Creating NIS2 Training Records — Requirements, Checklist, and What Auditors Actually Check

April 2026

Conducting training is the first step. Evidencing it is the second — and in practice often the harder one. In an audit, what counts is not what employees have learned, but what is documented.

This article explains what a NIS2-compliant training record must contain, which mistakes companies commonly make, and how to minimize the documentation effort.

What a NIS2-Compliant Training Record Must Contain

A training record is not a formal document with a prescribed layout. There is no official form. What matters is that the following information is documented in a traceable way.

The participant's name must be clearly attributable. The date of the training must be documented — not the date an email was sent, but the date the training was actually completed. The topics covered must be named, ideally with reference to the risk areas relevant under the law. A form of learning verification should exist — a quiz, an assessment, or at least a documented knowledge check. And the provider or platform through which the training took place should be identifiable.

Beyond that, there are two levels of documentation: the individual record per employee (certificate) and the aggregated company report.

The Difference Between Attendance Confirmation and Proof of Competence

An attendance confirmation says: "This person was present." A proof of competence says: "This person understood the content and can apply it." For NIS2, an attendance confirmation is formally sufficient — but a proof of competence with a quiz result is considerably more convincing.

The reason: NIS2 requires employees to acquire "sufficient knowledge and skills". When an auditor asks how the company ensures the training was effective, a passed quiz is a more concrete answer than "they watched the video to the end".

Common Mistakes with Training Records

The most common mistake is confusing information with training. An email with the subject "Important security notes" to all employees is not training. A PDF on the intranet is not training. Even a one-hour video only counts as training if it is documented who actually watched it.

The second common mistake is a lack of regularity. A one-off training at hiring that is never repeated does not fulfill the requirement of "regular" training. The common recommendation is at least annually, supplemented by event-driven training after security incidents or when new threat forms emerge.

The third mistake concerns completeness. If 80 percent of office employees are trained but the entire production, logistics, and field staff are missing, the training obligation is not fulfilled. NIS2 speaks of "all employees" — not just the employees with a company laptop.

The Company Report — What Management Needs

Alongside the individual certificates, management needs an aggregated overview. A good company report answers the following questions: What percentage of the workforce is trained? Which topic areas were covered? Are there departments or locations with gaps? How have results developed compared with the previous year? What is the current phishing click rate?

This report serves not only the audit but also internal steering. It shows where resources need to be deployed — and it gives management the basis for the approval of risk-management measures that the law requires.

Generating Training Records Automatically

Digital training platforms solve the documentation problem at its core. Every module completion is logged automatically — with date, duration, result, and topic area. Certificates are generated as PDFs. Company reports can be retrieved at any time.

With SCORM integration, the learning management system takes over the tracking. The SCORM standard reports completion status and score back to the LMS, which in turn manages the training records.

With cloud solutions without an LMS, the same principle applies: the platform logs progress and provides records — the only difference is that no company-owned LMS sits in between.

Checklist: Is Your Training Record Audit-Ready?

Check your existing documentation against these points: Are all employees who completed a training recorded by name? Is the date of the last training documented, not just the send date of an email? Are the topics covered listed individually? Is there a form of learning verification (quiz, assessment)? Is training repeated at least annually? Are employees without a company laptop or company access also covered? Is an aggregated company report available for management?

If you answer more than two points with "no", there is need for action before October 2026.

Generate training records automatically — start for free now. Learn more in the free security awareness training.

Start for free →