Globally, and in Europe specifically, there are many regulatory frameworks in which the subject and means of penetration testing are considered and can support the objectives of the laws, acts, directives and regulations. In another series of CYSSDE public documents and on the CYSSDE.eu website, the regulatory background relating to critical infrastructure (CER – Critical Entities Resilience Directive), medical devices (MDR – Medical Device Regulation), financial services (DORA – Digital Operational Resilience Act), artificial intelligence (AI Act – Artificial Intelligence Act), products with digital elements (CRA – Cyber Resilience Act) … can be found. In this document, we limit ourselves to the NIS2 directive and its Member State transposition.

Regulatory Framework – NIS2 Directive  

The NIS2 Directive (Network and Information Systems Directive 2) aims to strengthen cybersecurity across the European Union. It distinguishes between essential entities and important entities (often referred to as critical entities) based on their role and impact on the economy and society, as well as the specific sectors they operate in.