Penetration Testing Compliance Requirements (2026)
PCI DSS · SOC 2 · ISO 27001 · HIPAA · NIS2 · DORA — what each framework demands, tester qualifications required, and cost premiums explained.
We do not sell penetration testing services. This site is not affiliated with any pentest vendor or security firm. All prices are independently researched from publicly available quotes, industry surveys, and published rate cards.
Compliance Requirements Overview
| Framework | Pentest Required? | Frequency | Tester Qualification | Cost Premium |
|---|---|---|---|---|
| PCI DSS v4.0 | Yes — explicit | Annual + post-change | CREST / QSA | +20–35% |
| SOC 2 | Expected | Annual | Auditor-approved | +10–20% |
| ISO 27001:2022 | Best practice | Annual | Certified tester | Minimal |
| HIPAA | Due diligence | Annual | BAA required | Variable |
| NIS2 (EU) | Yes — Article 21 | Annual | CREST preferred | Standard |
| DORA (EU) | Yes — TLPT (Art 26) | Every 3 years | TIBER-EU / CBEST | +200–400% |
PCI DSS v4.0
Required · Requirement 11.3 · Annual + after significant changes to CDE
Typical compliance scope: £8,000–£20,000 ($10,000–$25,000)
Mandated: Yes — explicitly required
Qualification: CREST-accredited firm or QSA-qualified tester strongly preferred
Cost Premium: +20–35% over standard pentest
- Requirement 11.3.1: External penetration testing of CDE perimeter
- Requirement 11.3.2: Internal penetration testing of CDE
- Segmentation testing required if used to reduce scope
- Must be performed by qualified internal resource or qualified external party
- Report must document all test results, penetration testing methods, and remediation
- Re-testing required after significant changes to CDE or environment
A PCI DSS pentest report has a specific structure that a standard pentest report may not meet. Tell your provider it's for PCI compliance at scoping stage — they need to scope to the CDE boundary, test segmentation controls, and format the report to QSA requirements.
A generic pentest report often fails compliance audits. Tell your vendor the specific framework at scoping stage — they need to adjust methodology, scope, and report format accordingly.
SOC 2
Expected · CC6.1, CC6.6 · Annual (evidence required for Type II period)
Typical compliance scope: £6,000–£15,000 ($8,000–$19,000)
Mandated: Not explicit — auditor-expected best practice
Qualification: Any qualified tester accepted by auditor
Cost Premium: +10–20% for audit-ready documentation
- CC6.1: Logical access controls — pentest provides evidence of boundary enforcement
- CC6.6: Network protection — pentest validates external boundary controls
- Type I reports rarely require pentest evidence
- Type II reports: auditors increasingly require annual pentest for tech companies
- SOC 2 report without pentest evidence is a risk finding — may generate qualified opinion
- Auditor must accept your tester — confirm this before engagement
Ask your SOC 2 auditor specifically what pentest evidence they need before selecting a tester. Some auditors require their own preferred vendor list; others are flexible. This can save you from a costly re-test.
ISO 27001:2022
Best practice · Annex A 8.8 / 8.29 · Annual (aligned with surveillance audit cycle)
Typical compliance scope: £5,000–£14,000 ($6,000–$18,000)
Mandated: Best practice — increasingly expected by certification bodies
Qualification: Certified tester preferred; ISO 27001 Lead Auditor may also expect CREST
Cost Premium: Minimal — standard pentest rates apply
- Annex A 8.8: Management of technical vulnerabilities — requires vulnerability assessment and testing
- Annex A 8.29: Secure development — penetration testing is the standard evidence mechanism
- No explicit 'penetration test required' mandate — but auditors expect technical evidence
- Vulnerability assessment + pentest together provide strongest ISO 27001 evidence
- Certification bodies (BSI, Bureau Veritas, SGS) increasingly expect annual pentest evidence
- Statement of Applicability must address controls — if A.8.8 is applicable, testing is expected
ISO 27001 does not use the phrase 'penetration test' explicitly — but Annex A 8.8 (technical vulnerabilities) and 8.29 (secure development) together make a strong case. Most certification bodies now expect a pentest as supporting evidence.
