Both NIS2 and DORA are live and enforceable. NIS2's transposition deadline (17 Oct 2024) has passed — enforcement is active across most EU member states. DORA became directly applicable on 17 January 2025. Both require security awareness training. Both make management personally accountable. Penalties stack with GDPR exposure.
Free Tool: NIST CSF Maturity Assessment
Benchmark your security program against the NIST Cybersecurity Framework — the same framework national supervisors reference when assessing NIS2 compliance readiness. Takes 10 minutes.
Who's in Scope?
Understanding whether these regulations apply to your organization is step one. Both frameworks use size thresholds as a primary qualifier.
NIS2: Essential vs Important Entities
| Category | Size Threshold | Sectors |
|---|---|---|
| Essential Entities | ≥250 employees OR ≥€50M annual turnover | Energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space |
| Important Entities | ≥50 employees OR ≥€10M annual turnover | Postal/courier, waste management, chemicals, food production, manufacturing, digital providers, research |
Critical note: DNS providers, TLD registries, cloud providers, data centres, and CDNs are in scope regardless of size. Supply chain effects can pull in smaller companies — if you serve a NIS2 entity as a supplier, expect contractual cybersecurity obligations.
DORA: Financial Entities + ICT Third-Party Providers
| Entity Type | Examples |
|---|---|
| Credit institutions | Banks, building societies |
| Investment firms | Broker-dealers, asset managers, hedge funds |
| Insurance and reinsurance undertakings | Life and non-life insurers |
| Electronic money institutions | Payment e-money issuers |
| Crypto-asset service providers | CASPs operating in the EU |
| ICT third-party providers | Cloud, data centres, SaaS supporting critical financial functions |
Overlap alert: A European bank is an essential entity under NIS2 AND a financial entity under DORA. For ICT risk management, incident reporting, and training — DORA applies as the sector-specific lex specialis regime. But NIS2 Article 20 management training obligations still apply to the board.
What NIS2 Article 20 Actually Requires
Article 20 is two sentences that changed everything about board accountability in EU cybersecurity law.
"Member States shall ensure that the management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities pursuant to Article 21, oversee its implementation and can be held liable for infringements by those entities."
NIS2 Article 20(1)
"Member States shall ensure that the members of the management bodies...are required to follow training, and shall encourage essential and important entities to offer similar training to their employees on a regular basis, in order for them to gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity."
NIS2 Article 20(2)
Three things auditors and regulators look for under Article 20:
1. Personal obligation. The board — not the CISO, not IT, not the compliance department — is required to follow training. When a supervisory authority requests evidence of Article 20 compliance, they want records showing that specific named directors completed specific training. A team training record for IT staff does not satisfy this.
2. Risk oversight capability. Article 20(2) frames the training as enabling directors to "identify risks and assess cybersecurity risk-management practices." Training isn't a box-check; it's a competence requirement. What the board learned must demonstrably change how they oversee security.
3. Documented oversight. Article 20(1) requires management bodies to approve and oversee Article 21 measures. Training records are part of that evidence package.
What Article 21 Adds for Employee Training
Article 21(2)(g) requires entities to implement "basic cyber hygiene practices and cybersecurity training" as part of the 10 minimum risk management measures. This is the employee training obligation — distinct from the management body requirement above but connected.
Minimum content for employee training under Article 21:
- Phishing recognition and response
- Password and authentication hygiene
- Physical security and data handling
- Incident reporting procedures
- Current threat landscape (threat-led, not generic)
The standard is "appropriate and proportionate" — meaning content must be calibrated to the organization's actual risk profile, not a generic compliance module.
What DORA Article 13 Actually Requires
DORA Article 13 is titled "Learning and evolving" and it is the training provision that caught most financial sector organizations unprepared — partly because it requires two distinct training categories, and partly because it extends the obligation to ICT third-party provider staff.
"Financial entities shall develop ICT security awareness programmes and digital operational resilience training as compulsory modules in their staff training schemes. Those programmes and training shall be applicable to all employees and to senior management staff, and shall have a level of complexity commensurate to the remit of their functions."
DORA Article 13(6)
The Two Training Categories
| Category | What It Covers | Who Needs It |
|---|---|---|
| ICT Security Awareness | Threat recognition, safe behavior, basic cyber hygiene, phishing response, data handling | All employees, plus ICT third-party provider staff where appropriate |
| Digital Operational Resilience Training | Incident response, business continuity, third-party risk, recovery planning, post-incident review | All employees + senior management, with TLPT for staff with privileged ICT access |
Article 13(6) and Privileged ICT Access
Article 13(6) requires training complexity "commensurate to the remit of functions." Staff with privileged ICT access — system administrators, SOC analysts, anyone with elevated access to critical financial systems — require more intensive training than general staff. This includes hands-on incident response drills, not just awareness content.
Management Body Under DORA
Article 5 requires the management body to approve the digital operational resilience strategy and oversee its implementation. The management body must have sufficient knowledge to fulfil this oversight role, which connects back to the Article 13(6) training obligation for senior management. This is a separate governance track and should not be lumped into generic staff training.
ICT Third-Party Provider Staff
Article 30(2)(i) requires contractual clauses enabling financial entities to include their ICT third-party providers in relevant training schemes. If your critical cloud provider's staff aren't trained on your incident response protocols, that's a gap when a disruption occurs.
