Pentest – Sauer on Information Security | InfoSec-Blog for IT-Professionals

NIS2 and Penetration Testing – Mandatory or Optional?

12. June 2025 by Patrick Sauer Leave a Comment

The new NIS2 Directive of the EU has been in force since early 2023. It no longer applies only to traditional critical infrastructure operators (KRITIS), but now covers a wide range of important entities, including:

medium-sized and large companies in energy, transportation, finance, and healthcare,
hosting providers, data centers, DNS service providers,
(almost) any tech company providing essential services.

The NIS2 Directive does not explicitly mandate penetration testing, but it requires measures that are hardly feasible or verifiable without it. Article 21 of the directive defines a central obligation:

Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services.

While penetration testing is not explicitly mentioned, the directive clearly implies it – particularly through the requirement for regular testing of the effectiveness of measures, and the demand to follow the state of the art, which, in practice, includes conducting penetration tests.

MPA Content Security Program Requirements for Penetration Testing

9. June 2022 by Patrick Sauer Leave a Comment

The Content Security Program of the Motion Picture Association (MPA) specifies security requirements in three areas in its Content Security Best Practices Common Guidelines (Version 4.10 of February 8, 2022):

Management System
Physical Security
Digital Security

In the requirements for the management system, vulnerability scans and external penetration tests are to be carried out in number MS-2.1 in the risk management category. There a reference is made to the requirements DS-1.8 and DS-1.9.

The requirement DS-1.9 (Firewall / WAN / Perimeter Security) requires the implementation of annual penetration tests of all external IP addresses and systems. DS-1.8 also requires monthly vulnerability scans.

Furthermore, one also finds the requirement to carry out web application penetration tests (DS-15.9, Client Portal). Here are some more detailed requirements:

The pentest should also include any APIs.
The test should be carried out both with and without valid access data.
The typical guidelines such as the OWASP publications should be adhered to so that XSS, SQL injections, and CSRF can also be found.

It is generally recommended that penetration testing is performed by an independent third party.