Compliance pentest
Pentest scoping by framework and industry
Practical guides for CISOs scoping penetration testing under DORA, NIS2, ISO 27001, SOC 2 and PCI DSS. Each guide focuses on a single regulator citation and a single industry, with concrete examples and an honest fit assessment.
DORA
Digital Operational Resilience Act
- DORA pentest for banking: a practical 2026 guide for credit-institution CISOsDORA Article 24-27 plus the SSM/EBA supervisory expectations make pentest scoping in banking different from fintech. How credit institutions scope baseline testing, TLPT designation likelihood, and ICT third-party participation.
- DORA pentest for insurance: scoping resilience testing for undertakings and IORPsDORA applies to insurance undertakings, reinsurance undertakings, and IORPs above the size thresholds. How insurance-sector CISOs scope pentest where Solvency II ORSA + DORA Article 24 stack.
- DORA pentest for payments: scoping resilience testing for PIs, EMIs, and acquirersDORA plus PSD2 plus PCI DSS layer cybersecurity requirements on payment institutions and e-money issuers. How payment-sector CISOs scope pentest where TLPT designation hits hardest.
- DORA pentest for fintech: a practical 2026 guide for CISOsDORA Article 24-27 demands resilience testing and threat-led pentests. How fintech CISOs scope it, who must do TLPT, and how continuous AI pentesting fits the regulation.
ISO 27001
ISO/IEC 27001:2022 Information Security Management
- ISO 27001 pentest for fintech: dual-certification path with DORAFintechs pursuing ISO 27001:2022 in parallel with DORA Article 24 face overlapping testing obligations. How to scope one pentest programme that satisfies both auditors and saves the test-fatigue burn.
- ISO 27001 pentest for healthcare: scoping for health-SaaS and EHR vendors selling to EU hospitalsHealth-SaaS and EHR vendors pursuing ISO 27001:2022 face hospital procurement gating on the cert. How to scope pentest with ISO 27799 health-overlay + MDR-adjacent boundaries in mind.
- ISO 27001 pentest for SaaS: what auditors expect in 2026ISO 27001:2022 does not mandate penetration testing, but auditors expect it. How SaaS companies scope pentest for Annex A.8.8, A.8.29, and the technical-vulnerability controls.
NIS2
Network and Information Security Directive 2
- NIS2 pentest for healthcare: scoping resilience testing where IT meets patient safetyNIS2 classifies healthcare providers as essential entities under Annex I sector 5. How hospital and medical-device CISOs scope pentest where IT systems overlap with patient safety and MDR/IVDR jurisdiction.
- NIS2 pentest for telecom: scoping resilience testing for digital infrastructureNIS2 classifies fixed and mobile network operators as essential entities under Annex I sector 8. How telecom CISOs scope pentest across the IT, OSS/BSS, and signalling boundaries.
- NIS2 pentest for transport: scoping resilience testing for rail, aviation, and road operatorsNIS2 classifies transport operators as essential entities under Annex I sector 2. How transport CISOs scope pentest across the IT and OT-signalling boundary in rail, aviation, and road networks.
- NIS2 pentest for water: scoping resilience testing for drinking and waste-water operatorsNIS2 classifies drinking-water and waste-water operators as essential entities under Annex I sector 1. How water-utility CISOs scope pentest at the IT, OT, and SCADA boundary.
- NIS2 pentest for energy: scoping resilience testing for an essential entityNIS2 Article 21 requires risk-based security testing for energy operators classified as essential entities. How energy CISOs map testing to OT, IT, and ICS boundaries.
SOC 2
AICPA SOC 2 Trust Services Criteria
- SOC 2 pentest for fintech: dual-track testing for EU fintech selling to US enterpriseEU fintechs selling into US enterprise customers face SOC 2 Type II as a procurement gate. How to scope pentest that satisfies SOC 2 CC4.1-CC8.1 while reusing DORA Article 24 evidence.
- SOC 2 pentest for SaaS: a practical 2026 guide for fast-shipping teamsSOC 2 Type II auditors expect penetration testing as evidence for CC4.1, CC7.1, and CC7.2. How fast-shipping SaaS teams scope testing without slowing releases.
PCI DSS
Payment Card Industry Data Security Standard 4.0
Need pentest scoping for a framework or industry not listed?Book a demo