Digitalisation World: Turning regulatory demands into cyber resilience through pentesting

Digitalisation World shows how penetration testing is becoming central to regulatory compliance and resilience, in an article by Sam Kirkman, Director of Services for EMEA at NetSPI. Read the preview below or view it online.

+++

From regulation to resilience

Regarding “Turning regulatory demands into cyber resilience through pentesting” (Digitalisation World, October 2025): As new frameworks such as the UK’s Cyber Security and Resilience Bill, DORA, NIS2 and GDPR raise expectations, organisations across Europe are under pressure to demonstrate not only strong defences but also continuous diligence.

Sam Kirkman, Director of Services for EMEA at NetSPI, explained that compliance failures already carry heavy costs. The €40 million GDPR fine against Criteo in 2023 underscored how weak governance and transparency, not just breaches, can trigger penalties. Meanwhile, Co-op and M&S are now under investigation by the UK’s Information Commissioner’s Office following cyber incidents, highlighting regulators’ growing focus on prevention and proof of control.

Kirkman emphasised that penetration testing (pentesting) has evolved into a vital compliance enabler. Beyond finding vulnerabilities, it provides hard evidence that controls are tested, effective, and continuously improved. Regulations such as GDPR’s Article 32, NIS2 and DORA either require or imply regular security testing, making pentesting central to compliance rather than optional.

The article explains how structured pentesting generates clear audit trails that can be mapped to compliance clauses. For CISOs, these exercises act as a proactive audit, identifying weaknesses before regulators do, reducing surprises, and demonstrating ongoing remediation. The rise of Pentesting-as-a-Service (PtaaS) now enables continuous validation and real-time results, supporting a stronger compliance narrative.

Kirkman concludes that embedding pentesting within compliance programmes turns regulatory pressure into strategic advantage. By linking findings directly to standards such as GDPR, ISO 27001 and PCI DSS, organisations can show not just one-off adherence, but a living commitment to resilience. Companies that operationalise testing, he noted, don’t just meet minimum requirements, they prove their readiness to withstand evolving threats.

You can read the full article here.