Compliance is currently the most common reason companies order security testing, usually with a hard deadline and the risk of penalties. I deliver penetration tests that meet the requirements of the key regulations and standards, and provide a report ready to present to your auditor or supervisory authority.
The NIS2 directive (transposed into national law across the EU) covers "essential and important entities" across many sectors of the economy. It mandates risk management, regular testing and assessment of the effectiveness of security measures, and incident handling and reporting. Non-compliance carries heavy fines — up to EUR 10M or 2% of annual turnover for essential entities.
I run penetration tests of applications, infrastructure and networks that provide the required evidence of security effectiveness, plus a report with concrete recommendations — ready for an audit or inspection.
The DORA regulation (applicable since 17 January 2025) requires financial-sector entities to regularly test their digital operational resilience, including penetration testing; for the largest institutions, it additionally requires advanced threat-led penetration testing (TLPT).
I have hands-on experience in the financial sector (banking, investment funds). I perform the security testing required by DORA and provide documentation supporting your compliance.
The PCI DSS standard (for organizations handling payment card data) requires regular penetration testing — external and internal, at network and application level (e.g. requirement 11.4) — at least annually and after significant changes.
I perform PCI DSS-aligned pentests and deliver a report you can present to your QSA during the assessment.
ISO/IEC 27001 (Information Security Management System) expects regular assessment of technical vulnerabilities; penetration testing is the standard way to demonstrate the effectiveness of controls (e.g. controls A.8.8 and A.8.29).
I provide the testing and report that support ISO 27001 certification and ongoing maintenance.
I act as an independent penetration testing provider — I deliver tests and reports that support compliance with the above regulations and standards. I am not a certification body or a QSA; the final compliance assessment is issued by the appropriate auditor or supervisory authority.