The NIS2 Directive is not just about new technical regulations or compliance procedures. It represents a fundamental shift in the approach to cybersecurity, placing the competencies of IT teams at the heart of every organisation’s defensive strategy. In conversations with clients from the public and defence sectors, I regularly hear the same question: “Where do we start with NIS2 preparations?” The answer always begins with the same thing - with people.
This article, written from a consultancy perspective, shows precisely what competencies IT teams must possess in the context of NIS2, what training obligations the directive imposes, and how to systematically build organisational readiness for new regulatory requirements.
What is the NIS2 Directive and why is training crucial?
The Directive of the European Parliament and of the Council (EU) 2022/2555, known as NIS2, is the successor to the first NIS Directive from 2016. It entered into force on 16 January 2023, and EU Member States were obliged to transpose it into their legal systems by 17 October 2024.
NIS2 significantly expands the scope of regulation - it now covers not only operators of essential services, but also medium and large enterprises in 18 critical and important sectors, including: energy, transport, banking, healthcare, digital infrastructure, public administration, manufacturing, waste management and postal services.
Why is training the foundation of NIS2 compliance?
In many compliance regulations, training is “nice to have” - something that needs to be done for documentation purposes. NIS2 is different. The directive explicitly requires members of management bodies to undergo regular training in cybersecurity. Moreover, Article 20 imposes on entities covered by the directive the obligation to apply “basic practices in terms of cyberhygiene and cybersecurity training”.
This is not about formality. It is about building real awareness and competencies throughout the organisation - from the board to operational teams. In practice, this means that the lack of appropriate training may be grounds for imposing penalties, which in the case of essential entities can reach EUR 10 million or 2% of the total annual worldwide turnover of the enterprise.
What training obligations does NIS2 impose?
The NIS2 Directive sets out specific training requirements at various levels of the organisation. Let us examine them systematically.
Training for management - a new standard of responsibility
Article 20(1) of the directive is unequivocal: Member States shall ensure that members of management bodies of entities covered by the directive undergo training and that those entities offer regular training to their employees.
This is a groundbreaking change. Until now, boards could delegate responsibility for cybersecurity to IT directors or CISOs. NIS2 introduces personal responsibility of board members for overseeing cybersecurity measures and for approving implemented actions.
In practice, this means that the CEO, board members and supervisory board members must:
- Understand the cyber threat landscape for their industry
- Know the key requirements of NIS2 and their impact on the organisation
- Be able to assess the adequacy of protection measures implemented in the company
- Approve security policies and risk management plans
- Oversee the incident management and reporting process
Training for IT and security teams
This is an obvious area, but NIS2 raises the bar. Basic knowledge of firewalls or antivirus software is no longer sufficient. Technical teams must possess competencies in:
- Cybersecurity risk management in accordance with methodologies (ISO 27005, NIST)
- Incident handling according to procedures (detection, analysis, response, recovery)
- Business continuity management and disaster recovery planning
- Supply chain security and technology vendor assessment
- Vulnerability management and patch management processes
- Access control implementation, including multi-factor authentication
- Application of encryption and cryptography
Awareness training for all employees
The directive requires “basic practices in terms of cyberhygiene”. In practice, this means awareness programmes for the entire organisation. Every employee should understand:
- How to recognise phishing attacks and social engineering
- Principles of secure password management
- Procedures for reporting suspicious incidents
- Security policies in force in the organisation
- Consequences of security breaches
This cannot be a one-off onboarding training session. NIS2 expects regularity and continuous awareness raising.
What competencies must the IT team have in the context of NIS2?
Let us move from formal requirements to practical competencies. From experience working with clients, I see that IT teams need to develop skills in five key areas.
1. Cybersecurity risk management
This is the foundation. NIS2 requires a systematic approach to identifying, assessing and treating risk. The team must be able to:
- Conduct risk analysis for systems and processes
- Classify assets according to their criticality to the business
- Assess the likelihood and impact of potential threats
- Define and implement remedial measures
- Monitor the effectiveness of security controls
In practice, this means knowledge of frameworks such as ISO 27001, ISO 27005 or the NIST Cybersecurity Framework.
