
Legally Compliant Penetration Tests: IT Security, Data Protection and the Role of the Works Council
Cyberattacks are among the most significant risks for companies today. The number of professional attacks continues to rise, and in 2024, cyber incidents caused economic damage exceeding EUR 178 billion in Germany alone. Against this backdrop, hardly any organisation can avoid regularly testing its IT systems for vulnerabilities.
Penetration tests are one of the most effective tools for this purpose. They simulate real‑world attacks, uncover security weaknesses and help minimise risks before they can be exploited. At the same time, Pentests often involve systems that process personal data. This brings IT security into direct contact with data protection law – and often with the participation rights of the works council.
Why Penetration Tests Are Essential for Companies
Penetration tests replicate realistic attack scenarios and demonstrate how vulnerable systems actually are. They enable organisations to strengthen their IT security measures and meet regulatory expectations.
The legal requirements arise from various regulatory frameworks – from the NIS‑2‑reformed BSIG (German IT Security Act) to the Cyber Resilience Act and all the way to DORA.
This makes one thing clear: modern IT security is hardly feasible without regular Pentests.
Legal Framework: DSGVO, BSIG, NIS‑2, CRA and DORA
In some areas, penetration tests are explicitly mandated by law. This includes digital health applications subject to Section 139e SGB V (Fifth Book of the German Social Code) as well as financial institutions falling under DORA.
In addition, there are numerous implicit obligations. Companies within the scope of the BSIG, as reformed by the NIS‑2 Directive, must implement comprehensive security and risk management measures. Manufacturers of digital products must demonstrate regular security testing under the Cyber Resilience Act. Moreover, Art. 32 GDPR requires appropriate technical and organisational measures which often cannot be achieved without Pentests.
Data Protection Requirements
Whenever a penetration test involves personal data, a clear legal basis is required. For mandatory tests, Art. 6(1)(c) GDPR applies. Even where a specific Pentest obligation is not expressly stated but required in effect, this legal basis may still be appropriate.
Employee consent is not suitable, as IT security must not depend on voluntary individual decisions. The legitimate interests ground is also weak in situations where the organisation is effectively compelled to conduct Pentests.
In practice, Pentests are frequently performed by external service providers. When an external provider is involved – which is regularly the case – a data processing agreement (Auftragsverarbeitungsvertrag) under Art. 28 GDPR generally must be concluded.
Things become more complex when systems include special categories of personal data under Art. 9 GDPR. In such cases, an additional legal exemption is necessary, often the “substantial public interest” ground under Art. 9(2)(g). Whether this applies must be assessed carefully.
Works Council: Information Duties and Legal Boundaries
The works council also plays an important role in the Pentest process. Employers must inform the works council whenever a measure affects employee data. This is particularly relevant for social engineering tests, which may reveal behavioural responses of individual employees.
Technical details without any link to employee data – such as IP ranges or architectural specifics – do not fall within these information rights.
The decisive question is whether the employer is legally required to conduct the Pentest. If so, there is typically no discretion and therefore no co‑determination right regarding whether the Pentest is carried out.
Regardless of the specific legal framework, Pentest reports must be anonymised so that individual employees cannot be identified. This is essential to avoid the test qualifying as impermissible behavioural or performance monitoring.
Conclusion
Penetration tests are an indispensable component of modern IT security and are legally required in many cases. At the same time, they operate at the intersection of data protection, IT security law and workplace co‑determination.
Organisations should therefore carefully assess:
- the legal basis for the Pentest,
- whether special categories of personal data are affected,
- how external providers are integrated, and
- what information obligations exist toward the works council.
With clear processes and legally sound implementation, Pentests can be carried out efficiently and in full compliance – strengthening a company’s resilience against modern cyber threats.
Florian Groothuis