Digitalisation World: Turning regulatory demands into cyber resilience through pentesting
Digitalisation World shows how penetration testing is becoming central to regulatory compliance and resilience, in an article by Sam Kirkman, Director of Services for EMEA at NetSPI. Read the preview below or view it online.
+++
From regulation to resilience
Regarding “Turning regulatory demands into cyber resilience through pentesting” (Digitalisation World, October 2025): As new frameworks such as the UK’s Cyber Security and Resilience Bill, DORA, NIS2 and GDPR raise expectations, organisations across Europe are under pressure to demonstrate not only strong defences but also continuous diligence.
Sam Kirkman, Director of Services for EMEA at NetSPI, explained that compliance failures already carry heavy costs. The €40 million GDPR fine against Criteo in 2023 underscored how weak governance and transparency, not just breaches, can trigger penalties. Meanwhile, Co-op and M&S are now under investigation by the UK’s Information Commissioner’s Office following cyber incidents, highlighting regulators’ growing focus on prevention and proof of control.
Kirkman emphasised that penetration testing (pentesting) has evolved into a vital compliance enabler. Beyond finding vulnerabilities, it provides hard evidence that controls are tested, effective, and continuously improved. Regulations such as GDPR’s Article 32, NIS2 and DORA either require or imply regular security testing, making pentesting central to compliance rather than optional.
The article explains how structured pentesting generates clear audit trails that can be mapped to compliance clauses. For CISOs, these exercises act as a proactive audit, identifying weaknesses before regulators do, reducing surprises, and demonstrating ongoing remediation. The rise of Pentesting-as-a-Service (PtaaS) now enables continuous validation and real-time results, supporting a stronger compliance narrative.
Kirkman concludes that embedding pentesting within compliance programmes turns regulatory pressure into strategic advantage. By linking findings directly to standards such as GDPR, ISO 27001 and PCI DSS, organisations can show not just one-off adherence, but a living commitment to resilience. Companies that operationalise testing, he noted, don’t just meet minimum requirements, they prove their readiness to withstand evolving threats.
You can read the full article here.
Explore More News
Proof Over Promises: A New Doctrine for Cybersecurity
As cyberattacks grow in frequency and sophistication, traditional assurances like contracts and certifications are no longer sufficient. Instead, vendors must actively demonstrate their security resilience through measurable and continuous validation, such as penetration testing. This proactive approach not only strengthens vendor-customer relationships but also mitigates risks in an increasingly interconnected and vulnerable digital landscape.
The Age of Promises is Over, Vendors Must Now Lead with Evidence-Based Assurances
In today’s evolving cyber threat landscape, traditional vendor assurances like contracts and periodic audits are no longer sufficient. Sam Kirkman emphasizes the need for vendors to shift from trust-based compliance to evidence-based security, where measurable and continuous validation replaces outdated promises.
NetSPI Redefines Pentesting with New User Experience
NetSPI, the global leader in modern penetration testing, today announced a new, modern user experience for the NetSPI platform, reimagining what penetration testing should feel like for today’s enterprise: focused, fast, and easy.