19 May 2025 / Elaboration

10 key measures to ensure your cybersecurity training is NIS2-compliant

Now that the NIS2 Directive is officially in effect, CISOs and IT managers are asking: What does our cybersecurity training need to include to comply with Art.20 and 21? This checklist helps you assess whether your organization meets the requirements—and how the Phished platform ensures full compliance. Implementing these measures in time helps avoid fines and limits potential management liability. 

Once completed, this checklist can serve as official proof of compliance during audits or inspections.

Not just awareness training, but cybersecurity training for managers & IT teams

Companies are required to regularly provide cybersecurity training to all managers (C-level, board members, team leads, etc.) and their IT teams, under Art.20(2) of NIS2.

  • NIS2 Essential Training – what are you legally required to know? 
    Training that covers legal obligations, liabilities, and incident reporting duties under NIS2, including a certificate to demonstrate compliance.
  • NIS2 Implementation Training – turning requirements into practice 
    Practical training with a project-based approach and ready-to-use templates. Supports NIS2 implementation and includes a certificate to demonstrate compliance.
  • NIS2 Resource Centre – turning practices into proof of compliance 
    Practical checklists, useful templates, and essential resources for an efficient workflow — and extra proof of compliance in case of audits and inspections.

Not just awareness training, but cybersecurity training for employees

Companies are also required to provide recurring cybersecurity training to employees, as stated in Art.21(2)(g) of NIS2.

  • AI-driven phishing simulations with microlearnings – personalized & automated 
    Employees learn to identify and report malicious emails via the report button (Art.21(2)(g))—without disrupting their daily email flow and fully tailored to their individual skill level.
  • Cyber Resilience Training – immediately applicable skills 
    Cybersecurity training covering key topics such as incident handling (Art. 21(2)(g)), access control, data classification, HR security & supply chain risk (Art.21(2)(i))—bundled into a practical course. Includes hands-on workflows & best practices, along with certification (from Silver to Platinum) as proof of compliance.
  • Repeat Offender Training – tackle the 30% highest phishing risk 
    Zero Incident Mail™ delivers targeted training in a secure environment to upskill and protect high-risk profiles, such as repeat offenders and low performers.

Cyber hygiene practices for apps & devices

Since more than 50% of workplace apps and devices are insecure, NIS2 mandates basic cyber hygiene practices (Art.21(2)(g)).

  • Let’s Secure This Now – 1-minute video training 
    Hands-on nanolearning focused on allowlisted employee apps and devices—helping to optimize privacy and security settings quickly and effectively.
  • Cyber Defense Team with real-time Threat Alerts 
    The Cyber Defense Team sends employees immediate alerts about vulnerabilities, data leaks, and threats affecting the apps and devices they use—along with clear, actionable steps to secure themselves right away.

Behavioral Risk Score™ & reporting for management & IT

Management is required to conduct risk assessments, including the likelihood of cyber incidents (Art. 21 of NIS2).

  • Behavioral Risk Score™ – measurable impact on human risk 
    Clear insight into the cyber resilience of your organization, teams, and employees—including risk predictions for incidents caused by human error (Art.21(2)(a)).
  • Reporting that proves the impact of your training 
    IT receives detailed reports via Power BI, CSV, Excel, and APIs, while management gets concise, easy-to-digest summaries. Includes documented evidence showing that both employees and management have completed their training.