In an increasingly hostile cyber landscape, regulatory expectations are also rising.
Frameworks such as the UK’s pending Cyber Security and Resilience Bill and Europe’s Digital Operational Resilience Act (DORA), NIS2, and the General Data Protection Regulation (GDPR) are pushing organisations beyond merely withstanding cyberattacks; they now require ongoing demonstration of diligent security practices.
The cost of a lax approach to compliance is ultimately financial: regulators are unflinching in imposing penalties on non-compliant companies. In 2023, the French advertising giant Criteo was fined €40 million for unlawful data processing and profiling practices. The case was not triggered by a dramatic breach but by weak compliance practices and a lack of transparency, a reminder that resilience depends as much on proof of controls as on responding to attacks.
By contrast, after major cyberattacks this year, Co-Op and M&S are now under investigation by the UK’s Information Commissioner’s Office to assess whether their preventive measures were sufficient. In these situations, scrutiny arises after an incident, and organisations that can demonstrate proactive risk identification and remediation are better positioned to reassure regulators and limit potential penalties.
Against this backdrop, penetration testing is increasingly recognised as central to compliance. It offers regulators and auditors tangible proof that security controls are both effective and routinely tested, while also reinforcing an organisation’s resilience against future attacks.
Rising regulatory pressures in EMEA
Across Europe, organisations face a growing thicket of overlapping and evolving laws. Regulations such as GDPR, NIS2, and DORA, soon to be joined by the UK Cyber Security and Resilience Bill, demand diligent risk management, breach reporting, and resilience testing.
While their scopes differ, these regulations share common expectations: companies must show that they are implementing robust measures against cyberattacks and ensuring that third-party partners do not introduce weaknesses.
Compliance is therefore not just a box-ticking exercise but an ongoing demonstration of cyber resilience. Many of these regulations either require or imply the need for penetration testing. GDPR’s Article 32 calls for regular testing of security measures, NIS2 requires organisations to demonstrate cyber risk management and supply chain assurance, and DORA goes further, mandating threat-led penetration testing for certain financial firms. Together, they set a clear expectation: testing resilience is not optional; it is central to compliance.
Pentesting as proof of resilience
A well-structured pentesting programme does more than uncover vulnerabilities. It generates concrete evidence (findings, reports, and remediation records) that can be directly mapped to compliance clauses.
For example, discovering and fixing a critical database flaw becomes tangible proof of GDPR risk reduction. Simulated attacks on critical systems provide validation, under NIS2, that resilience measures are working as intended. Advanced red team exercises not only satisfy DORA but also give boards confidence in their organisation’s readiness, or reveal where improvements are still needed.
For CISOs, penetration testing functions as a practice audit. It highlights weaknesses before official auditors arrive, reduces the risk of surprises, and demonstrates a continuous cycle of testing, remediation, and improvement. It also helps prioritise risks by showing which vulnerabilities would have the greatest business impact if exploited. In this way, pentesting strengthens both the compliance posture and technical security.
Embedding pentesting into security strategy
To unlock these benefits, penetration testing must be integrated into the broader security strategy rather than treated as an ad-hoc annual exercise. Scheduling tests to align with compliance reporting cycles ensures that evidence presented to regulators is current and relevant.
For sectors subject to higher scrutiny, such as finance and critical infrastructure, incorporating advanced threat simulations is increasingly essential. These exercises, often based on real-world threat intelligence, move beyond basic vulnerability checks to test detection and response capabilities, offering regulators the kind of resilience evidence they find most compelling.
The rise of Pentesting-as-a-Service platforms has also transformed how organisations can approach testing. Instead of waiting for an annual review, CISOs can commission ongoing or on-demand pentests, with results delivered in real time. This model supports a stronger compliance narrative by showing continuous monitoring rather than periodic validation, and helps identify new vulnerabilities introduced by updates or infrastructure changes before they can be exploited.
Another powerful way to operationalise pentesting is to link findings directly to compliance frameworks. Mapping vulnerabilities and remediation actions to specific clauses in GDPR, ISO 27001, PCI DSS or other standards creates a clear audit trail. Over time, this builds an evidence library that demonstrates not just one-off compliance, but a sustained commitment to resilience.
Transforming compliance into resilience
By integrating penetration testing into compliance programmes, organisations can transform regulatory pressure into a strategic advantage. Rather than scrambling to produce evidence at the time of an audit, CISOs can demonstrate an ongoing narrative of security hygiene and diligence while actively strengthening their defences. This elevates compliance from a reporting obligation into a driver of resilience and assurance.
About the Author
Sam Kirkman is Director of Services for EMEA at NetSPI. NetSPI® pioneered Penetration Testing as a Service (PTaaS) and leads the industry in modern pentesting. Combining world-class security professionals with AI and automation, NetSPI delivers clarity, speed, and scale across 50+ pentest types, attack surface management, and vulnerability prioritization. The NetSPI platform streamlines workflows and accelerates remediation, enabling our experts to focus on deep dive testing that uncovers vulnerabilities others miss. Trusted by the top 10 U.S. banks and Fortune 500 companies worldwide, NetSPI has been driving security innovation since 2001. NetSPI is headquartered in Minneapolis, MN, and available on AWS Marketplace.