
NIS2 Cybersecurity Training Requirements: What Your Organisation Must Do

The human element is involved in more than 60% of cybersecurity breaches. Phishing alone accounts for 60% of initial intrusions observed across Europe. AI-crafted phishing emails now achieve click rates above 50%, compared to 12% for manually written campaigns. Every one of these statistics points to the same conclusion: technical controls alone do not prevent breaches. The people who click, report and decide are part of the control, and they have to be trained like one.

The drafters of NIS2 Directive (EU) 2022/2555 understood this. Training is not buried in the directive as a footnote to technical measures. It appears in two separate articles, aimed at two different audiences, with two different enforcement mechanisms. Article 20(2) requires every member of the management body to personally undergo cybersecurity training. Article 21(2)(g) requires basic cyber hygiene practices and cybersecurity training for all staff. Neither is optional. Neither can be fully delegated.

This guide explains exactly what each requirement demands, who it applies to, what topics must be covered, and what documentation you need to demonstrate compliance during supervisory review.

Article 20(2): Why Management Training Is Non-Negotiable

Article 20(2) of the NIS2 Directive contains language that is unusually direct for EU legislation:

“Member States shall ensure that the members of the management bodies of essential and important entities are required to follow training, and shall encourage essential and important entities to offer similar training to their employees on a regular basis, in order that they gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.”

Every word in this provision matters.

Who must train: the management body

The obligation applies to “members of the management bodies.” This means every director, board member, and senior manager who forms part of the governing body. It is not enough for a CISO to attend training and report back. Each individual member must personally complete the training.

The management body is defined broadly. In a private company, this typically includes the board of directors and, depending on governance structure, senior executives with decision-making authority over cybersecurity risk management. In public sector bodies, it covers whoever holds equivalent leadership authority.

What the training must achieve

Article 20(2) specifies three capabilities the training must enable:

  1. Identify cybersecurity risks — management must be able to recognise when the organisation faces meaningful cyber risk, not just receive summary reports
  2. Assess cybersecurity risk-management practices — they must evaluate whether the measures in place are adequate, which requires substantive understanding of what good practice looks like
  3. Understand the impact on services — training must connect cybersecurity to business operations and the services the entity provides, making risk tangible rather than abstract

This is a materially higher bar than “awareness.” A short general overview of cyber threats is unlikely to meet it. NIS2 management training must give directors enough depth to make informed governance decisions about cybersecurity risk management, including the ability to challenge the risk reports put in front of them rather than simply receive them.

The personal liability dimension

Article 20 is also the provision that establishes personal liability for management. Article 20(1) requires management bodies to approve the cybersecurity risk-management measures taken to comply with Article 21 and to oversee their implementation, and states that they can be held liable for the entity's infringements of that article. The enforcement powers sit elsewhere: competent authorities can impose administrative fines on the entity (Article 34) and, for essential entities only and where earlier enforcement measures have failed, request the relevant courts or bodies to temporarily prohibit persons at chief executive officer or legal representative level from exercising managerial functions in that entity (Article 32(5)(b)).

Management members who have not completed required training are significantly more exposed when regulators investigate an incident. The failure to train is itself a compliance violation — and it undermines any defence of good-faith governance. For the full scope of personal exposure, see our guide to NIS2 penalties and management liability.

Article 21(2)(g): Staff Cyber Hygiene and Awareness Training

Article 21(2)(g) requires essential and important entities to implement “basic cyber hygiene practices and cybersecurity training” as one of the ten mandatory risk-management measures. The Commission Implementing Regulation (CIR) 2024/2690 elaborates this in Annex Section 8 (“Basic cyber hygiene practices and security training”). One scoping caveat: CIR 2024/2690 is legally binding only for the entity types listed in Article 21(5) of the directive (DNS service providers, TLD name registries, cloud, data centre and CDN providers, managed service and managed security service providers, online marketplaces, search engines, social networking platforms and trust service providers). For every other essential or important entity it is the best available statement of what “appropriate and proportionate” looks like, and national transposing laws and supervisory guidance tend to follow it closely, but the binding text is the national law.

The key elements required by Section 8:

  • Scope: the awareness programme must cover all employees, explicitly including members of the management body, and extend to the entity's direct suppliers and service providers. In practice this puts contractors, temporary workers and other third parties with access to the entity's systems in scope
  • Currency: content must address the current threat landscape and common attack vectors relevant to the entity’s sector
  • Practical skills: training must include actionable behaviours — recognising phishing, reporting security incidents, password management, social engineering awareness, and safe handling of sensitive data
  • Regularity: training must be delivered regularly, not only at onboarding. A single induction session does not satisfy the ongoing requirement
  • Measured effectiveness: the entity must assess whether training achieves behavioural change, not simply record attendance
  • Role-based depth: staff in security-sensitive positions require training beyond the baseline awareness programme, covering the specific security implications of their role

Section 8 also requires documented cyber hygiene practices, such as patch schedules, email security configurations, secure configuration baselines and removable media controls. Training and hygiene are treated as inseparable: the policy defines the rules, and training ensures people follow them.

Who Needs What: Training by Role

NIS2 does not prescribe a single programme for everyone. Different roles carry different obligations. The following table maps each group to its specific requirements.

| Role group | Legal basis | Core topics required | Minimum frequency |
|---|---|---|---|
| Management body / board | Art. 20(2), a mandatory personal obligation | NIS2 regulatory obligations; organisational risk landscape; evaluating risk-management effectiveness; personal liability implications; board-level incident reporting obligations | At least annually; plus when significant regulatory or organisational changes occur |
| NIS2 officer / CISO | Art. 21(2)(g) plus professional responsibility | Full NIS2 and CIR requirements; risk assessment methodology; incident handling and the Art. 23 reporting timeline (24-hour early warning, 72-hour incident notification, final report within one month); supply chain security management; all ten Art. 21 measures | Continuous professional development; minimum annual formal review |
| IT and security staff | Art. 21(2)(g) plus CIR Section 8 | Secure configuration; vulnerability management; incident detection and response; backup and recovery procedures; access control management; monitoring and logging | At least annually; technology-specific training as required by role changes or new deployments |
| HR and administrative staff | Art. 21(2)(g) plus CIR Section 10 | Pre-employment screening procedures; secure onboarding and offboarding; handling personal data; document classification; visitor management; access revocation on departure | Annually; at onboarding to the HR role |
| All employees | Art. 21(2)(g) plus CIR Section 8 | Phishing and social engineering recognition; password management and MFA use; reporting suspicious activity; clean desk and screen lock; removable media and BYOD policies; physical security; remote working security | At onboarding; annual comprehensive refresher; ad-hoc alerts for emerging threats |

Required Training Topics Under CIR 2024/2690

CIR 2024/2690 Annex Section 8 provides the most detailed specification of awareness and training requirements; Section 10 (Human Resources Security) adds employment lifecycle requirements. Section 8 sets objectives (awareness of risks, cyber hygiene, role-based skills, tested effectiveness) rather than a syllabus, so the topic lists below combine its requirements with the content most programmes use to meet them. Together they define the baseline your programme should cover.

Section 8 — All-Staff Awareness Topics

  • NIS2 regulatory obligations and the consequences of non-compliance
  • Current threat landscape relevant to the entity’s sector and size
  • Social engineering and phishing recognition and response
  • Password security, password managers, and authentication best practices
  • Email and internet security — safe browsing, link verification, attachment handling
  • Removable media and mobile device security policies
  • Physical security awareness — tailgating, visitor access, secure areas
  • Incident recognition and reporting procedures
  • Data classification and secure handling of sensitive information
  • Clean desk and automatic screen lock policies
  • Remote working security — VPN use, home network risks, public Wi-Fi

Management-Specific Topics (Article 20(2) Competency Requirements)

  • Risk assessment principles and how to interpret risk reports
  • Cybersecurity governance — roles, responsibilities, and board-level oversight
  • Regulatory compliance obligations and enforcement mechanisms under NIS2
  • Business continuity management and the cybersecurity dimension of resilience planning
  • Supply chain security risks and how third-party relationships create exposure

If you are designing or procuring NIS2 management training, use these five areas as your content checklist. Any programme that does not cover all five is unlikely to satisfy Article 20(2).

Training Methods and Delivery

NIS2 and CIR do not mandate specific delivery formats. ENISA guidance is clear that effectiveness matters — not just completion. Different methods serve different purposes.

| Method | Best for | Strengths | Limitations |
|---|---|---|---|
| E-learning platforms | Baseline awareness for all staff | Scalable, trackable, automatic attendance records and quiz scoring | Low engagement; passive consumption rarely changes behaviour without reinforcement |
| Instructor-led workshops | Management training (Art. 20(2)) | Higher engagement, allows questions, credible evidence during supervisory review | Higher cost, scheduling complexity |
| Tabletop exercises | Incident response and crisis management; quarterly for management is a common cadence | Tests actual decision-making under simulated pressure | Requires preparation and facilitation |
| Phishing simulations | Measuring real behavioural change | Most direct effectiveness metric; declining click rates and rising report rates show programme impact | Must be handled sensitively to avoid a punitive culture |
| Emerging threat briefings | Keeping security visible between annual cycles | Short (around 20-minute) sessions on new phishing techniques or sector-specific incidents | Requires a current threat intelligence feed |

Recommended blend for most NIS2 entities:

  • Monthly: phishing simulation for all staff
  • Quarterly: emerging threat briefing (all staff) + tabletop exercise (management and IT)
  • Annually: comprehensive e-learning refresher (all staff) + management workshop covering Article 20(2) competency requirements
  • At onboarding: induction module within the first week of employment
  • Trigger-based: additional training after significant incidents or when new threat intelligence warrants it

A tabletop exercise for the board that runs through a ransomware scenario, including the Article 23 reporting clock (24-hour early warning, 72-hour incident notification, final report within a month), is often the most efficient way to demonstrate in a single session that management can “assess cybersecurity risk-management practices” as Article 20(2) requires. Record the scenario, the decisions taken and the attendees: the exercise only counts as evidence if it is documented.

Frequency and Refresher Requirements

CIR 2024/2690 requires awareness programmes to be repeated and updated at planned intervals and role-based security training to be delivered regularly, without fixing an interval. ENISA's technical implementation guidance offers practical benchmarks; the frequencies below combine those benchmarks with common practice and represent the kind of schedule supervisory authorities are likely to measure against during an audit.

| Training type | Recommended frequency (ENISA guidance and common practice) |
|---|---|
| New employee induction | Within the first week of joining |
| Annual comprehensive refresher (all staff) | Once per year minimum |
| Emerging threat updates | Quarterly |
| Management training (Art. 20(2)) | At least annually; plus after significant incidents or regulatory changes |
| Phishing simulations | At least quarterly; monthly preferred |
| Trigger-based training | After incidents, breaches or near-misses; after significant system or process changes |

Document your training calendar as a planned schedule, not a retrospective log. Supervisory authorities want evidence that training is intentional and systematic, not reactive.

Training Records and Compliance Evidence

Completing training is necessary but not sufficient. You must demonstrate compliance with documentary evidence. During a supervisory review or following a significant incident, you may be required to produce records at short notice.

What to document

  • Attendance records: names, dates, and method of delivery for every training session
  • Training content: materials, slides, or e-learning modules used — sufficient to show topics align with CIR Section 8 and Article 20(2) competency requirements
  • Assessment results: quiz scores, phishing simulation click rates, reporting rates — evidence of effectiveness, not just participation
  • Management attestation: signed confirmation from each management body member that they have completed their Article 20(2) training
  • Training plan: forward-looking schedule showing planned activities, responsible parties, and target audiences
  • Gap analysis: a live record of who has outstanding training, with planned completion dates

Retention period

NIS2 and CIR do not specify a retention period for training records. A common practice is to retain them for at least three years and ideally five, long enough to cover a supervisory review that looks back over several training cycles; check the national transposing law and your sector regulator, which may set their own period. Records should be readily retrievable and should survive employee departures: do not delete records when someone leaves the organisation.

Management attestation as a compliance anchor

For Article 20(2) specifically, introduce a formal annual attestation process: each management body member signs a declaration confirming they have completed required training and understand their personal obligations under NIS2. This creates an unambiguous audit trail — and it focuses minds before the training, not after. The attestation is among the first documents supervisory authorities will request when assessing governance compliance.

NIS2 Training and Awareness Templates

Building a compliant security awareness training programme requires more than delivering sessions. The governance layer — policies, plans, and records — is what makes training auditable and sustainable.

Our NIS2 compliance template library includes documents specifically designed for training obligations:

  • Training and Awareness Plan — a comprehensive planning document covering all roles, topics, delivery methods, frequencies, and responsibilities. Pre-populated with training matrices aligned to CIR Section 8 topic requirements and Article 20(2) competency areas. Includes a training calendar template, gap tracker, and record-keeping log.
  • HR Security Policy — covers the security aspects of the full employment lifecycle, including training obligations at each stage: pre-employment screening, induction training, annual refresher obligations, role-change triggers, and secure offboarding.

Both templates are built to satisfy supervisory scrutiny, with explicit references to the NIS2 articles and CIR sections they implement. For the complete set, see the full template library. For your overall compliance roadmap, use our NIS2 compliance checklist.

Frequently Asked Questions

Can management delegate their NIS2 training obligation?

No. Article 20(2) requires members of the management body to personally undergo training. A CISO or IT director cannot attend on their behalf. Each board member and senior manager must individually complete training that enables them to identify risks and assess the organisation’s cybersecurity risk-management practices.

What happens if a director refuses to complete NIS2 training?

Failure to comply with Article 20(2), as transposed into national law, is a standalone compliance violation. It increases the individual's personal liability exposure under NIS2's enforcement provisions, which include administrative fines against the entity (Article 34) and, for essential entities where other enforcement measures have failed, a request to temporarily prohibit persons at CEO or legal representative level from exercising managerial functions (Article 32(5)(b)). See our full guide on NIS2 penalties and personal liability.

How often must NIS2 training be delivered?

NIS2 and CIR require training on a “regular basis” and at planned intervals without specifying exact intervals. Drawing on ENISA guidance and common practice, the benchmarks are annual comprehensive refreshers for all staff, at least annual management training, quarterly emerging threat updates, and phishing simulations at least quarterly and preferably monthly. Training must also be triggered by significant incidents or regulatory changes.

Do contractors and temporary workers need NIS2 training?

Yes. CIR 2024/2690 Section 8 requires the awareness programme to cover all employees, including members of the management body, and the entity's direct suppliers and service providers. Contractors, temporary workers and other third parties with access to the entity's systems fall within that scope, and the same expectation appears in most national transpositions for entities not directly bound by the CIR.

Can free online courses satisfy NIS2 training requirements?

Yes, provided the content covers CIR Section 8 topics for staff and Article 20(2) competency requirements for management, and you document completion. Generic cybersecurity courses may not cover NIS2-specific obligations such as incident reporting timelines or management governance responsibilities — verify coverage before deployment.

How do we prove our training programme is effective?

CIR Section 8 requires effectiveness measurement beyond attendance tracking. Practical metrics include: phishing simulation click-through and reporting rates over time; quiz pass rates and score trends; incident reporting volume changes (an increase in reported low-level incidents often indicates improved awareness); and time from occurrence to staff report. Document these metrics and include trend analysis in your training records.
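The following Python script is an added example, not code from the original page or from its template library. It computes the effectiveness metrics listed above (click rate, report rate and median time-to-report per phishing campaign, with the first-to-last trend) and the training gap list described under “What to document”, from constructed sample data. All campaign figures, names and dates are invented for illustration; the 365-day window for management training is an assumption matching the “at least annually” benchmark, not a number from the CIR.

```python
"""Effectiveness metrics and training gap analysis for NIS2 training records.

Added example, not code from the original page or its template library.
All figures below are constructed sample data, not real results.
"""
from datetime import date, timedelta
from statistics import median

# Constructed phishing-simulation results, one entry per campaign.
# report_delays_h: hours from delivery to each staff report (sample of reporters).
CAMPAIGNS = [
    {"month": "2025-01", "sent": 400, "clicked": 52, "reported": 40,
     "report_delays_h": [2.0, 5.5, 9.0, 30.0]},
    {"month": "2025-04", "sent": 400, "clicked": 36, "reported": 88,
     "report_delays_h": [1.0, 3.0, 4.5, 12.0]},
    {"month": "2025-07", "sent": 420, "clicked": 21, "reported": 147,
     "report_delays_h": [0.5, 1.0, 2.5, 6.0]},
]

# Constructed training records: last completed session per person (None = never).
RECORDS = [
    {"name": "A. Director", "role": "management", "last_training": "2025-03-10"},
    {"name": "B. Director", "role": "management", "last_training": "2024-01-15"},
    {"name": "C. Director", "role": "management", "last_training": None},
    {"name": "D. Analyst", "role": "staff", "last_training": "2024-11-01"},
]


def campaign_metrics(campaigns):
    """Per-campaign click rate, report rate and median time-to-report (hours)."""
    rows = []
    for c in campaigns:
        rows.append({
            "month": c["month"],
            "click_rate": round(c["clicked"] / c["sent"], 4),
            "report_rate": round(c["reported"] / c["sent"], 4),
            "median_report_h": median(c["report_delays_h"]),
        })
    return rows


def trend(rows, key):
    """Change in a metric from the first to the last campaign (negative = fell)."""
    return round(rows[-1][key] - rows[0][key], 4)


def programme_improving(rows):
    """True when clicks fall, reports rise and reports arrive faster over time."""
    return (trend(rows, "click_rate") < 0
            and trend(rows, "report_rate") > 0
            and trend(rows, "median_report_h") < 0)


def outstanding_training(records, as_of, role=None, max_age_days=365):
    """Names whose last training is missing or older than max_age_days at as_of.

    as_of may be a date or an ISO date string. max_age_days=365 is an assumed
    window matching the 'at least annually' benchmark, not a CIR figure.
    """
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    cutoff = as_of - timedelta(days=max_age_days)
    overdue = []
    for r in records:
        if role and r["role"] != role:
            continue
        last = r["last_training"]
        if last is None or date.fromisoformat(last) < cutoff:
            overdue.append(r["name"])
    return overdue


if __name__ == "__main__":
    rows = campaign_metrics(CAMPAIGNS)
    for r in rows:
        print(r)
    print("click rate trend:", trend(rows, "click_rate"))
    print("programme improving:", programme_improving(rows))
    print("management overdue (Art. 20(2)):",
          outstanding_training(RECORDS, "2025-10-01", role="management"))
```

Run as a script it prints the per-campaign rows, the click-rate trend and the list of management members with no attestation inside the window. Feeding it your real campaign exports and HR training log gives you the trend table and the gap tracker the records section asks for; an increase in report rate alongside a falling click rate is the pattern that shows behavioural change rather than attendance.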

[Infographic: NIS2 Cybersecurity Training Requirements: What Your Organisation Must Do, key facts visualised. Source: nis-2-templates.com]

Sources

  1. Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 (NIS2 Directive), Articles 20 and 21. EUR-Lex.
  2. Commission Implementing Regulation (EU) 2024/2690, 17 October 2024, Annex Section 8 and Section 10. EUR-Lex.
  3. ENISA, Technical Implementation Guidance on Cybersecurity Risk Management Measures, Version 1.0, June 2025. ENISA.europa.eu.
  4. ENISA, Threat Landscape 2025, November 2025. ENISA.europa.eu.
  5. Verizon, 2025 Data Breach Investigations Report. Verizon.com.

This article is for informational purposes only and does not constitute legal advice. For advice specific to your organisation and jurisdiction, consult a qualified legal or compliance professional.
