NIS2 training requirements, explained
What the NIS2 Directive actually expects from security awareness training — who's in scope, what 'cyber hygiene' means in practice, and how to prove it works.
The NIS2 Directive significantly raises the bar for cybersecurity across the EU — and unlike its predecessor, it puts awareness training and management accountability front and centre. Here's what it means in plain terms.
What NIS2 says about awareness
NIS2 requires essential and important entities to adopt 'cyber hygiene practices and cybersecurity training.' Crucially, it makes management bodies responsible for approving and overseeing those measures — leadership can no longer treat training as someone else's problem.
Who's in scope
NIS2 covers a much wider range of sectors than NIS1, including energy, transport, banking, health, digital infrastructure, public administration, food, and more. Many mid-sized organizations that were previously exempt now fall under its requirements.
- 'Essential' entities — large operators in critical sectors.
- 'Important' entities — medium and large organizations in other covered sectors.
- Supply-chain partners pulled in by their customers' obligations.
How to prove your training works
Compliance isn't a one-time slideshow. Regulators expect ongoing, measurable risk reduction. That means continuous awareness training, regular phishing simulations, and records you can show an auditor.
- Deliver role-based training on a recurring schedule, not once a year.
- Run phishing simulations and track click and report rates over time.
- Keep completion records and trend data as evidence.
- Report human-risk metrics up to the management body.
Treat NIS2 as a prompt to build a living awareness program. The organizations that do well aren't the ones with the thickest policy binder — they're the ones who can show their people getting measurably harder to phish.