The NIS2 Directive is not an update. It is a replacement. When it took effect in October 2024, it retired the original NIS1 framework and introduced a fundamentally different set of cybersecurity obligations for organizations across Europe. Among the most significant changes: cybersecurity training is no longer optional, informal or left to each company's discretion. It is a documented legal requirement, for every employee, at every level, including the boardroom.
As of early 2026, 14 of 27 EU member states have transposed NIS2 into national law, and the European Commission has opened infringement proceedings against 23 member states that missed the deadline. Enforcement is already active. In Germany alone, approximately 29,500 companies fall under the directive, and the BSI (Federal Office for Information Security) has shifted from registration guidance to active auditing after roughly 18,500 companies missed the March 2026 registration deadline.
For organizations still treating cybersecurity training as an annual checkbox, NIS2 changes the equation entirely.
The original NIS Directive, adopted in 2016, covered a narrow set of sectors and left much of the implementation to individual member states. Each country decided which organizations qualified as "operators of essential services," which led to wildly inconsistent outcomes — the same type of company might be in scope in one country but not in its neighbor.
NIS2 replaces that patchwork approach with harmonized, EU-wide criteria. The most important changes for training and compliance:
Scope expansion: NIS1 covered seven sectors. NIS2 covers 18, adding postal and courier services, food production, waste management, manufacturing, chemicals, space and public administration, among others. The directive now applies to all medium and large enterprises (50 or more employees, or EUR 10 million or more in annual revenue) operating in these sectors. According to European Commission estimates, this brings approximately 160,000 entities into scope across the EU — a tenfold increase from roughly 15,000 under NIS1.
Mandatory Training for Employees and Management (Article 20): NIS1 had no equivalent. Under NIS2, Article 20 requires that members of management bodies — CEOs, board members, executives — "are required to follow training" so they can "identify risks and assess cybersecurity risk-management practices." This is not a recommendation. It is a legal obligation with personal liability attached.
Regular Ongoing Security Awareness Training Programs: Article 21(2)(g) explicitly lists "basic cyber hygiene practices and cybersecurity training" among the mandatory risk management measures that every essential and important entity must implement.
Documented and Auditable Compliance Training: Organizations must now report significant incidents within 24 hours (early warning), 72 hours (detailed notification) and one month (final report). Under NIS1, reporting timelines were ambiguous and criteria varied widely between member states. NIS2 eliminates that ambiguity with a structured, multi-stage process. Employees who haven't been trained to recognize and escalate incidents cannot meet these deadlines — making training a direct enabler of incident response compliance.
Personal accountability: Under Article 32(6), regulators can hold individual executives responsible for compliance failures, including temporary bans from management positions in cases of gross negligence. As DLA Piper notes, this represents "unprecedented responsibility on management to ensure robust cybersecurity measures are in place." This has no NIS1 precedent.
NIS2's training obligations fall into five areas that auditors and regulators are actively assessing.
NIS2 does not limit training to IT or security teams. As the directive text makes clear, every person with access to company IT systems or business data is in scope — including permanent staff, contractors, temporary workers and remote employees. Advisera's NIS2 compliance guide confirms that training must be organized for separate target groups, from senior management to all other employees. The directive requires "basic cyber hygiene practices" covering:
This is a departure from NIS1, where training scope was largely undefined and left to each organization. Under NIS2, the logic is straightforward: if an employee can access a system or handle data, they can introduce risk — and they need to be trained accordingly.
Article 20(2) requires management body members to undergo cybersecurity training covering regulatory obligations and personal liability, the organization's cyber risk profile, how to assess whether security measures are adequate and their role during incident response and crisis management.
Auditors are no longer checking whether a policy exists. PwC's NIS2 executive training program emphasizes that management must receive documented, audit-proof training covering their specific oversight obligations — with completion records that satisfy regulatory requirements. The rationale behind this requirement is clear: management bodies must approve and oversee the cybersecurity risk management measures adopted under Article 21. They cannot meaningfully do so without understanding the risks those measures are designed to address.
A single annual course does not satisfy NIS2. ENISA's NIS2 technical implementation guidance makes clear that training programs must be continuous and repeated, with content updated to reflect the evolving threat landscape. Regulators look for evidence of:
NIS2 requires organizations to demonstrate compliance, not just claim it. Advisera's list of mandatory NIS2 documents details that organizations must maintain a Training and Awareness Plan with completion logs, certificates, timestamps and pass/fail records that map training to specific regulatory requirements. Auditors want to see which training sessions covered which NIS2 articles — for example, incident handling under Article 21(2)(b), cyber hygiene under Article 21(2)(g) — and whether participation covered the entire workforce.
Organizations that cannot produce this evidence face not just fines but binding remediation orders, mandatory security audits and public disclosure of non-compliance.
Generic, one-size-fits-all training raises red flags during audits. ENISA's guidance on cybersecurity roles and skills for NIS2 entities maps specific NIS2 obligations to distinct role profiles, making clear that differentiated content based on job function is expected:
NIS2 also introduces supply chain security obligations under Article 21(2)(d), meaning employees involved in procurement and vendor management need targeted training on assessing supplier security practices — an area many organizations still overlook.
Knowing the requirements is one thing. Building a program that satisfies them is another. Three strategies stand out.
Phishing Simulations
While NIS2 does not use the exact words "phishing simulation" in its legal text, Article 21(2)(f) explicitly requires organizations to have "policies and procedures to assess the effectiveness of cybersecurity risk-management measures." Since the human factor is the primary attack vector, simulations are the most widely recognized method for meeting this requirement. ENISA's NIS2 technical implementation guidance points directly to simulated phishing campaigns and scenario-based user testing as a core aspect of compliance, and auditors in regulated sectors increasingly expect to see logged simulation results, not just records of completed e-learning modules.
The key metrics to track: click-through rates on simulated phishing emails, report rates (how many employees flagged the test), and improvement trends over time. Auditors care about trajectory — declining click rates and rising report rates — more than any single data point.
Failed simulations should be treated as learning opportunities, not punitive events. The goal is to build a culture where employees feel comfortable reporting suspicious emails quickly, which is critical for meeting NIS2's tight incident notification deadlines. Providing immediate educational feedback after a failed simulation is far more effective than assigning blame.
Role-Based Training Paths
High-risk departments like HR, finance and IT face different threats than the general workforce. A finance team member is far more likely to encounter an invoice fraud attempt; an HR coordinator may be targeted with fake job applications containing malicious attachments. As Advisera's NIS2 training guide explains, organizations should define target groups and select topics based on each group's specific risks and responsibilities — ensuring training addresses the actual threats employees face, not generic scenarios that feel disconnected from their daily work.
Measuring and Proving Effectiveness
NIS2's emphasis on effectiveness means organizations must go beyond participation tracking. As EY's NIS2 compliance report emphasizes, compliance is "not a one-time exercise but an ongoing journey, requiring clear milestones, executive accountability, and continuous improvement." Regulators expect measurable improvement: reduced phishing click rates over time, faster incident reporting, higher completion rates across the workforce. These metrics should feed into management reviews and be linked to the organization's risk register — closing the loop between training activity and actual risk reduction.
This is where many organizations stumble. They can show that training was assigned but not that it changed behavior. NIS2 auditors are trained to look for exactly this gap. A program that demonstrates year-over-year improvement in measurable security behaviors is far stronger evidence of compliance than high module completion rates alone.
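To make the evidence gap concrete, here is an added worked example (not code from the original article or from Nimblr) that computes the two kinds of proof discussed above from constructed records: the click-rate and report-rate trajectory across successive phishing simulations, and whether every person in the workforce has a passed completion mapped to each required NIS2 article. The workforce, campaign results, completion log, module-to-article mapping and the choice of required articles are all constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed workforce: every person with system access is in scope for training.
WORKFORCE = {"alice", "bob", "carol", "dave", "erin"}

# Constructed phishing simulation results, one entry per campaign, oldest first.
CAMPAIGNS = [
    {"id": "2025-Q1", "recipients": WORKFORCE, "clicked": {"alice", "bob"}, "reported": {"carol"}},
    {"id": "2025-Q2", "recipients": WORKFORCE, "clicked": {"bob"}, "reported": {"carol", "dave"}},
    {"id": "2025-Q3", "recipients": WORKFORCE, "clicked": set(), "reported": {"alice", "carol", "dave"}},
]

# Constructed completion log. "articles" is a hypothetical mapping from each module
# to the NIS2 article(s) it evidences; timestamps and pass/fail are kept as audit fields.
COMPLETIONS = [
    {"user": "alice", "module": "incident-handling", "articles": {"21(2)(b)"}, "passed": True, "ts": "2025-01-15T09:12:00Z"},
    {"user": "bob", "module": "incident-handling", "articles": {"21(2)(b)"}, "passed": False, "ts": "2025-01-15T09:40:00Z"},
    {"user": "carol", "module": "incident-handling", "articles": {"21(2)(b)"}, "passed": True, "ts": "2025-01-16T14:02:00Z"},
    {"user": "dave", "module": "incident-handling", "articles": {"21(2)(b)"}, "passed": True, "ts": "2025-01-17T11:30:00Z"},
    {"user": "alice", "module": "cyber-hygiene", "articles": {"21(2)(g)"}, "passed": True, "ts": "2025-02-03T08:55:00Z"},
    {"user": "bob", "module": "cyber-hygiene", "articles": {"21(2)(g)"}, "passed": True, "ts": "2025-02-03T09:10:00Z"},
    {"user": "carol", "module": "cyber-hygiene", "articles": {"21(2)(g)"}, "passed": True, "ts": "2025-02-04T10:00:00Z"},
    {"user": "dave", "module": "cyber-hygiene", "articles": {"21(2)(g)"}, "passed": True, "ts": "2025-02-04T10:20:00Z"},
    {"user": "erin", "module": "cyber-hygiene", "articles": {"21(2)(g)"}, "passed": True, "ts": "2025-02-05T16:45:00Z"},
]

# Articles the program must evidence for the whole workforce (hypothetical selection).
REQUIRED_ARTICLES = {"21(2)(b)", "21(2)(g)"}


def campaign_metrics(campaign):
    """Click-through rate and report rate for one simulated phishing campaign."""
    n = len(campaign["recipients"])
    return {
        "id": campaign["id"],
        "click_rate": round(len(campaign["clicked"]) / n, 3),
        "report_rate": round(len(campaign["reported"]) / n, 3),
    }


def trajectory(campaigns):
    """Rates per campaign plus whether the trend is improving (clicks never rise, reports never fall)."""
    series = [campaign_metrics(c) for c in campaigns]
    clicks = [m["click_rate"] for m in series]
    reports = [m["report_rate"] for m in series]
    improving = all(b <= a for a, b in zip(clicks, clicks[1:])) and all(
        b >= a for a, b in zip(reports, reports[1:])
    )
    return {"series": series, "improving": improving}


def followup_needed(campaign):
    """Users who clicked without reporting: candidates for immediate educational feedback, not blame."""
    return sorted(campaign["clicked"] - campaign["reported"])


def article_coverage(completions, workforce, required):
    """For each required article, list who in the workforce has no passed completion mapped to it."""
    passed = defaultdict(set)
    for rec in completions:
        if rec["passed"]:
            for art in rec["articles"]:
                passed[art].add(rec["user"])
    return {art: sorted(workforce - passed[art]) for art in sorted(required)}


def audit_report(campaigns=CAMPAIGNS, completions=COMPLETIONS, workforce=WORKFORCE, required=REQUIRED_ARTICLES):
    """Combine behaviour trend and coverage gaps into the evidence an auditor would ask for."""
    gaps = article_coverage(completions, workforce, required)
    return {
        "trajectory": trajectory(campaigns),
        "coverage_gaps": gaps,
        "fully_covered": all(not missing for missing in gaps.values()),
    }


if __name__ == "__main__":
    import json

    print(json.dumps(audit_report(), indent=2))
```

With the constructed data the click rate falls from 0.4 to 0.0 while the report rate rises from 0.2 to 0.6, so the trajectory counts as improving; but the coverage check shows that bob (failed the module) and erin (never assigned it) have no passed completion for Article 21(2)(b), which is exactly the kind of workforce gap a completion-rate figure alone would hide.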
NIS2's enforcement model represents a step change from NIS1, which had minimal and inconsistent penalties. Under NIS2:
Real-world consequences are already materializing. In Germany, a managing director of a mid-sized IT service provider was unable to prove training attendance or approval of security measures after a ransomware attack, compounding the penalties for missed registration and late incident reporting. The BSI has signaled it is actively identifying non-compliant companies through industry registers, business partner reports and its own surveys.
The challenge for most organizations is not understanding what NIS2 requires. It is operationalizing those requirements without overwhelming their security or compliance teams. Most training platforms offer large course libraries but leave the regulatory mapping to the customer — forcing admins to figure out which courses cover which NIS2 articles, which employees need which content and how to document it all for auditors.
Nimblr's Adaptive Learning takes a different approach. When an organization selects its industry, country and applicable compliance frameworks — whether NIS2, GDPR, DORA or PCI DSS — the platform automatically delivers compliance-specific training paths to the right employees without manual course assignment. Training content reflects the actual threat landscape and regulatory environment of each organization, with industry-specific paths for financial services, health care, manufacturing, public sector and retail that go beyond generic awareness.
Completion tracking maps directly to specific regulatory requirements, providing the audit-ready documentation NIS2 demands. And because compliance training paths are included in every subscription rather than sold as a premium add-on, there is no cost barrier to getting the program right from the start.
The result is a training program that meets NIS2's five core requirements — universal coverage, management training, ongoing delivery, auditable records and role-specific content — without adding administrative complexity. For organizations operating across multiple EU jurisdictions, where regulatory environments and threat landscapes differ by country, this kind of automated adaptation is especially valuable.
NIS2 has fundamentally changed what "cybersecurity training" means for European organizations. It is no longer about checking a box once a year. It is about building a documented, measurable, role-appropriate training program that reflects your actual risk profile and regulatory obligations — and being able to prove it to an auditor at any time.
With enforcement now active across multiple member states and personal liability on the table for executives, the cost of inaction is clear. The organizations that act now — aligning their training to NIS2's specific requirements and automating as much of the process as possible — will turn regulatory pressure into a genuine improvement in their security posture.
The question every CISO, compliance officer and board member should be asking is not "do we have a training program?" It is "does our training reflect what NIS2 actually requires — and can we prove it?"