NIS2 demands Evidence. Not a Plan.

    Your auditor will not accept a policy document as proof of penetration testing. Sectricity delivers the NIS2 Article 21 compliant pentest report your regulator expects, with full remediation tracking and a retest before your audit date.

    The NIS2 enforcement window is open

    EUR 850,000: First NIS2 penalty in Europe, issued in Germany in February 2026
    June 2026: NIS2 self-assessment deadline for entities in the Netherlands
    18 sectors: Sectors covered by NIS2 in Belgium and the Netherlands
    72 hours: Maximum time to report a significant security incident under NIS2

    Not all pentest evidence holds up with your auditor

    The difference between what gets rejected and what actually works

    What your auditor won't accept: An automated vulnerability scan with no human validation of findings
    What actually works for NIS2: External pentest by certified ethical hackers using OWASP/PTES methodology

    What your auditor won't accept: A policy document or compliance checklist presented as evidence of security testing
    What actually works for NIS2: Internal test of network, Active Directory, cloud environments, and applications

    What your auditor won't accept: A report with no remediation trail or tracked follow-up
    What actually works for NIS2: Remediation tracking via the RedSOC dashboard, demonstrable evidence for your auditor

    What your auditor won't accept: No proof that vulnerabilities were fixed before your audit date
    What actually works for NIS2: Retest per vulnerability after remediation, included as standard, no separate invoice

    What your auditor won't accept: An outdated report or one scoped for the wrong systems
    What actually works for NIS2: Complete audit file ready for your regulator, in the format Belgian and Dutch regulators expect

    Built for your NIS2 audit

    Every deliverable is designed to satisfy your regulator, not just your IT team.

    NIS2 Article 21 mapped

    Every finding is explicitly linked to the NIS2 obligation it demonstrates. Your auditor gets evidence, not a generic report.

    Human-validated results

    Every finding is manually confirmed by a certified ethical hacker. No false positives. No scanner noise that wastes your time.

    Remediation tracker included

    We deliver a structured remediation tracker alongside the report. Show progress to your auditor at any stage of the process.

    Two-week turnaround

    Most scopes are completed and reported within two weeks. We understand audit deadlines and structure our work around yours.

    Retest at no extra cost

    Once you have remediated findings, we retest to confirm fixes before your audit. Included as standard, not as a separate invoice.

    Full NIS2 attack surface

    Web applications, networks, APIs, cloud environments and social engineering vectors. All in one coordinated scope, one report.

    Who benefits most from this?

    Compliance officers

    You need documented penetration testing evidence for your NIS2 submission. We deliver exactly that, in the format regulators expect.

    IT managers

    You know you need a pentest but are unsure what to include in scope. We define it with you and deliver clear, actionable technical findings.

    CISOs

    You need a credible, human-led test your board and auditor will accept. Not a scanner report repackaged as a penetration test.

    CEOs and board members

    NIS2 makes management personally liable for non-compliance. A documented pentest protects both your organisation and you personally.

    Frequently asked questions

    NIS2 Article 21 requires organisations to implement risk management measures and assess the effectiveness of their cybersecurity controls. National regulators in Belgium and the Netherlands increasingly expect documented, human-led security testing as evidence of Article 21 compliance. A penetration test with tracked remediation is the most widely accepted form of that evidence.

    Most engagements are completed and reported within two weeks of scoping confirmation. The exact timeline depends on the complexity of the environment. We provide a fixed delivery date before work begins so you can plan your audit schedule around it.

    Yes. Both essential and important entities are required to implement Article 21 security measures, including evidence of security testing. The depth and frequency of testing may vary based on your entity classification, but the requirement to document your security posture applies to both categories.

    A vulnerability scan identifies known weaknesses using automated tools. A penetration test actively attempts to exploit those weaknesses using human intelligence and real attack techniques. NIS2 auditors expect evidence of active testing, not just a list of CVEs. A scan alone will not satisfy an Article 21 compliance requirement in most cases.

    Each finding in our report is tagged to the specific NIS2 Article 21 security measure it relates to, such as access control, incident handling, supply chain security or cryptography. This allows your auditor to directly validate which obligations are met, which are partially met, and which require further remediation.

    Your NIS2 audit needs test evidence. We deliver it.

    Join organisations across Belgium and the Netherlands using Sectricity to close their NIS2 penetration testing gap before the audit arrives.