Blog

FTC Safeguards Rule Training (2026)

The FTC Safeguards Rule at 16 CFR Part 314 requires non-bank financial institutions to maintain a written information security program, and that program must include security awareness training plus specialized training for the personnel responsible for it. The amended rule became fully enforceable on June 9, 2023, and it reaches well beyond banks.

Auto dealers, mortgage brokers, tax preparers, retailers offering in-house financing, collection agencies, and investment advisors all fall inside the FTC’s definition of a “financial institution.” Many of them spent 2023 and 2024 scrambling to document training programs their compliance teams had assumed were already in place.

HIPAA §164.308(a)(5) Training Guide

HIPAA security awareness training is a mandatory Administrative Safeguard under the HIPAA Security Rule. Every covered entity and every business associate must run a training program for all members of its workforce, including management, and the documentation must survive OCR audits that can sample records going back six years.

The rule itself is short. The expectations around it are not. Covered entities that treat HIPAA training as a fifteen-minute annual video tend to learn this the hard way, usually during a breach investigation or a Resolution Agreement that costs six or seven figures.

For an end-to-end breakdown of the §164.308(a)(5) framework, see our HIPAA security awareness training framework guide. This post focuses on what OCR investigators actually sample during an audit.

Hoxhunt Alternatives: 7 Platforms Compared

The best Hoxhunt alternatives in 2026 depend on what you actually need. Teams that want broader training beyond phishing simulation often pick RansomLeak or KnowBe4. Teams in the EU often pick SoSafe for GDPR-native hosting. Teams that want a behavioral-science moat often pick CybSafe. This guide compares seven platforms so you can match a vendor to your program.

Updated April 2026.

NIS2 Penalties & Article 20 Liability

NIS2 is the EU Network and Information Systems Directive 2. It came into force on October 17, 2024 after a two-year transposition window, and it requires roughly 160,000 European organizations to implement cybersecurity risk-management measures that include workforce training. Management bodies are personally accountable for approving and following that training.

If you run security inside an essential or important entity, the training question is no longer abstract. Auditors and national competent authorities now expect documented evidence that staff and leadership have been trained, that the content reflects current threats, and that management is involved rather than observing from a distance.

RansomLeak vs SoSafe Comparison

RansomLeak and SoSafe both sell human risk management, but they reach employees through very different models. SoSafe ships behavioral microlearning modules and phishing simulations from EU-hosted infrastructure, with deep NIS2 and TISAX alignment. RansomLeak ships interactive 3D simulations where employees practice handling attacks, with deeper AI threat coverage and SCORM export into any LMS. This comparison covers content, pricing, EU regulatory fit, data residency, and who each platform fits.

Updated April 2026.