Penetration Testing in the EU: What You Need to Know in 2026
NIS2, DORA, the EU AI Act, and ISO 27001 all require security testing. This guide explains what each regulation demands, where they overlap, and how to build one testing programme that satisfies all four.
TL;DR
EU regulations now explicitly require organisations to test their defences, not just document them. NIS2, DORA, the EU AI Act, and ISO 27001 each impose security testing obligations, but they differ in scope, methodology, and what evidence counts. This guide explains what each regulation demands, where they overlap, and how to build one coherent testing programme that satisfies all four without duplicating effort.
Why this guide is different
There is already a lot written about penetration testing, including on this site. We have covered what a pentest is and how it works, what it costs across different scopes, how to prepare with a scoping checklist, and why annual testing alone is no longer enough for most organisations. This guide does not repeat any of that.
What this guide covers is the regulatory landscape. Four major EU frameworks now interact with your security testing obligations. Most organisations manage them separately, which creates duplication and leaves gaps. This guide shows you how to read them together and build one programme that covers all four.
The EU regulatory landscape for security testing in 2026
Four frameworks currently drive security testing requirements across the EU. Each has a different scope, a different regulator, and a different testing standard.
NIS2: risk management across sectors
NIS2 entered into force across EU member states in October 2024. It applies to essential and important entities across 18 sectors, from energy and healthcare to digital infrastructure and public administration.
Article 21 of NIS2 requires organisations to implement risk management measures that include assessing the effectiveness of their cybersecurity controls. That is the legislative basis for penetration testing under NIS2. The directive does not prescribe a specific test type, but national regulators, including the CCB in Belgium and the NCSC-NL in the Netherlands, increasingly expect evidence of structured, human-led security testing.
A documented penetration test that covers your core systems and produces tracked remediation evidence is the clearest way to demonstrate Article 21 compliance to an auditor.
DORA: threat-led testing for financial entities
The Digital Operational Resilience Act applies to financial entities across the EU: banks, insurers, payment institutions, investment firms, crypto-asset service providers, and their critical ICT providers. DORA has been enforceable since 17 January 2025.
DORA introduces two testing tiers:
- Basic ICT testing, required for all financial entities. This includes vulnerability assessments, gap analyses, and network security reviews conducted at least annually.
- Threat-Led Penetration Testing (TLPT), required for significant financial entities as designated by competent authorities. TLPT follows the TIBER-EU methodology and must be conducted by certified external testers. Results are reported directly to the competent authority.
TLPT is not a standard penetration test. It is a structured, intelligence-led exercise that tests your people, processes, and technology simultaneously under realistic attack conditions. If you are a significant financial entity, TLPT planning needs to start well in advance of your first cycle.
EU AI Act: security testing for AI systems
The EU AI Act entered into force on 1 August 2024. The key deadline for high-risk AI system requirements is 2 August 2026.
High-risk AI systems, as defined in Annex III of the Act, must be tested for robustness, accuracy, and cybersecurity before deployment. Article 15 requires that high-risk AI systems achieve appropriate levels of accuracy, robustness, and cybersecurity throughout their lifecycle.
This creates a testing obligation that most IT security teams have not yet encountered. AI systems can be attacked via prompt injection, adversarial inputs, model manipulation, and data extraction techniques. A standard infrastructure pentest does not test these attack vectors. Specialised AI systems penetration testing does.
ISO 27001: auditable security testing
ISO 27001:2022 is not an EU regulation, but it is the dominant information security management standard across Europe. Annex A control 8.8, covering management of technical vulnerabilities, and clause 9.1, covering monitoring, measurement, analysis, and evaluation, both require organisations to regularly test the effectiveness of their security controls.
Certification auditors expect evidence of penetration testing at least annually, with findings tracked through to remediation. A pentest without a documented remediation process is a gap in your ISO audit trail.
Where the regulations overlap and where they diverge
All four frameworks share one fundamental requirement: they want proof that your controls actually work, not just that they exist on paper. But they diverge significantly in what that proof must look like.
NIS2 is the broadest. It applies across 18 sectors and any credible, documented human-led pentest supports compliance. The bar is evidence of structured testing and remediation.
DORA is the most prescriptive for financial entities. TLPT under TIBER-EU is structured, intelligence-led, scoped by the regulator, and reported to the competent authority. A standard pentest does not satisfy TLPT requirements, though it satisfies DORA's basic ICT testing tier.
The EU AI Act is the most specialised. It applies only to high-risk AI systems and requires testing for AI-specific attack vectors that a standard pentest does not cover. The scope, methodology, and timing are defined by the system's risk classification.
ISO 27001 is the most flexible. It requires evidence of regular testing but does not prescribe methodology or certification. Any structured, documented pentest with tracked remediation satisfies the certification requirement.
The practical implication: if you are a NIS2 entity with ISO 27001 certification, one well-scoped annual human-led pentest can satisfy both frameworks simultaneously. If you are a significant DORA financial entity, you need TLPT on top of that. If you operate high-risk AI systems, you need specialised AI testing on top of everything else.
How to build a testing programme
A testing programme that satisfies multiple EU frameworks does not need to be complicated. It needs to be structured. The following four-layer model covers the full regulatory spectrum.
Layer 1: Continuous vulnerability management
Automated scanning, conducted continuously or at minimum monthly. This is not penetration testing. It is hygiene. It catches known vulnerabilities before they become incidents and provides the baseline that makes a human-led pentest more efficient. This layer supports NIS2 Article 21 and DORA basic ICT testing requirements.
Layer 2: Annual human-led penetration testing
A full-scope pentest by certified ethical hackers, at minimum once per year. This is the core of your compliance evidence for NIS2 and ISO 27001. Human testers go where automated scanners cannot: business logic flaws, chained vulnerabilities, and context-specific attack paths that no automated tool will find. Findings must be documented with exploitability ratings, business impact, and remediation steps.
Layer 3: TLPT for DORA entities
If you are a significant financial entity under DORA, TLPT is conducted on top of Layer 2, typically every three years under the TIBER-EU framework. It is intelligence-led, involves red teaming across people, processes, and technology, and is reported directly to your competent authority. Not all penetration testing providers are qualified to conduct TLPT. Verify certification before you engage.
Layer 4: AI systems testing
If you deploy high-risk AI systems under the EU AI Act, you need specialised testing that covers prompt injection, adversarial inputs, data extraction, and API security. This layer runs alongside your standard pentest cycle, scoped specifically to your AI systems and their risk classification. The 2 August 2026 deadline for high-risk AI requirements makes this urgent for organisations with AI already in production.
Shared deliverables across layers
A well-structured programme produces findings that feed multiple frameworks at once. The same remediation evidence that satisfies your NIS2 risk management obligation also feeds your ISO 27001 audit trail and your DORA basic testing record. One remediation tracker, properly maintained, can serve all three regulators.
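As an added illustration (not code from the original article or from Sectricity), the following Python maps an entity's regulatory profile to the four layers above and reports which required layers have never run or are past their cadence, so one tracker can show the gaps for all frameworks at once. The profile fields, the cadence values in days and the sample dates are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Cadences taken from the four-layer model: monthly scanning (Layer 1),
# annual pentest (Layer 2), TLPT every three years (Layer 3), and AI testing
# alongside the pentest cycle (Layer 4, assumed annual here). Day counts are assumptions.
LAYER_CADENCE_DAYS = {"scan": 31, "pentest": 365, "tlpt": 3 * 365, "ai_test": 365}

@dataclass
class EntityProfile:
    nis2: bool = False              # essential or important entity under NIS2
    iso27001: bool = False          # holds or seeks ISO 27001 certification
    dora: bool = False              # financial entity in scope of DORA basic ICT testing
    dora_significant: bool = False  # designated for TLPT by the competent authority
    high_risk_ai: bool = False      # operates Annex III high-risk AI systems

def required_layers(p: EntityProfile) -> set[str]:
    """Derive the testing layers an entity needs from its regulatory profile."""
    layers: set[str] = set()
    if p.nis2 or p.iso27001 or p.dora:
        layers |= {"scan", "pentest"}   # Layer 1 and Layer 2
    if p.dora_significant:
        layers.add("tlpt")              # Layer 3
    if p.high_risk_ai:
        layers.add("ai_test")           # Layer 4
    return layers

def overdue_layers(p: EntityProfile, last_run: dict[str, date], today: date) -> dict[str, str]:
    """Return each required layer that has never run or is past its cadence, with a reason."""
    result: dict[str, str] = {}
    for layer in sorted(required_layers(p)):
        last = last_run.get(layer)
        if last is None:
            result[layer] = "never run"
        elif (today - last).days > LAYER_CADENCE_DAYS[layer]:
            result[layer] = f"overdue by {(today - last).days - LAYER_CADENCE_DAYS[layer]} days"
    return result

# Constructed sample: an ISO 27001-certified significant DORA entity running a high-risk AI system.
SAMPLE_PROFILE = EntityProfile(iso27001=True, dora=True, dora_significant=True, high_risk_ai=True)
SAMPLE_LAST_RUN = {"scan": date(2026, 1, 20), "pentest": date(2024, 12, 1), "tlpt": date(2023, 3, 1)}

if __name__ == "__main__":
    for layer, status in overdue_layers(SAMPLE_PROFILE, SAMPLE_LAST_RUN, date(2026, 2, 1)).items():
        print(f"{layer}: {status}")
```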
Common mistakes and how to avoid them
Most compliance gaps in security testing come from a small, predictable set of mistakes.
Managing each regulation in isolation. NIS2 testing, DORA testing, and ISO 27001 testing are run by different teams with different providers producing separate reports. The result is duplicated cost and gaps where frameworks interact. A unified testing programme eliminates both.
Confusing scanning with testing. Vulnerability scanners produce results. They are not penetration tests. Regulators and certification auditors know the difference. Submitting scan reports as evidence of penetration testing is a compliance risk.
Scope that does not match regulatory scope. A pentest limited to one web application does not satisfy DORA's requirement to test operational resilience across your full ICT environment. Define your scope against the specific regulatory requirement, not against what is easiest to test.
No remediation tracking. Finding vulnerabilities is not enough. ISO 27001 clause 10 and NIS2 Article 21 both expect evidence of remediation. A pentest without tracked follow-up leaves a material gap in your audit evidence.
Selecting providers based on price alone. TIBER-EU requires certified testers. EU AI Act testing requires specialised expertise in AI security. Not every provider has both. Verify qualifications and ask for sector-specific references before you engage.
What this means for your organisation in practice
If you are a NIS2 entity without a structured testing programme, start with Layer 2: an annual human-led pentest with documented scope, methodology, findings, and remediation tracking. That single step addresses the core of your NIS2 and ISO 27001 obligations.
If you are a financial entity, confirm whether you qualify as a significant entity under DORA. If you do, TLPT planning should begin now. The first TIBER-EU cycle involves regulatory coordination that takes longer than most organisations anticipate.
If you operate AI systems that may qualify as high-risk under Annex III of the EU AI Act, the August 2026 deadline is close. AI security testing needs to be scoped and planned before your system goes into production, not after.
For most organisations, the right starting point is a scoping conversation: which systems are in scope, which regulations apply, and what evidence you need to produce. A coherent programme follows from that.
FAQ
What is penetration testing and why does it matter in 2026?
Penetration testing is a structured security assessment in which certified ethical hackers attempt to find and exploit vulnerabilities in your systems, using the same techniques and tools that real attackers use. In 2026, it matters because NIS2, DORA, the EU AI Act, and ISO 27001 all require evidence that your security controls actually work, not just that they are documented.
Which EU regulations require penetration testing?
NIS2 requires security testing as part of risk management for essential and important entities across 18 sectors. DORA requires vulnerability testing for all financial entities and Threat-Led Penetration Testing (TLPT) for significant financial entities. The EU AI Act requires security testing for high-risk AI systems before deployment. ISO 27001 requires regular testing of technical security controls.
How is DORA's TLPT different from a standard pentest?
A standard penetration test is scoped by the client, conducted by a tester of the client's choice, and the report stays with the client. TLPT under the TIBER-EU methodology is intelligence-led, involves red teaming across people, processes, and technology, must be conducted by certified testers, and its results are reported directly to the competent financial authority. TLPT typically takes longer, costs more, and requires more regulatory coordination than a standard pentest.
What does a 4-layer security testing programme look like?
Layer 1 is continuous vulnerability management: automated scanning to catch known vulnerabilities on an ongoing basis. Layer 2 is annual human-led penetration testing covering your core infrastructure and applications. Layer 3 is TLPT for significant financial entities under DORA, conducted every three years under TIBER-EU. Layer 4 is AI systems testing for organisations deploying high-risk AI systems under the EU AI Act. Layers can be combined into a single reporting framework to reduce duplication.
How do I choose a penetration testing provider in the EU?
Look for a provider with certified ethical hackers (OSCP, CEH, or equivalent), a clear methodology aligned to your regulatory obligations, transparent reporting with exploitability ratings and remediation guidance, experience in your sector, and the ability to conduct TLPT if you are a significant financial entity under DORA. Ask for sample reports and ask specifically who validates findings before they reach you.
How often should my organisation run a penetration test?
Most EU regulations and frameworks expect at least annual penetration testing. NIS2, DORA basic testing, and ISO 27001 all point in this direction. Significant financial entities under DORA must conduct TLPT at least every three years, on top of annual testing. High-growth organisations, those that frequently change their infrastructure, or those that have experienced a security incident should consider more frequent testing. Continuous security validation via a PTaaS model is an option for organisations that need ongoing assurance.
Related services and resources
Sectricity delivers professional penetration testing across Belgium, the Netherlands, and the UK. We cover web application pentesting, network security testing, cloud and API assessments, and AI systems penetration testing. For organisations subject to NIS2, DORA, or the EU AI Act, we offer audit-ready penetration testing mapped to your specific regulatory framework. Prefer continuous security validation? Explore our RedSOC PTaaS platform or start with a free security scan.