Guides | 7 April 2026

Penetration Testing in Germany: Providers, Regulations, and Pricing (2026)

Germany has one of the most rigorous cybersecurity regulatory environments in Europe, and 2026 marks a turning point. The new BSI Act transposing the NIS 2 Directive came into force in December 2025, expanding the number of regulated organisations from roughly 4,500 to nearly 29,500. For tens of thousands of German businesses, penetration testing has shifted from best practice to regulatory expectation.

This guide covers the German pen testing market in detail: the regulatory landscape, what certifications matter, which providers to consider, and what to expect on pricing.

The Regulatory Landscape

Understanding German cybersecurity regulation requires familiarity with several overlapping frameworks. Here is what drives penetration testing demand in Germany today.

The New BSI Act and NIS 2

Germany transposed the EU NIS 2 Directive by amending its existing BSI Act (BSIG) rather than creating standalone legislation. The amended act entered into force on 6 December 2025, and in-scope organisations had until April 2026 to register with the BSI via its new portal.

The scope expansion is dramatic. The new BSI Act introduces two categories of regulated entities: besonders wichtige Einrichtungen (particularly important entities) and wichtige Einrichtungen (important entities). Affected sectors include energy, transport, banking, health, digital infrastructure, ICT service management, public administration, manufacturing of critical products, food, chemicals, and waste management.

For penetration testing specifically, the new BSI Act does not mandate a single compliance framework. Instead, it relies on the principle of Stand der Technik (state of the art), meaning organisations must implement appropriate, proportionate, and effective technical and organisational measures. In practice, regular penetration testing is the most credible way to demonstrate that technical vulnerabilities are being actively identified and managed.

Operators of critical facilities (KRITIS) must demonstrate compliance to the BSI every three years through audits, inspections, or certifications. Penetration testing is a core component of these compliance demonstrations.

Penalties are substantial. Particularly important entities face fines of up to ten million euros or two percent of global annual turnover. Important entities face fines of up to seven million euros or 1.4 percent of global turnover. The BSI Act also introduces personal liability for management bodies, making cybersecurity a board-level concern.

IT-Grundschutz

The BSI's IT-Grundschutz (IT Baseline Protection) framework remains the foundation for implementing information security in Germany. It provides a comprehensive, structured approach to implementing ISO 27001, and many German organisations pursue ISO 27001 certification on the basis of IT-Grundschutz, which is more prescriptive than the international standard alone.

Several IT-Grundschutz modules explicitly require or recommend penetration testing. NET.3.2 (Firewall) requires regular penetration tests as part of its standard requirements. Other modules recommend security testing for web applications, network infrastructure, and cloud environments.

TISAX for Automotive

Germany's automotive industry, anchored by Volkswagen, BMW, Daimler, and their vast supply chains, has its own security testing framework. TISAX (Trusted Information Security Assessment Exchange) is administered by the ENX Association on behalf of the VDA (German Association of the Automotive Industry).

While penetration testing is not mandatory for all TISAX assessment levels, it becomes a requirement for systems with high protection needs under VDA ISA version 6.0.3, specifically control 5.2.6, which requires service-specific tests including human penetration tests at risk-based intervals. Level 3 TISAX assessments require third-party penetration testing and vulnerability assessments alongside external validation and site visits.

Any supplier in the German automotive ecosystem should consider TISAX-aligned penetration testing, particularly if they handle prototype data, personal data, or connect to OEM networks. Providers experienced in TISAX can map their findings directly to VDA ISA controls, streamlining the assessment process.

DORA for Financial Services

German banks, insurers, and financial market infrastructure operators are now subject to DORA (Digital Operational Resilience Act), which mandates Threat-Led Penetration Testing (TLPT) for significant financial entities. DORA aligns with the TIBER-EU framework, meaning German financial institutions must commission sophisticated red team engagements modelled on real threat intelligence.

BaFin, Germany's financial supervisory authority, oversees DORA implementation alongside the ECB. Providers delivering DORA-compliant TLPT must demonstrate advanced red teaming capabilities and threat intelligence expertise.

BSI Certification for Penetration Testers

Germany has its own national penetration tester certification programme run by the BSI. This is one of the most rigorous programmes in Europe and is particularly relevant for public sector and KRITIS work.

As of early 2026, 18 companies appear on the BSI's official list of certified penetration testing providers. To earn a place on this list, a company must complete the IS penetration test certification programme and employ at least two individually certified testers.

Individual BSI certification requires holding a recognised practical certification that is no older than three years. The BSI accepts OSCP and OSWE from Offensive Security, GPEN and GXPN from GIAC, CRTO from Zero-Point Security, CPTS from HackTheBox Academy, CompTIA PenTest+, CREST CRT, and EC-Council CEH Practical and CPENT. The critical requirement is that the certification must include at least 60 percent practical assessment with a hands-on final exam.

