Resources

Why generic training no longer works in Europe

Written by Nimblr Security Awareness | Mar 18, 2026 8:48:02 PM

Key takeaways

  • What is Adaptive Learning in cybersecurity?

  • Why does NIS2 require more than generic training?

  • How does Nimblr deliver adaptive learning?

Most organizations in Europe have done the basics. They have rolled out security awareness training, run some phishing simulations, and checked the compliance box. But here is the uncomfortable truth: for many employees, generic training stopped being useful a long time ago.

The same lessons cycle back, repeating the same generic advice, and employees who have already completed the full curriculum are left with nothing new to learn. Meanwhile, the threats targeting their specific industry, country, and regulatory environment keep evolving.

This is the gap that adaptive learning is designed to close.

The problem with one-size-fits-all training

Traditional security awareness programs follow a standard curriculum. Every employee, regardless of industry or location, receives the same set of courses in the same order. This approach works well in the beginning. It builds a solid foundation in topics like phishing, password security, social engineering, and safe browsing.

But what happens after everyone has completed that foundation?

For organizations that have been running their awareness program for several years, the limitations become clear:

  • Engagement drops because employees feel like they are repeating material they have already learned.
  • Relevance fades because generic content cannot address the specific threats facing a bank in Frankfurt, a hospital in Stockholm, or a logistics company in Warsaw.
  • Compliance gaps emerge because regulations like NIS2, DORA, and GDPR demand training that reflects your organization's actual risk profile, not just a generic overview.

The result is a training program that technically exists but no longer delivers real value. Employees tune out, risk exposure stays the same, and the investment in security awareness stops producing results.

What is Adaptive Learning?

Adaptive learning is a shift from a single, universal training path to a model that adapts content based on who your organization is and where it operates. Instead of treating every company the same, adaptive learning considers three key dimensions for targeting:

Industry: A financial services company faces different threats than a healthcare provider or a manufacturer. Payment fraud, CEO impersonation attacks, and credential theft look different depending on the sector. Adaptive learning delivers industry-specific courses that address these real-world scenarios.

Region: Cyber threats are not the same everywhere. In Sweden, BankID and Swish fraud are persistent problems. In the broader EU market, business email compromise and AI-driven fraud are rising fast. A training program that ignores local threat patterns is leaving employees unprepared for the attacks most likely to target them.

Compliance requirements: European organizations operate under a patchwork of regulations. Depending on your sector and size, you may need to address NIS2, DORA, GDPR, or a combination of all three. Adaptive learning maps compliance-specific training directly to your organization's regulatory obligations.

NIS2 and the case for Adaptive Learning

The NIS2 Directive is now the most significant cybersecurity regulation in Europe. It replaced the original NIS Directive in October 2024 and dramatically expanded the scope of organizations that must comply. As of early 2026, 14 of the 27 EU member states have fully transposed NIS2 into national law, with the remaining countries close to completion or under active infringement proceedings from the European Commission.

For security awareness training, NIS2 changes the game in three important ways:

1. Everyone must be trained

NIS2 Article 21 is explicit: organizations must implement "basic cyber hygiene practices and cybersecurity training" as part of their risk management measures. This is not limited to IT staff. Every employee, contractor, and temporary worker with access to your systems is in scope. Auditors will look for documented proof that training reached the entire workforce, not just the security team.

2. Management is accountable

Article 20 introduces something new: direct board-level accountability for cybersecurity. Senior management must approve and oversee cybersecurity risk management measures. They are required to undergo regular cybersecurity training themselves. And if things go wrong, they face personal liability. Fines for essential entities can reach 10 million euros or 2% of global annual turnover. For board members, this makes cybersecurity a standing governance issue, not a quarterly afterthought.

3. Generic training is not enough

NIS2 requires measures that are "appropriate and proportionate" to the risks an organization actually faces. A cookie-cutter program that delivers the same content to a 50-person fintech and a 5,000-person energy company is unlikely to satisfy an auditor. Organizations need training that reflects their industry, their location, their regulatory obligations, and the threat landscape relevant to their operations.

This is where adaptive learning directly supports NIS2 compliance. By delivering training paths tailored to your sector, your geography, and your compliance requirements, it turns a checkbox exercise into a defensible, audit-ready program.

How Adaptive Learning works at Nimblr

At Nimblr, we have built adaptive learning directly into the platform. There is nothing extra to buy and no complicated setup. Here is how it works:

Step 1: Set your organization's profile. Through the admin portal, you select your industry, your country, and the compliance frameworks that apply to you (NIS2, DORA, GDPR, PCI DSS, and others). This takes about two minutes.

Step 2: Complete the general curriculum. Your employees work through Nimblr's core security awareness training, which covers the essential topics every organization needs: phishing, social engineering, ransomware, password hygiene, data protection, and more. This builds a strong, shared baseline.

Step 3: Targeted paths activate automatically. Once the general curriculum is complete, employees are automatically enrolled in targeted learning paths based on your organization's profile. These are carefully designed course sequences that go deeper into the threats, regulations, and scenarios that matter most to your specific environment.

What Adaptive Learning looks like in practice

The power of adaptive learning is in its specificity. Instead of one more generic course on phishing, your employees receive training that reflects their actual working reality.

Industry-specific paths

Financial services: Courses on payment fraud in financial environments, CEO fraud and business email compromise in finance, credential abuse in banking, third-party vendor risk, and ransomware impact on financial operations.

Healthcare: Training on ransomware in healthcare, patient data protection, phishing targeting medical staff, insider risk, and medical device security.

Manufacturing: Content covering ransomware in production environments, supply chain compromise, operational technology (OT) security awareness, and physical security in industrial facilities.

Public sector: Courses on state-sponsored cyber threats, ransomware against public services, disinformation and deepfake risks, and citizen data protection.

Region-specific paths

Because Nimblr was built in Europe for European organizations, we understand that threats and regulations vary across the continent. A company in Estonia needs to know about SMART-ID phishing and vishing, while an organization in the broader EU region needs to understand business email compromise trends, GDPR incident reporting in practice, and the implications of NIS2. Our regional learning paths reflect these differences, delivering content that is locally relevant and immediately applicable.

Compliance overlays

On top of industry and regional paths, Nimblr adds compliance overlays that are triggered based on the regulatory frameworks you selected during setup:

  • GDPR overlay: Personal data in daily work, what constitutes a data breach, the 72-hour reporting obligation, documentation and accountability, and data minimization.
  • NIS2 overlay: Organizational cybersecurity obligations, incident reporting timelines (24h / 72h), supply chain and third-party risk, management accountability, and building a cybersecurity culture under regulatory oversight.
  • DORA overlay: ICT risk management, third-party ICT risk, incident reporting requirements, digital operational resilience, and testing and preparedness.

These overlays are not standalone programs. They work alongside your industry and regional training, ensuring that every employee gets a complete, relevant learning experience.

Why this matters for your organization

If you are evaluating security awareness training platforms, there are a few things worth considering: