NIS2 Training Requirements: Complete Guide to Cybersecurity Education

NIS2 requires cybersecurity training for both management and employees. Get an overview of the requirements, what the training should include, and how to get started with compliance.

NIS2 requires that both management and employees in covered organisations receive proper training in cybersecurity.

This article examines the training requirements in NIS2, including who must be trained, what the training should contain, and tips for getting started.

You can read our introduction to NIS2 if you want an overview of the directive.

Training is a Management Responsibility

NIS2 places particular responsibility on management's involvement in steering the organisation's cybersecurity efforts, and therefore it is both a good idea and a requirement that members of management must have the necessary knowledge, which can come through participation in relevant cybersecurity courses. This ensures that management has a stronger professional foundation for managing these risks.

At the same time, NIS2 requires that measures include basic cyber hygiene practices and cybersecurity training, which employees must therefore be educated in.

This requirement must be met continuously, which means that you cannot simply ask relevant employees to take a one-off course. You must instead ensure that everyone in the organisation has skills in 'basic cyber hygiene practices'. Therefore, the organisation should establish a plan for how knowledge and behaviour are developed and maintained over time.

So there is both a NIS2 requirement for training for managers and the organisation as a whole, and that everyone has the necessary knowledge and practice in cybersecurity to fulfil their roles.

What Should Management Training Contain?

To comply with NIS2, management must have sufficient knowledge of cybersecurity so they can make qualified decisions about it. NIS2 therefore requires that members of management acquire knowledge and skills, for example through relevant courses on managing cybersecurity risks. There are no rigid requirements for how this should be met. What's important is that management as a whole gains the competencies to understand cybersecurity threats, assess the organisation's risks, and make qualified decisions on the subject.

For example, it would be appropriate for management to be trained in general IT security courses, risk management, relevant legal requirements in the IT area, and relevant IT security standards.

Examples of Relevant Training for Management

General courses in cyber and information security – Introduction to the cybersecurity landscape and threat picture
Targeted executive courses – Strategic cybersecurity leadership for directors and board members
Workshops on governance and strategy – Focus on the organisation's specific needs and sector
Certification courses – For example ISO 27001 or other information security standards
Internal courses – Teaching that focuses on management's specific organisation and sector

NIS2 does not establish detailed requirements for the form and content of training, but it is important that training is seen in the light of NIS2, which concerns cybersecurity in critical infrastructure, and in light of the management requirements NIS2 sets regarding governance.

What Should Employee Training Contain?

It is employees who work daily with systems, data, and communication, and who are therefore also the most important in the organisation's daily cybersecurity efforts. NIS2 therefore also emphasises that cybersecurity is about behaviour and competencies in individual employees.

Management should encourage employees to receive corresponding training, meaning that employees also receive education that corresponds to their role in the organisation, which may therefore be different from management's training.

Awareness Training for All Employees

For example, you can educate employees with awareness training, which all employees complete, and which lays a foundation for employees' awareness and knowledge of cybersecurity. This can happen through an e-learning course that explains the most common threats such as phishing and other social engineering attacks, password security, information sharing, and physical security.

Training must be understandable and relevant to everyone with responsibility for delivering the critical service to end users. This can be operational staff who have direct access to production facilities, or administrative staff with access to central systems, as well as anyone with access to the organisation's facilities.

Targeted Training for Critical Personnel

You should ensure that staff with particular responsibility for the delivered service, such as operational staff or IT, receive training that aligns with the risk assessment. Critical personnel should therefore have targeted training, as their work entails greater risk for service delivery.

Targeted training can also take place as e-learning courses with specialised courses, or with internal workshops on the topics, or through participation in external training courses. What's most important is that employees are continuously trained so they can each handle the risks that the organisation and sector face.

Employee Group	Training Needs	Examples
Management	Strategic cybersecurity, governance, risk management	Executive courses, ISO 27001, workshops
All employees	Basic cyber hygiene, phishing, passwords	Awareness training, e-learning
IT personnel	Technical cybersecurity, incident response, network security	Certifications, technical courses
Operational staff	Operational security, physical security, procedures	Targeted workshops, on-the-job training
HR & Administration	Data protection, confidential information, social engineering	GDPR courses, awareness training

Documenting Training

Training must be documented, for example with a course certificate or written confirmation of participation, so it can be provided to authorities during inspection.

If you choose to conduct your own training courses, you can create a participant list, describe the learning objectives and course content, and save the training materials. It doesn't need to be complicated.

What Should Be Documented?

✓ Participant lists – Who has completed which courses
✓ Course content – What was taught
✓ Learning objectives – What participants should learn
✓ Course certificates – Documentation of completed training
✓ Training materials – Slides, manuals, e-learning
✓ Evaluations – Tests or assessments of learning

Use information security software to keep track of documentation and ensure all employees are up to date with their training.

Training Policy: Structured Approach to NIS2 Requirements

NIS2's requirements for the organisation's cybersecurity training are significant, and therefore it is also a good idea to take a structured approach to the requirement by creating a training policy or plan.

