Does NIS2 require continuous pentesting?

NIS2 Annex I mandates regular testing of cybersecurity risk-management measures and incident-handling capability. Member State transposition (e.g., FR ANSSI) interprets 'regular' as quarterly or continuous for essential and important entities. Annual is the floor, not the bar.

Who is in scope for NIS2 in France?

FR transposition expands the regulated perimeter from around 500 to roughly 15,000 organisations. Sectors include energy, transport, banking, financial-market infrastructure, health, drinking water, digital infrastructure, public administration, manufacturing, food, and research.

How does continuous AI pentesting satisfy NIS2 reporting?

Fleuret ships weekly attack-surface coverage proofs and signed findings logs. Combined with Jira integration, the audit trail satisfies NIS2 Article 21 requirements for technical and organisational measures, including continuous validation of incident-handling readiness.

What is the fine exposure under NIS2?

Up to €10 million or 2 percent of global annual turnover for essential entities (whichever is higher). Important entities face up to €7 million or 1.4 percent. Management can be held personally liable for systemic non-compliance.

Continuous AI pentesting: why NIS2 changes the game

The problem: NIS2 asks for continuous, the market delivers one-off

NIS2 came into force in October 2024. The directive requires essential and important entities to run regular security tests, proportionate to risk. "Regular" does not mean "once a year". National regulators converge on a quarterly interpretation, sometimes continuous for critical systems.

Traditional pentesting cannot hold that cadence. Two to four weeks for a report, ten to thirty thousand euros per engagement, time slots negotiated months in advance. Multiply by four engagements per year per scope and the bill becomes unsustainable.

Between two pentests, your deployments ship to production unaudited. Three to twelve months of silent exposure. That is exactly the risk NIS2 is trying to reduce.

Agentic AI as an infrastructure answer

An AI agent that reasons like an expert pentester can launch an engagement on demand, in hours instead of weeks. The economics flip: marginal cost of one more test tends toward zero. That is the condition for turning pentest from one-off event into continuous control.

Three concrete implications:

Every production release triggers a pentest. Not a shallow scan, a real intrusion test against the changed perimeter.
Every finding ships with a PoC. Zero false positives, because the agent exploits to prove, not to alert.
The report is audit-ready. CVSS structure, reproducible evidence, prioritized remediation plan. Auditors no longer have to translate.

What it changes for a CISO

Your cybersecurity continuity plan stops being a calendar of engagements. It becomes a posture. You can present NIS2 auditors a history of tests aligned with your deployment cadence, not with a consultancy's availability.

That is what we are building at Fleuret. If you are a European company subject to NIS2 or DORA and this approach resonates with your strategy, let's talk.

DORA pentest requirements 2026: the sister regulation for EU financial entities.
Why annual pentests are broken: why SaaS now needs continuous testing.
Sovereign EU AI pentest: CLOUD Act, Schrems II, and the EU AI Act in 2026.
Pentest cost in Europe 2026: what continuous NIS2-grade testing actually costs.

Continuous AI pentesting: why NIS2 changes the game

The problem: NIS2 asks for continuous, the market delivers one-off

Agentic AI as an infrastructure answer

What it changes for a CISO

The Fleuret newsletter

Privacy Settings

The problem: NIS2 asks for continuous, the market delivers one-off

Agentic AI as an infrastructure answer

What it changes for a CISO

Related reading

The Fleuret newsletter

Privacy Settings