2. Incident response
NIS2 introduces rigorous time requirements for incident reporting: early warning within 24 hours, notification within 72 hours, final report within one month.
The team must possess the following skills:
- Detecting anomalies and potential incidents in real time
- Classifying incidents according to severity and impact
- Conducting forensic analysis and root cause analysis
- Threat containment and damage limitation
- Documenting incidents in accordance with regulatory requirements
- Communicating with CSIRT and supervisory authorities
This requires not only technical knowledge, but also knowledge of procedures and the ability to work under time pressure.
3. Business continuity management and disaster recovery
The directive requires organisations to be prepared for the loss of availability of their systems. Key competencies include:
- Identifying critical processes and their dependencies
- Defining RTO (Recovery Time Objective) and RPO (Recovery Point Objective) targets
- Designing and testing backup and restore procedures
- Developing Business Continuity and Disaster Recovery plans
- Conducting simulations and system resilience tests
Many companies have plans on paper. NIS2 requires them to be tested, updated and actually working.
4. Supply chain security
This is one of the most difficult areas. NIS2 obliges entities to take into account risks related to IT service and product suppliers. The team must be able to:
- Conduct due diligence on suppliers in terms of cybersecurity
- Assess third-party security practices
- Define security requirements in SLA contracts
- Monitor supplier compliance during cooperation
- Manage risks related to open source software
In practice, I often encounter situations where organisations use dozens of external services (cloud, SaaS, managed SOC), but have no clarity about what risks they introduce into their ecosystem.
5. Governance, Risk, Compliance (GRC)
NIS2 is not the only regulation that organisations must deal with. It often overlaps with GDPR, DORA (for the financial sector), the AI Act or ISO standards. The team needs competencies in:
- Managing multiple compliance frameworks simultaneously
- Documenting policies and procedures in accordance with requirements
- Conducting internal and external audits
- Reporting to the board and supervisory authorities
- Managing proof of compliance
These are more process competencies than technical ones, but absolutely crucial in the context of NIS2.
What training is required for management?
Many organisations struggle with the question: what specifically should the board learn in the context of NIS2? From my experience, effective training for management should cover three layers.
Strategic layer - understanding the business context
The board does not need to know the technical details of SIEM or EDR. However, it must understand:
- The cyber threat landscape for its industry and company
- The potential impact of cyberattacks on business continuity and reputation
- NIS2 requirements and consequences of non-compliance (penalties, personal liability)
- The framework of board members’ responsibilities in the context of cybersecurity
- Indicators (KPIs, KRIs) allowing assessment of the organisation’s cyber resilience level
Decision-making layer - risk management
The board approves security strategy and policies. It therefore needs competencies in:
- Risk assessment methodologies (high-level)
- Interpreting reports from risk analyses and audits
- Principles of proportionality of protection measures to the level of risk
- Budgeting investments in cybersecurity (ROI vs. ROSI)
- Evaluating technology proposals presented by CISO/CIO
Supervisory layer - oversight of processes
The board oversees strategy implementation. It must be able to:
- Ask the CISO and IT teams the right questions
- Assess the maturity of security processes in the organisation
- Understand incident reports and corrective actions
- Oversee the crisis management process in the event of serious attacks
- Communicate cybersecurity issues to the supervisory board and stakeholders
Training for the board cannot be “going through slides”. The most effective forms are scenario workshops, crisis simulations (tabletop exercises) and case studies from real incidents.
NIS2 training plan - where to start?
Building a training programme compliant with NIS2 is a process, not a one-off action. Here is a proven framework that I use in working with clients.
Stage 1: Needs analysis and gap analysis
Before you start training, you must understand:
- Who exactly is covered by the directive in your organisation (essential vs. important entities)
- What competencies you already have in the team
- What competency gaps exist in the context of NIS2 requirements
- What critical roles are key to compliance (CISO, DPO, Incident Response Team)
Useful tools include competency matrices or assessments based on frameworks (NICE Cybersecurity Workforce Framework).
