How often should your company have a pen test performed?

How often does your company need a pen test? Find out the right frequency based on risk profile, compliance requirements and budget. Practical advice for Flemish SMEs.
An IT manager and a Cyberplan expert discuss the ideal pentest frequency using a timeline on a laptop, to determine whether an annual or semi-annual test is needed for their cybersecurity planning.

A pen test (penetration test) is not a one-time action. You probably already know that. But the question we hear most often from Flemish IT managers and business owners is: how often exactly? Every quarter? Annually? Only after an incident? The honest answer: that depends on your specific situation. But there are clear guidelines that will help you determine the right pentest frequency, without overpaying or taking too much risk.

In this article, we give you a practical framework to help you determine the ideal testing frequency for your organization. Based on your risk profile, sector requirements and Belgian regulations.

The basic rule: at least an annual pen test

For most medium-sized companies in Flanders, there is a simple rule of thumb: have a full penetration test performed at least once a year. That’s the minimum frequency recommended by both security experts and most compliance frameworks.

Why annually? Because a pen test is always a snapshot in time. Your IT environment is constantly changing: new software, updates, employees coming and going, links to external parties. Vulnerabilities that don’t exist today may pop up next month. Check Point figures put the average number of cyberattacks on Belgian organizations at 1,288 per week in 2025, up 14% from 2024. The threat landscape doesn’t stand still, and neither can your security testing.

But note that annual is the minimum, not the optimum. Depending on your industry and risk profile, a higher frequency may be prudent.

Five factors that determine pentest frequency for your company

Not every company needs the same frequency of testing. These five factors will help you weigh in.

1. The sensitivity of your data

Does your company process personal data, financial data or medical information? If so, the risk in the event of a data breach is greater, both financially and in terms of reputational damage. Companies that process sensitive data are better off testing semi-annually or even quarterly.

2. The speed of change in your IT environment

Is your team rolling out regular updates? Are you migrating to the cloud? Are you adding new applications or links? Any major change can introduce new vulnerabilities. A good practice: schedule a targeted pen test after every significant infrastructure change.

3. Your industry and related regulations

The industry you operate in partially determines how often you must test. Financial institutions subject to DORA (Digital Operational Resilience Act) are required to test their ICT systems at least annually, and those identified by their competent authority (in practice the larger institutions) must additionally undergo an advanced Threat-Led Penetration Test (TLPT) at least every three years. NIS2 does not mandate an explicit pen test frequency, but it does require organizations to take “appropriate technical measures” to manage cyber risks. A regular pentest is the most concrete way to demonstrate that. ISO 27001 does not literally mandate pentesting either, but auditors do expect it as evidence for your technical vulnerability management (Annex A control 8.8 in ISO/IEC 27001:2022, formerly A.12.6.1 in the 2013 edition).

4. The results of your previous pen test

Did your last test reveal many critical vulnerabilities? Then it is wise to schedule a retest after fixing them, and to schedule the next full pen test sooner. Are the results good? Then the standard annual frequency is usually sufficient.

5. Your budget and capacity

Let’s face it: not every company has the budget for quarterly pen tests. But one pen test is always better than no pen test. Through the VLAIO SME Portfolio, you get up to 45% back on cybersecurity advice and services as a small business, and 35% as a medium-sized business. That makes a professional pen test a lot more feasible.

When it’s better not to wait for the annual pen test

In addition to the regular annual schedule, there are times when it’s better to schedule a pen test right away. Don’t wait until your next scheduled test if any of these situations arise:

After a major infrastructure change: Consider a migration to Microsoft 365 or Azure, the introduction of a new ERP system, or a merger that involves merging networks.

After a security incident: Were you (almost) hacked? A pen test after an incident helps you understand how the attacker got in and if there are any other vulnerabilities.

When a major customer or partner asks for it: More and more companies are requiring a recent pentest report as part of their supplier evaluation. Especially in the context of NIS2, which also has requirements for your supply chain security.

When launching a new application or web shop: Before you go live, you want to make sure your application does not provide an open door for attackers.

When new threats emerge: Remember the Log4j vulnerability (Log4Shell, CVE-2021-44228) in late 2021? With those kinds of large-scale threats, it pays to run a targeted test quickly, focused on the affected component rather than waiting for the next full scope.

