Turning regulatory demands into cyber resilience through pentesting

By Sam Kirkman, Director of Services for EMEA at NetSPI.

As the cyber landscape becomes increasingly hostile, regulatory demands are also tightening. An influx of new requirements, including the UK’s pending Cyber Security and Resilience Bill, Europe’s Digital Operational Resilience Act (DORA), NIS2, and the General Data Protection Regulation (GDPR) is raising the stakes for organisations across the region. Organisations are now expected to not only withstand attacks but also demonstrate ongoing diligence in their security practices. 

Regulators have already demonstrated that failures carry financial consequences. In 2023, the French advertising giant Criteo was fined €40 million for unlawful data processing and profiling practices. The case was not about a dramatic breach but about a weak compliance culture and lack of transparency, a reminder that resilience depends as much on proof of controls as on responding to attacks.  

By contrast, after major cyberattacks this year, Co-Op and M&S now face investigation by the UK’s Information Commissioner’s Office to determine whether they had adequate preventive measures in place. Here, scrutiny follows an actual incident, and organisations that can demonstrate proactive risk identification and remediation are better placed to satisfy regulators and limit potential penalties. 

In this context, penetration testing has emerged as a critical compliance enabler. It provides regulators and auditors hard evidence that security controls are effective and continuously tested, while simultaneously strengthening an organisation’s defences. 

The compliance challenge in EMEA  

Across Europe, organisations face a growing thicket of overlapping and evolving laws. Regulations such as GDPR, NIS2, and DORA, soon to be joined by the UK Cyber Security and Resilience Bill, demand diligent risk management, breach reporting, and resilience testing.

While their scopes differ, these regulations share common expectations: companies must show that they are implementing robust measures against cyberattacks and ensuring that third-party partners do not introduce weaknesses.  

Compliance is therefore not just a box-ticking exercise, but an ongoing demonstration of cyber resilience. Many of these regulations either require or imply the need for penetration testing. GDPR’s Article 32 calls for regular testing of security measures, NIS2 requires organisations to demonstrate cyber risk management and supply chain assurance, and DORA goes further, mandating threat-led penetration testing for certain financial firms. Together, they set a clear expectation: testing resilience is not optional, it is central to compliance. 

Pentesting as a compliance multiplier 

A well-structured pentesting programme does more than uncover vulnerabilities. It generates concrete evidence (findings, reports, and remediation records) that can be directly mapped to compliance clauses.  

For example, discovering and fixing a critical database flaw becomes tangible proof of GDPR risk reduction. Simulated attacks on critical systems provide validation, under NIS2, that resilience measures are working as intended. Advanced red team exercises not only satisfy DORA but also give boards confidence in their organisation’s readiness, or reveal where improvements are still needed. 

For CISOs, penetration testing functions as a practice audit. It highlights weaknesses before official auditors arrive, reduces the risk of surprises, and demonstrates a continuous cycle of testing, remediation, and improvement. It also helps prioritise risks by showing which vulnerabilities would have the greatest business impact if exploited. In this way, pentesting strengthens both the compliance posture and technical security. 

Operationalising pentesting for compliance  

To unlock these benefits, penetration testing must be integrated into the broader security strategy rather than treated as an ad-hoc annual exercise. Scheduling tests to align with compliance reporting cycles ensures that evidence presented to regulators is current and relevant. 

For sectors subject to higher scrutiny, such as finance and critical infrastructure, incorporating advanced threat simulations is increasingly essential. These exercises, often based on real-world threat intelligence, move beyond basic vulnerability checks to test detection and response capabilities, offering regulators the kind of resilience evidence they find most compelling. 

The rise of Pentesting-as-a-Service platforms has also transformed how organisations can approach testing. Instead of waiting for an annual review, CISOs can commission ongoing or on-demand pentests, with results delivered in real time. This model supports a stronger compliance narrative by showing continuous monitoring rather than periodic validation, and helps identify new vulnerabilities introduced by updates or infrastructure changes before they can be exploited. 

Another powerful way to operationalise pentesting is to link findings directly to compliance frameworks. Mapping vulnerabilities and remediation actions to specific clauses in GDPR, ISO 27001, PCI DSS or other standards creates a clear audit trail. Over time, this builds an evidence library that demonstrates not just one-off compliance, but a sustained commitment to resilience.  

Turning compliance into resilience 

By embedding penetration testing into compliance programmes in this way, organisations can turn regulatory pressure into strategic advantage. Instead of scrambling to generate evidence at audit time, CISOs can present a continuous story of security diligence and demonstrate that they are treating compliance as an active, measurable, and evolving practice. 

This approach not only strengthens technical defences but also transforms compliance into a lever for resilience and assurance. For regulators, auditors, boards, and customers alike, the message is clear: companies that embed pentesting are not just meeting minimum requirements, they are actively testing and improving their ability to withstand cyber threats.