Stage 2: Prioritisation and roadmap
It is impossible to train everyone on everything at once. Prioritise according to:
- Regulatory risk - what is absolutely required by NIS2
- Operational risk - where lack of competencies can lead to incidents
- NIS2 implementation schedule - when national regulations come into force
- Resource availability - budget, team time, trainer availability
Create a roadmap for 12-18 months with clear milestones.
Stage 3: Selection of training forms
Different roles require different forms:
- Board: Strategic workshops (4-8h), crisis simulations (tabletop), executive briefings
- CISO/Security Managers: Certification training (CISSP, CISM, ISO 27001 Lead Implementer), GRC workshops
- IT/SOC teams: Technical training (incident response, threat hunting, secure architecture), hands-on laboratories
- All employees: Awareness e-learning, micro-training, phishing simulations
Diversity of forms increases effectiveness and maintains engagement.
Stage 4: Implementation and effectiveness measurement
Conduct training according to the plan, but - and this is crucial - measure its effectiveness:
- Knowledge tests before and after training
- Incident simulations and practical exercises
- Internal audits checking the application of knowledge in practice
- Operational indicators: incident response time, number of false alarms, penetration test results
Stage 5: Continuous improvement
NIS2 requires regular training. Build a continuous development programme:
- Cyclical knowledge refresh (e.g. every 12 months)
- Update training after changes in regulations or infrastructure
- On-the-job training and mentoring for junior team members
- Participation in industry conferences and experience sharing
Penalties for non-compliance with NIS2 - how much can lack of training cost?
Lack of appropriate training can be treated as failure to fulfil obligations specified in NIS2. The financial consequences are very severe.
Amount of penalties
For essential entities: up to EUR 10 million or 2% of the total annual worldwide turnover of the enterprise (whichever amount is higher).
For important entities: up to EUR 7 million or 1.4% of total annual worldwide turnover.
What can result in a penalty in the context of training?
- Lack of documented training for board members
- Lack of regular awareness programmes for employees
- Failure to complete required training by key personnel (CISO, SOC teams)
- Lack of competencies leading to an incident or inappropriate response to an incident
- Failure to demonstrate “due diligence” in building team competencies
In practice, supervisory authorities will assess not only whether training took place, but whether it was adequate, effective and regularly updated.
NIS2 and other regulations - integration of training
Many organisations must simultaneously meet the requirements of several regulations. Good practice is to build integrated training programmes.
NIS2 + GDPR
Intersecting areas: personal data security, breach response procedures, documentation and audits.
NIS2 + DORA (for the financial sector)
DORA (Digital Operational Resilience Act) imposes additional requirements on the financial sector. Training should cover both NIS2 requirements and DORA-specific aspects of operational resilience.
NIS2 + ISO 27001
Many companies have implemented ISO 27001. Good news: the training requirements of ISO 27001 (control A.6.3 in the 2022 version) are compatible with NIS2. The existing programme can be expanded to include specific directive elements.
NIS2 + AI Act
For organisations using AI systems in cybersecurity-related processes (e.g. AI in SOC), training on the AI Act will also be necessary, particularly in terms of governance and AI systems risk assessment.
FAQ - most frequently asked questions about NIS2 training
Does NIS2 specify a minimum number of training hours?
No. The directive does not specify the required number of hours. It imposes the obligation for training to be “regular” and “appropriate”. In practice, this means that training must be proportionate to the risk and complexity of the organisation. For the board, a minimum of 8-16 hours per year can be assumed, for technical teams 40-80 hours per year.
Who can conduct NIS2 training?
Training can be conducted by both internal experts and external training providers. The key is that the trainer possesses appropriate substantive competencies (certificates such as CISSP, CISM, ISO 27001 Lead Auditor) and practical experience in cybersecurity. It is worth choosing providers with documented experience in compliance training.
Must training end with a certificate?
NIS2 does not require certification. However, it does require documenting completed training. In practice, it is worth maintaining a training register containing: who, when, in what scope completed training and competency test results. Industry certificates (CISSP, CEH, ISO 27001) are welcome, but not mandatory.
