What is NIS2 Cybersecurity Training

NIS2 is the European Union Network and Information Systems Directive 2, formally Directive (EU) 2022/2555. It entered into force on 16 January 2023 and replaced the 2016 NIS Directive, expanding coverage to roughly 160,000 organizations across 18 sectors. Member States had until 17 October 2024 to transpose the directive into national law. Most missed that deadline. Belgium published its NIS 2-Wet / Loi NIS 2 in time and brought it into force in October 2024. Germany is still legislating the NIS2UmsuCG. The Netherlands continues to advance the Cyberbeveiligingswet draft. France issued ANSSI guidance pending the formal transposition. Italy, Spain, and Ireland are at various stages of decree, real decreto, or general scheme. The operative deadline in any given country is whichever date the national transposition law sets, but the directive obligations apply to in-scope entities regardless of national delays.

Article 21(2)(g) names cybersecurity training explicitly. It requires entities to implement "basic cyber hygiene practices and cybersecurity training" as one of ten minimum risk-management measures. The wording is short, but the practical effect is large. Every essential and important entity has to put a named training program in place, document who completed it, refresh it on a regular cadence, and present the records when a national competent authority audits. The directive does not prescribe a curriculum, which means the burden of demonstrating that training is proportionate to the risk and to the size of the entity sits with the entity itself.

Article 20 raises the stakes. It requires the management body of each essential and important entity to approve the cybersecurity risk-management measures, oversee their implementation, and follow specific training to gain enough knowledge to identify risks and assess practices. The directive then makes management body members personally liable for infringements of the risk-management duty. National competent authorities can publicly disclose infringements, suspend certifications, and temporarily prohibit named individuals from exercising managerial functions. Training that stops at general staff fails Article 20. Training that ignores management body members fails Article 20.

The penalty regime is split by entity tier. Essential entities (energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure including DNS, TLD registries, cloud, data centres, ICT-managed services, public administration, space) face administrative fines up to EUR 10 million or 2% of global annual turnover, whichever is higher. Important entities (postal and courier, waste management, chemicals, food, manufacturing of medical devices, computers, electronics, machinery, motor vehicles, transport equipment, digital providers including online marketplaces, search engines, social networks, research) face up to EUR 7 million or 1.4% of global annual turnover. The "cyber hygiene" framing in Article 21(2)(g) is the article auditors cite first when they sample a training program.

NIS2 audits sample evidence, not intent. A scenario-based exercise that drops the learner into an inbox, a vishing call, a BEC pretext, or a deepfake video conference produces a completion record an auditor can map back to Article 21(2)(g) and to the specific risk it addresses. A 30-minute compliance video produces a completion record that says the learner watched a video. The directive does not prescribe a format, but national competent authorities tend to read "proportionate to the risk" as evidence that the training reflects current attacker tradecraft. The Verizon DBIR 2024 baseline (68% of breaches involve a non-malicious human element) and the EUR 25 million Arup deepfake wire fraud both sit inside the NIS2 risk picture competent authorities reference. Scenario-based content tracks that reality in a way recorded videos cannot.

Role-based assignments are how a NIS2 program demonstrates proportionality. The management body track satisfies Article 20: governance content, the personal liability regime, and the current-threat briefing required to assess practices. The general staff track satisfies the Article 21(2)(g) workforce baseline: phishing, password hygiene, mobile device security, lock and encryption discipline, incident reporting. The IT and help desk track addresses Article 21(2)(b) and Article 21(2)(i): vishing, MFA-reset social engineering, verification procedures, joiner-mover-leaver hygiene. The procurement and engineering track addresses Article 21(2)(d) and (e): third-party app OAuth risks, vendor verification, supply chain BEC patterns. Each track ships with its own completion roster, so the audit evidence is segmented by role from day one.

The export pack is what national competent authorities request during inspection. RansomLeak completion records export per learner, per role, per module, with policy acknowledgment timestamps, scenario-pass evidence, and module-content metadata that ties the exercise back to the specific Article 21 measure it supports. The data lands in the format the CCB, BSI, ANSSI, NCSC, AGID, ACN, and the rest of the EU competent-authority pool sample during their reviews. Programs that built the export pack before the first inspection cycle save days of audit response time over programs that try to assemble the evidence after the request lands.