This article covers 8 points on the minimum training required for GDPR, ISO 27001, and NIS2 compliance:
- What each framework requires on training
- Checklist per framework: GDPR, ISO 27001, and NIS2
- Risks of not having a structured training plan
- What a corporate training plan must include
- Minimum cadence that holds up in audit
- Mistakes that can undermine compliance
- How PrivaLex can help (including FUNDAE)
- FAQs and next step
When we talk about certifications and regulatory compliance, the focus is often on policies, technical controls, or audits. Yet there is one cross-cutting element that links GDPR, ISO 27001, and NIS2, and that many organisations neglect: staff training.
A training plan is not an add-on; it is a requirement. However advanced your security systems are, if your team is not trained and you cannot prove it, you risk non-compliance and failing an audit.
This guide provides a checklist of the minimum training required by the three frameworks, what your plan should include, at what cadence, and which mistakes to avoid.
At PrivaLex Partners we design integrated training plans and the documentation auditors ask for, so compliance does not stay on paper.
What each framework requires on training
All three frameworks share one principle: training must be documented, periodic, and role-appropriate. What changes is the emphasis and the specific articles or clauses.
ISO 27001: competence and awareness
ISO 27001 requires that people under the organisation’s control are competent and aware of the information security policy, their role, and the consequences of non-compliance.
Clauses 7.2 and 7.3 set this out; Annex A (control A.6.3) requires ongoing security awareness, education, and training.
In practice, auditors expect: a training plan, records of who received what training and when, and some form of evaluation or evidence that awareness is effective. If ISO 27001 certification is on your roadmap, our guide on how to obtain ISO 27001 certification is a useful companion read.
NIS2: cybersecurity and management
The NIS2 Directive, in force since 2024 with consolidated practical application from 2025, strengthens training for essential and important sectors.
It establishes that management bodies must receive training to identify risks and assess cyber risk-management practices (Article 20).
It also provides that cybersecurity training forms part of the risk-management measures expected of entities (Article 21), together with basic cyber hygiene practices.
If your organisation is in scope of NIS2, training is not optional: it is a pillar of compliance, and authorities can ask for evidence of plans, records, and evaluations.
GDPR: proactive accountability
The GDPR does not specify a syllabus, but it does require proactive accountability and that anyone processing personal data does so with full knowledge of their obligations. That translates into practical training for HR, Marketing, Sales, Customer Support, and any area that handles personal information.
To align privacy training with what a GDPR audit expects, use our post on GDPR audits as a reference.
“ISO 27001, NIS2 and the GDPR share one principle: there is no real compliance without trained staff.”
Checklist per framework: GDPR, ISO 27001, and NIS2
A minimum checklist that covers all three frameworks can be summarised as follows:
For ISO 27001
- Training plan with scope (who) and frequency (when).
- Evidence of competence (training or experience) and awareness (policy, role, consequences).
- Attendance or completion records and materials used.
- Ongoing awareness activities (not just a one-off session).
- Onboarding training for new joiners.
Expanded checklist (what usually “closes” audit gaps):
- Role-based competence matrix (who needs which training and why).
- Content map (security, privacy, incidents, reporting) and what requirement it supports.
- Change control for training content (how you update modules when risks or systems change).
- Minimum metrics: completion rate, quiz results, simulation trends (e.g. phishing).
For NIS2
- Training for senior management (risks, responsibilities, oversight) with evidence of completion.
- Cybersecurity training and awareness as part of risk-management measures (basic hygiene, reporting, incident readiness).
- Records and evidence showing the programme exists, is maintained, and improves.
- Recurring cadence (e.g. annual + quarterly refreshers) and onboarding.
Expanded checklist (for supervisory resilience):
- Board oversight evidence: plan approval, KPI review, periodic check-ins.
- Incident linkage: post-incident training updates and documented lessons learned.
- Third-party coverage: onboarding or training requirements for key suppliers with access/impact.
For GDPR
- Training for anyone who processes personal data.
- Content covering principles, data subject rights, and internal procedures (breaches, rights requests).
- Documentation that allows you to demonstrate that training has been delivered and is updated.
Expanded checklist (where teams often fail):
- Induction training before/at the point of access to personal data (especially HR, Sales, Support).
