NIS2 Implementation Act · Penetration Testing

NIS2 compliance through targeted penetration testing

The NIS2 directive obliges over 29,000 companies in Germany to implement demonstrable security measures. A penetration test is an established instrument for meeting and documenting these requirements, and for finding real vulnerabilities before attackers do.

NIS2 compliance evidence included · Report suitable for regulators · Free initial consultation
What you get
Evidence for regulators
Every finding is mapped to Art. 21 NIS2 – the report is directly usable for BSI audits.
All relevant attack vectors
Physical, social engineering, infrastructure, AD – we test the measures that Art. 21 requires you to demonstrate.
Management summary included
Understandable for board and management, not just technical teams.
Prioritised remediation plan
Clear recommendations, prioritised by risk and feasibility.
Our final report is suitable for internal audits, BSI notifications, and board-level reporting.
NIS2 requirements

Which articles does our pentest cover?

Article 21 NIS2 defines specific technical and organisational measures. A penetration test provides measurable evidence for the most important ones.

ART. 21 PARA. 2 (a)

Risk analysis & security concept

NIS2 requires systematic identification and assessment of risks. Our pentest delivers a realistic risk picture based on actual attack vectors.

Physical, Infra, AD pentest
ART. 21 PARA. 2 (b)

Incident management

Incident handling presupposes that you know your likely entry points. The pentest uncovers them before a real incident occurs, and the documented attack paths are direct input for your detection rules and response playbooks.

All pentest modules
ART. 21 PARA. 2 (c)

Business continuity & backup

We test whether critical systems and backups are protected against real attacks, including ransomware scenarios: can a compromised client reach the backup infrastructure, are backups offline or immutable, and does network segmentation actually contain lateral movement?

Infrastructure pentest
ART. 21 PARA. 2 (d)

Supply chain security

Art. 21(2)(d) requires you to address the security of your relationships with direct suppliers and service providers. Social engineering and OSINT show how attackers can enter your organisation via third parties, for example by impersonating a supplier's support staff in a pretexting call.

Social engineering, OSINT
ART. 21 PARA. 2 (e), (i)

Network security & access control

Segmentation, firewall rules, privileged access: we test whether your network is a real attack barrier or only secure on paper. This covers (e) security in network and information systems and (i) access control policies.

Infrastructure, AD pentest
ART. 21 PARA. 2 (h), (j)

MFA & encryption

Weak authentication and missing encryption are among the most common entry points. We systematically test all exposed access points for vulnerabilities: (h) covers cryptography and encryption, (j) the use of multi-factor authentication.

Web app, AD pentest

What are the consequences of non-compliance?

Fines of up to €10m or 2% of global annual turnover (whichever is higher) for essential entities; up to €7m or 1.4% for important entities
Personal liability of management in cases of proven negligence
Orders for immediate remediation from the competent authority (in Germany, the BSI)
Public disclosure of violations in serious security incidents
Affected sectors

Is your company subject to NIS2?

NIS2 covers essential and important entities in the listed sectors from medium-sized upwards (at least 50 employees, or an annual turnover and balance sheet total each above €10m), plus certain providers such as DNS and TLD operators regardless of size – significantly broader than the first NIS directive.

Energy
🏥Healthcare
💧Water & Wastewater
🏢Finance & Insurance
🚂Transport & Logistics
🏭Manufacturing & Industry
📬Postal & Courier
💻ICT & Digital Infrastructure
🌐DNS & TLD Providers
🔬Research
🗑Waste Management
🛰Space
Our approach

NIS2 pentest in 5 steps

From scoping to NIS2-compliant final report – structured, documented, and designed for demonstrability.

STEP 01

Scoping & NIS2 mapping

We jointly define the test scope and map it to the relevant NIS2 requirement articles. This ensures the report delivers the right compliance evidence from the start.

STEP 02

Reconnaissance & attack preparation

Information gathering via publicly available sources (OSINT), network scans and attack planning according to the state of the art.

STEP 03

Test execution

Manual exploitation within the agreed scope – physical, digital or both. We communicate critical findings immediately so you can act.

STEP 04

Analysis & risk assessment

Every finding is rated by severity, exploitability and business impact – with direct reference to the NIS2 requirements catalogue.

STEP 05

NIS2 final report & presentation

Complete documentation of all findings with recommendations, management summary and NIS2 compliance mapping. Suitable for BSI audits and internal evidence.

Sample report: NIS2 pentest report · Acme Corp GmbH · NIS2-compliant ✓
Server room: no access control (physical) → Art. 21(2)(a) ✓
AD: Kerberoasting – 4 accounts compromised → Art. 21(2)(h) ✓
Phishing: 38% click-through rate → Art. 21(2)(g) ✓
No network segmentation in place → Art. 21(2)(e) ✓
VPN: deprecated protocol (IKEv1) → Art. 21(2)(h) ✓
Backup: no encryption → Art. 21(2)(c) ✓
6 findings · remediation plan included · NIS2 mapping Art. 21 para. 2 (a–j)
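The "AD: Kerberoasting" line in the sample report names a technique the page itself does not describe. As an added example, not part of the original page or the vendor's methodology, the following Python script shows the defender-side check a remediation plan for such a finding would point to: scanning Windows Security event 4769 (Kerberos service ticket requested) records for one account that obtains RC4-HMAC (TicketEncryptionType 0x17) service tickets for many distinct service accounts within a short window. The event records, account names, window and threshold are constructed for this example.

```python
"""Kerberoasting indicator check over Windows Security event 4769 records.

Kerberoasting requests TGS tickets for accounts that carry an SPN and cracks
them offline. In 4769 events this shows up as one requesting account
(TargetUserName) asking for tickets for many distinct ServiceName values in a
short window, classically with RC4-HMAC encryption (TicketEncryptionType 0x17).
All event records below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # TicketEncryptionType value for RC4-HMAC
SUCCESS = "0x0"     # Status value for a granted ticket

# Constructed sample events (field names follow event 4769).
SAMPLE_EVENTS = [
    # One user pulls four RC4 service tickets within 90 seconds: suspicious.
    {"time": "2024-05-02T09:00:01", "TargetUserName": "j.doe@CORP.LOCAL",
     "ServiceName": "svc_sql01", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": "2024-05-02T09:00:04", "TargetUserName": "j.doe@CORP.LOCAL",
     "ServiceName": "svc_iis", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": "2024-05-02T09:00:09", "TargetUserName": "j.doe@CORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": "2024-05-02T09:01:30", "TargetUserName": "j.doe@CORP.LOCAL",
     "ServiceName": "svc_sccm", "TicketEncryptionType": "0x17", "Status": "0x0"},
    # Noise that must not count: krbtgt, a machine account, a failed request.
    {"time": "2024-05-02T09:00:02", "TargetUserName": "j.doe@CORP.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": "2024-05-02T09:00:03", "TargetUserName": "j.doe@CORP.LOCAL",
     "ServiceName": "WS01$", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": "2024-05-02T09:00:05", "TargetUserName": "j.doe@CORP.LOCAL",
     "ServiceName": "svc_print", "TicketEncryptionType": "0x17", "Status": "0x1b"},
    # Normal use: an AES ticket, and two RC4 tickets an hour apart.
    {"time": "2024-05-02T09:05:00", "TargetUserName": "m.mueller@CORP.LOCAL",
     "ServiceName": "svc_sql01", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"time": "2024-05-02T10:00:00", "TargetUserName": "a.admin@CORP.LOCAL",
     "ServiceName": "svc_sql01", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": "2024-05-02T11:00:00", "TargetUserName": "a.admin@CORP.LOCAL",
     "ServiceName": "svc_iis", "TicketEncryptionType": "0x17", "Status": "0x0"},
]


def is_roastable_request(ev):
    """True for a granted RC4 service ticket for a non-machine, non-krbtgt account."""
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"].lower() == RC4_HMAC
            and ev["Status"] == SUCCESS
            and svc.lower() != "krbtgt"
            and not svc.endswith("$"))


def find_kerberoasting(events, window=timedelta(minutes=10), threshold=3):
    """Return {requester: sorted service accounts} for every requester that
    obtained RC4 tickets for at least `threshold` distinct services within `window`."""
    by_user = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            by_user[ev["TargetUserName"]].append(
                (datetime.fromisoformat(ev["time"]), ev["ServiceName"]))

    hits = {}
    for user, reqs in by_user.items():
        reqs.sort()                    # chronological order per requester
        in_window = defaultdict(int)   # service -> requests inside the sliding window
        flagged = set()
        left = 0
        for t, svc in reqs:
            in_window[svc] += 1
            # Drop requests older than `window` relative to the current one.
            while t - reqs[left][0] > window:
                old = reqs[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= threshold:
                flagged.update(in_window)
        if flagged:
            hits[user] = sorted(flagged)
    return hits


if __name__ == "__main__":
    for user, services in find_kerberoasting(SAMPLE_EVENTS).items():
        print(f"{user}: {len(services)} service accounts requested via RC4: "
              f"{', '.join(services)}")
```

Event 4769 is only written when "Audit Kerberos Service Ticket Operations" is enabled on the domain controllers. The RC4 filter is the classic signal, but a tester can request AES tickets for service accounts that support them, so the volume heuristic matters as much as the encryption type. The remediation a report would prioritise is long random passwords or group managed service accounts for SPN-bearing accounts, and removing RC4 from the accounts' supported encryption types.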
29,000+
Affected companies in Germany
€10m or 2%
Max. fine for essential entities (the higher of €10m or 2% of global turnover)
24 h
Early-warning deadline for significant incidents (full notification within 72 h)
100%
Of our reports NIS2-ready
Our NIS2 pentest modules

Which tests do you need for NIS2?

NIS2 does not prescribe a specific testing method – but the following modules cover the most relevant requirements and provide the strongest evidence.

Physical pentest

Simulated break-in attempt at your company premises. Covers Art. 21(2)(a) risk analysis and the physical security of your systems – often an underestimated attack vector.

Learn more

Infrastructure & Active Directory

Network segmentation, firewall rules, privileged access, AD hardening. Directly relevant for Art. 21(2)(e) security in network and information systems, (h) cryptography and (i) access control.

Learn more

Social engineering

Phishing, vishing, pretexting. Shows how vulnerable your organisation is to the human factor – NIS2 Art. 21(2)(d) supply chain security and (g) cyber hygiene and staff training.

Learn more
Frequently asked questions

NIS2 & penetration testing – your questions

NIS2 does not prescribe a specific testing method, but it requires demonstrable technical and organisational security measures (Art. 21) and, under Art. 21(2)(f), policies and procedures to assess how effective they are. A penetration test is an established way to meet and document both. Companies without regular security testing risk being unable to demonstrate, after an incident, that adequate measures were in place.
NIS2 requires continuous risk assessment, and the BSI recommends regular penetration tests. As a rule of thumb: at least one full penetration test per year, and additionally after significant IT changes (new systems, restructuring, incidents). We also offer ongoing support and re-tests once findings have been remediated.
Yes. Our final report includes an explicit NIS2 compliance mapping that assigns each finding to the relevant measures of Art. 21 para. 2 NIS2 (letters a to j). This makes the report directly usable for BSI audits, internal evidence, and board-level reporting. Management summary included.
The price depends on scope – which systems, how many sites, which modules. A focused NIS2 pentest (infrastructure + AD) typically starts from €4,500. A combined assessment with physical and social engineering from approx. €7,500. After a free initial consultation you receive a transparent fixed-price offer.
The technical process is identical – the difference is in the reporting. Our NIS2 pentest includes structured compliance mapping to Art. 21 NIS2, a risk-prioritised remediation plan, and a management summary suitable for regulatory authorities. A standard pentest delivers technical findings without this compliance framework.
Yes. NIS2 is an EU directive transposed into national law in every member state, so the Art. 21 measures apply EU-wide. We conduct remote pentests (infrastructure, web app, AD) regardless of location. For physical assessments and social engineering we travel to your site, including outside Germany. Let us know your location and we will find a solution.

© AccessGranted X GmbH