NIS2 never names a "penetration test" outright. But § 30 BSIG requires vulnerability management (Nr. 5) and an assessment of how effective your security measures are (Nr. 6) — and in practice, recurring evidence-producing tests are the most reliable way to satisfy both. Germany's NIS2 implementation act (NIS2UmsuCG) has been in force since 6 December 2025, with no transition period, and affects roughly 30,000 companies across 18 sectors. A focused DeepMantis pentest starts at €890 — with a proof of concept for every finding.
Does NIS2 require a penetration test?
No — not verbatim. Neither the NIS2 directive nor Germany's implementation act names "penetration test" as an obligation. Anyone telling you otherwise is overstating the statute. The honest answer is more precise: two of the ten minimum measures in § 30 BSIG are hard to satisfy cleanly without evidence-producing tests.
§ 30 Abs. 2 Nr. 5 requires (German original):
"Sicherheitsmaßnahmen bei Erwerb, Entwicklung und Wartung von informationstechnischen Systemen, Komponenten und Prozessen, einschließlich Management und Offenlegung von Schwachstellen"
— § 30 Abs. 2 Nr. 5 BSIG ("security in acquisition, development and maintenance of IT systems, components and processes, including management and disclosure of vulnerabilities")
§ 30 Abs. 2 Nr. 6 requires (German original):
"Konzepte und Verfahren zur Bewertung der Wirksamkeit von Risikomanagementmaßnahmen im Bereich der Sicherheit in der Informationstechnik"
— § 30 Abs. 2 Nr. 6 BSIG ("policies and procedures to assess the effectiveness of risk-management measures in information security")
"Management of vulnerabilities" (Nr. 5) presupposes that you know your vulnerabilities — so you have to actively look for them. "Assessment of effectiveness" (Nr. 6) presupposes that you can prove whether your measures actually hold. That is exactly what a penetration test delivers: it finds vulnerabilities and checks whether the controls in place withstand a real attack. That is why the pentest is the practical path to satisfying Nr. 5 and Nr. 6 — not because the law prescribes it, but because no cheaper method produces the same evidence.
Who does NIS2 affect in Germany?
NIS2 affects roughly 30,000 companies across 18 sectors — from energy and healthcare to digital infrastructure, food, and manufacturing. Whether your company is in scope depends on size and sector. The BSI publishes the regulated sectors and thresholds.
The size thresholds follow the EU SME definition that § 28 BSIG adopts: headcount alone, OR turnover and balance sheet total together.
| Entity type | Employees | Alternatively: revenue and balance sheet total |
|---|---|---|
| Important entity (medium) | ≥ 50 | revenue > €10M and balance sheet total > €10M |
| Essential entity (large) | ≥ 250 | revenue > €50M and balance sheet total > €43M |
A company crosses the threshold either on headcount alone or on both financial figures together. A company with 60 employees and €8M revenue is in scope on headcount alone; a company with 40 employees and €12M revenue is in scope only if its balance sheet total also exceeds €10M. Employees and revenue are not both required. Essential status additionally requires a sector from the list of essential-entity sectors, and in some sectors (for instance qualified trust service providers or certain digital infrastructure) the obligation applies regardless of size. Check your sector individually; the classification as an "important" or "essential" entity later determines the level of potential fines.
One point matters: the NIS2UmsuCG has been in force since 6 December 2025 — with no transition period. If you are in scope, you must already be implementing the measures in § 30 BSIG. There is no grace year.
What counts as effectiveness evidence under Nr. 6?
Not every test proves effectiveness. § 30 Abs. 2 Nr. 6 requires an assessment of effectiveness — and an automated vulnerability scan does not assess effectiveness, it lists potential vulnerabilities. The distinction is decisive for NIS2: a scanner reports "port open, version outdated, possibly vulnerable". It does not check whether an attacker can actually exploit that vulnerability.
