How NIS2 Changes Your Security Awareness Training Requirements
NIS2 mandates regular security training for all staff. Here’s exactly what you need to document, how often you need to train, and what auditors will ask for.
What NIS2 says about security awareness
The NIS2 Directive (EU 2022/2555), which became enforceable across EU member states in October 2024, includes explicit requirements for human risk management. Article 21 requires covered entities to implement “cyber hygiene practices and cybersecurity training” as part of their risk management measures.
Unlike its predecessor NIS1, NIS2 applies to a much broader set of organisations — including medium-sized companies (50+ employees or €10M+ turnover) in critical sectors such as energy, transport, health, digital infrastructure, and public administration.
What “security awareness training” means under NIS2
NIS2 doesn’t prescribe exact training formats, but based on ENISA guidance and national implementations, your programme should include:
- Regular phishing simulations — demonstrating that employees are tested, not just lectured
- Role-based training — different content for executives vs. general staff vs. IT teams
- Documented completion records — audit evidence showing who completed what, when
- Incident reporting procedures — employees must know how to report suspected attacks
- Management board awareness — Article 20 specifically requires management bodies to oversee cybersecurity measures
What auditors will ask for
Based on early NIS2 audit patterns across EU member states, expect these evidence requests:
- Training completion records per employee (names, dates, module content)
- Phishing simulation reports — frequency, click rates, improvement trends over time
- Evidence that high-risk roles (finance, HR, IT) receive additional training
- Incident response procedures that were communicated to all staff
- Board/management sign-off on the cybersecurity training programme
How frequently does NIS2 require training?
NIS2 doesn’t specify a minimum frequency. However, annual training alone is widely considered insufficient — ENISA recommends a continuous awareness programme. In practice, this means:
- Phishing simulations: monthly or quarterly
- Formal training modules: at least annually, with new-hire onboarding
- Threat briefings: when significant new attack types emerge
How Phishy generates NIS2 compliance reports
Phishy includes a built-in NIS2 compliance checklist that maps your simulation and training activity to Article 21 requirements. You can export a PDF compliance report showing:
- Simulation frequency and coverage (% of employees tested)
- Click rate trends over time
- Training module completion by department
- Incident report rate
This is the documentation your auditor needs, generated automatically.
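As an added example (not Phishy's code and not part of the original page), the following Python script computes the evidence items listed above from constructed records: simulation coverage, per-campaign click rates, core-module completion by department, and a gap list flagging stale core training or a missing role-based module for high-risk roles. The record layouts, module names and the 365-day window are assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample records (not real data), in an assumed layout.
EMPLOYEES = {  # id -> (department, holds a high-risk role)
    "e1": ("finance", True), "e2": ("finance", True),
    "e3": ("ops", False), "e4": ("ops", False), "e5": ("it", True),
}
SIMULATIONS = [  # (campaign_date, targeted_ids, clicked_ids)
    (date(2024, 11, 5), {"e1", "e2", "e3"}, {"e1", "e3"}),
    (date(2025, 2, 3), {"e1", "e2", "e3", "e5"}, {"e3"}),
]
TRAININGS = [  # (employee_id, module, completion_date)
    ("e1", "core", date(2024, 9, 1)), ("e1", "finance-fraud", date(2024, 9, 2)),
    ("e2", "core", date(2024, 9, 1)), ("e3", "core", date(2023, 12, 15)),
    ("e5", "core", date(2025, 1, 10)), ("e5", "it-admin", date(2025, 1, 11)),
]
HIGH_RISK_MODULES = {"finance": "finance-fraud", "it": "it-admin"}  # assumed role modules

def simulation_coverage(sims=SIMULATIONS, employees=EMPLOYEES):
    """Share of current employees targeted by at least one simulation."""
    tested = set().union(*(targets for _, targets, _ in sims))
    return len(tested & employees.keys()) / len(employees)

def click_rate_trend(sims=SIMULATIONS):
    """Click rate per campaign, oldest first, as the auditor's trend series."""
    return [(d.isoformat(), round(len(c) / len(t), 2))
            for d, t, c in sorted(sims, key=lambda s: s[0])]

def completion_by_department(module="core", trainings=TRAININGS, employees=EMPLOYEES):
    done = {e for e, m, _ in trainings if m == module}
    per_dept = defaultdict(lambda: [0, 0])  # department -> [completed, headcount]
    for e, (dept, _) in employees.items():
        per_dept[dept][1] += 1
        per_dept[dept][0] += e in done
    return {d: round(n / total, 2) for d, (n, total) in per_dept.items()}

def training_gaps(as_of, trainings=TRAININGS, employees=EMPLOYEES, max_age_days=365):
    """Flag core training missing or older than the window (assumed 365 days),
    and high-risk roles lacking their role-based module. as_of is an ISO date."""
    as_of, latest, done = date.fromisoformat(as_of), {}, set()
    for e, m, d in trainings:
        done.add((e, m))
        if m == "core":
            latest[e] = max(latest.get(e, d), d)
    gaps = []
    for e, (dept, high_risk) in employees.items():
        if e not in latest or as_of - latest[e] > timedelta(days=max_age_days):
            gaps.append((e, "core training missing or stale"))
        if high_risk and (e, HIGH_RISK_MODULES.get(dept)) not in done:
            gaps.append((e, "missing role-based module"))
    return gaps
```

The gap list is the part worth keeping alongside the percentages: an auditor asking for per-employee records will want to see who is missing, not only the aggregate.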
Get NIS2-ready with Phishy
Built-in compliance reporting. Free 14-day trial, no credit card.