BSI-certified providers include names like SySS, secuvera, USD AG, HiSolutions, Deutsche Telekom Security, PwC, and EY, among others. For any organisation working with the German public sector or KRITIS operators, engaging a BSI-certified provider is strongly recommended and often expected.

Other Certifications That Matter in Germany

Beyond BSI certification, several other accreditations carry weight in the German market.

CREST accreditation is increasingly recognised in Germany, particularly by international organisations and firms with UK or pan-European operations. CREST's methodology standards align well with BSI expectations, and several providers active in Germany hold both CREST and BSI certifications.

ISO 27001 certification of the testing provider demonstrates formal information security management. Combined with BSI certification, this provides the strongest assurance of provider quality in the German market.

TÜV and DEKRA certifications carry particular weight in Germany due to the country's strong tradition of independent technical assessment. TÜVIT, the cybersecurity arm of TÜV, is itself a penetration testing provider and certifier.

The German Pen Testing Market

Germany's penetration testing market is characterised by a mix of domestic specialists, international providers with German offices, and the Big Four consultancies.

Domestic Specialists

Germany has a strong base of homegrown pen testing firms. Cure53, based in Berlin, is internationally renowned for web application and cryptographic security assessments, with an impressive track record of auditing major open-source projects. SySS GmbH is widely regarded as the German market leader for BSI-aligned testing, with deep government and critical infrastructure expertise. SCHUTZWERK in Ulm offers comprehensive security assessments across web, network, and cloud environments. turingpoint in Hamburg is a boutique consultancy known for OWASP and BSI-aligned testing methodologies. binsec in Dortmund has specialised in professional penetration testing since 2013, covering web applications, APIs, networks, mobile applications, and medical devices. SEC Consult, with offices in Berlin, provides security consulting across the DACH region.

International Providers

Several international firms maintain significant German operations. Blaze Information Security operates from Berlin with CREST accreditation. Orange Cyberdefense, through its SensePost team, serves German clients from European offices. WithSecure, the Finnish cybersecurity firm formerly known as F-Secure, has a strong presence in Germany. NCC Group and other UK-based CREST providers increasingly serve the German market.

Big Four and Large Consultancies

PwC, EY, Deloitte, and KPMG all have substantial cybersecurity practices in Germany, with some holding BSI certification. They serve large enterprises and regulated industries where penetration testing is integrated with broader advisory, audit, and compliance work.

Pricing in Germany

German penetration testing prices reflect the country's position as a mature Western European market.

Typical day rates for penetration testing consultants in Germany range from 1,000 to 1,800 euros. Senior specialists and red team operators can command up to 2,200 euros per day.

For fixed-price engagements, expect the following ranges. A web application penetration test for a mid-complexity application typically costs 5,000 to 15,000 euros. An external network penetration test covering a moderate number of IPs runs 4,000 to 12,000 euros. An internal network assessment costs 5,000 to 15,000 euros. A cloud security assessment for AWS or Azure falls between 6,000 and 18,000 euros. A TISAX-aligned assessment with penetration testing ranges from 8,000 to 25,000 euros. Red team engagements start from 25,000 euros and can exceed 100,000 euros for comprehensive campaigns.

BSI-certified providers may command a premium of 10 to 20 percent over non-certified firms, reflecting the additional quality assurance and the value of BSI recognition in regulated contexts.

Language Considerations

While many German pen testing providers deliver reports in English, German-language reporting is often expected or preferred, particularly for public sector work, KRITIS compliance, and engagements involving German management or board review.

When evaluating providers, confirm their ability to deliver complete reports in German, including executive summaries, technical findings, and remediation guidance. Some international providers can conduct testing but may deliver English-only reports, which can create friction in organisations where German is the working language.

How to Choose a Provider in Germany

For KRITIS operators and public sector organisations, start with the BSI's official list of certified providers. This ensures the provider meets Germany's specific quality standards and can deliver testing aligned with IT-Grundschutz requirements.

For automotive suppliers subject to TISAX, choose a provider with explicit TISAX experience who can map findings to VDA ISA controls. Ask for references from automotive clients and confirm they understand the specific requirements at your assessment level.

For financial services organisations subject to DORA, you need a provider with TLPT and TIBER-EU experience. This is a specialised requirement that only a subset of providers can deliver.

For all other organisations, CREST accreditation or BSI certification provides a reliable quality baseline. Evaluate providers on their experience with your specific technology stack, their familiarity with German regulatory requirements, the certifications of the individual testers who will be assigned, and their ability to deliver German-language reports.

Browse our directory of penetration testing providers in Germany and Berlin to compare companies by accreditations, services, and reviews. For broader European coverage, see our guide to penetration testing providers across Europe.