CYSSDE has developed a white paper on the role of penetration testing in aligning with European cybersecurity regulations. The white paper, developed by CYSSDE partner DNSC in collaboration with other CYSSDE partners, will be released in 09.2024 and made available for download. It highlights the following:

  • new regulations call for the diversification and increased effectiveness of cybersecurity measures, with an emphasis on proactive measures to prevent and limit the effects of a cyber-attack and to identify vulnerabilities that could be exploited by perpetrators
  • the key instruments are Directives (EU) 2022/2555 (NIS 2)[i] and 2022/2557 (CER), Regulations (EU) 2022/2554 (DORA) and 2024/1689 (AI Act), and the proposed Regulation on horizontal cyber security requirements for products with digital elements (CRA)
    [i] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive)
  • NIS2 requires organizations to implement more comprehensive risk management practices, ensuring that cybersecurity is not just an IT issue but a core aspect of their overall risk strategy.
  • CRA introduces mandatory security requirements for digital products, covering everything from consumer electronics to industrial control systems.
  • The CER Directive places its emphasis on resilience: the aim is not only to defend against attacks but also to ensure that organizations can continue operating even under adverse conditions.
  • DORA aims to ensure that the entities it covers can withstand, respond to, and recover from all types of ICT-related disruptions and threats.
  • AI Act emphasizes the need for continuous monitoring and oversight of AI systems to ensure that they operate as intended and do not pose unforeseen risks

Pentesting is a preventive activity that helps organizations to continuously assess their cybersecurity landscape. Regular penetration testing activities are required to maintain security capabilities. By using penetration testing techniques, a thorough understanding of the organization’s risk profile can be achieved. Penetration testing and vulnerability assessment serve as the bridge between regulatory requirements and practical security implementations.

Pentest relevance

Penetration testing is a tool for ensuring that an organization’s security measures comply with the stringent requirements imposed by European cybersecurity regulations. These regulations not only demand robust security practices but also require organizations to demonstrate that their defenses are effective in mitigating real-world threats. This is how penetration testing aligns with the key European regulations.

Pentest importance

Pentesting is a preventive activity, part of a defensive strategy, that helps organizations to continuously assess their cybersecurity landscape. Regular penetration testing activities can be used to maintain security capabilities. Because pentesting applies the known tactics and techniques of malicious actors, it allows organizations to identify and objectively evaluate the security measures in place and those that need to be implemented to ensure an appropriate cybersecurity climate. By using penetration testing techniques, a thorough understanding of the organization’s risk profile can be achieved. Thus, an organization’s decision makers can easily see the critical cybersecurity investment needs.

Pentest necessity

The NIS2 Directive expands the scope of cybersecurity obligations for essential and important entities, making regular penetration testing an important component of compliance.

The Cyber Resilience Act places a strong emphasis on ensuring that digital products maintain security across their entire lifecycle. This means that from the development phase through to post-market monitoring, products must remain resilient against cyber threats. Penetration testing aligned with CRA regulations ensures that vulnerabilities are identified and mitigated before products are released to the market.

For the CER Directive, by conducting thorough tests that simulate both physical and cyber attacks, organizations can ensure that their critical infrastructures can continue operating even under adverse conditions.

For more information, please access the CYSSDE Importance and Necessity of Penetration Testing for Compliance with European Cybersecurity Regulations white paper.