NIS2 and penetration testing: what changes for your company

NIS2 is an EU directive that raises the bar on cybersecurity and pulls in far more companies than the rule it replaces. For many organizations it brings new duties, fines when those duties go unmet, and personal liability for management. Regular penetration testing has moved from good practice to a compliance requirement. Here is who NIS2 applies to, what it changes, and how to prepare for testing.
What NIS2 is
NIS2 is the updated EU directive on the security of network and information systems. Its goal is a consistent, higher level of cybersecurity across the EU, built on common requirements for key sectors.
Who NIS2 applies to
The directive widens the list of entities that carry obligations. If you operate in one of the key sectors, or supply services to them, it probably applies to you. The main areas:
- energy, transport, banking and financial markets,
- health, drinking water, and wastewater,
- digital infrastructure, cloud, and data centers,
- public administration,
- food production, pharmaceutical and chemical manufacturing, postal and courier services.
NIS2 also covers smaller companies when they matter for the continuity of essential services. Size alone does not get you off the hook.
When NIS2 takes effect
The deadline to transpose NIS2 into national law passed on October 17, 2024. In Poland the directive is implemented through the amended National Cybersecurity System Act (KSC).
The takeaway is simple: this is not a plan for later, it is an obligation that already applies to you. The longer you wait, the greater the risk you run out of time before an inspection.
What NIS2 actually changes
- Wider scope. More sectors and companies fall under security and incident-reporting duties.
- Tougher requirements. Risk management, response procedures, regular security testing, and audits.
- Fines and board liability. Supervisors can impose financial penalties, and responsibility for non-compliance lies with management.
- Cooperation and reporting. You must report significant incidents and share threat information.
For the board, this moves the risk into a new category. Non-compliance stops being an IT problem and becomes a financial and personal one.
Where penetration testing fits
NIS2 expects companies to check regularly that their defenses actually work. A penetration test is the most concrete way to show it: instead of a list of possible gaps, you get the real attack paths.
The directive puts particular weight on critical sectors: finance, energy (including SCADA control systems), transport, and digital services. That is where a successful attack hits hardest.
How to run the tests so they meet the requirements
Standards and methodology. NIS2 does not force one methodology, but it expects work aligned with recognized frameworks. In practice that means ISO/IEC 27001, OWASP, and PTES.
Frequency. Test regularly, at least once a year and after every significant change to your systems.
Reporting and response. Report significant vulnerabilities and incidents to the relevant authorities, and fold the findings from your tests into your response plan.
Compliance that actually protects you
NIS2 is a burden, but it is also an opening. Companies that take it seriously avoid the fines and come out genuinely more resilient, and more credible to their customers.
Not sure whether NIS2 applies to you, or how to plan the tests it requires? Book a free consultation. In a call with a security consultant we will map your obligations and put together a test plan ready for an inspection.
Book a free consultation and we will map your obligations and build a penetration testing plan ready for an inspection.