{"id":41249,"date":"2026-05-25T17:57:19","date_gmt":"2026-05-25T15:57:19","guid":{"rendered":"https:\/\/smartfense.com\/?p=41249"},"modified":"2026-05-25T17:57:27","modified_gmt":"2026-05-25T15:57:27","slug":"nis2-security-awareness-compliance-deep-dive","status":"publish","type":"post","link":"https:\/\/smartfense.com\/en\/blog\/nis2-security-awareness-compliance-deep-dive\/","title":{"rendered":"NIS2 and security awareness: a technical deep dive for compliance officers"},"content":{"rendered":"<p>For a compliance officer, it is no longer enough to know what NIS2 is. The directive has been transposed or is in the process of being transposed in every Member State, and the first audits are starting to scrutinize the human component of the programme with a level of detail that has surprised more than one CISO. Article 21 of Directive (EU) 2022\/2555 includes cybersecurity training and basic cyber hygiene practices among the minimum mandatory measures. Article 20 adds a requirement that many people overlook: members of the management body must also receive specific training and can be held personally accountable for the lack of adequate measures.<\/p>\n<p>This piece does not repeat what NIS2 is. It assumes you already know. What it develops is the next layer, the one that determines whether an awareness programme will or will not pass an audit. 
What the directive actually requires regarding training, who it applies to, what content to cover, how to prove it, and where the programme typically falls apart once the audit starts pulling on the thread.<\/p>\n<p>If you need the general framework first, we have a previous article on <a href=\"https:\/\/smartfense.com\/blog\/que-es-la-nis2-y-como-smartfense-puede-ayudarte-a-cumplir-con-la-normativa-europea\/\">what NIS2 is and how SMARTFENSE can help you comply with the European directive<\/a> covering scope, affected sectors and formal deadlines.<\/p>\n<h2>What does Article 21 of NIS2 require in terms of training and cyber hygiene?<\/h2>\n<p>Article 21 of Directive (EU) 2022\/2555 lists the technical, operational and organisational measures that essential and important entities are obliged to adopt. Among those measures, paragraph 21.2 expressly includes \u201cbasic cyber hygiene practices and cybersecurity training\u201d. The text does not frame them as an optional annex or a recommendation; it treats them as part of the minimum measures the entity must demonstrate.<\/p>\n<p>Article 20 adds a different and more political front. Members of the management body must approve risk management measures, oversee their implementation and receive specific training to be able to do so. The directive also enables individual liability for the management when those measures fail. In practice this changes the way an awareness programme is sold internally, because it stops being a CISO initiative and becomes a personal obligation of whoever signs off the security decisions.<\/p>\n<p>Summed up in a single read, the regulatory block says NIS2 treats people as a first-class security control, requires training for everyone and reinforced training for management, and allows sanctioning both the entity and its directors when that control fails. 
The awareness programme stops being internal communications and enters the audit perimeter.<\/p>\n<h2>Who is actually covered by NIS2 training?<\/h2>\n<p>One of the first sources of confusion appears when the directive is translated into an internal scope. \u201cAll staff\u201d does not mean the same thing in a banking entity as in an energy operator with a distributed industrial workforce, and auditors will ask about the segmentation logic. It helps to distinguish four audiences with different treatment.<\/p>\n<p><strong>Management body.<\/strong> Board, executive committee or equivalent. They must receive targeted training that enables them to approve and oversee risk management measures. The content is not the same as for an end user, because the objective is to enable informed decision making, not to teach them how to spot phishing.<\/p>\n<p><strong>Technical staff with operational responsibility.<\/strong> IT, security, platform engineering, administrators of critical systems. Role-specific training with content on vulnerability management, secure configuration, incident response and the concrete role each function plays within the contingency plan.<\/p>\n<p><strong>Other employees with access to systems.<\/strong> The largest block of the programme. Periodic training on basic cyber hygiene, social engineering awareness, secure data handling, credential use and incident reporting. A good practice is to segment this group further by level of exposure, not by org chart.<\/p>\n<p><strong>Third parties with access to critical systems.<\/strong> Suppliers, integrators, technical partners. The directive incorporates supply chain security as a mandatory measure under the same Article 21, and that includes human access from third parties. 
