Public Sector Penetration Testing: NIS2, National Baselines & Government Cybersecurity
Public administration cybersecurity is mandatory under NIS2 (essential entities), national baselines (BSI IT-Grundschutz Germany, ENS Spain, BIO Netherlands, ANSSI RGS France), and government audit requirements. Matproof Sentinel runs targeted public sector pentests with explicit mapping to all major EU national security baselines — from €149.
Why public sector faces unique pentest challenges
Public administration entities face intersecting cybersecurity regulations: NIS2 (EU) designates public administration as 'essential entities' since October 2024. National baselines impose specific technical requirements: BSI IT-Grundschutz (Germany) is mandatory for federal authorities, ENS Real Decreto 311/2022 (Spain) for public administration, BIO 2.0 (Netherlands) for municipalities and ministries, ANSSI RGS (France) for state organizations. Beyond compliance, public sector entities face unique threats: ransomware targeting municipal services (Augusta Georgia 2024, Münster 2023), state-sponsored attacks on government IT, citizen data breaches with severe political consequences. Specific public sector attack patterns include: legacy system exploitation (many systems are 10+ years old), federation/SSO compromises (DigiD NL, ID.me US, Cl@ve Spain), open data API misconfiguration leaking citizen PII, and supply-chain attacks via government IT suppliers.
- NIS2 (EU): public administration entities designated 'essential entities' since Oct 2024 — Art. 21 mandates periodic security testing, fines up to €10M.
- BSI IT-Grundschutz (Germany): mandatory baseline for federal authorities (BSI-Standard 200-2); KRITIS operators must demonstrate compliance.
- ENS Real Decreto 311/2022 (Spain): updated Spanish National Security Scheme — public administration must demonstrate technical compliance.
- BIO 2.0 (Netherlands): Baseline Informatiebeveiliging Overheid mandatory for municipalities, water boards, ministries — annual ENSIA self-assessment includes pentest evidence.
- ANSSI RGS (France): Référentiel Général de Sécurité — mandatory for state organizations; PASSI qualification for sensitive systems.
- Citizen data breaches: 2024 saw municipal breaches affecting 100K-1M citizens each — political fallout typically more severe than financial penalties.
- Open data security: public APIs (data.gov initiatives) frequently leak citizen PII through misconfiguration.
What we specifically test in a public sector application
- Citizen portal authentication: national eID integration (DigiD NL, Cl@ve ES, FranceConnect FR, BundID DE) security, multi-factor implementation.
- Federated authentication: SAML / OIDC flows, signature validation, redirect_uri whitelist, scope minimization.
- Citizen data access: IDOR on citizen records (SSN/AHV/INSEE/CPR-equivalent), administrative ID enumeration, audit logging.
- Open data APIs: PII leakage in 'anonymized' datasets, k-anonymity verification, indirect re-identification risks.
- Public service workflows: tax filing manipulation, benefit eligibility tampering, license/permit application security.
- Legacy system integration: SOAP service security, X.509 certificate management, mainframe interface security.
- Document management: PDF metadata leakage, file upload security, digital signature validation.
- Geographic Information Systems (GIS): location data privacy, cadastral information access controls.
- Procurement portals: tender bid manipulation, supplier authentication, conflict-of-interest detection.
- Audit log integrity: tamper-evident logging, GDPR Art. 32 + national archive law compliance, retention period enforcement.
Sample finding
Citizen portal allows administrative ID enumeration — GDPR mass data exposure
Our pentest of a municipal citizen portal identified user enumeration via the password reset endpoint. The endpoint /api/auth/reset returns different responses depending on whether the citizen ID exists in the system: 'Email sent if account exists' (existing) vs 'No matching account' (non-existing). Combined with the sequential citizen ID numbering (1-based, incrementing for new registrations), an attacker can enumerate the full registered citizen population. In our test, 2.5 hours of automated enumeration confirmed 47,823 registered citizen IDs in the 150K population municipality (≈ 32% of the adult population). While individual data isn't directly exposed, the enumeration enables targeted social engineering against confirmed users, and citizen ID + last name combinations are commonly used for identity verification across other government services.
Fix:
- Immediate action: return a uniform response from the password reset endpoint, always 'If account exists, email sent', regardless of whether the account exists, and take the same time on both paths (constant time) to prevent a timing side channel.
- Rate limit the endpoint by IP.
- Audit the logs of /api/auth/reset over the last 90 days for enumeration patterns (high volume from a single IP, sequential ID requests).
- Notify affected citizens (those confirmed as registered) of the potential targeted-phishing risk.
- Move citizen records from sequential to UUID identifiers.
Reference: CWE-204 Observable Response Discrepancy · OWASP A07:2021 Identification and Authentication Failures · GDPR Art. 32 · NIS2 Art. 21 · BSI IT-Grundschutz APP.3.1
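As an added illustration of the finding and fix above (example code, not the portal's or Matproof Sentinel's own), the leaky responder beside a hardened one that returns a uniform message, does identical work on both paths and rate limits per IP, plus the log check the fix recommends. The endpoint class, log line format, sample IDs and thresholds are assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed sample data: registered citizen IDs (sequential, as in the finding)
REGISTERED = {101, 102, 103, 105, 108}
UNIFORM_MSG = "If account exists, email sent"

def reset_vulnerable(citizen_id):
    """Before: the reply reveals whether the ID exists (CWE-204)."""
    return "Email sent if account exists" if citizen_id in REGISTERED else "No matching account"

class ResetEndpoint:
    """After: one message, identical work on both paths, per-IP rate limit."""
    def __init__(self, limit=5, window=3600):
        self.limit, self.window = limit, window
        self.hits = defaultdict(list)   # ip -> request timestamps in the window
        self.outbox = []                # hypothetical mail queue, consumed out of band

    def reset(self, citizen_id, ip, now):
        stamps = [t for t in self.hits[ip] if now - t < self.window]
        self.hits[ip] = stamps
        if len(stamps) >= self.limit:
            return 429, UNIFORM_MSG       # rate limited, still no existence hint
        stamps.append(now)
        # Always queue a job; the worker drops jobs for unknown IDs, so the
        # request path does the same work whether or not the account exists.
        self.outbox.append((citizen_id, citizen_id in REGISTERED))
        return 200, UNIFORM_MSG

def enumeration_suspects(log_lines, volume=50, seq_run=20):
    """Flag IPs whose /api/auth/reset calls are high-volume or walk sequential IDs."""
    per_ip = defaultdict(list)
    for line in log_lines:
        ip, path, cid = line.split()[1:4]
        if path == "/api/auth/reset":
            per_ip[ip].append(int(cid))
    suspects = {}
    for ip, ids in per_ip.items():
        run = best = 1
        for a, b in zip(ids, ids[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if len(ids) >= volume or best >= seq_run:
            suspects[ip] = {"requests": len(ids), "longest_sequential_run": best}
    return suspects

# Constructed log lines in the assumed format "<ts> <ip> <path> <citizen_id>"
SAMPLE_LOG = [f"t{i} 203.0.113.7 /api/auth/reset {1000 + i}" for i in range(30)] + [
    "t99 198.51.100.4 /api/auth/reset 4242",
    "t100 198.51.100.4 /api/auth/login 4242",
]
```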
Public sector pentest options compared
| — | Free scan | Matproof Sentinel | Traditional consultancy |
|---|---|---|---|
| Automated scan engine | ✓ (3-min preview) | ✓ Full scan | ✗ Manual only |
| OWASP Top 10 coverage | Partial | ✓ Complete | ✓ Complete |
| Proof-of-exploit evidence | ✗ | ✓ Per finding | ✓ Per finding |
| Regulatory mapping (DORA/NIS2/ISO 27001) | ✗ | ✓ Automated | ✓ Manual |
| Audit-ready PDF report | ✗ | ✓ Instant | ✓ 2–4 weeks delivery |
| Continuous / recurring scans | ✗ | ✓ Per deploy | ✗ Annual engagement |
| Time to first result | ~3 min | ~30 min full scan | 2–4 weeks |
| Price | €0 | From €149 | €8,000–€25,000 |
| Source code review (SAST) | ✗ | ✓ On Growth plan | ✓ Scoped engagement |
| API testing (REST/GraphQL) | ✗ | ✓ Automated | ✓ Manual |
Public sector pentest packages
- 1 full pentest scan
- AI-prioritized findings with CVSS 3.1
- Proof-of-exploit per finding
- Audit-ready PDF report
- Regulatory mapping (DORA, NIS2, ISO 27001)
- Unlimited scans (up to 3 domains)
- Continuous monitoring
- CI/CD integration (GitHub, GitLab)
- All regulatory mappings
- Priority support
- Unlimited scans + domains
- Authenticated / White-Box testing
- API & cloud infrastructure tests
- Dedicated security account manager
- 24h SLA response time
Frequently asked questions about public sector pentests
Are you authorized to test government systems?
We test public sector systems with explicit authorization from the responsible authority. We do NOT test critical national infrastructure without the proper authorization process (PASSI qualification in France, BSI accreditation in Germany). For sensitive national security systems, we recommend qualified national PASSI/PASSI-LPM partners.
Do you support BSI IT-Grundschutz compliance documentation?
Yes. Our report includes explicit BSI IT-Grundschutz module mapping (APP.3.1 web applications, APP.4.3 client-server applications, NET.1.1 network design). Sufficient for ISO 27001 'based on IT-Grundschutz' certification.
Do you test government eID integrations (DigiD, Cl@ve, FranceConnect, BundID)?
Yes. Each eID system has specific protocol implementations (DigiD = SAML 2.0, FranceConnect = OIDC, BundID = eIDAS). We test the integration on your side — not the eID system itself.
What's the cost compared to traditional PASSI / qualified audit?
Traditional PASSI / BSI-qualified audit: €30,000-€100,000 per engagement. Matproof Sentinel: €149-€799/mo for ongoing coverage. We recommend a combination: Matproof Sentinel continuous testing plus a qualified national pentest annually.
Can you test legacy systems (SOAP, mainframe interfaces)?
Yes, within scope. Legacy government systems often use unique protocols (SOAP, X.400, older RPC). We adapt our scanners to support legacy protocols within the pentest scope.
How do you handle citizen PII during testing?
We use test environments only — never real citizen data. For production environment testing (when unavoidable), we work with synthetic test citizen accounts and explicit data handling agreements.
Go deeper — related blog articles
NIS2 compliance for public administration
First scan in 3 minutes, complete public sector pentest with NIS2 / national baseline mapping (BSI, ENS, BIO, ANSSI). From €149.
Start free scan