
NIS2 Training Requirements: Complete Guide for EU Organizations (2026)

NIS2 is the EU Network and Information Systems Directive 2 (Directive (EU) 2022/2555). It entered into force on January 16, 2023, Member States had until October 17, 2024 to transpose it into national law, and it brings an estimated 160,000 European organizations under an obligation to implement cybersecurity risk-management measures that include workforce training. Management bodies must approve those measures, oversee their implementation, can be held liable for infringements, and are themselves required to follow training.

If you run security inside an essential or important entity, the training question is no longer abstract. Auditors and national competent authorities now expect documented evidence that staff and leadership have been trained, that the content reflects current threats, and that management is involved rather than observing from a distance.

NIS2 (Directive (EU) 2022/2555) is the European Union’s expanded cybersecurity framework for network and information systems. It replaces the original 2016 NIS Directive and closes several gaps the first version left open, most notably the weak enforcement and narrow sector coverage that limited NIS1’s impact.

The directive entered into force on January 16, 2023. Member States had until October 17, 2024 to transpose it into national law, though several countries missed that deadline and continued to legislate into 2025 and 2026.

NIS2 is enforced through national competent authorities in each EU Member State. That means the same directive produces slightly different enforcement regimes in Germany, France, Ireland, Spain, and Italy. The directive's minimum training obligations are the same across the bloc; national transposition laws can add detail but not remove them.

NIS2 splits covered organizations into two tiers: essential entities and important entities. The distinction matters because penalties, supervisory regimes, and reporting obligations differ between them.

Essential entities are, as a rule, large organizations in the Annex I sectors the directive treats as highly critical: energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management (business-to-business), public administration, and space.

Important entities are medium-sized organizations in those Annex I sectors, plus medium and large organizations in the Annex II sectors: postal and courier services, waste management, chemicals, food, manufacturing, digital providers, and research. Important entities face lower maximum penalties and a lighter, ex post supervisory regime, but the same training requirements.

Tier | Size threshold | Sectors covered
Essential | Large entities (250+ employees, or annual turnover above EUR 50M and balance sheet above EUR 43M) in Annex I sectors | Annex I: energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, space
Important | Medium entities (50-249 employees, or turnover or balance sheet above EUR 10M but below the large ceiling) in Annex I sectors; medium and large entities in Annex II sectors | Annex II: postal and courier, waste management, chemicals, food, manufacturing, digital providers, research

Size thresholds follow the Commission Recommendation 2003/361/EC definitions of medium and large enterprises (headcount plus turnover and balance-sheet ceilings). Some organizations fall into scope regardless of size, for example trust service providers, top-level domain name registries, DNS service providers, and providers of public electronic communications networks or services.

NIS2 training requirements (Articles 20 and 21)


The directive places training obligations in two places. Article 20 governs management body accountability, and Article 21 enumerates the cybersecurity risk-management measures that must be implemented across the organization, including training.

Article 20(2) requires Member States to ensure that members of the management bodies of essential and important entities “are required to follow training”, and to encourage those entities to “offer similar training to their employees on a regular basis”, so that both groups gain the knowledge and skills to identify risks and assess risk-management practices and their impact on the services the entity provides. The management clause is the clearest training mandate in the directive and it applies equally to essential and important entities; the binding workforce-wide requirement comes from Article 21(2)(g).

Article 21(2)(g) requires “basic cyber hygiene practices and cybersecurity training” as one of ten minimum risk-management measures. This covers the whole workforce, not just management. The measures must be proportionate to the risk, the size of the entity, and the likelihood of incidents.

Taken together, these two articles mean an NIS2-compliant training program must reach every employee with baseline awareness and every member of the management body with deeper, governance-focused content. Training that stops at general staff fails the Article 20(2) management clause.

NIS2 training content that meets the requirement


The directive does not prescribe a curriculum, but Article 21(2) enumerates the risk-management measures the entity must implement. Training content is most defensible when it maps clearly to those measures.

A program that covers the following areas tends to satisfy auditor questions about scope:

  • (a) Policies on risk analysis and information system security
  • (b) Incident handling, including detection, response, and recovery
  • (c) Business continuity, including backup management, disaster recovery, and crisis management
  • (d) Supply chain security, including supplier and service-provider risk
  • (e) Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure
  • (f) Policies and procedures for assessing the effectiveness of risk-management measures
  • (g) Basic cyber hygiene practices and cybersecurity training
  • (h) Policies on the use of cryptography and, where appropriate, encryption
  • (i) Human resources security, access control policies, and asset management
  • (j) Multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems

Role-based tracks help. An incident reporting exercise trains front-line staff on the notification path. A supply-chain module covering supplier compromise and third-party application access (for example OAuth-connected SaaS integrations) trains procurement and engineering on supplier risk. A management-body module covers the governance responsibilities the directive places on leadership specifically.

NIS2 penalties (Article 34)

Article 34 sets the penalty framework. For essential entities, Member States must provide for administrative fines with a maximum of at least EUR 10 million or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher. For important entities, the maximum must be at least EUR 7 million or 1.4% of global turnover, whichever is higher.

Under Article 32, competent authorities can also suspend certifications or authorisations of essential entities, temporarily prohibit natural persons at CEO or legal-representative level from exercising managerial functions in an essential entity, and order the entity to make aspects of infringements public. Management liability is a structural feature of the directive, not an afterthought.

Individual Member States sometimes set higher penalties in national transposition laws. The exact enforcement posture varies, so check the implementing legislation for the country your entity operates in. Ireland, Germany, and France have published detailed enforcement guidance as of early 2026.

What changed from NIS1

NIS1 (Directive (EU) 2016/1148) required operators of essential services to take “appropriate and proportionate technical and organisational measures.” The language was soft and enforcement uneven across Member States. Training was mentioned indirectly rather than mandated explicitly.

NIS2 is stricter on three fronts. Management bodies are now personally accountable, reporting windows are shorter, and the scope of covered entities roughly triples the NIS1 population.

Reporting obligations under Article 23 require an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours of becoming aware, and a final report no later than one month after the incident notification (or a progress report if the incident is still ongoing at that point). Front-line staff have to recognize a potentially significant incident and start the notification chain immediately; a 24-hour clock leaves no room for a ticket that sits over a weekend. That skill has to be trained, not assumed.

How to build a NIS2-compliant training program


There is no single template the Commission endorses. The steps below match what national competent authorities and larger audit firms look for in a defensible program.

Step 1: Gap assessment. Map your current training content against Article 21(2) measures and Article 20(2) management obligations. Most organizations already have phishing and incident response content. The gaps tend to sit in supply chain, cryptography, and management-body training.

Step 2: Role-based tracks. Build distinct content for general staff, technical staff, and management. A general-staff module on phishing and password hygiene is not enough for an IT administrator. A general-staff module alone is not enough for a board member.

Step 3: Documentation. Keep granular records of who took which module, when, and what the content covered. Record policy acknowledgments. Record assessment scores where applicable. Auditors and competent authorities will sample the records, not trust your dashboard.

Step 4: Annual refresh and event-driven top-ups. Annual training is the floor. Add top-up modules after incidents, after policy updates, and after sector-specific threat intelligence the competent authority issues.

Step 5: Incident-response drills. Run tabletop exercises and simulation-based drills. An actual 24-hour early-warning clock is different from reading about the 24-hour rule.

Step 6: Management-specific modules. Article 20(2) is explicit. Do not skip this. Management bodies need content on their own role, on the organization’s risk posture, and on the implications of non-conformance.

Step 7: Audit-ready reporting. Build dashboards that show coverage by role, by business unit, and by content area. Exportable reports save days during supervisory reviews.
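The record-keeping in Steps 3, 4, 6 and 7 is the part an auditor can actually test, so it is worth automating the check rather than eyeballing a dashboard. The script below is an added example, not RansomLeak's code or a competent-authority tool: it takes a roster and a set of completion records, checks that every person has the baseline Article 21(2) topics refreshed within the last year and that every management-body member has completed a governance module for Article 20(2), and summarises coverage by role. The roster, the module identifiers, the dates and the choice of which Article 21(2) letters count as baseline for each role are all constructed assumptions for the example; adapt them to your own learning-management export.

```python
"""Check training-completion records against NIS2 training obligations.

Added example. Roster, module ids, dates and the per-role baseline mapping
are constructed assumptions, not data from any real entity or LMS export.
"""
from datetime import date, timedelta

# Article 21(2) letters each role must have refreshed within REFRESH_DAYS.
# The letter-to-topic mapping follows the directive; which letters count as
# "baseline" for a role is an assumption for this example.
BASELINE = {
    "staff": {"b", "g"},                               # incident handling, cyber hygiene
    "technical": {"b", "d", "e", "g", "h", "i", "j"},  # plus supply chain, dev, crypto, access, MFA
    "management": {"a", "b", "c", "d", "f", "g"},      # governance-facing measures
}
MANAGEMENT_MODULE = "MGMT-GOV"   # hypothetical module id carrying Art. 20(2) content
REFRESH_DAYS = 365               # "regular" read as at least annual
AS_OF = date(2026, 3, 1)         # reporting date used by the example run

PEOPLE = {                       # constructed roster: person -> role
    "alice": "management",
    "bob": "technical",
    "carol": "staff",
    "dave": "staff",
}

# Constructed completion records: (person, module id, letters covered, completion date)
RECORDS = [
    ("alice", "SEC-AWARE", {"b", "g"}, date(2025, 9, 1)),
    ("alice", "MGMT-GOV", {"a", "c", "d", "f"}, date(2025, 9, 3)),
    ("bob", "SEC-AWARE", {"b", "g"}, date(2025, 6, 10)),
    ("bob", "TECH-OPS", {"d", "e", "h", "i", "j"}, date(2025, 6, 11)),
    ("carol", "SEC-AWARE", {"b", "g"}, date(2024, 11, 20)),  # older than a year on AS_OF
    # dave has no records at all
]


def coverage_gaps(records, people, as_of, refresh_days=REFRESH_DAYS):
    """Return {person: list of gap descriptions}; an empty list means compliant."""
    cutoff = as_of - timedelta(days=refresh_days)
    gaps = {}
    for person, role in people.items():
        # Only completions inside the refresh window count as current.
        fresh = [r for r in records if r[0] == person and cutoff <= r[3] <= as_of]
        covered = set().union(*(r[2] for r in fresh)) if fresh else set()
        missing = BASELINE[role] - covered
        person_gaps = [
            f"Art. 21(2)({m}) not covered in last {refresh_days} days" for m in sorted(missing)
        ]
        # Art. 20(2): management-body members need the governance module, not just awareness.
        if role == "management" and not any(r[1] == MANAGEMENT_MODULE for r in fresh):
            person_gaps.append("Art. 20(2) management training missing")
        # Flag people whose only evidence is stale, so the refresh failure is visible as such.
        stale = [r for r in records if r[0] == person and r[3] < cutoff]
        if stale and not fresh:
            person_gaps.append("only stale records on file")
        gaps[person] = person_gaps
    return gaps


def summary_by_role(gaps, people):
    """Percentage of people per role with no gaps, for the coverage dashboard."""
    out = {}
    for role in set(people.values()):
        members = [p for p, r in people.items() if r == role]
        ok = sum(1 for p in members if not gaps[p])
        out[role] = round(100 * ok / len(members))
    return out


if __name__ == "__main__":
    result = coverage_gaps(RECORDS, PEOPLE, AS_OF)
    for person, items in result.items():
        print(f"{person}: {'OK' if not items else '; '.join(items)}")
    print(summary_by_role(result, PEOPLE))
```

Run against the constructed data, alice and bob come back clean, carol is flagged for stale evidence, dave for having none, and the staff role shows 0% coverage while management and technical show 100%. The point is the shape of the check: per person, per Article 21(2) letter, inside a dated window, with the Article 20(2) module tested separately, which is exactly what a sampling auditor will reconstruct by hand if you do not.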

Overlap with GDPR, DORA, the Cyber Resilience Act, and ISO 27001

NIS2 rarely arrives alone. EU organizations typically have to align training with GDPR, DORA, and the Cyber Resilience Act simultaneously. The good news is that the content overlaps meaningfully.

Framework | Training-relevant obligation | Overlap with NIS2
GDPR (EU 2016/679) | Article 39(1)(b): the DPO's task of awareness-raising and training of staff involved in processing; Article 47(2)(n): training requirements under binding corporate rules | Incident response, data handling, supply chain
DORA (EU 2022/2554) | Article 13(6): compulsory ICT security awareness programmes and digital operational resilience training for all staff and senior management of financial entities | Incident response, third-party risk, business continuity
Cyber Resilience Act (EU 2024/2847) | Manufacturer obligations on secure-by-design development and vulnerability handling for products with digital elements, which product teams must be trained to meet | Secure development, supply chain
ISO/IEC 27001:2022 | Clause 7.3 (awareness) and Clause 7.2 (competence) | Policy literacy, incident reporting

A good GDPR employee training program already covers several NIS2 measures. An ISO 27001 awareness backbone covers several more. Organizations that build a single awareness program mapped across frameworks spend significantly less than those running parallel trainings.

RansomLeak training is interactive, scenario-based, and documented in a way NIS2 supervisors recognize. The catalogue covers the Article 21(2) topics in role-appropriate depth, and completion records export cleanly for audit review.

The privacy and compliance catalogue covers incident handling, data protection, and supply chain scenarios. The security awareness catalogue covers phishing, credential hygiene, and access control. The AI security catalogue covers the AI-specific risks that several national competent authorities now call out as part of the Article 21(2)(e) obligation on security in network and information systems acquisition, development, and maintenance.

Our compliance mapping guide links each Article 21 measure to specific courses and exercises, which shortens the time between “we need NIS2 training” and “here is the program we rolled out.”

When was the NIS2 deadline?

October 17, 2024 is the transposition deadline in the directive itself. Member States were required to have national legislation in force by that date. Several Member States missed this and continued legislating through 2025 and into 2026, so the operative deadline in any specific country is whichever date the national transposition law sets. Registration obligations for specific sectors usually applied within a short window after national law entered into force.

Who is in scope for NIS2?

Essential and important entities across 18 sectors (11 in Annex I, 7 in Annex II) including energy, transport, banking, health, water, digital infrastructure, public administration, postal, waste, chemicals, food, manufacturing, digital providers, and research. Size thresholds follow the EU medium and large enterprise definitions, with some organizations in scope regardless of size.

What are the NIS2 incident reporting deadlines?

Article 23 requires an early warning to the competent authority or CSIRT within 24 hours of becoming aware of a significant incident, a follow-up incident notification within 72 hours, and a final report no later than one month after the incident notification. Recipients of the service affected by the incident must also be informed where appropriate.

Do NIS2 training requirements apply to management?


Yes. Article 20(2) requires Member States to ensure that members of management bodies follow training, and to encourage entities to offer similar training to employees on a regular basis; Article 21(2)(g) makes workforce cybersecurity training a mandatory risk-management measure in its own right. A training program that ignores leadership does not satisfy the directive.

What are the penalties for NIS2 non-compliance?


Article 34 requires Member States to set maximum administrative fines of at least EUR 10 million or 2% of total worldwide annual turnover for essential entities, and at least EUR 7 million or 1.4% of global turnover for important entities, whichever is higher in each case. Under Article 32, competent authorities can also suspend certifications or authorisations of essential entities and temporarily prohibit individuals at CEO or legal-representative level from exercising managerial functions there.

How often is NIS2 training required?

The directive requires “regular” training without fixing an interval. Most national guidance and audit practice reads this as at least annual, with event-driven top-ups after significant incidents, policy changes, or emerging threats in the sector. Annual alone is the floor, not a ceiling.

Does NIS2 apply to non-EU companies?

Some non-EU companies fall in scope if they offer services in the EU. Article 26 on jurisdiction and territoriality requires such entities, if not established in the Union, to designate a representative in a Member State where they offer services. Cloud computing service providers, data centre service providers, and DNS service providers are typical examples.

Does ISO 27001 certification cover NIS2 training?

Largely but not completely. Organizations already certified to ISO/IEC 27001:2022 cover most of NIS2’s Article 21(2) measures because Annex A organizes its controls into organizational, people, physical, and technological themes that overlap the NIS2 list. The ISO 27001 awareness program usually still needs NIS2-specific additions on the reporting windows, management body training, and supply chain notification.

Can training records from NIS1 be used for NIS2?


Sometimes, but expect gaps. NIS1 training tended to focus on technical operators. NIS2 requires wider coverage including management bodies and supply chain awareness. Old records may show general staff completion but fail to demonstrate the Article 20(2) management obligation.

What counts as a significant incident under NIS2?


Under Article 23(3), a significant incident is one that has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned, or that has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage. For DNS service providers, TLD registries, cloud, data centre, CDN, managed service and managed security service providers, online marketplaces, search engines, social networking platforms, and trust service providers, Commission Implementing Regulation (EU) 2024/2690 fixes concrete thresholds; for other sectors, national competent authorities publish them.

NIS2 is a directive with teeth, and training is one of the measures it tests explicitly. Management body accountability, reporting windows, and sector coverage all expanded compared to NIS1. Organizations that built a proper awareness program before October 2024 have a head start. Those still running a generic annual video will see findings in the first round of supervisory activity.

Treat the 24-hour early-warning clock, the 72-hour notification, and the one-month final report as skills that require rehearsal. Treat the management body training as a real obligation rather than a nice-to-have. And document everything at a level of detail a competent authority can sample with confidence.

If your entity is in scope and you want to see how scenario-based training maps to Article 21 measures, explore the privacy and compliance catalogue or book a walkthrough with our team.