In force since 17 Oct 2024

Governance · Mar 22, 2025 · 5 min

The cybersecurity training every NIS2 board now owes its shareholders

Article 20(2) requires directors to follow training. Here is what good looks like — and what regulators will accept as evidence.


Article 20(2) of Directive (EU) 2022/2555 is unusually direct for a European directive. It does not say should, consider, or take into account. It says, in operative form: members of the management bodies of essential and important entities shall be required to follow training.

The same paragraph extends the obligation a half-step further. Member States shall encourage essential and important entities to offer similar training to their employees on a regular basis. The verb softens — encourage rather than require — but the cross-reference to Article 21(2)(g), which lists "basic cyber hygiene practices and cybersecurity training" among the categories of measures entities shall adopt, hardens it again. In the round, NIS2 makes board training mandatory and employee training expected.

This is the article that boards consistently underestimate. Not because they refuse to train — because they cannot tell what the regulator will accept as evidence that they did.

What the directive actually requires

Reading Article 20(2) and recital 81 together, the legal must-haves are four:

  1. The training is followed by members of the management body themselves. Not the CISO. Not the legal team. The directors.
  2. The training enables them to identify risks. Generic awareness is not enough — the content must connect to the entity's threat landscape.
  3. The training enables them to assess cybersecurity risk-management practices and their impact on the services provided. The directors must be able to read the risk register, ask challenging questions, and evaluate whether the proposed measures are proportionate.
  4. Similar training is offered to employees on a regular basis. Recurring, with a measurable cadence, traceable to a record.

That is the floor. Anything below it is a finding. Anything above it is the entity's own choice about how far to go beyond the minimum.

The hour count: what the regulators will accept

The directive does not specify hours. National competent authorities have not contradicted one another on what threshold is defensible. Drawn from their published guidance, three numbers recur:

  • Onboarding for new directors: 6 to 12 hours. Covering the directive itself, the entity's threat landscape, the risk register, and the entity's incident response procedure.
  • Annual refresh for sitting directors: 2 to 4 hours. Covering material changes since the previous session — new threats, new measures, new regulatory guidance, and any incidents that occurred in the past year.
  • Employee programme: 30 to 60 minutes per employee per year, with role-specific modules for high-risk roles (finance, IT operations, executive assistants).

Anything significantly below those numbers is harder to defend in front of an inspector. Significantly above is normal in regulated sectors where supervisory expectations were already higher (financial services, energy).

What the content has to cover

Three blocks are non-negotiable, regardless of sector:

Block 1 — The directive itself, and the entity's classification. Five to fifteen minutes of content: what NIS2 is, whom it applies to, why this entity falls in scope, and what the consequences of non-compliance are. Recital 81 frames this as the floor of director awareness.

Block 2 — The entity's threat model, in plain language. What attacks have hit comparable entities in the past two years. What is the entity's high-value target. What is the realistic worst-day scenario. This block is what differentiates training from awareness — directors leave it able to challenge their CISO with the right questions, not just nod.

Block 3 — The board's specific responsibilities. The five Article 20 responsibilities (approve, oversee, accept liability, follow training, ensure organisation-wide training), the 72-hour clock the board may need to feed, the document trail the regulator will look for. This is the operational block — what the board does, on what cadence.

What passes as evidence

Across the published inspection notes from European national competent authorities, three artefacts consistently satisfy:

  • A dated training log listing each director's name, the session(s) attended, the date, and the duration. This document, signed off by the corporate secretary or equivalent, is the single most important piece of evidence.
  • The training materials retained — the slide deck, the case studies, the test if there was one. Inspectors do not require the materials be exhaustive; they require the materials be findable and demonstrate the three blocks above.
  • A brief board minute acknowledging completion of the cycle, ideally with one or two action items the directors took away from the session. Action items are the strongest possible signal that the training was substantive rather than a checkbox.

What does not satisfy, in regulator terms:

  • A general security awareness video sent by email, with no attendance log.
  • A CISO presentation at a board meeting, treated as the training. (This can complement training but does not replace it. Recital 81 is explicit on the management body following dedicated training.)
  • A delegated certification — for example, the director who attended a third-party governance course in 2023 and now considers the obligation discharged.

Cadence and ownership

The training programme has to be owned by a named role. The defensible pattern is that the company secretary or equivalent (head of governance, or head of legal in smaller entities) maintains the training register, schedules the cycles, and reports completion to the audit or risk committee. The CISO supplies the content; the company secretary owns the artefact.

This separation matters. A CISO who both delivers and certifies director training is marking their own work — a signal regulators are increasingly noting in their published methodologies.

What good looks like

In the published inspection notes from European national competent authorities, four signals come up:

  1. The training log shows 100 % completion by every member of the management body, with the prior cycle dated within the past 12 months.
  2. The training content was tailored to the entity — not a generic video — and a sample of the materials is producible on request.
  3. Onboarding occurs before a new director attends their first risk-and-cyber meeting, not after.
  4. Employee training has a measurable completion rate that the board reviews, with role-specific modules for high-risk functions.

This is not a heavy lift. The barrier is not budget — director training in the 6-to-12-hour range costs €5 000 to €15 000 per cohort to deliver well. The barrier is owning the cadence and producing the documents. Both are clerical — and both are exactly what the regulator measures.
Sources

  1. Directive (EU) 2022/2555, Article 20(2) (training of management bodies and encouragement of employee training).
  2. Directive (EU) 2022/2555, Article 21(2)(g) (basic cyber hygiene practices and cybersecurity training).
  3. Directive (EU) 2022/2555, recital 81 (rationale for mandatory management training).
  4. Directive (EU) 2022/2555, recital 89 (encouragement of cybersecurity culture and training across entities).
  5. Published guidance from national competent authorities on training expectations: ANSSI (FR), BSI (DE), INCIBE (ES), ACN (IT), NCSC-IE (IE), and ENISA.