- Breach readiness module: what a personal data breach is, internal escalation, evidence preservation.
- Rights handling module: how to recognise a request and route it internally.
- Vendor and sharing discipline: approved tools, when to involve Legal/Compliance, what not to do.
A single role-based training plan can satisfy all three frameworks if it clearly defines scope, content per profile, cadence, and evidence.
If you want to make the checklist truly actionable, add one more layer: minimum topics that should appear in your baseline modules. A practical baseline topic list includes:
- Phishing and social engineering: how to recognise it and how to report it.
- Authentication basics: password manager use, MFA expectations, device security basics.
- Secure sharing and data handling: approved tools, classification, what not to send over email.
- Incident reporting: what counts as an incident, internal escalation path, no-blame reporting.
- Privacy fundamentals (GDPR): what is personal data, when to escalate, rights requests routing.
These topics map cleanly to ISO 27001 awareness expectations, NIS2 “basic cyber hygiene and training” expectations, and GDPR accountability needs without overwhelming teams.
Risks of not having a structured training plan
Auditors and authorities agree: the weak link is often not technology but people. Cybersecurity and training go hand in hand. Phishing, weak passwords, lost devices, and unfamiliarity with internal procedures are frequent sources of incidents linked to missing training.
The most common non-conformities in training audits are:
- No defined training programme: no plan, no owners, no dates.
- Training limited to IT or management: the rest of the organisation is left out.
- No clear records of dates, content, and attendees.
- Staff unable to explain how to act in an incident or whom to report to.
These failures are avoidable with a structured plan; if left unaddressed, they can lead to regulatory sanctions, ISO 27001 non-conformities, or corrective measures under NIS2.
“The biggest risk is not technology, but people who do not know how to use it.”
One practical indicator: if you ask a non-technical employee where they would report phishing, or what they would do if they think they accidentally shared a sensitive file, and they cannot answer, your programme is “formal” but not “operational”. In audits, this kind of interview sampling is common.
What a corporate training plan must include
An effective plan does not need to be complex, but it should be strategic and auditable. Recommended elements:
- Role-appropriate content: what an IT technician needs is not the same as Sales or HR.
- Periodicity: at least once a year as a baseline, with short refresher sessions during the year.
- Documentation and evaluation: record attendance, materials used, and training outcomes (quizzes, simulations, etc.).
- Onboarding: every new joiner should receive basic training from day one.
- Practical application: incident simulations, privacy or cybersecurity scenarios.
This approach turns training into a pillar of corporate culture and solid evidence in an audit.
A simple way to implement this is to structure your programme in three layers:
- Layer 1 (company baseline): phishing, passwords/MFA, secure sharing, incident reporting.
- Layer 2 (role-based): IT/SecOps (incident response, logging), HR (employee data), Sales/Support (verification and sharing), Management (governance).
- Layer 3 (risk-driven refreshers): short modules when tools/suppliers change or after incidents.
Then tie it together with one audit-friendly artefact: a training matrix that maps roles to modules, periodicity, and evidence expected.
A minimal matrix example (summary) could be:
- All staff: phishing + incident reporting + secure sharing (annual + micro-sessions).
- HR: employee data + onboarding/offboarding + breach basics (annual + refresher).
- Sales/Support: verification + sharing + rights requests routing (annual + refresher).
- IT/SecOps: incident response + logging + privileged access (annual + drills).
- Management: governance + KPI review + risk-based decisions (annual + mid-year review).
It does not need to be perfect on day one, but it should exist, match reality, and you should be able to prove execution.
Minimum cadence that usually holds up in audit
A cadence that is usually defensible to auditors and authorities is:
- Onboarding: training within the first two weeks of joining.
- Annual refresh: baseline update for the whole organisation.
- Quarterly micro-training: short sessions tied to current threats (phishing, MFA, supplier scams).
- Post-incident: short training update after relevant incidents or near-misses.
Adjust intensity to your organisation’s size and risk; what matters is that it is documented and repeatable.
If you want the cadence to be truly defensible, avoid relying solely on “one annual session”. Instead, use training in pulses: smaller, repeated pieces.
This improves retention and makes it easier to demonstrate continuity (a key expectation in ISO 27001 and NIS2 supervision).
An example yearly cadence (adaptable) could look like this:
- January: baseline refresh (company-wide) + key policy updates.