The ideal pentest frequency by type of business

To make it concrete, an overview of what we recommend based on business type:

  • Standard SME (50-250 employees, limited sensitive data): at least annually, plus after major changes. Combine annual pen test with regular vulnerability scans (automated, monthly) for continuous insight.
  • Companies in regulated sectors (financial, healthcare, energy): semi-annually to quarterly. Align frequency with requirements of DORA, NIS2 or industry-specific regulations. Financial institutions designated for it by their competent authority must additionally have a TLPT performed at least every three years.
  • Software companies and SaaS providers: with every major release, plus at least annual full infrastructure testing. Integrate security testing into your development process (DevSecOps) for continuous insight.
  • Manufacturing companies with OT environments: annual for IT, and specific OT security assessments when new systems are connected or existing ones are updated. OT pentesting requires a specialized approach because of the impact on production continuity: active scanning or exploitation against PLCs and other controllers can disrupt or halt production, so OT assessments typically rely on passive analysis, configuration review and testing in a maintenance window or on a test setup.

Pentest frequency and compliance: what does the law say?

Belgian and European regulations are becoming increasingly strict, but do not prescribe an exact frequency everywhere. A brief overview:

NIS2: no explicit pen testing requirement, but does require appropriate technical and organizational measures. The CyberFundamentals (CyFun) framework, the Belgian reference framework for NIS2 compliance, expects organizations to regularly test their security. Essential entities must begin compliance assessments by April 18, 2026.

DORA: mandatory annual digital operational resilience testing, plus triennial TLPT for larger financial institutions. In effect since Jan. 17, 2025.

ISO 27001: no set frequency, but annual pen tests are common practice. Auditors expect evidence that you actively manage technical vulnerabilities.

PCI DSS: mandatory quarterly vulnerability scans and annual penetration testing (and again after any significant change to the environment) for companies that process payment card data.

The common thread? “Regular and risk-based” is the standard. An annual pen test is the bare minimum for most companies to demonstrate that you take your duty of care seriously.

Vulnerability scans and pen tests: the ideal combination

A common question: can vulnerability scanning replace pen testing? The short answer: no. But they complement each other extremely well.

A vulnerability scan is an automated check that identifies known vulnerabilities in your systems. Fast, affordable, and ideal as a periodic check (monthly or weekly). A pen test goes further: an ethical hacker manually tests how far an attacker can actually get. That involves creativity, thinking in attack paths, and chaining several small weaknesses into one big problem, something automated tools cannot do.

The smart approach for most Flemish SMEs: combine monthly or quarterly vulnerability scans with an annual manual pen test. That way, you continuously keep an eye on new vulnerabilities, while going in depth with an experienced pentester every year.

Frequently asked questions about pentest frequency

How often should an SME have a pen test performed?

For most SMEs, an annual pen test is the minimum. Companies with sensitive data, rapid IT changes or compliance obligations are better off testing semi-annually. Additionally, monthly vulnerability scans are recommended for ongoing insight.

Is a pen test mandatory under NIS2?

NIS2 does not mandate a pen test literally, but it does require that organizations take appropriate technical measures to manage cyber risks. A regular pen test is the most recognized method of complying with this and demonstrating your duty of care.

What does an annual pen test cost for a Flemish company?

Costs vary depending on scope and complexity. Through the VLAIO SME Portfolio, small businesses receive up to 45% subsidy and medium-sized businesses 35% back on cybersecurity services, making a professional pen test significantly more affordable.

Can I use a vulnerability scan instead of a pen test?

No, a vulnerability scan does not replace a pen test. A scan detects known vulnerabilities automatically, while a pen test by an ethical hacker manually tests how far an attacker can actually get. The combination of both produces the best results.

Should I have another pen test after a major IT change?

Yes, this is strongly recommended. Migrations, new applications, mergers or major updates can introduce new vulnerabilities. A targeted pen test after such a change gives you assurance that your environment remains secure.

How often should financial institutions pen test under DORA?

DORA requires financial institutions to conduct annual tests of their digital operational resilience. On top of that, larger institutions must have a Threat-Led Penetration Test (TLPT) conducted every three years.

Do you know when your next pen test is scheduled?

Determining the right pentest frequency doesn’t have to be complicated. Start with an annual test, tailor the schedule to your risk profile and compliance requirements, and supplement with automated vulnerability scans in between.

Cyberplan helps Flemish companies with professional penetration tests, performed by OSCP-certified ethical hackers. We think along with you about the right scope, frequency and approach, tailored to your situation. And through the KMO-portefeuille (the VLAIO SME Portfolio), you may be eligible for up to 45% subsidy on our services.

Wondering what the ideal testing schedule is for your company? Book a no-obligation consultation and we’ll look at it together.