NIS2 · DORA · Compliance

NIS2, DORA and the End of the Annual Pentest

NIS2 and DORA both push the same uncomfortable idea: security testing must be continuous and evidence-backed. Annual pentests no longer satisfy auditors. We map the regulatory requirements to a continuous AI pentest model and explain what an audit looks like when evidence is generated automatically.

Zero Hunt Research · 4 min read

The European regulatory machine has spent the last three years quietly aligning on a single idea: cybersecurity assurance must be continuous and evidence-backed, not point-in-time. NIS2 says it. DORA says it more explicitly. The AI Act is starting to say it about model risk. Most enterprises have not updated their pentest cadence to match.

This piece is for the CISOs and compliance leads who keep reading "appropriate measures" in a directive and wondering what their auditor will actually want to see in 2026.

What NIS2 actually requires

NIS2 (Directive (EU) 2022/2555) entered Italian law via a legislative decree (decreto legislativo) in late 2024. Article 21 demands "appropriate, proportionate and effective technical, operational and organisational measures." That is vague on paper, but it became very specific in practice once the implementing acts arrived. The measures must cover, among others:

  • Risk analysis and information system security policies
  • Vulnerability handling and disclosure — note the word handling, not audit
  • Security of network and information systems including software acquisition, development and maintenance
  • Effectiveness of cybersecurity risk-management measures

The Italian ACN guidance is even more direct: organisations are expected to demonstrate that the measures remain effective over time, not that they were effective at the time of last audit. A clean pentest report from 18 months ago does not satisfy this requirement.

What DORA adds on top

For financial entities, DORA (Regulation (EU) 2022/2554) layered on top of NIS2 in January 2025 and is far less ambiguous. Articles 24 to 26 introduce:

  • Threat-led penetration testing (TLPT) for significant entities, at least every 3 years.
  • The TIBER-EU methodology became the implementing standard via the RTS 2025.
  • Continuous testing of ICT systems supporting critical functions — Art. 25(1) — using a risk-based approach updated annually.

Two things are notable here. First, TLPT is the minimum: continuous testing is the actual day-to-day requirement. Second, the RTS requires the testing programme to incorporate "the latest threat intelligence" — which is to say, signature-based scanners are not enough.

If you read NIS2 and DORA together, the picture is clear: regulators want to see security testing that runs not only on a calendar schedule but also in response to changes in your environment and in the threat landscape.

Why the annual pentest is dying

The annual pentest survived for two decades for one reason: it was the only thing organisations could buy. The unit economics of human-led testing forced a cadence of months between engagements. A team that just shipped a feature in week one of January has a 49-week wait before their next assurance event.

That model breaks under any of the modern regulatory regimes for the same boring reason: software changes weekly, the threat landscape changes daily, and your evidence base ages out faster than the next audit cycle.

What replaces it is not "more pentests." It is a fundamentally different model.

The continuous AI pentest model

Continuous testing means three things that the annual pentest could never deliver:

  1. The campaign runs while you sleep. Schedule-driven and change-triggered. A new IP appears in the perimeter? It is fingerprinted, scanned, and exploited in the same hour, with the same rigour as the rest of your infrastructure.
  2. Findings carry their own chain of custody. Every action is logged at write time, and every artefact (PoC script, evidence file, screenshot, traffic capture) is cryptographically signed. The auditor receives a verifiable bundle, not a PDF.
  3. The threat intel comes for free. The engine syncs CVE, MITRE ATT&CK, EPSS, KEV and exploit feeds continuously. There is no human bottleneck deciding "should we test for CVE-2026-XYZ this quarter?" — the answer is always yes, automatically.

This is what Zero Hunt is built to deliver, but the model itself is independent of any one product. What matters is the architecture: campaigns that run in response to events, evidence that is signed at source, intel that flows in without human review.

What the audit actually looks like

If you adopt the continuous model, the auditor experience changes shape.

Under the old model:

Auditor: "Show me the pentest from this period."
You: hands over a PDF dated 11 months ago.
Auditor: "Has anything changed since then?"
You: "Many things."
Awkward.

Under the continuous model:

Auditor: "Show me the pentest evidence for asset X for the period Y to Z."
You: runs a query. "Here are 47 campaigns covering that asset in that window. Each finding is signed. Here is the cross-mapping to your NIS2 Title 13 control."
Auditor: moves on to the next control with no further questions.

The second exchange is shorter, cheaper, and demonstrably aligned with what the directive asks for.
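Point 2 of the model above (evidence signed at write time, delivered as a verifiable bundle) and the auditor's "asset X, period Y to Z" query in the second exchange can both be made concrete. The Go program below is an added example, not Zero Hunt's code, schema or product API: it chains evidence records by hash, signs each record with ECDSA P-256 the moment it is written, lets an auditor holding only the public key verify the whole bundle, and answers the asset-and-window query. The field names, the asset name, the control identifier and the artefact digests are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// Evidence is the payload written when an action happens; field names and control-id format are example assumptions.
type Evidence struct {
	CampaignID  string    `json:"campaign_id"`
	Asset       string    `json:"asset"`
	Control     string    `json:"control"`         // control the finding maps to (placeholder id)
	Artefact    string    `json:"artefact"`        // poc, pcap, screenshot, ...
	ArtefactSHA string    `json:"artefact_sha256"` // digest of the artefact bytes
	Timestamp   time.Time `json:"ts"`
	PrevHash    string    `json:"prev_hash"` // hash of the previous record: tamper-evident chain
}

// SignedEvidence is the auditor's view: payload, SHA-256 hex digest, ECDSA P-256 signature (ASN.1 DER) over it.
type SignedEvidence struct {
	Evidence
	Hash      string `json:"hash"`
	Signature []byte `json:"sig"`
}

// NewKey generates the engine's signing key; only the public half is handed to the auditor.
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// digest canonicalises the payload as JSON (fixed struct field order) and hashes it; Marshal cannot fail here.
func digest(e Evidence) []byte {
	b, _ := json.Marshal(e)
	sum := sha256.Sum256(b)
	return sum[:]
}

// Append links the record to the last one in recs, signs it at write time, and returns the extended bundle.
func Append(recs []SignedEvidence, key *ecdsa.PrivateKey, e Evidence) ([]SignedEvidence, error) {
	e.PrevHash = "genesis"
	if n := len(recs); n > 0 {
		e.PrevHash = recs[n-1].Hash
	}
	raw := digest(e)
	sig, err := ecdsa.SignASN1(rand.Reader, key, raw)
	if err != nil {
		return recs, err
	}
	return append(recs, SignedEvidence{Evidence: e, Hash: hex.EncodeToString(raw), Signature: sig}), nil
}

// Verify (auditor side, public key only) re-derives digests and checks chain links and signatures;
// it returns the index of the first failing record, or -1 if the whole bundle is intact.
func Verify(recs []SignedEvidence, pub *ecdsa.PublicKey) int {
	prev := "genesis"
	for i, r := range recs {
		raw := digest(r.Evidence)
		if r.PrevHash != prev || hex.EncodeToString(raw) != r.Hash || !ecdsa.VerifyASN1(pub, raw, r.Signature) {
			return i
		}
		prev = r.Hash
	}
	return -1
}

// Query answers "show me the evidence for asset X in the window Y to Z" (inclusive bounds).
func Query(recs []SignedEvidence, asset string, from, to time.Time) []SignedEvidence {
	var out []SignedEvidence
	for _, r := range recs {
		if r.Asset == asset && !r.Timestamp.Before(from) && !r.Timestamp.After(to) {
			out = append(out, r)
		}
	}
	return out
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample records; asset name, control id and artefact digests are placeholders.
	start := time.Date(2026, 3, 1, 9, 0, 0, 0, time.UTC)
	var recs []SignedEvidence
	for i, kind := range []string{"poc", "pcap", "screenshot"} {
		recs, err = Append(recs, key, Evidence{CampaignID: fmt.Sprintf("campaign-%d", i+1), Asset: "web-01",
			Control: "CONTROL-ID-PLACEHOLDER", Artefact: kind, ArtefactSHA: "0000",
			Timestamp: start.Add(time.Duration(i) * time.Hour)})
		if err != nil {
			panic(err)
		}
	}
	fmt.Println("intact bundle, first bad index:", Verify(recs, &key.PublicKey))                                    // -1
	fmt.Println("records for web-01 in 90 minutes:", len(Query(recs, "web-01", start, start.Add(90*time.Minute)))) // 2
	recs[1].ArtefactSHA = "ffff" // an after-the-fact edit to one piece of evidence
	fmt.Println("tampered bundle, first bad index:", Verify(recs, &key.PublicKey)) // 1
}
```

Run it with `go run`. The tamper step is the point of signing at source: an edit to one artefact digest made after the fact is reported at that record's index, and because each record carries the previous record's hash, deleting or reordering records breaks the chain in the same way. In a real deployment the private key would sit in an HSM or cloud KMS and the public key would reach the auditor out of band; here it is generated in memory for the demonstration.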

Where Zero Hunt fits

We built Zero Hunt because no existing tool combined continuous AI pentesting with automatic compliance mapping. The platform covers 32 frameworks out of the box, including the full NIS2 (Title 13 added in our 2026-05-07 release) and the DORA TLPT RTS 2025 ruleset. Evidence is ECDSA-signed at generation; the Trust Center exports auditor-ready bundles in one click.

If you have an upcoming NIS2 or DORA audit and your evidence base is "the last annual pentest", the conversation is worth having now, not after the audit. The features section details how evidence collection, ECDSA signing and Trust Center export are wired; the platform overview covers the three pillars end-to-end; or request a demo and we will walk through your specific audit scope with you.

In the meantime, the meta-point: regulators are not asking for more documents. They are asking for living security. The tooling has finally caught up.