There are many variations of passages of Lorem Ipsum available, but the majority have suffered alteration in some form, by injected humour believable.

4140 Parker Ave, St. Louis, MO 63116


      NIS2 Training Requirements: What the Directive Demands

      NIS2 makes ongoing security awareness training a legal requirement. Who is covered, what Article 20 and 21 require, and what auditors look for.

      Shortcuts:

      NIS2 is in force. Here's what it means for security awareness training.

      The NIS2 Directive's transposition deadline passed in October 2024, and member states have implemented it in national law; in Sweden, its requirements apply through the new Cybersecurity Act. If your organization is in scope, ongoing security awareness training for all employees, and specific cybersecurity training for management, is now a legal requirement, not a recommendation.

      In this article:

      What NIS2 is and who it applies to

      The specific training and awareness requirements

      Fines and consequences for non-compliance

      What auditors will look for

      How Nimblr helps you meet NIS2's training obligations

       

      What is NIS2?

      NIS2 (Network and Information Security Directive 2) is the EU's updated framework for cybersecurity across critical sectors. It replaces the original NIS Directive, which was widely criticized for being too narrow, too vague, and inconsistently enforced across member states.

      The update significantly expands the scope of who is covered, raises the bar for what organizations must do, and introduces much stronger enforcement powers, including personal liability for management bodies in organizations that fail to comply.

      When does NIS2 apply

      Which organizations does NIS2 apply to?

      NIS2 distinguishes between essential entities (subject to proactive supervision) and important entities (subject to reactive supervision). Both categories must comply with the same security requirements; the difference is how, and how often, they are audited.

      Essential entities include energy (electricity, oil, gas, hydrogen), transport (air, rail, road, water), banking and financial market infrastructure, health (hospitals, pharma, medical devices), drinking water and wastewater, digital infrastructure (cloud, DNS, data centers), public administration, and space.

      Important entities include postal and courier services, waste management, chemical manufacturing, food production and distribution, manufacturing (medical devices, electronics, machinery), digital providers (online marketplaces, search engines, social networks), and research organizations.

      NIS2 also reaches beyond directly regulated entities via supply chain requirements: even organizations not formally in scope may need to meet NIS2 standards to remain approved suppliers to organizations that are.

      The core security requirements under Article 21

      Article 21 sets out the cybersecurity risk management measures organizations must implement. These are not optional best practices; they are enforceable legal requirements:

      Policies on risk analysis and information system security. Documented processes for identifying and managing cybersecurity risks, reviewed and updated regularly.

      Incident handling. Procedures for detecting, reporting, and responding to security incidents, including early notification to national authorities of significant incidents.

      Supply chain security. Assessment of cybersecurity practices across suppliers and service providers, with appropriate contractual requirements. See our guide to supply chain attacks.

      Cybersecurity training and awareness. Ongoing security awareness training for employees, and specific cybersecurity training for management bodies, who are also held personally accountable for compliance.

      Access control and authentication. Policies covering multi-factor authentication, privileged access management, and modern access principles.

      Business continuity and crisis management. Backup procedures, disaster recovery plans, and tested crisis response capabilities.

      Fines and management liability

      NIS2 substantially increases the financial consequences of non-compliance compared with the original directive, and introduces personal liability for management that was absent before:

      Essential entities: fines of up to €10 million or 2% of global annual turnover, whichever is higher.

      Important entities: fines of up to €7 million or 1.4% of global annual turnover.

      Management bodies can be held personally liable, and in serious cases temporarily prohibited from holding leadership positions.

      What NIS2 requires for training and awareness specifically

      This is where NIS2 breaks new ground compared to its predecessor:

      All employees must receive cybersecurity awareness training. Not just IT teams. Everyone who handles systems, data, or communications is in scope, which in most organizations means the entire workforce.

      Management bodies must receive specific cybersecurity training. Article 20 requires that members of the management bodies of essential and important entities follow training to understand cybersecurity risks and their impact on the business.

      Training must be measurable and documented. Auditors will ask for evidence. A policy document that says "we do security training" is not sufficient. You need records: who was trained, when, on what topics, and what their awareness level is.

      Training must be ongoing, not annual. The directive's language around regularity, and its emphasis on demonstrable awareness, means a once-a-year compliance course is unlikely to satisfy auditors looking for evidence of a genuine program.

      How Nimblr meets NIS2's training requirements

      Nimblr's platform is designed to satisfy exactly what NIS2 Articles 20 and 21 require from a training and awareness perspective, and to generate the documented evidence auditors look for:

      Automated ongoing training. Micro Training delivered continuously, not once a year, with built-in spaced repetition.

      Real-time completion records. Every completed module is logged. Export your training data for auditors at any time.

      Phishing and smishing simulations. Simulated attacks provide behavioral evidence of awareness, not just self-reported completion rates.

      Management training included. Dedicated content for leadership and management bodies to meet Article 20 requirements.

      Awareness Level scoring. Quantified, per-employee and per-team awareness scores that demonstrate measurable progress over time.

      No login required. Employees complete training via email link, maximizing completion rates across the whole organization.

      Need to demonstrate NIS2 compliance? Book a demo and see how Nimblr generates the training records and awareness evidence auditors require, or explore our compliance page.

      FAQ

      FAQ: NIS2

      When did NIS2 come into force?

      NIS2 was adopted by the European Parliament in November 2022, and EU member states had until October 17, 2024 to transpose it into national law. Implementation timelines have varied by country; in Sweden, the requirements apply through the Cybersecurity Act. Organizations in scope should treat NIS2 as active now.

      Does NIS2 apply to SMEs?

      NIS2 generally applies to organizations with more than 50 employees or over €10 million in annual turnover that operate in a covered sector. Smaller organizations may still be indirectly affected as part of the supply chain of a covered entity.

      What is the difference between NIS2 and GDPR?

      GDPR focuses specifically on the protection of personal data. NIS2 is broader: it covers the security of network and information systems across critical sectors, regardless of whether personal data is involved. The two overlap significantly, and organizations that comply well with one are generally better positioned for the other.

      Does a once-a-year security training course satisfy NIS2?

      Almost certainly not on its own. The directive calls for ongoing training and demonstrable awareness programs. Auditors look for evidence of a continuous process, not a single annual checkbox.

      What evidence do NIS2 auditors look for on training?

      Typically: completion records showing who completed what training and when, evidence that training covers the right topics (phishing, incident reporting, access control, data handling), awareness measurement over time, and documentation of management-level training specifically.

      Author
      Nimblr Security Awareness
      Nimblr Security Awareness
      The Nimblr team is made up of people who are passionate about cyber security, developing training for real people, and tracking behavioral change.
      Get a personalized demo session at your convenience. Book a demo and let one of our experts walk you through Nimblr solution, the platform, and how quickly you can get started.