providers) | REQUIRED (risk-based) | At least every 2 years |
| Seeking ISO 27001 certification | REQUIRED for certification | Annually or after major changes |
| Processing personal data under GDPR | Advisable (avoids breach fines) | Risk-based, minimum annually |
| Finance, crypto, payment processing | REQUIRED by regulators | Semi-annual |
| Healthcare (even small clinics) | REQUIRED by HIPAA / EU equivalents | Annually |
| SaaS, e-commerce, tech startup | Not legally required but highly recommended | Annually + after major releases |
| Small business with no sensitive data | Not required, but smart business | Every 1-2 years |
What Does a Penetration Test Actually Include?
Not all pentests are equal. A proper pentest should include:
- External infrastructure scanning (what attackers see from the internet)
- Internal network testing (if you have internal assets)
- Web application testing (if you run websites or APIs)
- Social engineering / phishing simulation (your employees are the weakest link)
- API security testing (the most overlooked area)
- Detailed report with prioritized fixes
- Retesting to confirm fixes work
What Happens If You Don’t Pentest and Get Breached?
Legal consequences:
- GDPR fines: up to €20 million or 4% of global turnover
- NIS2 fines: up to €10 million or 2% of global turnover
- Lawsuits from affected customers or partners
- Regulatory sanctions or license revocation (finance, healthcare)
Business consequences:
- Loss of customer trust (80% of customers stop using a company after a breach)
- Loss of contracts (many B2B contracts require security attestation)
- Insurance premium hikes or policy cancellation
- 60% of small businesses close within 6 months of a breach
The Business Case for Pentesting
Let’s do simple math:
That’s not an expense. That’s an investment.
How Stack of Truths Can Help
I specialize in pentesting for small to medium businesses, AI agents, and crypto projects. I don’t sell expensive annual contracts. I deliver actionable reports that won’t gather dust.
What you get:
- Clear, non-technical executive summary
- Prioritized fixes (what to fix first)
- Technical details for your developers
- Compliance-ready report for auditors
- GPG-signed, tamper-proof PDF with watermark
- 30-day retesting to confirm fixes
Not Sure If You Need a Pentest?
DM me on X. Tell me about your company. I’ll tell you what’s required and what’s smart. No hard sell. Just honest advice.
DM @StackOfTruths on X or email: info@stackoftruths.com
Stack of Truths: AI Penetration Testing for Small Entrepreneurs
KVK 94992266 · Registered in Amsterdam, Netherlands