NIS2 Is Not Just About Documentation: It Is About Security Behaviour

Many organisations are preparing for NIS2 as if it were mainly a documentation exercise. That is a mistake.

Across Europe, NIS2 has moved cybersecurity from the IT department to the boardroom.

Policies, risk assessments, incident response plans, supplier controls, backup procedures and reporting processes are all important. They are also necessary.

But they are not enough.

Because many cyber incidents do not start with a missing policy. They start with a human action.

An employee clicks a phishing link.
A manager approves a request too quickly.
A finance team receives a convincing fake invoice.
A user ignores a multi-factor authentication prompt.
A supplier relationship is trusted without proper verification.
A suspicious message is not reported in time.

This is where NIS2 becomes more than compliance.

Implementing effective NIS2 awareness training is crucial for ensuring that employees understand their role in maintaining cybersecurity.

It becomes a question of behaviour.


NIS2 raises the cybersecurity baseline across the EU

The NIS2 Directive was introduced to create a higher and more consistent level of cybersecurity across the European Union. According to the European Commission, NIS2 establishes a unified legal framework for cybersecurity across 18 critical sectors and introduces risk-management and reporting requirements for more entities than the original NIS Directive.

The directive applies to a wider range of sectors, including energy, transport, healthcare, finance, water management, digital infrastructure, public administration, postal and courier services, waste and wastewater management, critical manufacturing and several digital services.

This matters because NIS2 is not only about preventing cyberattacks. It is about strengthening the resilience of essential and important entities that society, citizens and businesses depend on.

And resilience is not created by documents alone.


NIS2 brings cybersecurity into the boardroom

To enhance security measures, organisations must invest in NIS2 awareness training that educates staff on best practices and potential threats.

One of the most important changes in NIS2 is governance.

The European Commission states that NIS2 introduces accountability for top management in relation to cybersecurity risk-management measures, bringing cybersecurity directly to the attention of the boardroom.

That changes the conversation.

Cybersecurity is no longer something leadership can simply delegate and forget. Management must understand the risks, approve the right measures, oversee implementation and ensure the organisation is continuously improving.

For many companies, this is a significant shift.

The question is no longer:

“Do we have an IT security policy?”

The question becomes:

“Can we prove that our organisation actually works securely in practice?”

That includes technology, processes, suppliers, incident response and — critically — people.


Article 21 explicitly includes cyber hygiene and cybersecurity training

NIS2 Article 21 is particularly important because it describes the cybersecurity risk-management measures that essential and important entities must implement.

These measures include areas such as risk analysis, incident handling, business continuity, supply-chain security, vulnerability handling, access control and multi-factor authentication.

But the directive also includes something very practical:

basic cyber hygiene practices and cybersecurity training.

That single requirement is important.

It means awareness training is not just a “nice to have”. It is part of the broader risk-management picture under NIS2.

A company cannot realistically claim to manage cyber risk if employees are not trained to recognise and respond to the most common threats they face every day.


ENISA treats awareness and cyber hygiene as part of NIS2 implementation

The European Union Agency for Cybersecurity, ENISA, describes NIS2 as a cornerstone of the EU’s effort to ensure a high common level of cybersecurity across Member States. ENISA also provides dedicated NIS2 awareness materials to help businesses and authorities understand the directive and its impact on cybersecurity practices. See the report.

That is an important signal.

NIS2 is not only about legal text and technical controls. It also requires organisations to understand, communicate and operationalise cybersecurity in a way people can actually follow.

In other words, compliance must move from paper to practice.


The threat landscape makes employee behaviour impossible to ignore

Cybersecurity awareness is not important because compliance teams say so. It is important because the threat landscape demands it.

ENISA’s threat landscape work identifies social engineering as one of the major cybersecurity threat types and describes the annual ENISA Threat Landscape report as its assessment of the state of cybersecurity threats, trends, threat actors and attack techniques.

Social engineering remains dangerous because it targets people rather than systems.

Attackers exploit trust, urgency, fear, curiosity, authority and routine. They do not always need to break through technical defences if they can convince an employee to open the door for them.

This is especially relevant in a NIS2 context because incidents can have consequences far beyond the individual organisation. For essential and important entities, a successful attack may disrupt services, affect customers, impact suppliers or create reporting obligations.

That is why behaviour matters.


AI makes social engineering harder to detect

Traditional phishing awareness often taught employees to look for spelling mistakes, strange formatting and poor grammar.

That advice is no longer enough.

AI can help attackers write better messages, localise content, imitate tone of voice and generate more convincing phishing campaigns at scale. ENISA’s 2025 threat reporting highlights artificial intelligence as a defining element of the cyber threat landscape and notes that AI-supported phishing campaigns represented a major share of observed social engineering activity by early 2025.

This changes what awareness training must look like.

Employees cannot only be trained to identify “bad-looking emails”.

They must be trained to question context:

  • Is this request expected?
  • Is the sender legitimate?
  • Does the link go where it should?
  • Is there unusual urgency?
  • Is the request normal for this process?
  • Should this be verified through another channel?
  • Should this be reported?

Modern awareness training must teach employees to understand risk signals, not just visual mistakes.


Documentation proves intent. Behaviour proves maturity.

A company can have a cybersecurity policy.

But if employees do not know how to report suspicious emails, the organisation still has a weakness.

A company can have an incident response procedure.

But if nobody reports the incident early, the response starts too late.

A company can have access control rules.

But if users approve unexpected MFA prompts, credentials can still be abused.

A company can have supplier security requirements.

But if employees trust every supplier-looking email without verification, the supply chain remains exposed.

This is why NIS2 readiness should not be measured only by the existence of documents.

It should also be measured by whether people understand what to do.

That is the difference between formal compliance and operational resilience.


Awareness training must become measurable

One of the biggest problems with traditional awareness training is that it is often treated as a checkbox.

Employees complete an annual course.
A certificate is generated.
The organisation marks the requirement as done.

But this does not necessarily tell management whether behaviour has improved.

A stronger approach is to measure awareness continuously.

For example:

  • How many employees complete training?
  • Which departments are most exposed?
  • Which phishing scenarios create the most clicks?
  • How many employees report suspicious messages?
  • Does the click rate decrease over time?
  • Does the reporting rate increase over time?
  • Are high-risk groups receiving targeted follow-up?
  • Can the organisation document continuous improvement?

This is where cybersecurity awareness becomes useful for both compliance and risk management.

Not because it creates another report.

But because it creates evidence.
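As an added illustration (not code from the article or from CyberLearn), the following computes the evidence the list above asks for from phishing-simulation results: click rate and reporting rate per campaign and per department, which departments exceed a click-rate threshold and need targeted follow-up, and whether the organisation can show improvement between the first and latest campaign. The sample rows, the department names and the 30 % threshold are constructed for the example.

```python
from collections import defaultdict

# Constructed sample data: one row per employee per simulation campaign.
# Fields: campaign (sortable by date), department, clicked the lure, reported it.
SAMPLE = [
    ("2025-Q1", "finance", True, False),
    ("2025-Q1", "finance", True, False),
    ("2025-Q1", "finance", False, True),
    ("2025-Q1", "hr", False, True),
    ("2025-Q1", "hr", True, False),
    ("2025-Q2", "finance", True, False),
    ("2025-Q2", "finance", False, True),
    ("2025-Q2", "finance", False, True),
    ("2025-Q2", "hr", False, True),
    ("2025-Q2", "hr", False, True),
]

def rates(rows):
    """Return (click_rate, report_rate) for a set of rows, rounded to 2 places."""
    n = len(rows)
    if n == 0:
        return (0.0, 0.0)
    clicked = sum(1 for r in rows if r[2])
    reported = sum(1 for r in rows if r[3])
    return (round(clicked / n, 2), round(reported / n, 2))

def rates_by(rows, field):
    """Group rows by one field (0 = campaign, 1 = department) and compute rates."""
    groups = defaultdict(list)
    for r in rows:
        groups[r[field]].append(r)
    return {key: rates(group) for key, group in sorted(groups.items())}

def exposed_departments(rows, max_click=0.3):
    """Departments whose click rate is above the threshold: candidates for follow-up."""
    return [dept for dept, (click, _) in rates_by(rows, 1).items() if click > max_click]

def improving(rows):
    """True when click rate fell and reporting rate rose from first to latest campaign."""
    trend = list(rates_by(rows, 0).values())
    if len(trend) < 2:
        return False  # a single campaign cannot document a trend
    (click0, report0), (click1, report1) = trend[0], trend[-1]
    return click1 < click0 and report1 > report0

if __name__ == "__main__":
    print("per campaign:", rates_by(SAMPLE, 0))
    print("per department:", rates_by(SAMPLE, 1))
    print("exposed:", exposed_departments(SAMPLE), "improving:", improving(SAMPLE))
```

The same per-campaign figures, kept over time, are what lets management answer "does the click rate decrease and the reporting rate increase?" with data rather than with a completed-course certificate.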


NIS2 creates an opportunity for IT partners

For IT partners and managed service providers, NIS2 is not only a regulatory challenge. It is also an opportunity to help customers in a more strategic way.

Many customers will need help understanding what NIS2 means in practice. They may already have technical security solutions in place, but lack structured awareness training, phishing simulations, reporting and documentation.

That creates a clear partner opportunity.

IT partners can help customers move from:

“We have to comply with NIS2”

to:

“We are improving our security behaviour and can document progress.”

This is a much stronger customer conversation than simply selling another technical product.

It allows the partner to provide an ongoing service around awareness, phishing resilience, reporting and continuous improvement.


What practical NIS2 awareness should include

NIS2 awareness training should not be generic.

It should be practical, relevant and connected to the risks employees actually face.

A strong awareness programme should include training on:

  • phishing and social engineering
  • password and MFA behaviour
  • secure handling of personal data
  • reporting suspicious activity
  • safe use of email and collaboration tools
  • supplier and invoice fraud
  • secure use of AI tools
  • incident awareness
  • business continuity behaviour
  • role-specific risks for finance, HR, management, IT and operations

The goal is not to turn every employee into a cybersecurity expert.

The goal is to help employees make better decisions in everyday situations.

That is where real risk reduction happens.


CyberLearn makes NIS2 awareness practical and measurable

CyberLearn is built for companies and IT partners that want cybersecurity awareness to be more than an annual checkbox.

The platform combines short learning modules, realistic phishing simulations and clear reporting, making it easier to train employees, measure behaviour and document progress over time.

With CyberLearn, organisations and IT partners can:

  • deliver targeted awareness training
  • run realistic phishing simulations
  • measure employee behaviour
  • identify exposed departments or groups
  • follow progress over time
  • document training activity
  • support NIS2 and GDPR-related awareness work
  • turn cybersecurity into an ongoing service instead of a one-time activity

For companies, this helps reduce human risk.

For IT partners, it creates a practical way to help customers operationalise cybersecurity requirements and strengthen resilience.


NIS2 compliance starts on paper — but it only works in practice

NIS2 has made cybersecurity more structured, more visible and more accountable across Europe.

That is a positive development.

But organisations should be careful not to reduce NIS2 to documents, templates and policy folders.

The real test is whether the organisation becomes more resilient.

Do employees recognise suspicious requests?
Do they report phishing attempts?
Do managers understand their cybersecurity responsibilities?
Do departments know how to react during an incident?
Can the company prove that awareness is improving over time?

That is where NIS2 becomes meaningful.

Because cybersecurity is not only about having the right documents.

It is about creating the right behaviour.


Ready to make NIS2 awareness practical?

CyberLearn helps companies and IT partners turn cybersecurity awareness into a measurable and ongoing process.

With targeted training, realistic phishing simulations and clear reporting, CyberLearn makes it easier to support NIS2 readiness and build stronger security behaviour across the organisation.

Contact Cyber Detector to learn how CyberLearn can help your company or your customers make NIS2 awareness practical, measurable and easy to manage.