GDPR and NIS2 Penetration Testing Requirements: A Practical Compliance Checklist for EU and UK Enterprises
GDPR and NIS2 require organizations to proactively assess cybersecurity risks. This blog provides a practical penetration testing checklist to help EU and UK enterprises strengthen security, support compliance, and reduce regulatory risk.

Introduction
If you are an EU or UK enterprise reading this, there is a reasonable chance a compliance deadline, not curiosity, brought you here. GDPR Article 32 and the expanded scope of NIS2 have made penetration testing less of a best practice recommendation and more of a documented, auditable obligation for a much wider range of organizations than was true even three years ago. This post is a practical, audit ready checklist that translates the regulatory language into concrete testing scope, frequency, and documentation requirements, written by Nuage Security's compliance and offensive security team based on engagements we run for clients navigating exactly these requirements.
The Regulatory Landscape: What Actually Changed
GDPR Article 32 requires organizations to implement "appropriate technical and organizational measures" to ensure a level of security appropriate to the risk, and explicitly calls out a process for regularly testing, assessing, and evaluating the effectiveness of those measures. Notably, the regulation does not specify exact testing frequency or methodology, which has historically left organizations interpreting "appropriate" in whatever way suited their existing budget and risk appetite. Regulators and auditors have increasingly closed that gap in practice, treating an absence of regular, documented penetration testing as a red flag during breach investigations and audits.
NIS2, which EU member states have been transposing into national law, significantly expanded the scope of organizations considered "essential" or "important" entities, pulling in mid sized companies across sectors including healthcare, digital infrastructure, manufacturing, and managed service providers that previously sat outside critical infrastructure regulation entirely. NIS2 is considerably more explicit than GDPR about expectations, including requirements around vulnerability handling, incident reporting timelines, and supply chain security, all of which penetration testing evidence directly supports.
For UK organizations, while NIS2 itself is an EU directive, UK companies operating in the EU market or processing EU resident data remain in scope, and the UK's own NIS Regulations are undergoing a parallel expansion that mirrors much of the same intent.
What "Appropriate Technical Measures" Actually Means in Audit Terms
Auditors and regulators generally look for evidence across four areas when assessing whether an organization's penetration testing program meets GDPR Article 32 and NIS2 expectations.
First, documented testing scope that covers all systems processing personal data or supporting essential services, not just the customer facing website. This includes internal applications, APIs, and third party integrations that touch regulated data.
Second, testing performed by qualified, ideally independent testers, with documentation of tester certifications such as OSCP or CEH, since auditors increasingly ask not just whether testing happened but who performed it and what their qualifications were.
Third, a documented remediation process with evidence that findings were actually fixed and retested, not just identified. A report listing vulnerabilities with no corresponding closure evidence is one of the most common gaps auditors flag.
Fourth, testing frequency that is risk based and regular, generally interpreted as at minimum annual for most organizations, with more frequent testing, often biannual or after any significant infrastructure change, expected for organizations processing high volumes of sensitive data or classified as essential entities under NIS2.
The Practical Compliance Checklist
Confirm your data inventory identifies every system that processes, stores, or transmits personal data or supports an essential service, and ensure your penetration test scope explicitly includes all of them, not just the primary application.
Schedule penetration testing at minimum annually, and move to biannual testing if you process special category data under GDPR or qualify as an essential or important entity under NIS2.
Require that testing reports document tester qualifications, methodology used, and a clear severity rating system, since vague reports without methodology detail are increasingly questioned during audits.
Maintain a documented remediation log tied to each finding, including the date identified, the date fixed, and evidence of retesting, since this closure evidence is what regulators ask for first during an incident investigation.
Include third party and supply chain systems in your testing scope where they have access to regulated data, since NIS2 specifically calls out supply chain security as an area of accountability, even when the vulnerability originates with a vendor.
Test incident response procedures alongside technical penetration testing, since NIS2 requires defined incident reporting timelines, and a technical assessment alone does not demonstrate readiness to meet those reporting obligations.
Retain all penetration testing reports, remediation evidence, and retest confirmations for a minimum of the period required under your applicable national data protection authority guidance, generally several years, so documentation is available if a regulator requests it after an incident.
How NuageSec's Testing Maps to These Requirements
Nuage Security's engagements are structured specifically to produce the audit evidence outlined above. Every report includes documented methodology, tester certifications, and a clear severity framework. We provide a structured remediation tracking process and conduct retesting to confirm closure, so the evidence trail an auditor or regulator asks for already exists by the time you need it, rather than being assembled after the fact under pressure.
For organizations newly in scope under NIS2's expanded definitions, we also help define appropriate testing scope and frequency based on your specific sector and data processing activities, since a one size fits all annual test is often insufficient for essential entities but more than required for lower risk organizations, and getting that scoping right affects both your compliance posture and your budget.
Download the Full Compliance Checklist
The checklist above covers the essentials, but a full audit ready compliance package includes additional detail on documentation templates, sample remediation tracking formats, and a self assessment to determine your required testing frequency under both GDPR and NIS2. Download the complete checklist to get your team audit ready, and reach out if you want NuageSec to scope a compliance aligned penetration test for your organization.







