Security Awareness Training: Building a Cyber-Aware Organisation
Comprehensive guide to building an effective security awareness training programme covering NIS2 Article 20(2) management body training, DORA Article 13(6) ICT security awareness, programme design principles, effectiveness measurement, and management body obligations.
1. NIS2 establishes two distinct training obligations: Article 20(2) for management body members (personal, non-delegable) and Article 21(2)(g) for all employees (basic cyber hygiene and cybersecurity training).
2. Segment training by audience — general staff, technical staff, privileged users, and management body — with differentiated content, depth, and assessment appropriate to each group's role and risk exposure.
3. Monthly phishing simulations provide the most operationally relevant measurement of training effectiveness. Target a click rate below 5% and a report rate above 60% for a mature programme.
4. Management body training must be documented with individual attendance, content delivered, and discussion points — this is your primary evidence of NIS2 Article 20(2) compliance during supervisory inspections.
5. Build a single, cross-referenced evidence repository mapping training activities to NIS2, DORA, GDPR, and ISO 27001 requirements to avoid duplicated compliance documentation effort.
1. Regulatory Training Requirements Under NIS2 and DORA
NIS2 establishes two distinct training obligations that organisations must address. Article 20(2) requires members of the management body to undergo training to gain sufficient knowledge and skills to identify risks, assess cybersecurity risk-management practices, and evaluate their impact on the services provided by the entity. This is a personal obligation on board members and C-suite executives — it cannot be satisfied by delegating attendance to subordinates or by passive awareness campaigns. Article 21(2)(g) separately requires basic cyber hygiene practices and cybersecurity training for all employees, establishing a general workforce training obligation that complements the management-level requirement.
DORA reinforces and extends these training requirements for financial entities. Article 13(6) requires financial entities to develop ICT security awareness programmes and digital operational resilience training as compulsory modules in their staff training schemes. Those programmes apply to all employees and to senior management staff, with a level of complexity commensurate to the remit of their functions, and where appropriate the entity must also include ICT third-party service providers in the relevant training schemes (Article 30(2)(i)). The European Supervisory Authorities' RTS further specify that training programmes must cover ICT-related incident identification and reporting, business continuity procedures, and the entity's ICT risk management framework — moving beyond generic awareness into operationally specific training content.
GDPR Article 39(1)(b) assigns the Data Protection Officer the task of monitoring compliance including the assignment of responsibilities, awareness-raising, and training of staff involved in processing operations. While GDPR does not prescribe training frequency or format, the accountability principle (Article 5(2)) and the requirement for appropriate technical and organisational measures (Article 32) together create an expectation that staff handling personal data receive adequate data protection training. For organisations subject to all three frameworks, the training programme must satisfy each framework's specific requirements — a single, well-designed programme can address all three, but only if it is structured to cover the distinct topics and audiences each framework demands.
NIS2 Article 20(2) training for management body members is a personal obligation — it cannot be satisfied by delegating attendance to subordinates or by generic awareness emails. Board members must demonstrably participate in substantive cybersecurity training.
2. Training Programme Design: Topics, Frequency, and Delivery
An effective security awareness training programme is structured around audience segmentation, topic coverage, and delivery cadence. Segment your workforce into at least four audiences with differentiated training content: (1) general staff — all employees regardless of role, (2) technical staff — IT, development, and security personnel, (3) privileged users — system administrators, database administrators, and anyone with elevated access, and (4) management body — board members, C-suite executives, and senior management. Each audience requires different topic depth, delivery format, and assessment rigour. General staff need practical, scenario-based training on recognising threats and following procedures. Technical staff need deeper content on secure development, incident response, and system hardening. Management body members need strategic training on risk governance, liability, and oversight responsibilities.
Core topics for the general staff programme should include: phishing and social engineering recognition (the single highest-impact topic for reducing human-factor risk), password hygiene and MFA usage, safe web browsing and email handling, physical security awareness (tailgating, clean desk policy, secure disposal), removable media risks, incident reporting procedures (how to recognise and report a suspected incident, and the importance of rapid reporting under NIS2's 24-hour early warning requirement), data handling and classification (supporting GDPR obligations), and supply chain awareness (recognising suspicious requests from purported suppliers or partners). For DORA-regulated financial entities, add specific modules on ICT incident identification, business continuity procedures, and the entity's digital operational resilience strategy.
Delivery frequency should balance training effectiveness with operational disruption. The recommended cadence is: a comprehensive annual training module (30-60 minutes) covering all core topics with assessment, supplemented by monthly micro-learning modules (5-10 minutes each) on specific topics that reinforce and extend the annual training. Monthly phishing simulations provide continuous, experiential learning that transfers to real-world scenarios far more effectively than passive content consumption. For management body members, deliver a dedicated annual briefing (60-90 minutes) covering the organisation's threat landscape, regulatory obligations, recent incidents (internal and industry), and emerging risks — this satisfies the NIS2 Article 20(2) training obligation when documented with attendance records and content evidence.
Monthly micro-learning modules (5-10 minutes) produce better retention and behaviour change than a single annual training session. Distribute topics across the year so that each month reinforces a different aspect of security awareness.
3. Measuring Effectiveness: Phishing Simulations and Knowledge Assessments
Measuring the effectiveness of security awareness training is essential for both operational improvement and regulatory compliance. Supervisory authorities under NIS2 and DORA will assess not just whether training exists, but whether it demonstrably changes behaviour. The two primary measurement mechanisms are phishing simulations and knowledge assessments, and an effective programme uses both in combination.
Phishing simulations provide the most operationally relevant metric: how do employees actually behave when confronted with a simulated attack? Deploy monthly phishing simulations using progressively sophisticated scenarios — start with obvious phishing indicators (misspelled domains, generic greetings, urgency pressure) and advance to targeted spear-phishing scenarios that mimic real attack patterns observed in your sector. Track three key metrics: click rate (percentage of users who click the malicious link or open the attachment), report rate (percentage who report the simulation through your incident reporting channel), and susceptibility trend (how click and report rates change over time). A mature programme targets a click rate below 5% and a report rate above 60%. Users who fail simulations should receive immediate just-in-time training — a brief module explaining what indicators they missed, delivered within seconds of the click.
Knowledge assessments complement phishing simulations by measuring cognitive understanding of security concepts. Deploy assessments at the end of each training module to verify comprehension, and conduct annual baseline assessments to track organisational knowledge levels over time. Structure assessments as scenario-based questions rather than rote knowledge tests — asking "what would you do if you received an email requesting urgent wire transfer from a colleague" tests applied knowledge, while asking "what is the definition of phishing" tests only recall. Track pass rates, repeat-failure rates, and topic-specific scores to identify areas where additional training investment is needed. Document all measurement results with timestamps and participant records — this evidence directly supports NIS2 Article 21(2)(g) compliance and DORA Article 13(6) training programme effectiveness requirements.
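The three simulation metrics above, plus the repeat-failure tracking this paragraph asks for, are easy to get wrong when the raw data is a per-recipient event log (one user can click twice, or click and then report). The following is an added example, not code from the original page: it collapses a constructed event log into one click/report flag pair per recipient per campaign, computes click rate, report rate and the month-over-month trend, checks them against the 5% / 60% targets quoted in the text, and lists who is due for just-in-time training and who is a repeat clicker. The event tuple format, the `SAMPLE_EVENTS` data and the function names are assumptions for illustration.

```python
"""Phishing simulation metrics from a per-recipient event log (added example).

Event format and sample data below are constructed for illustration; a real
simulation platform export would be mapped into the same (campaign, user,
clicked, reported) tuples.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: raw events, one or more per recipient per monthly campaign.
# Note bob appears twice in 2025-01 (two click events) and carol both clicked
# and reported: both cases must count a recipient only once per category.
SAMPLE_EVENTS = [
    # (campaign, user, clicked, reported)
    ("2025-01", "alice", False, True),
    ("2025-01", "bob",   True,  False),
    ("2025-01", "bob",   True,  False),
    ("2025-01", "carol", True,  True),
    ("2025-01", "dave",  False, False),
    ("2025-02", "alice", False, True),
    ("2025-02", "bob",   True,  False),
    ("2025-02", "carol", False, True),
    ("2025-02", "dave",  False, True),
]

CLICK_RATE_TARGET = 0.05   # mature-programme targets quoted in the text
REPORT_RATE_TARGET = 0.60


@dataclass(frozen=True)
class CampaignMetrics:
    campaign: str
    sent: int       # distinct recipients in the campaign
    clicked: int    # distinct recipients who clicked at least once
    reported: int   # distinct recipients who reported at least once

    @property
    def click_rate(self) -> float:
        return self.clicked / self.sent if self.sent else 0.0

    @property
    def report_rate(self) -> float:
        return self.reported / self.sent if self.sent else 0.0

    def meets_targets(self) -> bool:
        return self.click_rate < CLICK_RATE_TARGET and self.report_rate > REPORT_RATE_TARGET


def _collapse(events):
    """One (clicked, reported) flag pair per (campaign, user).
    Multiple events for the same recipient are OR-ed, so a double click or a
    click followed by a report is counted once in each category."""
    flags = {}
    for campaign, user, clicked, reported in events:
        c, r = flags.get((campaign, user), (False, False))
        flags[(campaign, user)] = (c or clicked, r or reported)
    return flags


def campaign_metrics(events):
    """CampaignMetrics per campaign, ordered by campaign label."""
    counts = defaultdict(lambda: [0, 0, 0])  # sent, clicked, reported
    for (campaign, _user), (clicked, reported) in _collapse(events).items():
        counts[campaign][0] += 1
        counts[campaign][1] += int(clicked)
        counts[campaign][2] += int(reported)
    return [CampaignMetrics(c, *counts[c]) for c in sorted(counts)]


def susceptibility_trend(metrics):
    """(campaign, click-rate delta, report-rate delta) between consecutive campaigns.
    A negative click delta and a positive report delta indicate improvement."""
    return [(cur.campaign,
             round(cur.click_rate - prev.click_rate, 4),
             round(cur.report_rate - prev.report_rate, 4))
            for prev, cur in zip(metrics, metrics[1:])]


def remediation_queue(events, campaign):
    """Recipients who clicked in the given campaign: due for just-in-time training."""
    return sorted(user for (c, user), (clicked, _) in _collapse(events).items()
                  if c == campaign and clicked)


def repeat_clickers(events, min_campaigns=2):
    """Recipients who clicked in at least min_campaigns distinct campaigns:
    the repeat-failure population that needs escalated intervention."""
    clicked_in = defaultdict(set)
    for (campaign, user), (clicked, _) in _collapse(events).items():
        if clicked:
            clicked_in[user].add(campaign)
    return sorted(u for u, cs in clicked_in.items() if len(cs) >= min_campaigns)


if __name__ == "__main__":
    metrics = campaign_metrics(SAMPLE_EVENTS)
    for m in metrics:
        print(f"{m.campaign}: click {m.click_rate:.0%}, report {m.report_rate:.0%}, "
              f"targets met: {m.meets_targets()}")
    print("trend:", susceptibility_trend(metrics))
    print("just-in-time queue 2025-02:", remediation_queue(SAMPLE_EVENTS, "2025-02"))
    print("repeat clickers:", repeat_clickers(SAMPLE_EVENTS))
```

Report rate here is reported divided by all recipients, matching the text's definition (the percentage who report); a recipient who clicks and then reports counts in both numerators, which is the behaviour you want to keep visible, since that late report is exactly what shortens incident response time. The collapse step is the part most often skipped in home-grown dashboards, and skipping it inflates click rates whenever the platform logs one event per link open.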
4. Management Body Training Obligations
NIS2 Article 20(2) creates a distinct and more demanding training obligation for management body members than the general workforce requirement under Article 21(2)(g). Management body members must undergo training that enables them to identify risks, assess cybersecurity risk-management practices and their impact on services, and take informed decisions about the entity's cybersecurity posture. Article 20(1) makes management bodies liable for the entity's infringements of Article 21, and for essential entities Article 32(5)(b) allows competent authorities to request a temporary prohibition on natural persons with managerial responsibilities at chief executive officer or legal representative level from exercising those functions. Together these provisions make the training obligation genuinely consequential at the individual level.
The content of management body training should be strategic rather than technical. Board members and C-suite executives do not need to understand firewall configuration syntax — they need to understand the organisation's threat landscape, the risk-management measures in place and their effectiveness, the regulatory obligations and penalty exposure, the incident reporting requirements and their personal role in the response chain, and the supply chain risk profile. Structure management body training around these five themes, using your organisation's specific context rather than generic industry content. Include real-world case studies of regulatory enforcement actions, data breach consequences, and management liability outcomes, drawn from enforcement under NIS2 and DORA as it accumulates and from GDPR enforcement in the meantime — these create engagement and urgency in a way that abstract compliance content does not.
Document management body training with the same rigour as board resolutions. Record attendance (individual names, roles, and dates), training content delivered (agenda, slides, materials), key discussion points and questions raised, and any decisions or actions arising from the training session. This documentation serves dual purposes: it provides evidence of Article 20(2) compliance during supervisory inspections, and it creates a defensible record that individual management body members participated in and engaged with cybersecurity governance. Where a management body member cannot attend the scheduled training session, ensure alternative arrangements are made and documented — absences without remediation create personal liability exposure for the absent individual and a governance gap for the entity.
Document management body training attendance with individual names, dates, content delivered, and discussion points. This documentation is your primary evidence of NIS2 Article 20(2) compliance during supervisory inspections.
5. Programme Governance and Continuous Improvement
A security awareness training programme requires formal governance to ensure it remains effective, current, and aligned with regulatory requirements. Assign programme ownership to a senior role — typically the CISO, Head of Security, or DPO (for GDPR-focused training components). The programme owner is responsible for content currency, delivery execution, effectiveness measurement, and regulatory alignment. Establish an annual programme review cycle that assesses: whether training content reflects the current threat landscape and regulatory requirements, whether delivery mechanisms are reaching all required audiences, whether effectiveness metrics demonstrate improvement over the previous period, and whether the programme satisfies audit and supervisory expectations.
Content must be updated at least annually and more frequently when significant changes occur. Trigger events for content updates include: new regulatory requirements or supervisory guidance (such as NCA-published training expectations), significant changes to the organisation's threat landscape (new attack techniques targeting your sector), internal incidents that reveal training gaps, changes to organisational IT environment (new cloud platforms, remote working policies, BYOD programmes), and employee feedback indicating content is not relevant or engaging. Stale training content is worse than useless — it signals to employees that security is a check-box exercise rather than an operational priority, undermining the cultural change that effective awareness training seeks to achieve.
Integrate the training programme into your broader security culture initiatives. Training alone does not create a security-aware organisation — it must be reinforced by leadership behaviour, security champions within business units, visible recognition of good security practices (employees who report phishing attempts), and a blame-free reporting culture where employees report incidents without fear of punishment. The combination of formal training, continuous phishing simulations, management body engagement, and cultural reinforcement produces a security awareness posture that is both regulatory-compliant and operationally effective. Measure cultural indicators alongside training metrics: incident reporting volume (higher is better — it means people are noticing and reporting), time-to-report for security events, and employee survey results on security culture questions.
6. Documentation and Evidence for Regulatory Compliance
Building a comprehensive evidence package for your security awareness training programme is essential for demonstrating compliance during NIS2 supervisory inspections, DORA examinations, ISO 27001 audits, and GDPR accountability assessments. The evidence package should be structured to allow an auditor to trace from regulatory requirement to training programme design to delivery evidence to effectiveness measurement — a complete chain of compliance that requires no oral explanation.
The minimum evidence set includes: the training programme policy document (scope, audiences, topics, frequency, delivery methods, governance), annual training plans with scheduled delivery dates, training content for each module (slides, videos, e-learning content, assessment questions), delivery records for each session (attendance by individual, date, module delivered, assessment scores), phishing simulation results (monthly reports showing click rates, report rates, and trends), management body training records (attendance, content, discussion notes), remediation records for users who failed assessments or simulations (just-in-time training delivered, subsequent performance), and annual programme effectiveness reports presented to the management body.
For multi-framework compliance, organise evidence with cross-references to specific regulatory provisions. Map each training module to the NIS2 Article it addresses (20(2) for management body, 21(2)(g) for general workforce), the DORA Article it satisfies (13(6) for ICT security awareness), the ISO 27001:2022 control it supports (A.6.3 Information security awareness, education and training), and the GDPR Article it relates to (39(1)(b) for DPO training responsibilities, 32 for appropriate organisational measures). This cross-referencing enables auditors and supervisory authorities to verify compliance against their specific framework without requiring the organisation to maintain separate evidence packages for each regulation — a single, well-indexed evidence repository serves all frameworks simultaneously.
Maintain a single, cross-referenced training evidence repository that maps each module and delivery record to NIS2, DORA, GDPR, and ISO 27001 requirements. This eliminates duplicated effort across multiple compliance frameworks.
How often must security awareness training be delivered under NIS2?
NIS2 does not prescribe a specific training frequency — Article 21(2)(g) requires basic cyber hygiene practices and cybersecurity training, and Article 20(2) requires management body members to follow training, "on a regular basis", to gain sufficient knowledge and skills. Supervisory authorities will therefore expect training to be recurring, current, and demonstrably effective rather than a one-off event. Best practice is annual comprehensive training supplemented by monthly micro-learning and continuous phishing simulations. Management body training should be delivered at least annually with additional briefings following significant incidents or regulatory changes.
Does GDPR require specific security awareness training?
GDPR does not mandate a specific training programme, but several provisions create a strong implicit requirement. Article 39(1)(b) tasks the DPO with awareness-raising and training of staff involved in processing operations. Article 32 requires appropriate technical and organisational measures, which supervisory authorities interpret as including staff training on data protection practices. Article 5(2) (accountability principle) requires controllers to demonstrate compliance, and training records are a key element of that demonstration. In practice, any organisation processing personal data should deliver data protection training to all staff who handle personal data, documented with attendance records and assessment results.
What should management body cybersecurity training cover?
Management body training under NIS2 Article 20(2) should cover: the organisation's current threat landscape and risk profile, the cybersecurity risk-management measures adopted under Article 21 and their effectiveness, the regulatory framework (NIS2, DORA where applicable, GDPR) including penalty exposure and personal liability provisions, incident reporting obligations and the management body's role in the response chain, supply chain risk and third-party dependency exposure, and recent enforcement actions and case studies relevant to the organisation's sector. The training should be strategic and governance-focused, not technical — board members need decision-making capability, not system administration knowledge.
How do we measure whether security awareness training is working?
Measure training effectiveness through a combination of behavioural metrics and knowledge assessments. The primary behavioural metric is phishing simulation performance: track click rate (target below 5%), report rate (target above 60%), and trend direction over time. Supplement with knowledge assessment scores at the end of each training module, annual baseline knowledge assessments, and operational metrics including security incident reporting volume (higher is better), time-to-report for security events, and help desk queries related to security topics. Present effectiveness metrics to the management body annually as evidence that the training programme is producing measurable improvement in organisational security behaviour.
Can we use a single training programme for NIS2, DORA, and ISO 27001?
Yes, and this is the recommended approach. Design a single training programme with modular content that addresses the specific requirements of each framework. Map each module to the regulatory provisions it satisfies: NIS2 Article 20(2) and 21(2)(g), DORA Article 13(6), ISO 27001:2022 A.6.3, and GDPR Article 39(1)(b). Use audience segmentation to deliver framework-specific content to relevant populations — DORA-specific ICT resilience training to financial services staff, NIS2-specific incident reporting procedures to all staff in NIS2-scoped entities. Maintain a cross-referenced evidence repository that allows auditors from any framework to verify compliance against their specific requirements without duplicated documentation.