NIS 2 Penetration Testing Providers
Network and Information Security Directive 2 · Europe
NIS 2 is the EU's updated cybersecurity directive that significantly expands the scope and requirements of the original NIS Directive. Effective from October 2024, NIS 2 applies to essential and important entities across 18 sectors and introduces stricter security requirements, incident reporting obligations, and supply chain security measures.
Article 21 requires entities to implement risk-based cybersecurity measures including vulnerability handling and disclosure, security testing, and security audits. NIS 2 explicitly recognises penetration testing as a key security measure and encourages regular testing of network and information systems.
The directive also introduces personal accountability for management bodies, making senior leadership directly responsible for approving and overseeing cybersecurity risk management measures. Non-compliance can result in fines of up to 10 million euros or 2% of global annual turnover for essential entities. Penetration testing helps organisations meet NIS 2 requirements by identifying vulnerabilities, testing incident response capabilities, and demonstrating a proactive approach to cybersecurity risk management.
Aon Cyber Solutions
Cybersecurity consulting division of global insurance leader Aon, uniquely combining penetration testing with cyber risk quantification and insurance expertise.
Aristi
CHECK and CREST-accredited Birmingham-based cyber security consultancy with over 15 years of experience delivering penetration testing, red teaming, and OT security assessments for government and private sector clients.
Bridewell
Fast-growing CREST and CHECK-accredited UK cybersecurity consultancy with deep expertise in critical national infrastructure sectors.
Cyphere
CREST-accredited Manchester-based cyber security firm delivering penetration testing, managed security services, and compliance consultancy across the UK, Europe, and the USA.
Dionach
Global enterprise cybersecurity consultancy founded in 1999 in Oxford, holding rare CREST STAR-FS accreditation and delivering penetration testing, red and purple teaming, and PCI QSA services across five international offices.
Integrity360
CREST-accredited pan-European cybersecurity services provider delivering penetration testing and managed security from Dublin with a strong UK and Ireland presence.
IOActive
Elite boutique security consultancy specializing in IoT, SCADA/ICS, embedded systems, and hardware security research with world-renowned researchers.
IT Governance
Established Ely-based compliance and cybersecurity consultancy offering CREST-approved penetration testing as part of a comprehensive governance, risk management, and compliance portfolio.
JUMPSEC
Full-service London-based cybersecurity consultancy with CREST, CHECK, and NCSC accreditations delivering offensive testing, managed detection, and strategic advisory services.
LRQA
The only organisation worldwide with a full suite of CREST accreditations. 250+ cybersecurity specialists operating in 55+ countries across pen testing, red teaming, and incident response.
MDSec
Elite UK offensive security consultancy specialising in CBEST/STAR/TIBER red teaming, advanced adversary simulation, and CREST-accredited penetration testing for FTSE 100 clients.
NCC Group
Global cybersecurity consultancy with CREST, CHECK, and CBEST accreditation, renowned for deep technical research and comprehensive penetration testing services.
Nettitude
CREST, CHECK, and CBEST accredited UK consultancy within Lloyd's Register, delivering premium penetration testing for government and critical infrastructure.
Pen Test Partners
The UK's largest independent security testing firm, renowned for IoT/OT research, CBEST red teaming, and CHECK/CREST-accredited penetration testing across all sectors.
PwC Cyber Security
Global Big Four professional services firm delivering CREST, CHECK, and CBEST-accredited penetration testing and red teaming services from London, serving the UK's largest enterprises and regulated organisations.
Redscan (A Kroll Business)
London-based cybersecurity provider, now part of Kroll, delivering CREST-accredited penetration testing, managed detection and response, and incident response with a 550-strong cyber team.
Salus Cyber
Award-winning Cheltenham-based cybersecurity consultancy with NCSC CHECK Green Light status and CREST approval, specialising in defence, government, and critical national infrastructure security.
SEC Consult
Leading European cybersecurity consultancy from Vienna with a prolific vulnerability research program and deep expertise in IoT and embedded systems security.
SECFORCE
Leading UK offensive security consultancy based in Canary Wharf, delivering CREST-accredited penetration testing and adversary simulation to organisations with the most demanding security requirements.
Securing (SecuRing)
Poland's longest-running independent pen testing firm with 50+ consultants. Specialises in application security, cloud testing, and red teaming.
Shielder
Independent Italian offensive security firm specialising in web, mobile, network, and embedded security assessments with a strong research focus.
Stripe OLT
Award-winning CREST-certified managed cyber security and IT support provider with offices in Bristol, London, and Manchester, specialising in penetration testing and Microsoft security technologies.
Swascan
Italian cloud-based security testing firm offering black, white, and grey box pen testing with strong European compliance expertise.
WithSecure
Leading European cybersecurity firm offering penetration testing with deep expertise in EU regulatory compliance including GDPR, NIS 2, and TIBER-EU.
NIS 2 FAQs
Who does NIS 2 apply to?+
NIS 2 applies to essential entities (energy, transport, health, digital infrastructure, etc.) and important entities (manufacturing, food, chemicals, digital providers, etc.) with more than 50 employees or 10M EUR turnover.
What security testing does NIS 2 require?+
Article 21 requires risk-based cybersecurity measures including vulnerability handling, security testing, and cyber hygiene practices. Penetration testing is the primary method for meeting security testing requirements.
When does NIS 2 take effect?+
NIS 2 entered into force in January 2023 with EU member states required to transpose it into national law by October 2024. Most member states have implemented or are implementing national legislation.