NIS2 · ENSIA · BIO

Penetration Testing for Municipalities, NIS2-compliant.

Citizen portals and internal municipal applications are both targets and obligations. Resync delivers a manual penetration test with a report that can be used directly in ENSIA self-evaluations, BIO assessments and in correspondence with the regulator. For the full pentest offering, including scope categories and pricing model, see the overview page.

NIS2-compliant reporting Usable in ENSIA Retest included Fixed price
⚡ NIS2 is in force — including for municipalities

Municipalities are explicitly included as "essential entities" in the Cybersecurity Act (Cyberbeveiligingswet, the Dutch NIS2 implementation). Executive liability is enshrined in law. Demonstrable technical verification, such as a penetration test, is no longer optional; it is expected.

Check your obligations →
NIS2 in the municipal context

What the law actually requires.

NIS2 (Network and Information Security Directive 2) has been implemented in the Netherlands through the Cybersecurity Act. Municipalities fall under the heaviest regime as "essential entities". The law demands four things directly relevant to penetration testing:

  • Appropriate technical measures, demonstrably in place, not just on paper
  • Periodic assessment of the effectiveness of those measures
  • Risk analysis based on current threat intelligence
  • Executive liability — aldermen and municipal secretaries are personally liable for negligence

An independent penetration test is in practice the most robust way to demonstrably meet the first two requirements: measures that are actually in place, and evidence that their effectiveness has been assessed. The Resync report is structured so it can be used directly in ENSIA self-evaluations, BIO assessments and NIS2 incident reports to the National Cyber Security Centre (NCSC).

Did you know

Municipality size does not determine whether NIS2 applies: for municipalities the obligation is independent of population count, so a municipality of 12,000 inhabitants has the same obligations as the G4 cities.

Scope

What Resync tests in municipal environments.

Citizen portals & "My Municipality"

DigiD integrations, IDOR on BSN-based resources, record access and application flows.
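As an added illustration of the IDOR class named in this scope item (constructed example, not Resync's test method or any municipal system's code): a record endpoint that takes a BSN from the request and uses it directly as the lookup key is readable by any logged-in resident, while the hardened version binds the requested BSN to the subject asserted by the identity provider. The `Session` fields, the record store and the BSN-like numbers are all assumptions made up for this example.

```python
# Constructed IDOR example: vulnerable lookup beside its hardened form.
# Not code from the page or from Resync; all data below is fictional.
from dataclasses import dataclass

# Constructed sample records, keyed by fictional BSN-like identifiers.
RECORDS = {
    "111222333": {"name": "Resident A", "wmo_case": "open"},
    "444555666": {"name": "Resident B", "wmo_case": "closed"},
}


@dataclass
class Session:
    """Assumed session model: the BSN asserted by the identity provider
    (e.g. DigiD) plus any BSNs the subject may act for (authorised
    representation). Both fields are assumptions for this example."""
    bsn: str
    represents: tuple = ()


class Forbidden(Exception):
    pass


def vulnerable_lookup(session: Session, requested_bsn: str) -> dict:
    """Typical IDOR: the BSN from the URL or query string is used as the
    lookup key. The session is checked for presence only, never for
    ownership of the record being requested."""
    if session is None:
        raise Forbidden("not logged in")
    return RECORDS[requested_bsn]


def hardened_lookup(session: Session, requested_bsn: str) -> dict:
    """Authorisation is decided against the authenticated subject, not
    against the client-supplied identifier."""
    if session is None:
        raise Forbidden("not logged in")
    if requested_bsn != session.bsn and requested_bsn not in session.represents:
        raise Forbidden("not authorised for this record")
    return RECORDS[requested_bsn]


def idor_probe(lookup) -> bool:
    """The check a tester runs: log in as one resident and request another
    resident's record. Returns True when the cross-account read succeeds."""
    attacker = Session(bsn="111222333")
    try:
        lookup(attacker, "444555666")
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    print("vulnerable endpoint leaks:", idor_probe(vulnerable_lookup))  # True
    print("hardened endpoint leaks:", idor_probe(hardened_lookup))      # False
```

The same probe, run against every endpoint that accepts a BSN, zaaknummer or similar identifier, is the core of an IDOR sweep; the interesting cases are endpoints where representation (a parent, guardian or authorised representative) is legitimately allowed and the check is therefore easy to get wrong.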

Permit & subsidy systems

Environmental permits, subsidy applications, WMO forms — often with file uploads and sensitive metadata.

Internal employee applications

Case management systems, base registers (BRP, BAG, BRK), DSO connections and mid-office components.

Public websites

The municipal website itself, council information systems, email campaigns and forms — often primary attack paths.

External chain connections

Diginetwerk, Haal Centraal, environmental agency integrations and joint public arrangements.

Cloud & SaaS vendors

Configuration of vendor environments (Azure tenants, M365, specialist SaaS) and SSO connections.

The report

Directly usable in ENSIA and with regulators.

The report is structured in four blocks, suitable for both the executive team and the CISO/IBO:

  • Executive summary — 1 page, readable by an alderman or municipal secretary
  • NIS2/BIO mapping — findings linked to BIO themes and NIS2 categories
  • Technical detail — reproduction steps, screenshots, priority and remediation path for the development team
  • Retest declaration — after patching, as formal proof of remediation

Real delivery

At a Dutch municipality, Resync delivered a NIS2-compliant report including retest evidence. The report was used in the ENSIA self-evaluation process and as evidence to the Rijksinspectie Digitale Infrastructuur (RDI), without additional follow-up questions.

Frequently asked questions

Questions from municipalities.

Is a pentest mandatory under NIS2?
NIS2 requires demonstrable technical measures and periodic verification. A pentest is not a literal obligation, but it is the standard form of evidence, especially in combination with ENSIA and BIO assessment. Without demonstrable verification, the municipality's executives face personal liability.
How do you handle data from civil registration systems?
Standard testing is done in an acceptance environment with synthetic data. If production is necessary, strict rules apply: no data export, no logging of personal data, all data fragments are demonstrably destroyed after completion. NDA and data processing agreement are standard.
Does a pentest fit in the ENSIA planning timeline?
Yes. The lead time from intake to completed report is typically 1 to 3 weeks. For the ENSIA deadline (annually around May/June), planning in Q1/Q2 is comfortable. Earlier means more time for remediation and retesting.

Demonstrably NIS2-compliant, without the pain.

One conversation about scope, ENSIA context and planning. Fixed-price quote within one business day, free intake, retest included.

Book a free intake →