NIS2 HR Obligations: Pre-Employment Screening, Access Management, and Staff Training Requirements
Most NIS2 briefings reach HR from the IT department — a checklist to review, a training module to schedule, a policy to sign off. What they rarely convey is that HR has direct compliance obligations of its own.
Two provisions of the NIS2 Directive create those obligations. Article 21(2)(i) requires “human resources security, access control policies and asset management” as a minimum risk-management measure. Article 21(2)(g) requires “basic cyber hygiene practices and cybersecurity training” for the organisation’s workforce. Article 20(2) goes further: management body members “are required to follow training” in cybersecurity risk assessment.
These obligations run through the entire employment lifecycle. This guide maps each one to the stage where HR owns delivery: recruitment, onboarding, role changes, ongoing training, and exit.
What NIS2 Requires from HR
Three legally distinct NIS2 demands apply to People teams.

Article 21(2)(i) — Personnel security, access control, and asset management. The Commission Implementing Regulation (EU) 2024/2690 (CIR), which translates Article 21 into binding technical requirements, operationalises this through Section 10 (human resources security): security commitments in employment (CIR 10.1), background verification (CIR 10.2), termination and changes of employment (CIR 10.3), and the disciplinary process (CIR 10.4). For a full breakdown of all ten risk-management measures, see our guide to NIS2 requirements.
Article 21(2)(g) — Basic cyber hygiene and cybersecurity training. All staff must receive regular cybersecurity training. The CIR’s recitals specify that training must address “cyber threats, phishing or social engineering techniques.” This is an ongoing control, not a one-time event.
Article 20(2) — Management training. Member States must ensure that management body members “are required to follow training” to gain sufficient knowledge and skills to “identify risks and assess cybersecurity risk-management practices and their impact on the services provided.” General staff training is encouraged. Management training is a legal requirement — the distinction matters for how HR prioritises and evidences delivery.
All three obligations are proportionate to entity size and risk exposure. Article 21(1) requires that measures reflect “the degree of the entity’s exposure to risks, the entity’s size and the likelihood of occurrence of incidents and their severity.” A 40-person IT service provider operates under the same legal framework as a 4,000-person data centre operator, but the depth and formality of implementation should reflect the actual risk.
Pre-Employment Screening
CIR 10.2 requires background verification before anyone accesses the organisation’s network and information systems. This applies to all staff with any system access — not only technical or senior roles.
Who must be screened. All employees, contractors, temporary workers, consultants, and managed service provider personnel with system or information access are in scope. There is no carve-out for long-standing suppliers or “trusted” third parties.
What checks are required. CIR 10.2 specifies identity verification, professional qualifications, and verification of past professional duties. CIR Recital 22 states that checks “may include” criminal record checks where legally permitted. Reference verification and professional attestations complete the baseline. Criminal record checks require a legal basis under national law — consent alone is insufficient in many EU jurisdictions where such checks are restricted or prohibited.
Proportionality by access level. Screening depth should reflect the actual access risk of the role:
| Role Category | Access Level | Minimum Verification |
|---|---|---|
| General staff (no privileged access) | Low | Identity verification, right to work, professional references |
| Staff with access to personal data or business-critical systems | Medium | As Low, plus professional credentials and criminal record check (where legally permitted) |
| Privileged access: administrators, CISOs, executives | High | As Medium, plus adverse media, sanctions list, and PEP screening |
| Contractors and MSP personnel | Varies | Same criteria as the equivalent employee access level |
GDPR constraint. Criminal record checks in the EU require an explicit legal basis under Article 9 GDPR and applicable national law. Restrictions vary significantly across member states — seek legal advice before running criminal record checks in any EU jurisdiction.
Documentation standard. CIR 10.2 requires a living, centralised register per individual — not a static spreadsheet. Each record must include timestamps, check type, outcome, exception rationale (if a check was waived), and management sign-off. Every action must be attributable and exportable for regulatory review.
Onboarding Security Induction
CIR 10.1 requires that security responsibilities are communicated and formally acknowledged before an employee begins operational duties. In practice, this creates a compliance gate: system access provisioning must follow the completion of the security induction, not precede it.

A compliant onboarding induction delivers:
- Role security brief — which systems the individual may access and the justification for that access level
- Policy acknowledgment — digital, timestamped sign-offs on the information security policy, acceptable use policy, and data handling obligations
- Security awareness module — covering phishing, social engineering recognition, and the organisation’s incident reporting procedure
- Access provisioning gate — system access is granted only after the above are completed and recorded
Granting system access on day one before the security induction runs creates an auditable deficiency. CIR 10.1 requires that access conditions are agreed before access is granted. Digital, timestamped sign-offs are required; paper forms cannot be exported in clause-mapped format, which is the standard regulators request at audit.
Joiner-Mover-Leaver Access Management
CIR 10.3 applies to all changes of employment, not only departures. Every role move is a triggering event requiring a formal access review.

Joiner. Access provisioning begins after the security induction is complete. Access grants should be role-based and follow the least privilege principle: only the access the role requires, nothing carried over from the recruitment process.
Mover. When an employee changes role, the usual default is to add the new permissions and leave the old ones in place. CIR 10.3 requires an active review: permissions that no longer apply to the new role must be formally revoked. An employee who has moved through three roles over five years and accumulated all associated access rights represents a compliance failure. Every HRIS-logged role change must trigger a formal access review — new access granted, superseded access formally closed.
Leaver. CIR 10.3 requires immediate access removal. Asset recovery must be complete: corporate devices, credentials, physical access cards, and remote access tokens. Contractor and supplier leavers receive identical treatment — the standard makes no distinction between employee and third-party departures.
| Stage | HR Trigger | IT Action Required | Documentation Required |
|---|---|---|---|
| Joiner | Contract signed, induction complete | Provision role-based access (least privilege) | Access grant log, induction completion record |
| Mover | Role change confirmed in HRIS | Add new access AND revoke superseded access | Access change log showing both additions and removals |
| Leaver | Departure confirmed | Immediate deactivation of all accounts | Closure trail with timestamps, asset return checklist |
The JML process must be trigger-driven — logged immediately on notification, not at end of day or week. Every exception — a device not returned, an account that cannot be immediately deactivated — requires a documented rationale with an assigned closure deadline. Undocumented exceptions are compliance failures at audit.
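The onboarding gate above (no provisioning before the induction is recorded) and the joiner/mover/leaver rules in this section can be expressed as one small access-register routine. The following is an added example written for this guide, not code from the article or from any HRIS or IAM product: the role names, the entitlement sets, the HRIS event shape and the two-day exception deadline are all constructed for illustration. It shows a joiner blocked until the induction is acknowledged, a mover event that computes both additions and removals, a leaver event that deactivates everything immediately and turns anything that cannot be closed into a logged exception with a rationale and closure deadline, and a flat, timestamped export of the kind an auditor would sample.

```python
"""Trigger-driven joiner/mover/leaver (JML) access register.

Added example for this guide; not the article's own code. Role-to-entitlement
mapping, system names and the exception deadline are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed role-to-entitlement map (hypothetical systems and roles).
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"email", "erp-read", "vpn"},
    "finance-manager": {"email", "erp-read", "erp-approve", "vpn"},
    "sysadmin": {"email", "vpn", "ad-admin", "backup-console"},
}


@dataclass
class AuditEntry:
    ts: datetime
    subject: str
    event: str            # joiner | mover | leaver | exception
    granted: frozenset
    revoked: frozenset
    note: str = ""


@dataclass
class AccessRegister:
    access: dict = field(default_factory=dict)        # subject -> set of entitlements
    log: list = field(default_factory=list)           # attributable, timestamped trail
    open_exceptions: list = field(default_factory=list)

    def _record(self, subject, event, granted=(), revoked=(), note="", ts=None):
        entry = AuditEntry(ts or datetime.now(timezone.utc), subject, event,
                           frozenset(granted), frozenset(revoked), note)
        self.log.append(entry)
        return entry

    def joiner(self, subject, role, induction_complete, ts=None):
        # Onboarding gate: nothing is provisioned until the induction is recorded.
        if not induction_complete:
            raise PermissionError(f"{subject}: induction not recorded; access not provisioned")
        wanted = ROLE_ENTITLEMENTS[role]
        self.access[subject] = set(wanted)          # least privilege: role set only
        return self._record(subject, "joiner", granted=wanted, note=f"role={role}", ts=ts)

    def mover(self, subject, new_role, ts=None):
        # A role change is a review: compute removals as well as additions.
        current = self.access.get(subject, set())
        wanted = ROLE_ENTITLEMENTS[new_role]
        granted, revoked = wanted - current, current - wanted
        self.access[subject] = set(wanted)
        return self._record(subject, "mover", granted, revoked, note=f"role={new_role}", ts=ts)

    def leaver(self, subject, unrevocable=(), reason="", deadline_days=2, ts=None):
        # Immediate deactivation; anything that cannot be closed now becomes a
        # documented exception with an assigned closure deadline.
        current = self.access.get(subject, set())
        pending = set(unrevocable) & current
        if pending and not reason:
            raise ValueError("an exception requires a documented rationale")
        now = ts or datetime.now(timezone.utc)
        self.access.pop(subject, None)
        entry = self._record(subject, "leaver", revoked=current - pending, ts=now)
        for item in sorted(pending):
            deadline = now + timedelta(days=deadline_days)
            self.open_exceptions.append((subject, item, reason, deadline))
            self._record(subject, "exception",
                         note=f"{item}: {reason}; close by {deadline.date()}", ts=now)
        return entry

    def export(self):
        """Flat rows for regulator review (constructed column set)."""
        return [{"ts": e.ts.isoformat(), "subject": e.subject, "event": e.event,
                 "granted": sorted(e.granted), "revoked": sorted(e.revoked), "note": e.note}
                for e in self.log]


def demo():
    """Walk one constructed subject through join, two moves and exit."""
    reg = AccessRegister()
    t0 = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)
    reg.joiner("a.example", "finance-analyst", induction_complete=True, ts=t0)
    reg.mover("a.example", "finance-manager", ts=t0 + timedelta(days=400))
    reg.mover("a.example", "sysadmin", ts=t0 + timedelta(days=800))
    reg.leaver("a.example", unrevocable={"backup-console"},
               reason="console offline for maintenance; ticket <placeholder>",
               ts=t0 + timedelta(days=900))
    return reg


if __name__ == "__main__":
    for row in demo().export():
        print(row)
```

The point of the `mover` step is the `revoked` set: in the demo the move into the sysadmin role strips `erp-read` and `erp-approve` at the same time it adds the administrative entitlements, so the subject never holds the accumulated union of all past roles. The `leaver` step refuses an unrevocable item without a rationale, which is the undocumented-exception failure the section warns about.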
Contractor and Third-Party Security
CIR 10.2 and 10.3 apply to all external personnel with system access. There are no exceptions for trusted vendors, long-standing suppliers, or read-only access arrangements.
Pre-placement screening for contractors must follow the same role-based criteria as employee screening — applying the same proportionality matrix to the equivalent access level. A contractor with administrator privileges requires the same high-level vetting as an employee in the same role. Contractor offboarding must follow the same process as employee offboarding: immediate access revocation, complete asset return, and a documented closure trail.
The most efficient enforcement mechanism is the contractor agreement. Standard agreements should embed:
- Consent to background verification proportionate to the assigned access level
- Confirmation of completed security awareness training before system access is granted
- Access use limitations aligned with the specific role scope
- An access revocation clause triggered automatically at contract end or early termination
Require procurement to make these terms non-negotiable. Contractors who cannot agree to proportionate screening are not suitable for roles involving access to regulated systems.
Annual Security Awareness Refresh
Article 21(2)(g) establishes cybersecurity training as an ongoing risk-management measure. CIR Recital 20 specifies that training must cover “cyber threats, phishing or social engineering techniques.” Annual training is the minimum frequency; significant incidents or material policy changes require additional modules outside the regular cycle.
A compliant annual refresh for general staff covers:
- Phishing and social engineering — how attacks are structured and how to recognise them before acting
- Incident reporting — who to contact, what constitutes a reportable event, and within what timeframe
- Authentication hygiene — multi-factor authentication use and credential management practices
- Acceptable use — data handling standards, remote access rules, and personal device restrictions
Role-based training tracks are more defensible than generic programmes. Technical staff need scenario-based modules relevant to their system access. Management needs risk-framed content focused on decision-making, not operational hygiene. Delivering a single 30-minute e-learning to all staff and logging it as “completed” satisfies neither the spirit nor the evidence standard of NIS2.
Audit-ready records must capture: the individual’s name and role, training module title and version, completion date, assessment score where applicable, and policy acknowledgment date. Auditors sample individual records — a high completion percentage provides no cover if the underlying records are incomplete or missing. For a full treatment of training content, frequency standards, and effectiveness measurement, see our guide to NIS2 cybersecurity training requirements.
Mandatory Management Training (Article 20)
Article 20(2) creates a training obligation legally distinct from the general staff requirement under Article 21(2)(g). The language is unambiguous: management body members “are required to follow training.” For general staff, Article 20(2) uses permissive language — entities “shall encourage” regular training. Management training is a legal requirement. General staff training is strongly encouraged and carries compliance weight, but it has a different legal character.

The content requirement is specific: training must enable management to “identify risks and assess cybersecurity risk-management practices and their impact on the services provided.” This does not require technical proficiency — it requires enough understanding to challenge expert advice, approve appropriate controls, and recognise when risk is being understated.
Accountability under Article 20 cannot be delegated. A CEO who assigns day-to-day cybersecurity oversight to the CISO remains personally accountable for the management body’s compliance. National regulators have the power to temporarily suspend senior management from their roles in essential entities where management accountability obligations are not met. HR directors who sit on the management body are subject to the same mandatory training requirement — and should understand this before scheduling the programme.
HR’s delivery role is straightforward: schedule management training on an annual basis, log attendance and completion, and retain records. Provider and content decisions can involve the CISO. The scheduling, tracking, and evidence function is HR’s.
Exit Procedures
Exit is the highest-risk lifecycle event from a system access perspective. A departing employee who retains access after their last working day creates a compliance gap that is straightforward for auditors to identify — and that regulators treat as evidence of a failed JML control.

CIR 10.3 requires immediate access removal. For employees with privileged access, same-day deactivation is the expected standard. For general staff, the requirement remains immediate — risk level determines enforcement priority, not the timing standard.
The exit checklist must cover:
- All digital access — corporate email, business applications, VPN, cloud services, SaaS platforms the individual used
- Physical access — building keys, office access cards, server room credentials
- Hardware — laptops, mobile phones, security tokens, smart cards
- Known credentials — any passwords or cryptographic keys held by the individual, which must be rotated upon departure
For employees who held privileged access, conduct an exit knowledge capture: what systems could they access, what credentials did they hold, what data did they routinely work with. This is an NIS2 control, not a courtesy procedure — it establishes the scope of what must be secured or rotated following the individual’s departure.
Retain exit documentation — closure trails with timestamps, asset return receipts, and account deactivation logs — for the full statutory retention period, aligned with GDPR in the relevant jurisdiction. For detailed guidance on access control evidence standards, see our complete guide to NIS2 access control and human resources security.
Documentation HR Must Maintain
NIS2 does not prescribe a document management system, but auditors expect records that are organised, attributable, and exportable on demand. Understanding which documentation sits with HR and which sits with IT avoids both duplication and gaps at audit.
| Document | Owner | Location | Audit Relevance |
|---|---|---|---|
| Background check records | HR | HR system / secure HR file | CIR 10.2 evidence |
| Employment contract (security clauses) | HR / Legal | HR system | CIR 10.1 evidence |
| Policy acknowledgment logs | HR | HR system or LMS | CIR 10.1, Art. 21(2)(g) |
| Training completion records | HR / L&D | LMS | Art. 21(2)(g), Art. 20(2) |
| JML access change log | IT (HR-triggered) | ISMS / access management system | CIR 10.3, CIR Section 11 |
| Exit checklist with timestamps | HR + IT | HR file and ISMS | CIR 10.3 evidence |
| Exception logs (waived checks, delayed revocations) | HR / Compliance | ISMS | Gap documentation for auditors |
GDPR retention limits apply. Background check records should not be retained beyond the employment period plus the statutory minimum in the relevant jurisdiction. Where employment law and data protection law overlap across EU member states, seek specific legal advice before setting retention schedules.
Frequently Asked Questions
What background checks does NIS2 require?
CIR 10.2 requires identity verification, professional credential checks, and verification of past professional duties. Criminal record checks are permitted where national law allows. Screening depth must be proportionate to the role’s access level — high-privilege roles require more extensive vetting than general staff positions.
How quickly must access be revoked when an employee leaves?
CIR 10.3 requires immediate revocation. For privileged access, same-day deactivation is the expected standard in practice. Any delay must be documented with a formal rationale and an assigned closure deadline — undocumented delays are treated as compliance failures at audit.
Does the Article 20 management training obligation apply to HR directors?
Yes, where the HR director forms part of the management body. If the HR director sits on the board or the senior management committee that formally approves cybersecurity risk measures, the Article 20(2) mandatory training requirement applies directly.
Do contractors require the same pre-employment screening as employees?
Yes. CIR 10.2 includes contractors, temporary workers, consultants, and MSP personnel without exception. Screening depth should match the access level assigned to the individual, using the same proportionality criteria applied to employees.
Our member state has not fully transposed NIS2. Does the directive still apply?
The NIS2 transposition deadline was October 2024. Commission Implementing Regulation (EU) 2024/2690 is directly applicable to in-scope entities in the digital infrastructure and ICT service management sectors from its entry into force, irrespective of national transposition status. For other sectors, check your national regulator’s implementation timeline.
This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
Sources
- NIS 2 Directive, Article 20: Governance — nis-2-directive.com
- NIS 2 Directive, Article 21: Cybersecurity risk-management measures — nis-2-directive.com
- Commission Implementing Regulation (EU) 2024/2690 — EUR-Lex
- CIR 10.1: Security Commitments in Employment — ISMS.online
- CIR 10.2: Background Verification — ISMS.online
- CIR 10.3: Termination and Change of Employment — ISMS.online
- NIS2 and Employee Background Checks — Indicium
- HR Security in NIS2: Best Practices — Cyberday
- NIS2 Technical Implementation Guidance (June 2025) — ENISA