If a supplier with an active account has never been through your programme, the risk and the responsibility remain yours.<\/p>\n<p>Being classified as an essential or important entity changes the rigour of supervision but not the logic of the scope. Both categories are obligated to train their staff. What changes is the intensity of subsequent oversight by the competent authorities.<\/p>\n<h2>What content should an NIS2-compatible awareness programme cover?<\/h2>\n<p>The directive does not publish a curriculum, which leaves the entity responsible for justifying that the programme covers what is needed. The cleanest strategy is to build the content plan by crossing two axes, the technical measures listed in Article 21 and the real threats affecting the sector.<\/p>\n<p>From that intersection, a typically solid programme includes at least these domains:<\/p>\n<ol>\n<li><strong>Social engineering and phishing<\/strong>, with focus on email, corporate messaging, voice and recent vectors such as QR code quishing.<\/li>\n<li><strong>Credential management<\/strong>, strong passwords, password managers and real multi-factor authentication.<\/li>\n<li><strong>Safe use of devices and networks<\/strong>, including remote work, home networks, public networks and BYOD.<\/li>\n<li><strong>Handling of sensitive data<\/strong>, classification, retention, transfers and secure deletion.<\/li>\n<li><strong>Incident reporting<\/strong>, internal procedure, channel, timeline and a culture of not penalising the report.<\/li>\n<li><strong>Human-layer supply chain risk<\/strong>, what to do when a supplier requests access or documentation outside the normal channel.<\/li>\n<li><strong>Business continuity and response<\/strong>, what each role does when an incident affects its area.<\/li>\n<li><strong>Privacy and data protection<\/strong>, in connection with GDPR, because inspectors tend to look at both frameworks together.<\/li>\n<li><strong>Specific training for the management 
body<\/strong>, regulatory framework, responsibilities of the body, reading of risk reports and traceability of decisions.<\/li>\n<\/ol>\n<p>Each domain should have core material, brief reinforcements and at least one assessment mechanism. Having one course per domain is not enough for a demanding auditor, because what NIS2 measures is the continuous nature of the programme, not its one-off existence.<\/p>\n<h2>How is awareness compliance measured and proven during an audit?<\/h2>\n<p>This is where programmes that look complete on paper tend to fall short. An NIS2 audit asks for evidence, and evidence is measured in layers. When we talk to CISOs who have already been through a serious review, they all describe the same problem: the courses exist, what is missing is per-user traceability.<\/p>\n<p>It pays to have four evidence layers ready.<\/p>\n<p><strong>Attendance and completion.<\/strong> What percentage of staff completed each mandatory module, within what timeframe, with how many reminders. This includes directors and third parties, not just internal employees.<\/p>\n<p><strong>Comprehension.<\/strong> Assessment results, not learner satisfaction. The directive does not ask for satisfaction surveys; it requires staff to be able to apply what they have learned. A post-training assessment with a passing threshold is the standard piece.<\/p>\n<p><strong>Behaviour.<\/strong> Controlled simulations of phishing, ransomware or vishing where real conduct is measured against a stimulus. This layer is what tells a formal programme apart from an effective one, because it lets you compare what the user says they know with what they actually do when the lure arrives.<\/p>\n<p><strong>Executive reporting and per-user traceability.<\/strong> The auditor will ask to pick a specific name from the roster and see their full trajectory, with assigned modules, completions, passed assessments, simulations received and recorded behaviour. 