Your training policy can describe the different employee groups and their tasks. You can use this to provide targeted training, so that tasks involving greater risks receive targeted training.

What Should a Training Policy Contain?

Purpose and scope – Why do we train, and who does it cover?
Roles and responsibilities – Who is responsible for what in training work?
Training needs per role – What competencies are required in different positions?
Training content – Which topics should be covered?
Frequency – How often should training be repeated?
Delivery method – E-learning, workshops, external courses?
Documentation and follow-up – How is training documented and evaluated?
Updates – How is the policy kept current with new threats?

You should specify the purpose of training for each employee group, and then organise their training accordingly, such as content, frequency, tests, and documentation.

The training policy doesn't need to be long, and should simply be used as operational help for training work, and it also functions as documentation.

Non-Compliance with NIS2 Training Requirements

If your organisation does not meet NIS2's training requirements, it can have consequences for management, who can be sanctioned, and additionally the organisation can receive a fine.

NIS2 involves personal management liability, which means that board members or directors can become personally liable in cases of gross negligence, including lack of cybersecurity training.

Fines for non-compliance can be significant:

Essential entities: Up to €10 million or 2% of global annual turnover
Important entities: Up to €7 million or 1.4% of global annual turnover

In addition to financial sanctions, lack of training can also weaken the organisation's actual cybersecurity and increase the risk of security incidents.

Take Action: Getting Started with NIS2 Training

NIS2 sets training requirements for both management and employees. Here's a practical approach to getting started:

Step 1: Assess Current Competencies

Map existing cybersecurity knowledge in the organisation
Identify competency gaps in relation to NIS2 requirements
Prioritise which areas require most urgent training

Step 2: Develop Training Policy

Define roles and their training needs
Establish frequency and delivery methods
Set up documentation procedures

Step 3: Implement Training

Start with management training – it sends an important signal
Roll out awareness training to all employees
Provide targeted training to critical personnel

Step 4: Document and Evaluate

Keep track of who has completed which courses
Evaluate the effectiveness of training
Update and adjust continuously based on new knowledge and threats

Organise the organisation's training so it matches roles and needs, and describe all this in a training policy. This will make it easier to decide how the training requirement is continuously met, and adjust the training effort as needed.

At .legal, we can help you structure your NIS2 compliance, including handling training requirements and documentation. See how our Frameworks module supports NIS2 compliance or book a demo.

Frequently Asked Questions about NIS2 Training Requirements

Who must be trained under NIS2?

NIS2 requires that both management and all employees in covered organisations are trained in cybersecurity. Management should have strategic knowledge of cybersecurity risks and governance, whilst employees should have basic cyber hygiene and role-specific training based on their responsibilities in the organisation.

What should management cybersecurity training contain?

Management should be trained in strategic cybersecurity, governance, risk management and relevant standards such as ISO 27001. Training can be executive courses, strategy workshops, or certification courses. What's important is that management gains competencies to understand cybersecurity threats, assess risks and make qualified decisions.

Should all employees have the same training?

No, training should be tailored to roles and responsibilities. All employees should have basic awareness training in cyber hygiene, phishing and passwords. However, critical personnel such as IT staff or operational staff should have targeted, specialised training that matches their specific risks and responsibilities.

How often should NIS2 training be repeated?

NIS2 requires continuous training, not just a one-off course. The organisation must establish a plan for how knowledge is developed and maintained over time. Typically annual awareness training is recommended for all employees and more frequent updates for critical personnel, as well as ongoing training for management on new threats.

How do I document NIS2 training?

Document with course certificates, participant lists, description of learning objectives and course content, and saved training materials. For own courses: create participant list, describe content and save materials. Documentation must be available to authorities during inspections. Consider using software to track who has completed which courses.

What is a training policy, and should I have one?

A training policy systematically describes how the organisation meets NIS2's training requirements. It contains roles, training needs per role, content, frequency and documentation. It's not a formal requirement, but a strongly recommended structured approach that both facilitates compliance work and functions as documentation for authorities.

Can we use e-learning for NIS2 training?

Yes, e-learning is an effective method for NIS2 training, especially for awareness training for all employees. E-learning platforms can cover phishing, passwords, social engineering etc. For management and critical personnel it can be supplemented with workshops, external courses or certifications. What's important is that documentation is in place.

What does it cost if we don't train our employees?

Non-compliance with NIS2's training requirements can result in fines up to €10 million or 2% of global turnover for essential entities (€7 million/1.4% for important entities). Additionally, management can be personally sanctioned for gross negligence. Most importantly, lack of training weakens actual cybersecurity and increases the risk of security incidents.

Should new employees also have cybersecurity training?

Yes, new employees should have cybersecurity training as part of their onboarding. This ensures that everyone from the start has the necessary knowledge of the organisation's security practices. Include basic awareness training in the introduction programme, and add role-specific training based on the position's responsibilities.

How do I keep training updated with new threats?

Establish a process for continuous updating of training content based on new threats and incidents. Follow cybersecurity news, incident reports from CSIRT and industry updates. Update training materials at least annually, and consider ad-hoc updates when new significant threats emerge. Include current examples in awareness training.