- March: phishing simulation + incident reporting reminder.
- June: role-based module (HR/Sales/Support) + short assessment.
- September: technical session (IT/SecOps) + tabletop incident drill.
- November: lessons learned (year’s incidents) + management refresher.
What matters is not the month, but that the programme is predictable, leaves evidence (records/materials/results), and you can explain why that cadence fits your risk profile.
Mistakes that can undermine compliance
No plan and no owner. If nobody owns the programme and there are no defined dates or scope, no framework will consider it satisfied.
Training only part of the organisation. ISO 27001, NIS2, and the GDPR all expect coverage appropriate to risk; limiting training to IT or management leaves a clear gap.
Not keeping evidence. “We trained people” without attendance records, materials, or evaluations will not stand up to review. Every session should leave a documentary trail.
Ignoring management. NIS2 explicitly requires training for senior management. Excluding them is a governance failure, not a detail.
Not preparing exportable evidence. In audits and supervisory reviews, it is not enough to say “it’s in our LMS”. You need to export: plan, attendance, materials, and evaluation outputs. Ideally, keep them in a stable internal repository structure (by year / by module / by role).
Not defining what happens when someone misses training. Auditors do not expect perfection, but they do expect a process: reminders, a catch-up window, an exceptions log, and evidence of closure. Without that loop, training becomes an “event” rather than a control.
Treating training as “content delivery” instead of “behaviour change”. If the only evidence you have is a deck and a sign-in sheet, you will struggle to show effectiveness.
Add small mechanisms that prove learning: a short quiz, a phishing simulation, a tabletop drill, or a simple metric like time-to-report improvements.
How PrivaLex can help
At PrivaLex Partners we help organisations define and deliver training plans that meet GDPR, ISO 27001, and NIS2 in an integrated way. We offer:
- Plan design by role and by regulatory framework.
- Delivery (live sessions, workshops, or blended format).
- Audit-ready documentation (plans, records, templates).
- FUNDAE management in Spain to subsidise training and reduce cost.
The aim is for your team not only to receive training but to know how to act, and for you to prove it with clear evidence.
Schedule a strategic session with PrivaLex and we will help you close the minimum training checklist for GDPR, ISO 27001, and NIS2.
Frequently Asked Questions (FAQs)
Is training mandatory under ISO 27001, NIS2, and GDPR?
Yes, in all three. ISO 27001 requires competence and awareness (clauses 7.2, 7.3, and control A.6.3). NIS2 requires periodic cybersecurity training and training for management. The GDPR requires anyone processing personal data to do so with knowledge of their obligations; training is the practical way to demonstrate that.
Can I use one training plan for all three frameworks?
Yes. A single role-based plan can cover the awareness, competence, and documentation requirements of all three, as long as it defines scope, content per profile, cadence, and evidence for each framework.
What minimum training cadence do auditors usually accept?
A defensible pattern is: onboarding training in the first few weeks, annual refresh for the whole workforce, and quarterly refreshers (micro-training). What matters is that it is documented and repeatable.
If your organisation has higher risk exposure (critical services, sensitive data, many suppliers), consider adding short, role-specific refreshers after changes (new tool, new vendor, incident) rather than waiting for the annual cycle.
What evidence should I keep?
At minimum: training plan, attendance or completion records, materials used, and evaluation results, plus onboarding evidence for new joiners.
If you want to reduce audit friction, add: role-based competence matrix, KPIs (completion, results, phishing simulation), and a corrective-action log for missed training.
Can I subsidise training in Spain?
Yes. Cybersecurity and privacy training can be subsidised through FUNDAE. At PrivaLex we manage the process so you can meet the checklist without bearing the full cost.
What if I only train IT?
ISO 27001, NIS2, and the GDPR all expect coverage appropriate to risk.
Limiting training to IT usually leads to non-conformities or gaps in an inspection, because human risk exists in every department that handles information or systems.
Next step
Meeting the minimum training required by GDPR, ISO 27001, and NIS2 is not optional if you want to pass audits and reduce risk. Schedule a strategic session with PrivaLex and we will help you define your checklist and put it into practice with audit-ready documentation.
For the official NIS2 text, refer to EUR-Lex: Directive (EU) 2022/2555.
