
Penetration testing — the controlled simulation of cyberattacks to identify exploitable vulnerabilities — has evolved from an optional best practice to a regulatory expectation for businesses in Cyprus. Under NIS2, GDPR and ISO 27001, organisations must demonstrate that they actively assess the effectiveness of their technical security controls. Regular penetration testing is the most credible way to do so.

The Regulatory Driver: Why Cyprus Businesses Must Test

Several overlapping regulatory frameworks now create clear expectations for security testing in Cyprus:

NIS2 Directive

NIS2 Article 21(2)(e) requires in-scope organisations to implement processes for handling and disclosing vulnerabilities, and Article 21(2)(a) requires policies and procedures to assess the effectiveness of cybersecurity risk management measures. While NIS2 does not mandate penetration testing by name, supervisory authorities — including the Digital Security Authority in Cyprus — will expect to see evidence of technical security testing as part of any compliance assessment. Regular penetration testing is the standard mechanism for fulfilling this expectation.

GDPR Article 32

GDPR requires organisations to implement technical and organisational measures appropriate to the risk, and to have a process for regularly testing, assessing and evaluating the effectiveness of those measures. Penetration testing directly satisfies this requirement for the technical layer of a GDPR compliance programme. The Commissioner for Personal Data Protection in Cyprus may request evidence of security testing as part of an investigation following a data breach.

ISO 27001:2022 Annex A Control 8.8

ISO 27001 Annex A control 8.8 (Management of technical vulnerabilities) requires organisations to identify, assess and remediate vulnerabilities in information systems. A Penetration Testing Policy, regular test execution and documented remediation are core components of fulfilling this control.

CySEC-Regulated Firms

Investment firms, payment institutions and other CySEC-regulated entities in Cyprus are subject to DORA (the Digital Operational Resilience Act) from January 2025. DORA introduces explicit requirements for Threat-Led Penetration Testing (TLPT) for significant financial entities — the most rigorous form of adversarial testing, based on real threat intelligence targeting the specific institution.

What Should Be Tested in Cyprus Organisations

The scope of penetration testing should reflect the organisation's attack surface and risk profile. Common test types and their relevance:

  • External network penetration test: Tests the perimeter — internet-facing systems, firewalls, VPN endpoints, web applications and APIs. This is the baseline test every organisation should conduct annually
  • Web application penetration test: Focuses on web applications and APIs using the OWASP Web Security Testing Guide methodology. Essential for any organisation operating a customer-facing web platform or API
  • Internal network penetration test: Simulates an attacker with access to the internal network (insider threat or post-breach lateral movement). Recommended every one to two years for organisations with significant on-premise infrastructure
  • Social engineering / phishing simulation: Tests employee susceptibility to phishing and social engineering attacks. Highly relevant given that credential theft is the leading initial access vector for incidents in Cyprus
  • Cloud security review: Assesses configuration of cloud environments (AWS, Azure, GCP). Increasingly important as Cyprus businesses adopt cloud-first architectures
  • TLPT (DORA): Applies to significant financial entities under DORA. A structured, intelligence-led test simulating the TTPs of real threat actors targeting the specific institution

Selecting a Penetration Testing Provider in Cyprus

The quality of a penetration test depends heavily on the skill and methodology of the testing team. When engaging a provider in Cyprus or internationally, evaluate:

  • Certifications: OSCP (Offensive Security Certified Professional), CREST, or CHECK are the most widely recognised credentials for individual testers. For web application testing, OWASP or GWAPT certification is relevant
  • Methodology: The provider should follow a recognised methodology — OWASP WSTG for web applications, PTES or OSSTMM for network testing
  • Report quality: A high-quality penetration test report provides clear finding descriptions, CVSS severity scores, reproduction steps and specific, actionable remediation guidance — not just automated scanner output
  • Independence: For ISO 27001 and NIS2 compliance purposes, the test must be conducted by an independent party — not internal IT staff testing their own infrastructure
  • Contractual protections: Ensure a signed Non-Disclosure Agreement (NDA) and written Rules of Engagement (RoE) are in place before testing begins

Managing Findings Effectively

The value of a penetration test is realised through effective remediation, not the test itself. A structured approach to finding management includes:

  1. Prioritise by severity: Critical findings require immediate attention — typically within 7 days. High severity within 30 days, medium within 90 days
  2. Assign ownership: Each finding should have a named owner responsible for remediation or risk acceptance
  3. Track progress: Use a dedicated finding management tool to track status, evidence of remediation and retest results
  4. Retest critical and high findings: Engage the test provider to verify that critical and high severity findings are genuinely resolved
  5. Document risk acceptance: Where immediate remediation is not possible, document the business rationale, residual risk level and compensating controls
  6. Report to management: Present a summary of test results, remediation status and trend data to senior management as part of the ISMS performance reporting cycle
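The finding-management steps above, worked through as a small tracker (an added example, not code from the article or any product it describes): CVSS v3.x scores map to severity bands, the article's 7/30/90-day targets drive overdue detection, critical and high findings cannot close without a passed retest, risk acceptance must carry a rationale and compensating controls, and a summary function feeds the management report. The 180-day target for low findings and all sample identifiers are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
# Article targets: critical 7 days, high 30, medium 90; low (180) is an assumed value.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

def severity_from_cvss(score: float) -> str:
    # CVSS v3.x qualitative rating bands
    for threshold, rating in ((9.0, "critical"), (7.0, "high"), (4.0, "medium")):
        if score >= threshold:
            return rating
    return "low"

@dataclass
class Finding:
    ref: str              # tracker id, e.g. "PT-2025-003" (constructed)
    cvss: float
    owner: str            # named person accountable for fix or risk acceptance
    reported: date
    status: str = "open"  # open -> closed, or open -> risk_accepted
    retest_passed: bool = False
    acceptance: dict = field(default_factory=dict)

    @property
    def severity(self) -> str:
        return severity_from_cvss(self.cvss)

    def overdue_on(self, today: date) -> bool:
        due = self.reported + timedelta(days=SLA_DAYS[self.severity])
        return self.status == "open" and today > due

    def close(self) -> None:
        # critical/high findings close only once the provider's retest has passed
        if self.severity in ("critical", "high") and not self.retest_passed:
            raise ValueError(f"{self.ref}: retest evidence required before closure")
        self.status = "closed"

    def accept_risk(self, rationale: str, controls: list) -> None:
        # acceptance must record the business rationale and compensating controls
        if not rationale or not controls:
            raise ValueError(f"{self.ref}: rationale and compensating controls required")
        self.acceptance = {"rationale": rationale, "controls": list(controls)}
        self.status = "risk_accepted"

def management_summary(findings: list, today: date) -> dict:
    # open counts per severity plus overdue refs, for the ISMS reporting cycle
    open_counts = {}
    for f in findings:
        if f.status == "open":
            open_counts[f.severity] = open_counts.get(f.severity, 0) + 1
    return {"open": open_counts, "overdue": [f.ref for f in findings if f.overdue_on(today)]}
```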

Building a Recurring Programme

A single penetration test provides a point-in-time snapshot. Sustained security improvement requires a recurring programme aligned to the organisation's risk profile and regulatory obligations:

  • Annual external perimeter and web application test as a minimum baseline
  • Additional tests triggered by major infrastructure changes, new product launches or significant security incidents
  • Social engineering exercises at least annually, ideally quarterly for organisations in high-risk sectors
  • TLPT at the frequency required by DORA for applicable financial entities

Conclusion

Penetration testing is no longer optional for Cyprus businesses operating in regulated sectors. NIS2, GDPR, ISO 27001 and DORA each create clear expectations for regular, independent security testing. Organisations that invest in a structured, recurring penetration testing programme — with disciplined finding management — significantly reduce their exposure to both cyber incidents and regulatory enforcement action.