HIPAA
Due diligence · Security Rule §164.308(a)(8) · Annual recommended; after significant system changes
Typical compliance scope: £6,000–£18,000 ($8,000–$22,000)
Mandated: Not explicit — OCR breach settlements cite it as expected due diligence
Qualification: BAA required with tester — they will access PHI-adjacent systems
Cost Premium: Variable — BAA and HIPAA scope complexity adds time
- §164.308(a)(8): Evaluation — requires periodic technical and non-technical evaluations
- OCR breach investigations consistently cite lack of penetration testing as a contributing factor
- Covered entities and Business Associates both carry security obligations
- HIPAA does not define 'evaluation' as penetration testing — but OCR guidance and settlements do
- Your tester is a Business Associate — a Business Associate Agreement (BAA) is required
- Scope: any system storing, transmitting, or processing Protected Health Information (PHI)
HIPAA is unusual in that penetration testing is not explicitly required, but the OCR has cited its absence in multiple enforcement actions. The safe harbour is demonstrating reasonable due diligence — an annual pentest is the clearest evidence of this.
NIS2 Directive
Required · Article 21 — risk management measures · Annual (implied — regulators expect regular testing)
Typical compliance scope: £6,000–£20,000 ($8,000–$25,000)
Mandated: Yes — Article 21 mandates comprehensive cybersecurity measures including testing
Qualification: Qualified security tester; CREST preferred for essential entities
Cost Premium: Standard rates apply — no defined NIS2 premium yet
- Article 21(2)(e): Vulnerability handling and disclosure policies
- Article 21(2)(g): Basic cyber hygiene practices and cybersecurity training
- Article 21(2)(h): Policies and procedures for cryptography and encryption
- Applies to essential entities (energy, transport, banking, health, digital infrastructure) and important entities
- Member states must transpose into national law — UK has separate (but equivalent) updated NIS Regulations
- Enforcement: supervisory authorities can impose fines up to €10M or 2% of global turnover
NIS2 came into force across EU member states in October 2024. If your organisation qualifies as an essential or important entity, regulators will expect evidence of systematic vulnerability management including penetration testing. There is currently no formal NIS2 tester certification scheme — CREST accreditation is the best proxy.
DORA (EU)
TLPT required · Article 26 — Threat-Led Penetration Testing · Every 3 years for TLPT; annual standard testing expected
Typical compliance scope: £40,000–£150,000+ ($50,000–$190,000+)
Mandated: Yes — TLPT explicitly mandated for significant financial entities
Qualification: TIBER-EU or CBEST qualified external provider — strict requirements
Cost Premium: +200–400% — TLPT is a full adversary simulation, not a standard pentest
- DORA applies to financial entities: banks, insurers, investment firms, crypto asset service providers
- Applies to significant entities only — competent authority determines scope
- Article 26(2): TLPT must cover at least 3 critical or important functions
- Article 26(8): Tester must be independent, have specific capabilities, be TIBER-EU or CBEST qualified
- TLPT is a live adversarial simulation on production systems — requires senior management sign-off
- Results shared with competent authority under Article 26(7)
- DORA came into force January 2025 — first TLPT cycle expected 2025–2026
DORA TLPT is in a different category to standard penetration testing. It is a live adversary simulation on production systems following TIBER-EU or CBEST methodology, involving your competent authority (ECB, FCA equivalent) and requiring a qualified external threat intelligence provider. Only Tier 3 (Big 4 / specialist red team firms) are qualified to deliver DORA TLPT.
Compliance Buying Guide
If you are testing for compliance, always tell your vendor upfront. The report format, evidence requirements, and scoping methodology differ significantly from a standard pentest. A generic CVSS-scored technical report will often not satisfy a PCI QSA, SOC 2 auditor, or NIS2 regulator. The additional cost premium (10–35%) is worth paying — a failed audit costs more than the difference.