PASSI, CREST, OSCP: choosing a pentest provider in Europe
Three labels, three different things
Buyers regularly ask "are you PASSI certified or CREST certified or OSCP?". The honest answer starts with "those are not comparable."
PASSI is a French government accreditation issued by ANSSI for pentest service providers. Mandatory for engagements with French operators of vital importance (OIVs), essential services operators (OSEs) under NIS2, and most public-sector buyers. The label binds the company, not the individual.
CREST is a UK-headquartered industry body. CREST-accredited firms have passed organisational audits. Used heavily in the UK financial sector, increasingly accepted across Europe. Like PASSI, the label binds the company.
OSCP is an individual offensive-security certification from Offensive Security. It binds a person, not a firm. A senior pentester typically holds OSCP and several others (OSEP, OSWE, GPEN). It is a hiring signal, not a procurement label.
When each one actually matters
| Buyer | What they require |
|---|---|
| French OIV / OSE under NIS2 | PASSI mandatory |
| French public sector | PASSI mandatory |
| EU bank under DORA TLPT | TIBER-EU accredited red team (CREST or equivalent) |
| UK or Ireland regulated | CREST strongly preferred |
| EU SaaS vendor selling to public sector | PASSI for the FR market, CREST for the UK |
| Mid-market private SaaS in EU | None legally required, but procurement asks |
Most mid-market private buyers ask the question because they have seen it on a list, not because it is contractually required. A serious provider can usually demonstrate equivalent competence through OSCP holders on staff plus reference clients.
The accreditation that matters for you is the one your auditor accepts. Ask the auditor first, not the salesperson.
What PASSI accreditation actually involves
For a French pentest firm, PASSI is a multi-year process:
- Documented quality management system aligned with ANSSI requirements.
- Audited methodology covering scoping, execution, reporting, and evidence handling.
- Background-checked staff, named lead pentesters, training records.
- On-site audit by an accredited auditor, then ANSSI review.
- Renewal every three years, with surveillance audits in between.
Cost: €100,000 to €300,000 of staff time and audit fees. Twelve to eighteen months. Real moat for serious vendors. We are pursuing it.
How to evaluate a provider when no accreditation is mandatory
Five questions that filter most of the noise:
- Show me a redacted report from a similar engagement. A provider who refuses is not serious.
- What is your false positive rate, and how do you measure it? Anyone who says "zero" without explaining how is selling marketing.
- Who runs the engagement, and what are their certifications? OSCP plus relevant niche certs (OSEP for AD, OSWE for web, GPEN for general).
- How is evidence preserved and signed? Reproducible PoCs are the audit currency, not narrative.
- What is your cadence model? Annual is a 2018 answer. Continuous is 2026.
Where Fleuret fits
We pursue PASSI accreditation. We list reference engagements in the regulated mid-market. Our reports are signed with Ed25519 so an auditor can verify them offline, and findings are mapped to DORA, NIS2, and ISO 27001 control families. Continuous cadence is our default, not a premium tier.
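The offline verification step behind the "how is evidence preserved and signed?" question above, as an added illustration rather than Fleuret's own tooling: the provider signs the raw report bytes with Ed25519, the auditor checks the detached signature against a public key pinned out of band, and a single flipped byte in the report is rejected. The key pair and report text are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SignedReport bundles a report's bytes with its detached Ed25519 signature.
type SignedReport struct {
	Report    []byte
	Signature []byte
}

// SignReport is the provider-side step: sign the raw report bytes.
func SignReport(priv ed25519.PrivateKey, report []byte) SignedReport {
	return SignedReport{Report: report, Signature: ed25519.Sign(priv, report)}
}

// VerifyReport is the auditor-side step. It needs no network access and no
// trust in the delivery channel: only the pinned public key and the files.
// It also returns the SHA-256 of the report so the auditor can cite it.
func VerifyReport(pinned ed25519.PublicKey, sr SignedReport) (bool, string) {
	ok := ed25519.Verify(pinned, sr.Report, sr.Signature)
	sum := sha256.Sum256(sr.Report)
	return ok, hex.EncodeToString(sum[:])
}

func main() {
	// Constructed sample: a throwaway key pair stands in for the provider's signing key.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	report := []byte("Pentest report 2026-Q1 (constructed sample): finding F-01, severity high")
	signed := SignReport(priv, report)

	ok, digest := VerifyReport(pub, signed)
	fmt.Printf("original: valid=%v sha256=%s\n", ok, digest)

	// Flip one byte of the report body: the signature must no longer verify.
	tampered := signed
	tampered.Report = append([]byte{}, report...)
	tampered.Report[len(tampered.Report)-1] ^= 0x01
	ok, _ = VerifyReport(pub, tampered)
	fmt.Printf("tampered: valid=%v\n", ok)
}
```

In practice the auditor's copy of the public key should come from a different channel than the report itself (for example a published fingerprint in the contract), otherwise the signature only proves the report matches whatever key was shipped with it.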
If you are evaluating providers and want to compare, request a demo.
Related reading
- Sovereign EU AI pentest: why FR sovereignty matters in the procurement decision.
- The compliance workflow moat: Jira plus signed audit PDF plus board export.
- DORA pentest requirements 2026: why DORA scope rarely requires PASSI.
- XBOW alternative in Europe: the FR-first EU shortlist.