What is NIS2?
NIS2 stands for “Network and Information System Security Directive 2” and is an EU directive designed to improve the security of network and information systems in the EU. With its second iteration, the directive is making big waves as it affects many companies. The directive forces companies to assess their IT security and improve it where necessary. Risk management and vulnerability management are key issues here. Cybersecurity incidents must be reported within 24 hours. Another new feature is that management can be held personally liable for negligent breaches. In general, companies can be forced to pay fines in the millions on the basis of this directive.
Are penetration tests mandatory under NIS2?
Article 21 of the NIS2 Directive is the relevant provision here. It states that companies must implement “risk management measures in the area of cybersecurity”. More specifically, “technical, operational and organizational measures” are required to minimize the “impact of security incidents on the recipients of their services”. Vulnerability management is explicitly mentioned as one of these measures, and penetration testing is generally considered part of vulnerability management. However, the phrase “penetration testing” itself does not appear in the directive, so it can be assumed that many companies will opt for vulnerability scans instead. Legally, this should be sufficient, but in terms of effectiveness it is questionable: a penetration test is generally far more effective than a vulnerability scan, finds more security gaps and assesses their impact more accurately.
Who is affected by NIS2?
There are several criteria here. Firstly, the sectors that must implement the directive are listed: Energy, transportation, banking, financial market infrastructures, healthcare, water management, digital infrastructures, public administration, space, postal services, waste, chemicals, food, general manufacturing, digital services, research.
Another criterion is the size of the company. In general, this refers to large companies with more than 250 employees and a turnover of 50,000,000 euros or more, as well as medium-sized companies with more than 50 employees and a turnover of more than 10,000,000 euros. There are further details regarding the annual balance sheet. However, this text should suffice as a rough guide.

"NIS2 poses major challenges for many companies - we can help you master them."
Damian Strobel - Founder of DSecured
Don't let it come to that and protect your systems from cyber attacks.
How can DSecured help you with the implementation of NIS2?
Vulnerability scans
Although vulnerability scans cannot be compared with penetration tests in terms of effectiveness and depth, they are a good start to finding initial vulnerabilities.
Penetration testing
We can check your critical systems and applications for vulnerabilities and help you to close them.
Documentation
We provide you with a comprehensive report containing all the weaknesses found and possible solutions.
Employee awareness
Our phishing offer helps to raise your employees' awareness of the dangers of phishing - the number 1 gateway for attackers.
Analyze the minimum requirements
Article 21 of the NIS2 regulates what the minimum requirements are - we help you to meet them.
Risk analysis
We help you to identify and assess the risks for your company.
How much does a NIS2 penetration test cost?
A pentest within the scope of NIS2 is usually an extensive manual penetration test against a specific application or a composition of various applications and digital systems. Accordingly, the costs of a NIS2 pentest depend on the size of the scope, the depth of the test and the complexity of the applications and systems to be tested.
In general, a NIS2 pentest is a “normal” penetration test that is carried out, for example, as a web app pentest or a pentest of external infrastructure. The costs for a NIS2 pentest are therefore comparable to the costs for a “normal” penetration test. We recommend our article “Pentest costs”.
Further questions and answers on the topic "NIS2 Pentest"
When does the NIS2 directive come into force?
At EU level, the NIS2 Directive has been in force since January 16, 2023. However, EU member states have until October 18, 2024 to transpose the directive into national law. This is the date from which companies in Germany must comply with the NIS2 Directive.
Which sectors must now act according to the new NIS2 regulation?
The regulation lists various critical sectors as relevant. These include utilities, waste management, food producers, banks, the digital economy, healthcare, energy companies and transportation companies. In addition, there are companies that are considered “essential” for maintaining public safety, regardless of their size or sector.
Is the managing director liable for non-compliance with the NIS2 Directive?
Yes. Unlike the original NIS Directive, NIS2 explicitly regulates the liability of the managing director in the event of non-compliance with the directive. Managing directors can even be held personally liable.
What are the penalties for non-compliance with the NIS2 directive?
The penalties depend on the size of the company. In general, the penalty can amount to up to 2% of annual worldwide turnover or up to 10 million euros.
Does NIS2 also apply to small companies?
No. It is primarily aimed at companies with 50 or more employees. Small companies in very critical sectors may be an exception. However, this should be examined on a case-by-case basis.
What is the best way to prepare for NIS2?
Check whether you are affected. Have a risk analysis carried out and develop a security concept. This should include vulnerability management - this includes regular security tests in the form of scans and penetration tests. Your employees should be trained and you should have an emergency plan ready. As the person responsible, it is generally worth taking a look at Article 21 of the directive and checking where you still need to make improvements.
What service does DSecured offer in the context of NIS2?
Vulnerability scans, penetration tests and red teaming to identify problem areas. Phishing simulations to sensitize employees. General risk analyses and advice on the minimum requirements of Article 21 NIS2.