Penalty Exposure
| Regulation | Entity Type | Maximum Fine | Personal Liability | Notes |
|---|---|---|---|---|
| NIS2 | Essential Entities | €10M OR 2% global annual turnover (whichever higher) | Yes — management body can be suspended from managerial functions | Article 32(4) |
| NIS2 | Important Entities | €7M OR 1.4% global annual turnover (whichever higher) | Yes — administrative penalties | Article 32(5) |
| DORA | Financial Entities | Determined by member state competent authorities (advisory/supervisory powers) | Yes — management body individually accountable | Article 35 |
| DORA | Critical ICT Third-Party Providers | Up to 1% of average daily worldwide turnover, per day, up to 6 months | N/A (entity sanction) | Article 35(2) |
| GDPR overlay | Any entity processing EU personal data | Up to €20M or 4% global annual turnover | Yes — DPO / management | Separate regime, stacks with NIS2/DORA |
Practical reality: For most medium-sized organizations, the percentage-of-turnover fine is the more painful number. A €200M revenue company facing a 2% global turnover penalty pays €4M. A €2M annual revenue company pays €7M (the absolute cap). Both are existential events.
What a Compliant Program Looks Like
Both NIS2 and DORA ask a question that compliance checklists can't answer: does your training actually change behavior? Regulators have caught on that a certificate of completion means nothing if the employee clicks the phishing link the following week.
Frequency
| Requirement | Minimum | Recommended |
|---|---|---|
| NIS2 Article 21(2)(g) | At least annual, documented | Quarterly for high-risk roles; annual refresh for general staff |
| DORA Article 13(6) | Annual, role-proportionate | Quarterly ICT security refresh; annual digital resilience deep-dive |
Role-Specific Training Tracks
| Role | Content Focus | Format |
|---|---|---|
| Finance / AP teams | BEC, wire fraud, invoice manipulation, vendor impersonation | Scenario-based, live simulation |
| IT Administrators / SOC | Credential compromise, lateral movement, privileged access abuse, incident response | Hands-on drills, tabletop exercises |
| Executive / Board | Governance oversight, personal liability, risk appetite, incident accountability | Briefing-style, role-specific (not generic IT training) |
| General Staff | Phishing, social engineering, password hygiene, data handling, reporting | Interactive, threat-led scenarios |
| ICT Third-Party Staff (DORA) | Operational resilience, incident coordination, your entity's response protocols | Contractually required under DORA Art. 30(2)(i) |
Documentation Requirements
Every session needs: attendance list (names + roles), content outline, assessment results, instructor credentials, date and duration. Keep records for 3–5 years depending on your national transposition requirements.
Threat-Led Content
Generic training modules from 2019 are a red flag in any audit. Regulators look for content that reflects current TTPs — especially business email compromise, deepfake-enabled fraud, AI-assisted phishing, and supply chain compromise. If your training provider can't show you what threat intelligence is driving this quarter's curriculum, that's a gap.
Common Gaps Auditors Flag
These are the findings that appear in the first round of NIS2 supervisory reviews. Fix them now.
1. No management training records. The board hasn't completed training — or the records exist but show generic IT compliance content, not board-specific governance training. Article 20(2) requires personal training for management members.
2. Generic content only. Same module for the CISO and the reception staff. Doesn't meet the proportionality test under either Article 20(2) or DORA Article 13(6).
3. No measurement of effectiveness. Completion certificates exist, but there's no assessment of whether training changed behavior. Phishing simulation results, click rates, and reporting rates are the standard evidence.
4. No incident response drills. DORA Article 13(6) requires training applicable to incident response for staff with privileged ICT access. Passive video consumption doesn't qualify.
5. No ICT third-party provider training (DORA gap). Financial entities under DORA are required to include ICT TPP staff in relevant training schemes where appropriate. Most organizations haven't addressed this yet.
6. Training content not threat-led. Modules reference outdated scenarios. Auditors can spot generic compliance content immediately. Your training should reference what's happening in your sector this quarter.
How SecurEveryone Delivers Compliant Training
We built our program specifically around what supervisors and auditors actually look for — not just what the regulations technically require.
Live sessions, not pre-recorded. Every engagement is a real instructor on Zoom, adapting to your team's questions and threat profile in real time. No 2019 slide decks.
Role-specific tracks. Finance teams get BEC scenarios. IT admins get incident response simulations. Your board gets a governance briefing — not a technical walkthrough.
Audit-ready documentation. We provide attendance records, content outlines, assessment scores, and instructor credentials for every session. Your compliance team will have everything they need before the audit window opens.
Current threat intelligence driving content. Our instructors track active TTPs in your sector and industry right now. When deepfake-enabled CEO fraud starts targeting your industry, your next training session addresses it.
No per-seat pricing. At $900 flat for unlimited users, SecurEveryone's Business plan covers your entire organization — including management body training and any ICT third-party provider staff your DORA obligations extend to.
Compare the math: At EU scale, KnowBe4's per-seat model compounds fast. 500 employees × €16/user/year = €8,000/year before you've trained anyone properly. SecurEveryone's $900 flat handles 500 users with live, instructor-led training. The math gets absurd at 1,000+ employees — which is exactly the headcount most NIS2/DORA entities have.
If you're not sure where your program stands, take the NIST CSF Maturity Assessment. It's the fastest way to identify what your supervisory authority will flag first.