This article covers eight points on the training your employees need in order to comply with NIS2:
- What NIS2 requires on training (Article 20)
- Training by role: not everyone needs the same
- Checklist: minimum training for GDPR, ISO 27001 and NIS2
- What auditors and authorities expect to see
- How to prove in an audit that your staff is properly trained
- Mistakes that can undermine NIS2 training compliance
- How PrivaLex can help (including FUNDAE in Spain)
- FAQs and next step
Most serious cybersecurity incidents are not due to complex technical failures but to human error: a click on a phishing link, a weak password, a poorly protected device, or a file shared over an insecure channel.
The NIS2 Directive turns that reality into a governance requirement: resilience is not only technical, it is organisational.
This guide explains what training NIS2 requires, what changes when you align it with the GDPR and ISO 27001, and what evidence you need to keep to demonstrate training in an audit or supervisory review.
At PrivaLex Partners we design role-based programmes and deliver the documentation auditors actually ask for, so compliance does not stay in slide decks.
What NIS2 requires on training (Article 20)
NIS2 places responsibility at the top. Under Article 20, management bodies must approve and oversee cybersecurity risk management measures and are expected to receive training to understand risks and responsibilities.
In practice, training must be:
- Recurring: not a one-off awareness session.
- Documented: so you can demonstrate it to auditors or authorities.
- Role-appropriate: according to what each team actually does.
The training programme should also be treated as a control, not a slide deck. A practical way to operationalise it is to define:
- Scope: who is included (employees, contractors, interns, key suppliers).
- Cadence: minimum refresh frequency (e.g. quarterly micro-sessions + full annual refresh).
- Owner: who maintains the plan (Security, Compliance, or a shared owner).
- Evidence: what you will keep (completion records, materials, assessments).
- Escalation: how employees report suspicious events and who responds.
If your organisation is in a sector covered by NIS2, assume that authorities will not only ask “have you trained people?” but also “can you prove the programme is maintained and fits your risk profile?” The strongest answer is a measurable programme: attendance, phishing simulation results, completion rates, and improvement over time.
For the official text, see the NIS2 Directive on EUR-Lex: Directive (EU) 2022/2555.
Training by role: not everyone needs the same
One of the most common compliance failures is delivering the same generic course to the whole workforce.
NIS2 expects a practical and risk-proportionate approach, and that starts by differentiating by role.
Non-technical staff
Non-technical profiles (Operations, HR, Sales, Customer Support) need training that is applicable day to day:
- Security hygiene: password managers, MFA basics, secure use of devices.
- Phishing and social engineering: real examples, reporting flow, “stop and verify” habits.
- Handling sensitive information: classification basics, secure sharing, least-privilege culture.
To make it effective, anchor training to concrete tasks. For example:
- HR: handling employee data, secure document sharing, offboarding checklists, avoiding “informal” channels for sensitive files.
- Sales: receiving external files, urgent “CEO requests”, using approved tools for proposals, preventing account takeover on email/CRM.
- Customer Support: identity verification scripts, secure resets, avoiding over-disclosure, detecting suspicious customer requests.
Format matters as much as content. For non-technical teams, short modules (15–30 minutes) with realistic scenarios work better than long lectures.
A simple goal: every employee should be able to answer three questions confidently. What is suspicious? How do I report it? What must I not do?
Technical staff
Technical teams need deeper operational readiness:
- Incident management: detection, escalation paths, evidence preservation, communication.
- Access control and authentication: MFA enforcement, privileged access, account lifecycle.
- Monitoring and hardening: logging, alerting, patch cycle, configuration baselines.
- Backup and recovery: restore testing, disaster recovery plans.
To align training with what NIS2 expects, include “muscle memory” exercises:
- Incident simulations: walk through a ransomware, data leak or supplier compromise scenario and validate who does what in the first hour.
- Runbook walkthroughs: not just where the document is, but how to execute it (rotate credentials, isolate workloads, collect logs).
- Change management checkpoints: training on how to document security impact for changes affecting critical services.
If your organisation works in the cloud, include cloud-specific topics (IAM, secrets, logging, least privilege).
NIS2 does not distinguish between on-prem and cloud; what matters is that you can demonstrate the controls and the human side of operating them.
Senior management
Under NIS2, management cannot “delegate away” responsibility. It must be trained on:
- Governance duties: oversight, accountability, decision-making under risk.
- Risk management: how to assess impact and prioritise mitigations.
- Business continuity and reporting: what happens in an incident, when and how to notify, and what documentation is expected.
Management training should also cover how to ask the right questions. For example:
- What are our critical services and dependencies (including suppliers)?
- What are the most likely incident vectors (phishing, SaaS compromise, supplier breach)?
- What evidence will we have ready if an authority asks for proof of our programme?
- What is our escalation threshold for incident response, legal and communications?
“With NIS2, security is no longer just an IT matter: every employee contributes to operational resilience.”
Checklist: minimum training for GDPR, ISO 27001 and NIS2
Even if your starting point is NIS2, most organisations need training that also supports GDPR accountability and ISO 27001 audits. A practical “minimum viable” checklist looks like this:
NIS2 (Directive obligations)
- Cybersecurity awareness for the whole organisation, delivered periodically.
- Management training on oversight and risk-based decision-making.
- Evidence and records showing the programme exists and is effective.
A minimum cadence that usually holds up well in audits:
- Onboarding: training within the first two weeks of joining.
- Annual refresh: baseline update for the whole company.
- Quarterly micro-training: short sessions tied to current threats (phishing, MFA fatigue, supplier scams).
- Post-incident learning: short training update after relevant incidents or near-misses.
ISO 27001 (competence and awareness)
ISO 27001 requires that people under the organisation’s control are competent and aware of the information security policy, their role and the consequences of non-compliance (clauses 7.2 and 7.3), plus ongoing awareness expectations in Annex A controls.
If ISO 27001 is on your roadmap, our guide on how to obtain ISO 27001 certification is a useful reference. In practice, auditors typically ask for:
- A competence matrix (who needs what training and why).
- Security awareness coverage (phishing, device security, passwords/MFA, reporting).
- Role-specific competence (e.g. administrators trained on privileged access and logging).
- Signs of continuous improvement (updated materials, repeated sessions, measured outcomes).
GDPR (privacy in day-to-day operations)
The GDPR does not define a single syllabus but does require proactive accountability and that anyone processing personal data does so correctly. For most teams that means:
- Recognising personal data, lawful use and internal processing rules.
- Knowing how to channel data subject requests and incidents.
- Knowing what documentation exists (records, policies, procedures) and where to find it.
If you process personal data at scale, add two modules that reduce real-world risk: breach basics (what counts as a personal data breach, who to notify internally, what to preserve) and vendor and sharing discipline (approved tools, when to involve Legal/Compliance, how to avoid uncontrolled transfers).
To align privacy training with what a GDPR audit expects, use our post on GDPR audits as a reference.
What auditors and authorities expect to see
NIS2 is not a certification like ISO 27001, but supervision is similar in one key respect: you must be able to provide evidence. Auditors and authorities typically look for:
- A training plan (scope, audiences, frequency, owners).
- Proof it was delivered: attendance records and course completion logs.
- Proof it works: evaluations, simulations or metrics showing progress.
- Proof it is maintained: onboarding processes and periodic refreshers.
What they want to validate is simple: training exists, it is relevant, and it is repeatable.
In many audits they also sample reality: interviewing employees from different departments on where they would report phishing or an incident; asking for proof for a specific month (not “your best deck”, but real logs and attendance); asking how training is updated when new risks appear (new supplier, new SaaS, new incident).
If you prepare for that approach, the audit feels predictable: your plan describes what you do, your records show you did it, and your people can explain the basics without improvising.
How to prove in an audit that your staff is properly trained
If you want to pass an audit smoothly, prepare the evidence as if you had to hand it over tomorrow. A solid evidence pack includes:
- Annual training plan and schedule (including refreshers and ad hoc sessions after incidents).
- Attendance lists (signatures), LMS exports or access logs for online courses.
- Training materials: slide decks, videos, internal policy summaries.
- Assessment results: short quizzes, phishing simulations, tabletop exercises, satisfaction surveys.
- Onboarding evidence for new joiners (and, where relevant, third parties): what they were trained on and when.
“In compliance, what is not documented is treated as if it did not exist.”
To keep it manageable, store evidence in a consistent structure. For example:
- Training/Plan/ (annual plan, scope, competence matrix)
- Training/Materials/ (slide versions and dates)
- Training/Records/YYYY/ (attendance, exports, completion logs)
- Training/Assessments/YYYY/ (quizzes, simulation results, drill notes)
- Training/Onboarding/ (checklists and completion evidence)
Two more elements strongly reinforce the “prove it” story: exceptions and remediation (record of what happens when someone misses training and evidence of catch-up sessions) and KPIs (completion rate, simulated phishing click rate, reporting rate, time-to-report improvement).
They are not “optional”: they are how you demonstrate continuous improvement, which is what auditors and regulators expect when they see a recurring programme.
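As an added illustration (not code from the original article or from PrivaLex), the following Python script computes the KPIs and the exceptions record described above from constructed sample data: a staff roster, an LMS-style completion export and two quarterly phishing-simulation summaries. The record layout, the module names and the 14-day onboarding window (taken from the cadence checklist above) are assumptions; the point is that each number in the evidence pack can be regenerated from dated records rather than asserted in a deck.

```python
"""Training-evidence KPIs for a NIS2 / ISO 27001 audit pack.

Added example, not PrivaLex code. Input: a roster, an LMS-style completion
export and phishing-simulation summaries (all constructed below). Output: the
KPIs named in the text (completion rate, simulated phishing click rate,
reporting rate, time-to-report improvement) plus the exceptions list that
feeds the remediation record.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Employee:
    name: str
    department: str
    joined: date


@dataclass(frozen=True)
class Completion:
    name: str
    module: str        # assumed module names: "onboarding", "annual-2024"
    completed: date


@dataclass(frozen=True)
class PhishingSim:
    quarter: str
    sent: int
    clicked: int
    reported: int
    median_minutes_to_report: float


# Constructed sample data (not real records). Reporting cut-off for the pack:
AS_OF = date(2024, 12, 31)

ROSTER = [
    Employee("ana", "HR", date(2024, 1, 8)),
    Employee("ben", "Sales", date(2024, 3, 4)),
    Employee("cara", "Support", date(2024, 5, 6)),
    Employee("dan", "IT", date(2023, 6, 1)),
    Employee("eva", "Management", date(2022, 2, 1)),
]
COMPLETIONS = [
    Completion("ana", "onboarding", date(2024, 1, 15)),
    Completion("ana", "annual-2024", date(2024, 10, 3)),
    Completion("ben", "onboarding", date(2024, 4, 10)),   # 37 days after joining: late
    Completion("ben", "annual-2024", date(2024, 10, 3)),
    Completion("cara", "onboarding", date(2024, 5, 13)),
    Completion("cara", "annual-2024", date(2024, 10, 3)),
    Completion("dan", "onboarding", date(2023, 6, 5)),
    Completion("dan", "annual-2024", date(2024, 10, 4)),
    Completion("eva", "onboarding", date(2022, 2, 7)),
    # eva (management) has no annual-2024 record: a governance gap to flag
]
SIMS = [
    PhishingSim("2024-Q3", sent=50, clicked=9, reported=12, median_minutes_to_report=95.0),
    PhishingSim("2024-Q4", sent=52, clicked=4, reported=23, median_minutes_to_report=40.0),
]


def completion_rate(roster, completions, module, as_of):
    """Share of staff on the roster (joined on or before as_of) with a dated record for module."""
    due = [e for e in roster if e.joined <= as_of]
    done = {c.name for c in completions if c.module == module and c.completed <= as_of}
    return sum(1 for e in due if e.name in done) / len(due) if due else 0.0


def coverage_by_department(roster, completions, module, as_of):
    """Completion rate per department: audits sample departments, so gaps must be visible here."""
    departments = sorted({e.department for e in roster})
    return {d: completion_rate([e for e in roster if e.department == d], completions, module, as_of)
            for d in departments}


def training_exceptions(roster, completions, as_of, annual_module, max_onboarding_days=14):
    """Exceptions for the remediation record: missing/late onboarding and missing annual refresh."""
    by_person = {}
    for c in completions:
        by_person.setdefault(c.name, {}).setdefault(c.module, []).append(c.completed)
    exceptions = []
    for e in roster:
        if e.joined > as_of:
            continue
        modules = by_person.get(e.name, {})
        onboarding = modules.get("onboarding")
        if not onboarding:
            exceptions.append((e.name, e.department, "onboarding missing"))
        else:
            days = (min(onboarding) - e.joined).days
            if days > max_onboarding_days:
                exceptions.append((e.name, e.department, f"onboarding late ({days} days after joining)"))
        if not any(d <= as_of for d in modules.get(annual_module, [])):
            exceptions.append((e.name, e.department, f"{annual_module} missing"))
    return exceptions


def phishing_kpis(sim):
    """Click rate and reporting rate for one simulation round."""
    return {"quarter": sim.quarter, "click_rate": sim.clicked / sim.sent,
            "report_rate": sim.reported / sim.sent,
            "median_minutes_to_report": sim.median_minutes_to_report}


def time_to_report_improvement(sims):
    """Relative reduction in median time-to-report between the earliest and latest round."""
    ordered = sorted(sims, key=lambda s: s.quarter)
    first, last = ordered[0].median_minutes_to_report, ordered[-1].median_minutes_to_report
    return (first - last) / first


def main():
    print("annual-2024 completion:", f"{completion_rate(ROSTER, COMPLETIONS, 'annual-2024', AS_OF):.0%}")
    print("by department:", coverage_by_department(ROSTER, COMPLETIONS, "annual-2024", AS_OF))
    for item in training_exceptions(ROSTER, COMPLETIONS, AS_OF, "annual-2024"):
        print("exception:", item)
    for sim in SIMS:
        print(phishing_kpis(sim))
    print("time-to-report improvement:", f"{time_to_report_improvement(SIMS):.0%}")


if __name__ == "__main__":
    main()
```

Run the script once per reporting period and file its output under Training/Assessments/YYYY/ next to the raw exports it was computed from; the exceptions it prints are the entries that need a dated catch-up record before the pack is closed.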
Four mistakes that can undermine NIS2 training compliance
1. Training only the IT team. NIS2 expects resilience across the organisation. Most incidents start outside IT and audits sample different departments. If Sales and Support do not know how to report a suspicious email, your incident response will be slower, noisier and harder to document.
2. Treating training as a one-off. A single annual awareness session is rarely defensible. Training needs cadence and refreshers, especially as teams and threats change. A practical pattern: annual baseline + quarterly micro-training + onboarding.
3. Not keeping records or evidence. “We trained people” without attendance, materials or evaluation results will not stand up to review. Make evidence collection part of the process: every session should produce a log, dated materials and an assessment result.
4. Excluding management. NIS2 makes management oversight explicit. If senior management has no training record, it is a governance gap, not a minor detail. Management should be able to explain how it oversees cyber risk, what it reviews and what it expects from the programme.
How PrivaLex can help
At PrivaLex Partners we help organisations build training programmes aligned with NIS2, GDPR and ISO 27001 without turning training into a checkbox exercise. We typically support with:
- Role-based training design (staff, technical teams, management).
- Delivery (live sessions, workshops or blended format).
- Audit-ready documentation (plans, evidence packs, templates and reports).
- Spain-specific optimisation: if you operate in Spain, we can help you manage FUNDAE bonuses so compliance training is cost-efficient.
The difference is not only the content but how it fits into your operating model. We help you define what “good” looks like for your risk profile and turn it into a programme you can sustain with a small internal team:
- Clear scope and cadence (what happens annually, quarterly and at onboarding).
- An evidence pack that is easy to update (so you do not scramble when an audit comes).
- Short, practical modules focused on behaviour change, not compliance theatre.
- A simple reporting layer so management can oversee the programme and demonstrate that oversight.
Schedule a strategic session with PrivaLex and we will help you define the minimum training and the evidence you need to keep.
Frequently Asked Questions (FAQs)
Is training mandatory under NIS2?
Yes. NIS2 makes training a practical requirement of cybersecurity risk management. Organisations must be able to show that staff training is periodic, documented and appropriate to roles.
What does NIS2 Article 20 mean for management teams?
It means management bodies are expected to oversee cybersecurity measures and to have sufficient training to understand risks and responsibilities. It is part of demonstrating governance, not just operational security.
What is the minimum training auditors typically ask for in ISO 27001 audits?
Auditors typically expect evidence that staff are competent for their role and aware of security policies and procedures, plus recurring awareness activities.
In practice: a training plan, attendance/completions and some form of evaluation.
Does the GDPR require security and privacy training?
The GDPR does not define a single mandatory course, but it does require that personal data is processed correctly and that organisations can demonstrate compliance. Training is one of the most practical ways to reduce human error and demonstrate accountability.
What evidence should we keep to prove employees are properly trained?
Keep at least a training plan, attendance or completion records, materials and evaluation results, plus onboarding evidence for new joiners. This is what auditors and authorities rely on.
Can we combine NIS2, GDPR and ISO 27001 training into one programme?
Yes, and it is usually the best approach.
A single role-based programme can cover overlapping requirements (awareness, competence, documentation) while keeping workload and evidence management under control.
Next step
If your NIS2 compliance plan is missing a training programme (or it exists but you cannot prove it), closing that gap is one of the fastest ways to reduce audit risk and improve real resilience.
Schedule a strategic session with PrivaLex and we will help you define the minimum training and an evidence pack you can defend.