How often should training be conducted?
The directive requires regularity. Accepted best practices suggest:
- Board: minimum once a year
- IT/Security teams: at least once a year + update training after significant changes
- All employees: minimum once a year + continuous micro-training (e.g. phishing simulations quarterly)
What about small IT teams - how to ensure all competencies?
Smaller organisations can use a hybrid model:
- Develop key competencies (incident response, risk management) internally
- Outsource specialist areas (audits, forensics, threat intelligence) to Managed Security Service Providers (MSSP)
- Use external CISO (vCISO) for strategic oversight
It is important that the internal team understands how to cooperate with external providers and supervise their work.
Does e-learning meet NIS2 requirements?
Yes, provided that:
- It is interactive and engaging
- It contains knowledge verification mechanisms (tests, quizzes)
- It is regularly updated
- It is supplemented with practical elements (simulations, scenarios, case studies)
Simply “clicking through” slides is not sufficient. E-learning is particularly effective for awareness training, but specialist IT training should contain hands-on components (laboratories, workshops).
How to document training in accordance with NIS2 requirements?
Good documentation should contain:
- Training programme (substantive scope)
- List of participants with signatures/confirmations
- Date and duration of training
- Trainer/training provider details
- Competency test results (if conducted)
- Completion certificates
It is worth maintaining a central training register in the organisation, accessible to auditors and supervisory authorities.
How EITT supports organisations in preparing for NIS2
At EITT, we have been supporting organisations in building IT and security team competencies for years. The NIS2 Directive is a natural extension of this mission for us. We understand that compliance is not an end in itself - it is a way to build real digital resilience for organisations.
Our approach
We do not believe in “catalogue” training. Every organisation has a different risk profile, different systems, different culture. That is why we start by understanding your needs:
- We conduct an assessment of team competencies in the context of NIS2
- We identify gaps and areas of greatest risk
- We design a training programme tailored to your organisation
- We implement training in forms adapted to roles (workshops, e-learning, simulations)
- We help measure effectiveness and build a continuous development programme
Our NIS2 training programmes
For management:
- “NIS2 for the board” workshop (8h) - strategy, risks, responsibility
- Tabletop exercise - cyber incident simulation for the board
- Executive briefings - regular updates on the threat landscape
For IT and security teams:
- Cybersecurity risk management (ISO 27005, NIST CSF)
- Incident Response and Cyber Crisis Management
- Secure Architecture and Zero Trust
- GRC (Governance, Risk, Compliance) for IT specialists
- Supply chain security and third-party risk management
For all employees:
- Security Awareness programmes tailored to the industry
- Phishing and social engineering simulations
- Micro-training and communication campaigns
Why EITT?
- 500+ experts with practical experience in cybersecurity
- 2500+ training courses delivered for organisations from sectors covered by NIS2
- 4.8/5 average rating from training participants
- Industry-specific adaptation - we understand the differences between the public, financial and industrial sectors
- Comprehensive support - from needs analysis to measuring training effectiveness
Summary - invest in competencies, not just technology
The NIS2 Directive is a breakthrough in the European approach to cybersecurity. For the first time, regulations place equal emphasis on technology and on people - their knowledge, awareness and competencies.
Key conclusions:
- NIS2 imposes a direct training obligation for the board and employees
- Lack of appropriate competencies can result in penalties of up to EUR 10 million or 2% of turnover
- IT teams need competencies in 5 areas: risk management, incident response, business continuity, supply chain, GRC
- An effective training programme is a process, not a one-off action - it requires analysis, prioritisation, implementation and continuous improvement
- Integration with other regulations (GDPR, DORA, ISO 27001) allows building more efficient programmes
In my conversations with clients, the question often arises: “Can we not just buy a better firewall and be compliant with NIS2?” The answer is: no. The best technology in the hands of a team without appropriate competencies is a waste of money. The most valuable investment in cybersecurity is investment in people.
Need support in preparing your team for NIS2?
Contact us - we will help you conduct a competency assessment and build a training programme compliant with directive requirements.