Vulnerability Scanning & Pentesting for NIS2 & DORA: What You Need to Know

2025 marks a new chapter in the EU. The Digital Operational Resilience Act (DORA) is now live, and in the second half of 2025, the Network and Information Security Directive 2 (NIS2) will take effect for most, if not all, EU Member States.

Björn Leenen, Senior Solutions Engineer

March 28, 2025


NIS2 and DORA: A Brief Overview

As cyber threats evolve, regulatory frameworks like NIS2 and DORA are tightening security requirements for organizations in Important and Critical sectors. Compliance requires a proactive cybersecurity approach. Two essential practices are vulnerability scanning and penetration testing. These regulations impact not only organizations themselves but also their entire supply chain.

Both regulations emphasize proactive security testing, making vulnerability scanning and penetration testing key requirements. A (Continuous) Compliance Monitoring platform is needed to provide tools for regulatory controls, technical requirements, frequent scans, evidence collection, and risk registers.

Aligning With Other Security Standards

Organizations familiar with frameworks like FedRAMP, HIPAA, SOC 2, and ISO 27001 can leverage best practices to align with NIS2 and DORA. For example:

  • SOC 2 security controls align with DORA’s risk management requirements.

  • FedRAMP’s continuous monitoring approach is similar to both DORA’s and NIS2’s security assessment requirements.

  • ISO 27001’s risk-based security measures support compliance with both NIS2 and DORA.

NIS2 Directive

NIS2 aims to improve resilience across the EU by imposing stricter security measures on Essential and Important entities. It covers sectors such as Energy, Banking, Healthcare, Food, Transportation, Postal, and Digital Infrastructure. Organizations must implement risk-based security measures and report security incidents promptly.


DORA

DORA focuses on the financial sector, ensuring that Banks, Insurers, and other Financial Institutions can withstand, respond to, and recover from cyber threats. It mandates continuous monitoring, incident reporting, and third-party risk management to strengthen operational resilience.

Vulnerability Scanning in NIS2 and DORA Compliance

Vulnerability scanning should be automated to identify security weaknesses in networks, applications, and systems. It helps organizations proactively address threats before they turn into exploitable vulnerabilities.

How It Supports Compliance

  • Continuous Risk Assessment – Both NIS2 and DORA require risk-based cybersecurity. Regular vulnerability scanning helps detect and mitigate security weaknesses.

  • Regulatory Reporting & Incident Management – Organizations must report security incidents. Scanning for vulnerabilities helps identify and address issues proactively, reducing the risk of breaches.

  • Third-Party and Supply Chain Security – DORA emphasizes monitoring third-party service providers. Running scans on external assets and third-party connections ensures compliance.


Best Practices for Vulnerability Scanning

As an organization, you should:

  • Conduct regular, automated scans (weekly or monthly) to maintain strong security. Don’t forget roaming endpoints.

  • Prioritize remediation efforts based on severity and exploitability.

  • Integrate scanning into continuous monitoring and threat intelligence processes, reporting results to your Compliance Management platform.
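The three practices above can be turned into a small, repeatable triage step. The following Python routine is an added example, not code from the article or from any scanning or compliance product: it ranks constructed scan findings by severity and exploitability (weighted for critical assets), flags assets that have fallen outside the scan cadence, and emits the summary an evidence register would record. The weekly-for-critical/monthly-for-others cadence, the exploit weighting, and all asset and finding records are assumptions made up for the example.

```python
from datetime import date, timedelta

# Constructed sample inventory and scan output (not real data).
REPORT_DATE = date(2025, 3, 28)          # assumed "today" for the cadence check
ASSETS = {
    "fin-db-01": {"roaming": False, "critical": True,  "last_scan": date(2025, 3, 20)},
    "lt-0417":   {"roaming": True,  "critical": False, "last_scan": date(2025, 2, 1)},
    "web-edge":  {"roaming": False, "critical": True,  "last_scan": date(2025, 3, 27)},
}
FINDINGS = [
    {"id": "F-1", "asset": "fin-db-01", "cvss": 9.8, "exploit_public": True},
    {"id": "F-2", "asset": "lt-0417",   "cvss": 7.5, "exploit_public": False},
    {"id": "F-3", "asset": "web-edge",  "cvss": 5.3, "exploit_public": True},
    {"id": "F-4", "asset": "lt-0417",   "cvss": 4.0, "exploit_public": False},
]

def priority(finding, asset):
    """Severity first, then exploitability, then asset criticality (assumed weights)."""
    score = finding["cvss"]
    if finding["exploit_public"]:
        score += 3.0          # a publicly known exploit outranks CVSS alone
    if asset["critical"]:
        score *= 1.5          # critical infrastructure gets remediated sooner
    return score

def remediation_queue():
    """Finding ids ordered by descending priority (the remediation backlog)."""
    ranked = sorted(FINDINGS, key=lambda f: priority(f, ASSETS[f["asset"]]), reverse=True)
    return [f["id"] for f in ranked]

def overdue_assets(today=REPORT_DATE):
    """Assets whose last scan is older than the cadence: weekly if critical, else monthly.
    Roaming endpoints are checked like any other asset so they are not silently skipped."""
    overdue = []
    for name, a in ASSETS.items():
        limit = timedelta(days=7) if a["critical"] else timedelta(days=30)
        if today - a["last_scan"] > limit:
            overdue.append(name)
    return overdue

def compliance_summary(today=REPORT_DATE):
    """Record suitable for a compliance-monitoring platform's evidence register."""
    return {
        "report_date": today.isoformat(),
        "overdue_assets": overdue_assets(today),
        "overdue_roaming": [n for n in overdue_assets(today) if ASSETS[n]["roaming"]],
        "remediation_queue": remediation_queue(),
    }

if __name__ == "__main__":
    print(compliance_summary())
```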

Penetration Testing in NIS2 and DORA Compliance

Penetration testing (pentesting) goes beyond scanning by simulating real-world attacks to uncover exploitable weaknesses. It also involves human expertise to assess security defenses from an attacker’s perspective.

How It Supports Compliance

  • Demonstrating Cyber Resilience – Both regulations require organizations to prove resilience against cyber threats. Pentesting validates security controls and uncovers attack vectors that scans may miss.

  • Testing Incident Response Capabilities – Simulated attacks help evaluate an organization’s detection and response mechanisms, ensuring quick reactions in real attack scenarios.

  • Meeting Regulatory Testing Requirements – DORA mandates regular testing of digital operational resilience through security assessments. Pentesting verifies security controls and policies.


Best Practices for Penetration Testing

As an organization, you should:

  • Conduct at least annual or biannual pentests, focusing on critical infrastructure and applications.

  • Perform both internal and external tests to assess different attack vectors.

  • Ensure remediation of identified weaknesses and validate fixes with re-testing.

Bridging the Gap

While vulnerability scanning and penetration testing are essential for compliance, their true value lies in strengthening security beyond regulatory requirements. Scanning alone isn’t enough—organizations must integrate these practices into a holistic cybersecurity strategy to achieve real cyber resilience.

Conclusion

Regulatory compliance shouldn’t be a checkbox exercise but an opportunity to strengthen cybersecurity defenses. Vulnerability scanning and penetration testing are crucial for NIS2 and DORA compliance but also critical for proactive threat mitigation. No organization wants to make headlines for a breach or data .

By integrating these practices into a continuous security program, organizations can:

  • Stay ahead of emerging cyber threats.

  • Improve incident detection and response.

  • Demonstrate compliance with regulatory requirements while strengthening overall cybersecurity.

As European regulations evolve, investing in robust security testing strategies will help organizations stay compliant and secure in an increasingly complex threat environment.

About the Author

Björn Leenen

Senior Solutions Engineer, Kaseya

Björn has over 25 years of experience in IT channel and IT distribution. Since 2014, Björn has been CISSP Certified, which is one of the leading certifications in the field of Security. From 2015-2018, he was an IT service provider himself and with that knowledge he ended up at Datto/Kaseya.

In 2019 and 2024, Björn received the title of Most Valuable Person during the Presidents Club that he achieved that same year. In his career at Datto/Kaseya, honesty, openness, Business Continuity, IT Security and Accountability have always been the spearhead of the conversations.

Björn regularly speaks at (inter)national events about his (work) passions such as IT Security and Business Continuity.
