Compliance · December 3, 2025 · 10 min read

How NIS2 Changes Your Security Awareness Training Requirements

NIS2 makes cybersecurity training and cyber hygiene a required risk-management measure, and puts management bodies on the hook for it. Here is what you need to document, how often you should train, and what auditors will ask for.

What NIS2 says about security awareness

The NIS2 Directive (Directive (EU) 2022/2555) includes explicit requirements for human risk management. Article 21(2)(g) lists "basic cyber hygiene practices and cybersecurity training" among the minimum cybersecurity risk-management measures that essential and important entities must implement. Article 20(2) adds that members of management bodies must themselves follow training, and must encourage the regular offering of similar training to their employees, so the requirement reaches the board as well as the workforce.

Unlike its predecessor, the original NIS Directive of 2016, NIS2 applies to a much broader set of organisations: medium-sized and large entities in the sectors listed in its Annexes I and II, plus certain entities that are covered regardless of size. Many organisations that were never in scope before now have to evidence a training program.

What security awareness training means under NIS2 in practice

  • Regular phishing simulations that demonstrate staff are tested, not just lectured
  • Role-based training for executives, general staff, and IT teams
  • Documented completion records showing who completed what and when
  • Incident reporting procedures communicated to all staff
  • Management awareness and oversight of the program

What auditors will ask for

  1. Training completion records per employee
  2. Phishing simulation reports with frequency and trend data
  3. Evidence that high-risk roles receive additional training
  4. Incident response procedures communicated to staff
  5. Board or management sign-off on the training program

How frequently should training happen?

NIS2 does not prescribe a minimum frequency; it only requires that the measures be appropriate and proportionate to the risk. Auditors nevertheless tend to treat a single annual module as insufficient on its own, because it cannot show that awareness is maintained between sessions. A common, defensible baseline is phishing simulations at least quarterly, short ongoing briefings in between (for example when a new campaign is observed), and awareness content built into onboarding so new joiners are covered from their first week. Whatever cadence you choose, write it down in the program and keep the records that show you met it.

How Phishy supports NIS2 evidence

Phishy includes a built-in NIS2 compliance checklist that maps simulation and training activity to Article 21 requirements. Exportable reports can show simulation coverage, trend lines, training completion, and incident reporting activity.

Get NIS2-ready with Phishy

Built-in compliance reporting. Free 14-day trial, no credit card.