The defensible effectiveness evidence is a proof of concept per finding. A penetration test takes the step the BSI describes in its practitioner guide: it actively tries to "bypass the security measures in place" and demonstrates vulnerabilities instead of merely suspecting them (see the BSI quotes in the pentest cost article). Only demonstrated exploitability turns an alert into a finding, and a suspicion into effectiveness evidence that holds up in front of a supervisory authority.
DeepMantis delivers exactly that level of proof: every finding is backed by a reproducible proof of concept, and verification runs in isolated browser instances per finding. The audit-ready PDF report documents the attack path, the reproduction steps, and the proven impact per vulnerability — precisely what you have to show for Nr. 6. A scan report without verification does not meet this requirement; at best it satisfies the part of Nr. 5 that concerns detecting vulnerabilities.
How often do you have to test?
A single pentest is a snapshot. But § 30 BSIG does not call for a one-off check — it calls for "policies and procedures", meaning a recurring process. A company that tests once a year and deploys weekly in between carries up to 50 untested releases in production between two tests. Each one can introduce a new vulnerability, and none of them is covered by last year's snapshot.
The BSI notes in its practitioner guide that after every relevant change to an IT system, it should be re-verified whether the required quality and security level is met (BSI guide, cf. pentest cost article). For a sensible frequency, that means:
- Quarterly as a floor for applications with a moderate change rate.
- Monthly for products with sensitive or regulated data under active development.
- Per release for teams shipping weekly — continuous testing instead of a yearly snapshot.
The person-day model makes high frequencies economically unattractive: four manual tests a year at €10,000 each add up to €40,000 per application. Autonomous platforms decouple price from human hours — which is why monthly pentests at DeepMantis start at €99 per month (billed annually). For the recurring effectiveness assessment under Nr. 6, that is the economically viable path.
What does a NIS2 pentest cost against the fine risk?
The economics are unambiguous: the cost of an evidence-producing test is a fraction of the fine ceiling NIS2 sets. Essential entities face up to €10M or 2% of worldwide annual turnover (whichever is higher); important entities up to €7M or 1.4%.
The public DeepMantis price list names three tiers: €890 for a single-surface application, €3,800 for a connected product with sensitive data, and €7,500 for a distributed system with regulated data. Even the most expensive on-demand test sits three orders of magnitude below the fine ceiling for an important entity — and delivers the documented effectiveness evidence § 30 Nr. 6 demands. The fine is only the direct consequence; on top come liability risks for management, which under NIS2 is personally responsible for implementing the measures.
Frequently asked questions
Is a penetration test mandatory under NIS2?
Not verbatim. NIS2 and § 30 BSIG never name a penetration test outright. But § 30 Abs. 2 Nr. 5 (vulnerability management) and Nr. 6 (effectiveness assessment) make evidence-producing, recurring tests the practical way to demonstrate the required measures. Anyone who claims effective controls without testing them still has to prove that claim to the supervisory authority, and there is no cheaper way to produce that evidence.
Is a vulnerability scan enough for NIS2?
A scan helps with the detection part of Nr. 5, but it does not suffice for the effectiveness assessment under Nr. 6. A scanner identifies potential vulnerabilities but does not verify whether they are exploitable. You prove the effectiveness of your controls only by testing them against a real attack — with a proof of concept per finding.
Is there a transition period for NIS2?
No. The NIS2UmsuCG has been in force since 6 December 2025, with no transition period. Companies in scope must already be implementing the measures in § 30 BSIG. A late start does not shorten the obligation — it raises the risk.
How often do I have to test for NIS2?
§ 30 BSIG calls for "policies and procedures" — a recurring process, not a one-off test. The sensible frequency depends on your change rate: quarterly as a floor, monthly for sensitive data, per release for teams shipping weekly.
As of June 2026. The cited statutory provisions are from § 30 BSIG (gesetze-im-internet.de). This page is not legal advice — verify the specific classification of your company with qualified counsel. DeepMantis methodology and scope limits are documented on the security page.