NIS2 Training Obligations — What Do SMEs Really Need to Do?
The EU NIS2 directive introduces new cybersecurity obligations for thousands of companies in the DACH region — and one directly concerns management: regular security awareness training for all employees. But what does this actually mean? And how can SMEs fulfill this obligation pragmatically?
What NIS2 Says About Training
Art. 20 (Governance) requires management to participate in cybersecurity training themselves and provide it to all employees. Art. 21 (Risk management measures) lists “basic cyber hygiene practices and cybersecurity training” as a mandatory measure.
Important: NIS2 does not require a specific format or provider. What counts is regular, documented training measures.
The Often Overlooked Obligation: Management Itself
Many companies implement the training obligation for employees — and overlook that Art. 20(2) explicitly requires the members of the governing bodies themselves to follow training. The goal: leadership must be able to independently assess cyber risks and risk management practices — after all, they must approve the measures, oversee their implementation, and can be held accountable for infringements.
There is a dedicated, compact format for exactly this requirement: the NIS2 training for management and governing bodies — 30 minutes, tailored to the governance perspective, with documented proof of participation.
Am I Even Affected?
NIS2 affects companies in specific sectors (energy, transport, health, digital infrastructure, etc.) above a certain size. But even if your company isn’t directly affected: large clients increasingly demand evidence from their suppliers. Security awareness is becoming a competitive factor in the supply chain.
What Auditors Want to See
- Evidence that training takes place — regularly, not just once a year
- Participation documentation — certificates, completion logs, or a summary report
- Effectiveness measurement — phishing simulations with concrete click rates
The Pragmatic Solution for SMEs
You don’t need an enterprise tool costing €20,000/year. With Webguardiola you train your entire team for free — interactive e-learning with quizzes, personal certificates and documented proof of participation for your NIS2 audit. For companies with their own LMS, the training is also available as a SCORM package.
How Webguardiola Covers NIS2 Training Obligations
- Part 1 training for all employees — interactive e-learning in comic format
- Quiz & personal certificate — documents every participation
- Training records as audit evidence — exportable for your NIS2 documentation