Pentest NIS2: How to meet the requirements of the European Directive
In April 2024, a malicious backdoor was discovered in XZ Utils, a compression library present on millions of Linux systems. Its author had infiltrated the open-source project for two years, gradually gaining the trust of legitimate maintainers before injecting his malicious code. The result: a critical vulnerability in the SSH servers of thousands of organizations worldwide. It is precisely this type of risk that the NIS2 directive targets. Since its transposition into French law, thousands of companies have been faced with legal cybersecurity obligations – including regular security testing. Here’s what NIS2 requires in concrete terms, and how a pentest meets them.
NIS2 in France: Mandatory sectors, timetable and technical requirements
The Network and Information Security Directive 2 (NIS2) considerably extends the scope of NIS1. It concerns two categories of entities:
- Essential Entities (EE): energy, transport, health, water, digital infrastructure, public administration, space – more than 250 employees or sales of over 50 million euros
- Large-scale entities (LSEs): postal services, waste management, chemicals, food, manufacturing industry, digital suppliers – over 50 employees or sales of over €10 million
This information comes from the European definition of company size, but NIS2 qualification also depends on the exact sector, type of activity, sometimes critical role and national designations. For example, certain entities are covered regardless of their size (TLD registries, DNS providers, certain public administrations, etc.).
Article 21 of NIS2 lists the mandatory technical measures for all these entities:
- SSI risk management
- incident management
- business continuity
- supply chain security
- development security and maintenance
- policies for evaluating the effectiveness of measures
- cyber hygiene
- cryptography and encryption
- access control and authentication
- MFA and secure communications
ANSSI provides a comprehensive guide to determine whether your organization falls within the scope of NIS2, and to identify your precise obligations. Penalties for non-compliance reach 10 million euros or 2% of worldwide sales for essential entities, and 7 million euros or 1.4% for important entities. For the organizations concerned, the question is no longer “should a pentest be carried out?” but “when and how should it be documented for the auditor?”
How a penetration test covers NIS2 requirements
To find out more about the complete intrusion test procedure: https: //www.hackmosphere.fr/test-intrusion
A NIS2 pentest follows four phases, each of which is documented for the compliance audit.
Phase 1 – Reconnaissance: mapping of exposed infrastructure, cloud services, subdomains and digital assets. Nmap enables network discovery and identification of active services, software versions and open ports. Amass provides advanced enumeration of sub-domains and complete mapping of the external attack surface.
Phase 2 – Vulnerability identification: analysis of active CVEs, misconfigurations and business logic vulnerabilities. OpenVas performs a vulnerability scan to identify critical CVEs and misconfigurations. In internal pentesting, BloodHound analyzes Active Directory relationships to map privilege escalation paths – a direct focus of NIS2 on access control.
Phase 3 – Exploitation: demonstration of real impact to prioritize remediation. Metasploit Framework enables controlled exploitation of vulnerabilities, with proof of compromise. The Impacket suite tests the resistance of Windows protocols (SMB, NTLM, Kerberos) to assess the robustness of the Active Directory infrastructure.
Phase 4 – Reporting and retesting: the pentest report is the main supporting document for the NIS2 audit. It documents each vulnerability with its CVSS 3.1 score, business impact and prioritized remediation recommendations. The retest validates the corrections before submission to the competent authority.
XZ Utils and SolarWinds: When the supply chain becomes an NIS2 attack vector
The XZ Utils attack of 2024 is a perfect example of why NIS2 devotes an entire article to supply chain risk management. A single malicious contributor, two years of gradual infiltration of a trusted open-source project, and an SSH backdoor on millions of Linux servers. The attack didn’t come from outside – it came from inside the software supply chain.
SolarWinds, in 2020, followed the same pattern on a much larger scale. A corrupted Orion update compromised 18,000 organizations, including several US government agencies. The attackers had remained in the systems for months without being detected.
The T1195 Supply Chain Compromise technique documented by MITRE ATT&CK refers precisely to these attack vectors. NIS2 article 21 responds directly to this by imposing supplier risk assessment. A supply chain oriented pentest concretely tests :
- Third-party integrations and their levels of access to internal systems
- Open-source dependencies and their known CVEs
- APIs exposed to partners and subcontractors
- Data flows between internal systems and external services
Leaving the supply chain out of the pentest perimeter is like securing the facade of a building while leaving the service door open.
NIS2 compliance plan: From technical audit to correction
Concrete steps to achieve NIS2 compliance through penetration testing :
- Identify the NIS2 perimeter – systems, networks, critical suppliers, exposed digital assets
- Initial pentest – complete inventory with CVSS 3.1 scoring
- Prioritize remediations – critical (CVSS ≥ 9) within 72 hours, high (CVSS 7-8) within 30 days
- Document each correction – traceability for the ANSSI auditor
- Validation retest – confirmation of corrections before submission
| NIS2 obligation (art. 21) | Contribution of pentesting |
|---|---|
| Risk assessment and IS security policies | Complementary: the pentest validates the risk scenarios identified in the SSI analysis and measures the actual exploitability of vulnerabilities. |
| Incident management | Partial: tests the SOC/CSIRT’s detection, warning and response capabilities in the face of a simulated attack. |
| Business continuity and crisis management | Complementary: measures the possible business impact of a compromise and tests recovery and resilience scenarios |
| Supply chain security | Partial: identifies weaknesses in suppliers, APIs, third-party access, open source components and interconnections |
| Security in acquisition, development and maintenance | Comprehensive: checks for application vulnerabilities and configuration errors before going into production |
| Evaluating the effectiveness of cybersecurity measures | Complete: central objective of pentesting; verifies the actual effectiveness of technical and organizational controls |
| Cyber hygiene and security training | Partial: phishing or social engineering campaigns assess users’ level of awareness |
| Cryptography and encryption | Partial: checks for bad cryptographic implementations and TLS/VPN configuration faults |
| Access control and identity management (IAM) | Complete: identifies excessive privileges, escalations, lateral movements and MFA defects |
| Strong authentication and secure communications | Comprehensive: checks the robustness of MFA mechanisms, sessions, secrets and secure protocols |
Conclusion
Hackmosphere supports companies subject to NIS2 in carrying out documented penetration tests, with deliverables adapted to ANSSI audit requirements. Find out more about our cyber pentest offer.
NIS2 compliance is not an administrative constraint: it’s an opportunity to really map your exposure to cyber risks. Organizations that anticipate will emerge stronger. Those that wait for the audit face critical feedback in a hurry. A well-executed penetration test transforms a regulatory obligation into a lasting security advantage.

