Cybersecurity Training Requirements: What Management and Staff Need to Know

Understand NIS2 Article 20 training mandates. Learn what cybersecurity knowledge management and staff must develop to comply with NIS2.

Daniel Grigorovich
Founder · 3 Jun 2026 · 8 min read
NIS2

Who should read this: Learning and Development Officers, Chief Risk Officers, Board Members, HR Directors, Chief Information Security Officers.

Cybersecurity training is not new. For years, organisations have conducted phishing simulation exercises, delivered awareness modules to employees, and occasionally sent an executive to a cybersecurity conference. What is new under NIS2 is the Directive’s explicit requirement that management bodies and their members follow training to develop “sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.” This is not soft guidance; it is a legal requirement with specific competence targets and governance implications.

Article 20(2) mandates training for management bodies and encourages it for employees. This two-tiered approach reflects a practical reality: boards must understand cybersecurity well enough to govern it effectively, whilst the broader workforce needs awareness sufficient to implement basic hygiene and incident reporting. The distinction matters because the training for each group has different objectives, different content, and different success criteria.

Management Training: Beyond Awareness

The training requirement for management bodies is fundamentally different from traditional cybersecurity awareness training. Directors and senior executives typically have no background in technical cybersecurity. They cannot be expected to understand protocol stacks or cryptographic algorithms. Instead, their training must develop competence in a narrower, more strategically focused domain: the ability to identify risks and assess cybersecurity risk-management practices.

This competence requires understanding several things. First, boards must understand the specific risk landscape facing their organisation. What are the primary threats to the entity’s services? Which threat actors target the sector? What are the typical attack vectors? What would be the consequences of a successful attack? Boards must be able to ask informed questions about whether management’s risk assessment is realistic and whether the risk-management measures being proposed are appropriate.

Second, boards must understand what “appropriate and proportionate” cybersecurity measures mean. This is critical to Article 20 governance because boards must approve the measures their organisation implements. Approving measures without understanding proportionality means boards are abdicating their governance responsibility. Training must therefore cover the principles of proportionality under Article 21: how size, threat exposure, likelihood and severity of incidents, and societal impact should shape your cybersecurity investment.

Third, boards must understand the regulatory environment. Directors must know what NIS2 requires, what penalties exist for non-compliance, and what incident reporting obligations apply. They must also understand the broader regulatory context, including sector-specific regulations, data protection obligations, and standards relevant to their industry.

Fourth, boards must understand the relationship between cybersecurity and business strategy. Cybersecurity is not a cost centre; it is an enabler of strategy. A manufacturing company pursuing digital transformation cannot do so securely without adequate cybersecurity measures. A financial services firm offering new digital services cannot do so without addressing cybersecurity risks. Boards need to understand how cybersecurity decisions affect strategic initiatives and vice versa.

Fifth, boards must understand governance structures and accountability. Article 20(1) makes management bodies explicitly liable for infringements. Boards must therefore understand how they exercise oversight, what reporting structures and information flows keep them informed about cybersecurity risks, and how they can be held accountable for the cybersecurity decisions their organisation makes.

Designing Board Cybersecurity Training Programmes

Training for boards must be practical and tailored to your organisation. A one-day conference session on cybersecurity trends is not sufficient. Neither is an annual mandatory training module that directors click through perfunctorily.

Effective board cybersecurity training typically involves several components. First, initial foundation training, often delivered when a director joins the board, covering NIS2 fundamentals, the entity’s risk profile, the measures currently in place, and the board’s governance role. This might span 4-6 hours of intensive content delivered by a combination of internal cybersecurity leaders and external experts.

Second, ongoing education throughout the year. This might include regular cybersecurity updates at board meetings covering emerging threats relevant to the sector, significant incidents affecting peer organisations, regulatory changes, and updates on the organisation’s own risk-management programme. These updates need not be lengthy (20-30 minutes at each board meeting), but they must be regular and substantive.

Third, specialised training for board committees with specific cybersecurity responsibility. Most boards establish an audit committee or a risk committee with oversight of cybersecurity. These committees need deeper training than the full board, covering topics such as risk assessment methodologies, vendor management practices, incident response processes, and regulatory reporting requirements.

Fourth, training on emerging issues. As new threats emerge or regulations change, board training must be updated. If your sector experiences a novel attack vector, board members need to understand it and how it affects your risk profile. If regulators issue new guidance on proportionality, board members need to understand how this affects your compliance approach.

The content of board training should be specific to your organisation and sector. A healthcare provider’s board needs training tailored to healthcare cybersecurity risks, regulatory requirements, and the business model of healthcare provision. A critical infrastructure operator’s board needs training appropriate to critical infrastructure defence. Generic cybersecurity training for boards is less effective than targeted training that speaks to your specific risk environment.

Board Member Expertise and Recruitment

Article 20(2) requires training for board members, which implies that boards should develop sufficient cybersecurity expertise through training. However, some organisations are choosing to accelerate this process by recruiting board members with cybersecurity expertise or by maintaining a board advisor with deep cybersecurity knowledge.