If the system cannot produce that view within minutes, the control fails regardless of content quality.<\/p>\n<p>Alongside these layers it pays to maintain a documentary log capturing the programme\u2019s logic, with the policy approved by management, the audience segmentation, the annual calendar, success criteria and periodic reviews. When the audit asks why the programme is designed this way, that log is the answer.<\/p>\n<h2>What typical mistakes sink an awareness programme during an NIS2 audit?<\/h2>\n<p>After several years of accompanying awareness programme implementations, we keep seeing a small group of failures that recurs with uncomfortable frequency. It pays to review them before the audit, not after.<\/p>\n<p><strong>Annual one-shot programme.<\/strong> A mandatory training session in January, no reinforcement, no simulation, and the year is considered covered. NIS2 talks about the continuous nature of the programme, and an experienced auditor will flag the gap.<\/p>\n<p><strong>Same content for management and users.<\/strong> Article 20 requires specific training for the management body. Serving them the same introductory module as the rest of the staff does not satisfy the obligation, even if attendance is documented.<\/p>\n<p><strong>Phishing simulations without longitudinal metrics.<\/strong> Running a quarterly simulation with a snapshot result is not the same as showing behaviour evolution per user, per group and per lure type. Data compared over time is what evidences improvement.<\/p>\n<p><strong>No evidence for third parties.<\/strong> Suppliers with access to critical systems often fall outside the scope, until the audit asks how human supply chain risk is managed and there is no answer.<\/p>\n<p><strong>No per-user traceability.<\/strong> Aggregated reports with global percentages look good until the auditor picks three people at random and asks for their individual history. 
If the system cannot deliver, the whole programme is in question.<\/p>\n<p><strong>Weak governance documentation.<\/strong> Unsigned policy, no periodic review, no minutes of the management body\u2019s approval. The formal component weighs more than many expect, because the audit is built on paper before practice.<\/p>\n<h2>How SMARTFENSE helps sustain NIS2\u2019s human component<\/h2>\n<p>At this point, the operational question is how to sustain a programme that covers all these requirements without exhausting the security team. The SMARTFENSE platform is designed for exactly this scenario and covers the points an NIS2 auditor will ask about.<\/p>\n<p>The <a href=\"https:\/\/smartfense.com\/en\/platform\/content-and-multi-catalogues\/\">multi-catalogue of content<\/a> allows different modules to be assigned by role, language and exposure level, which solves the segmentation between management, technical staff, users and third parties. Content is mapped to relevant European regulatory frameworks, NIS2 included, and is updated whenever regulators publish new guidance. For the specific training of the management body there is differentiated material, respecting the tone and depth the management needs.<\/p>\n<p>On top of that segmentation come the <a href=\"https:\/\/smartfense.com\/en\/platform\/engagement-tools\/automated-cybersecurity-awareness-program\/\">automated programmes<\/a>, predefined plans designed by our experts that assign modules, reinforcements and simulations according to each person\u2019s role, exposure level and applicable regulations. Content assignment stops depending on manual spreadsheets kept by the security team: the system reactivates the plan when the workforce changes, when a vendor with access is onboarded, or when the regulator releases new guidance, and it links each module to the regulatory framework it answers to. 
It\u2019s the piece that cuts management time by up to seventy percent without losing per-user traceability.<\/p>\n<p>The <a href=\"https:\/\/smartfense.com\/en\/platform\/campaign-calendar\/\">campaign calendar<\/a> sustains the continuous nature the directive demands, alternating core modules, brief reinforcements, phishing simulations and assessments throughout the year. Per-user traceability is native, which means when the auditor asks for the view of a specific person, the information comes out in seconds, not weeks.<\/p>\n<p>SMARTFENSE is a security awareness platform with a consolidated presence in Latin America and Spain, native content in English, Spanish, Italian and European Portuguese, and support for multi-catalogue environments that compliance officers of multinational groups appreciate. If your organisation is preparing NIS2 audit documentation, it is worth also reviewing our <a href=\"https:\/\/smartfense.com\/en\/resources\/compliance\/\">regulatory compliance<\/a> page and the article on <a href=\"https:\/\/smartfense.com\/en\/blog\/regulatory-compliance-a-sustained-commitment-to-cybersecurity\/\">regulatory compliance as a sustained commitment<\/a>, where we go deeper into how the different frameworks fit together.<\/p>\n<h2>The human factor as an auditable control<\/h2>\n<p>NIS2 finally consolidates an idea the industry has been demanding for years. The human factor is a security control, with everything that implies. It needs an approved policy, defined scope, justified content, periodic assessment, individual evidence and management review. What used to be solved with one annual course and a few reminder emails now requires an architecture. For compliance officers who had been arguing for the awareness programme budget for too long, the directive settles the debate for them. It is worth taking advantage of that.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Article 21 of NIS2 requires training for all staff and the management body. 
