1 July 2026 · 8 min read
NIS2 Compliance and Penetration Testing: Requirements, Scope, and How to Prepare
NIS2 raises the bar on cybersecurity risk management for thousands of organisations across the EU. Here is what it requires, who it covers, and where security testing fits in.
What is NIS2?
NIS2 is the EU Network and Information Security Directive (Directive (EU) 2022/2555), the successor to the original 2016 NIS Directive. It significantly widens the range of sectors in scope, raises the baseline for cybersecurity risk management, and introduces stricter incident-reporting duties and direct accountability for company management. Each member state implements NIS2 in national law.
In the Netherlands, NIS2 is implemented through the Cyberbeveiligingswet (Cbw). The Dutch bill was passed by the Tweede Kamer on 15 April 2026 and, at the time of writing, sits before the Eerste Kamer, with entry into force expected around mid-2026. Organisations that fall in scope should prepare now rather than wait for the final commencement date, because the risk-management and reporting obligations take real work to put in place.
Does NIS2 apply to my organisation?
NIS2 splits in-scope organisations into essential and important entities, based mainly on sector and size (generally medium-sized and larger, from 50 staff or EUR 10M turnover, with some sector exceptions). You are likely in scope if you operate in one of these areas:
- Energy, transport, banking, and financial market infrastructure
- Health, drinking water, waste water, and digital infrastructure
- ICT service management, public administration, and space
- Postal and courier services, waste management, and chemicals
- Food production and processing, and manufacturing (incl. medical devices, electronics, machinery)
- Digital providers such as online marketplaces, search engines, and social platforms
What does NIS2 require?
NIS2 requires in-scope entities to take appropriate and proportionate technical, operational, and organisational measures to manage cybersecurity risk. These include risk analysis and information-system security policies, incident handling, business continuity and backup, supply-chain security, secure development and vulnerability handling, and policies to assess the effectiveness of security measures. That last point is where testing matters: you are expected to verify that your controls actually work, not just that they exist.
NIS2 also introduces a phased incident-reporting duty (an early warning within 24 hours, a fuller notification within 72 hours, and a final report within a month), and it makes management bodies directly responsible for approving and overseeing cybersecurity measures. Non-compliance carries significant penalties: for essential entities, fines up to EUR 10 million or 2% of global annual turnover; for important entities, up to EUR 7 million or 1.4%.
How penetration testing supports NIS2 compliance
NIS2 does not prescribe a specific test, but its requirement to assess the effectiveness of your security measures is difficult to satisfy without independent testing. A penetration test is one of the clearest ways to produce that evidence.
Evidence that controls work
NIS2 expects policies to assess the effectiveness of cybersecurity risk-management measures. A penetration test provides concrete, independent evidence of whether your controls hold against a realistic attacker, not just a checklist that says they should.
Vulnerability handling and secure development
The directive calls for vulnerability handling and disclosure and secure development practices. Regular testing of your applications and infrastructure feeds directly into that process, surfacing exploitable issues before an attacker does.
Supply-chain and risk analysis
Testing your external perimeter and internal segmentation informs the risk analysis NIS2 requires, and helps you understand the blast radius of a compromised supplier or account.
Board-ready assurance
Because NIS2 makes management directly accountable, leadership needs credible assurance. A clear penetration-test report gives your management body the independent view of security posture the directive expects them to oversee.
Preparing for NIS2?
We help in-scope organisations get ready, from a readiness assessment through to the security testing that proves your controls work. Talk to our team.