Recruiting a board member with cybersecurity credentials (perhaps a CISO from another large organisation, a cybersecurity consultant, or a technology executive with strong cybersecurity background) can bring expertise to board discussions that otherwise must be developed through training. This is not a substitute for training other board members, but it can improve the quality of board governance by ensuring that at least one board member can ask informed technical questions and challenge management assumptions.

Alternatively, some boards appoint an independent cybersecurity advisor who attends relevant board meetings and provides expert advice on cybersecurity issues. This advisor might not be a board member but can contribute expertise to discussion and help the board ask better questions of management.

Employee and Staff Training

Article 20(2) encourages essential and important entities to offer cybersecurity training to employees on a regular basis. The requirement is less prescriptive than the board training mandate, but the principle is the same: employees must gain sufficient knowledge and skills to do their jobs securely and to contribute to the organisation’s cybersecurity posture.

For the general workforce, this training covers basic cyber hygiene. What are common phishing techniques, and how do you recognise them? How do you handle passwords securely? What should you do if you suspect a breach? How do you report security concerns? When and how should you share sensitive information? General employee training also covers the specific tools and systems employees use in their roles and the security considerations relevant to those tools.

For employees with specific cybersecurity responsibilities, such as security teams, incident response personnel, development teams, and infrastructure teams, training must be deeper and role-specific. Development teams need training on secure coding practices. Infrastructure teams need training on system hardening and vulnerability management. Incident response teams need training on investigation methodologies and forensics. Security teams need training on risk assessment, vulnerability management, and threat intelligence.

Article 21(2)(g) explicitly requires “basic cyber hygiene practices and cybersecurity training” as part of the mandatory cybersecurity risk-management measures. This suggests that training should be documented, formal, and available to relevant personnel. Informal “everyone gets a phishing test” approaches satisfy the letter of the requirement but not necessarily the spirit. Organisations should document their training programmes, track participation, measure effectiveness where possible, and demonstrate that the training is regularly updated.

Demonstrating Compliance with Training Obligations

Regulators will ask how your organisation demonstrates compliance with the training requirements. This requires documentation. At a minimum, you should maintain:

  • A description of your board cybersecurity training programme, including the topics covered, the frequency of training, and how the training is tailored to the specific role of board members in approving and overseeing cybersecurity measures.

  • Training materials or, if using external trainers, evidence that training was delivered. You need not keep full recordings of all training, but you should maintain sufficient documentation that you can show a regulator that training occurred and what it covered.

  • Attendance records. Who received training? When? Detailed per-person records are not required where training is mandatory, but you should be able to demonstrate that the training was offered and that relevant personnel had the opportunity to participate.

  • Training evaluation. Did participants learn anything? Did their knowledge improve? Some organisations require participants to complete a brief assessment or feedback form. This serves both as evidence that training occurred and as an opportunity to identify gaps where additional training or reinforcement is needed.

  • Evidence of ongoing updates. Training is not a one-time activity. Document how your training programme is reviewed and updated. If new threats emerge or regulations change, how does that affect your training? Documentation of updates demonstrates that training remains current and relevant.

Integration with Risk-Management Framework

Training is not isolated from the rest of your risk-management programme. Article 21 requires a comprehensive approach including risk analysis, incident handling, business continuity, and other measures. Training supports all of these. Employees who understand why business continuity plans exist are more likely to follow them. Staff who understand incident response procedures are more likely to report suspected breaches. Boards that understand their cybersecurity obligations are more likely to allocate adequate resources to cybersecurity measures.

Effective organisations integrate training with their broader cybersecurity governance. After conducting a risk assessment, training might be updated to address risks identified in the assessment. After an incident, training might be updated to help prevent similar incidents. When implementing new technologies or processes, training prepares staff for the changes. This integration makes training more relevant and increases the likelihood that it affects behaviour.

Key Takeaways

  • Article 20(2) mandates training for management bodies and their members, not merely awareness training. Directors must develop knowledge and skills to identify risks and assess cybersecurity risk-management practices.

  • Board training should cover the organisation’s specific risk landscape, proportionality principles, regulatory obligations, the relationship between cybersecurity and business strategy, and governance and accountability structures. Training must be ongoing, not one-time.

  • Employee training should include basic cyber hygiene for all staff and role-specific training for personnel with cybersecurity responsibilities. Training should be documented, regularly updated, and tracked.

  • Some organisations accelerate board expertise development by recruiting board members with cybersecurity credentials or appointing independent cybersecurity advisors. This complements (but does not replace) formal training.

  • Demonstrate compliance by maintaining documentation of training programmes, materials, attendance, evaluation, and evidence of ongoing updates. Training records are key evidence that you are meeting Article 20 obligations.

Daniel Grigorovich · Founder

I believe that no business should suffer from "compliance checklists" or navigating vague regulatory text. While I still stand by the principle that all software products should be reliable and secure, I want to give companies a way to overcome the challenges faced when implementing these requirements.