What to cover, how to measure it, and how to prove it under audit.<\/p>\n","protected":false},"author":31,"featured_media":41246,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[3,686],"tags":[591,1362,920,995,448],"class_list":["post-41249","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-compliance-en","tag-cumplimiento-normativo-en","tag-europa-en","tag-nis2-en","tag-security-awareness"],"acf":[],"yoast_head":" \n<title>NIS2 and security awareness: technical guide for compliance officers<\/title>\n<meta name=\"description\" content=\"Article 21 of NIS2 requires training for all staff and the management body. What to cover, how to measure it, and how to prove it under audit.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/smartfense.com\/en\/blog\/nis2-security-awareness-compliance-deep-dive\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"NIS2 and security awareness: technical guide for compliance officers\" \/>\n<meta property=\"og:description\" content=\"Article 21 of NIS2 requires training for all staff and the management body. 
What to cover, how to measure it, and how to prove it under audit.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/smartfense.com\/en\/blog\/nis2-security-awareness-compliance-deep-dive\/\" \/>\n<meta property=\"og:site_name\" content=\"SMARTFENSE\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-25T15:57:19+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-05-25T15:57:27+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/smartfense.com\/file\/2026\/05\/hero-4.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1376\" \/>\n\t<meta property=\"og:image:height\" content=\"768\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Andrea Sona\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Andrea Sona\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/smartfense.com\\\/en\\\/blog\\\/nis2-security-awareness-compliance-deep-dive\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/smartfense.com\\\/en\\\/blog\\\/nis2-security-awareness-compliance-deep-dive\\\/\"},\"author\":{\"name\":\"Andrea Sona\",\"@id\":\"https:\\\/\\\/smartfense.com\\\/en\\\/#\\\/schema\\\/person\\\/3d5d7dc2e569f5c1af2daef92f35de00\"},\"headline\":\"NIS2 and security awareness: a technical deep dive for compliance 
officers\",\"datePublished\":\"2026-05-25T15:57:19+00:00\",\"dateModified\":\"2026-05-25T15:57:27+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/smartfense.com\\\/en\\\/blog\\\/nis2-security-awareness-compliance-deep-dive\\\/\"},\"wordCount\":1898,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/smartfense.com\\\/en\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/smartfense.com\\\/en\\\/blog\\\/nis2-security-awareness-compliance-deep-dive\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/smartfense.com\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/hero-4.jpg\",\"keywords\":[\"compliance\",\"Cumplimiento Normativo\",\"europa\",\"nis2\",\"security awareness\"],\"articleSection\":[\"Blog\",\"Blog\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/smartfense.com\\\/en\\\/blog\\\/nis2-security-awareness-compliance-deep-dive\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/smartfense.com\\\/en\\\/blog\\\/nis2-security-awareness-compliance-deep-dive\\\/\",\"url\":\"https:\\\/\\\/smartfense.com\\\/en\\\/blog\\\/nis2-security-awareness-compliance-deep-dive\\\/\",\"name\":\"NIS2 and security awareness: technical guide for compliance officers\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/smartfense.com\\\/en\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/smartfense.com\\\/en\\\/blog\\\/nis2-security-awareness-compliance-deep-dive\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/smartfense.com\\\/en\\\/blog\\\/nis2-security-awareness-compliance-deep-dive\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/smartfense.com\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/hero-4.jpg\",\"datePublished\":\"2026-05-25T15:57:19+00:00\",\"dateModified\":\"2026-05-25T15:57:27+00:00\",\"description\":\"Article 21 of NIS2 requires training for all staff and the management body. 
What to cover, how to measure it, and how to prove it under audit.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/smartfense.com\\\/en\\\/blog\\\/nis2-security-awareness-compliance-deep-dive\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/smartfense.com\\\/en\\\/blog\\\/nis2-security-awareness-compliance-deep-dive\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/smartfense.com\\\/en\\\/blog\\\/nis2-security-awareness-compliance-deep-dive\\\/#primaryimage\",\"url\":\"https:\\\/\\\/smartfense.com\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/hero-4.jpg\",\"contentUrl\":\"https:\\\/\\\/smartfense.com\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/hero-4.jpg\",\"width\":1376,\"height\":768,\"caption\":\"Sala de control con paneles de cristal donde un equipo revisa indicadores de cumplimiento normativo, representando la trazabilidad exigida por NIS2\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/smartfense.com\\\/en\\\/blog\\\/nis2-security-awareness-compliance-deep-dive\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Portada\",\"item\":\"https:\\\/\\\/smartfense.com\\\/en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"NIS2 and security awareness: a technical deep dive for compliance officers\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/smartfense.com\\\/en\\\/#website\",\"url\":\"https:\\\/\\\/smartfense.com\\\/en\\\/\",\"name\":\"SMARTFENSE - Concienciaci\u00f3n en 
Ciberseguridad\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/smartfense.com\\\/en\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/smartfense.com\\\/en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/smartfense.com\\\/en\\\/#organization\",\"name\":\"SMARTFENSE\",\"url\":\"https:\\\/\\\/smartfense.com\\\/en\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/smartfense.com\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/smartfense.com\\\/wp-content\\\/uploads\\\/2023\\\/08\\\/logo-smartfense-240x40-1.png\",\"contentUrl\":\"https:\\\/\\\/smartfense.com\\\/wp-content\\\/uploads\\\/2023\\\/08\\\/logo-smartfense-240x40-1.png\",\"width\":241,\"height\":40,\"caption\":\"SMARTFENSE\"},\"image\":{\"@id\":\"https:\\\/\\\/smartfense.com\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/smartfense.com\\\/en\\\/#\\\/schema\\\/person\\\/3d5d7dc2e569f5c1af2daef92f35de00\",\"name\":\"Andrea Sona\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/smartfense.com\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/andrea-sona-avatar-150x150.png\",\"url\":\"https:\\\/\\\/smartfense.com\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/andrea-sona-avatar-150x150.png\",\"contentUrl\":\"https:\\\/\\\/smartfense.com\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/andrea-sona-avatar-150x150.png\",\"caption\":\"Andrea Sona\"},\"description\":\"Da anni nel settore informatico, Analista Informatica di professione, negli ultimi anni specializzata in cybersecurity awareness e formazione digitale, attualmente collaborando in SMARTFENSE. 
Con esperienza nel supportare aziende e organizzazioni nella diffusione della cultura della sicurezza informatica. Appassionata di innovazione e comunicazione tecnologica, contribuisce attivamente al dibattito sulla sicurezza digitale attraverso contenuti divulgativi.\",\"sameAs\":[\"https:\\\/\\\/www.linkedin.com\\\/in\\\/andrea-sona-58238b83\\\/\"],\"url\":\"https:\\\/\\\/smartfense.com\\\/en\\\/author\\\/andrea-sona\\\/\"}]}<\/script>\n ","_links":{"self":[{"href":"https:\/\/smartfense.com\/en\/wp-json\/wp\/v2\/posts\/41249","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/smartfense.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/smartfense.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/smartfense.com\/en\/wp-json\/wp\/v2\/users\/31"}],"replies":[{"embeddable":true,"href":"https:\/\/smartfense.com\/en\/wp-json\/wp\/v2\/comments?post=41249"}],"version-history":[{"count":7,"href":"https:\/\/smartfense.com\/en\/wp-json\/wp\/v2\/posts\/41249\/revisions"}],"predecessor-version":[{"id":41692,"href":"https:\/\/smartfense.com\/en\/wp-json\/wp\/v2\/posts\/41249\/revisions\/41692"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/smartfense.com\/en\/wp-json\/wp\/v2\/media\/41246"}],"wp:attachment":[{"href":"https:\/\/smartfense.com\/en\/wp-json\/wp\/v2\/media?parent=41249"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/smartfense.com\/en\/wp-json\/wp\/v2\/categories?post=41249"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/smartfense.com\/en\/wp-json\/wp\/v2\/tags?post=41249"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}