
NIS2 Article 20 & 21 Training & Cyber Hygiene — Done in Live Sessions, Not 40-Minute Videos

NIS2 is already enforceable. Article 20 requires your management body to be trained. Article 21 requires cyber hygiene for every employee. One live Business session checks both boxes — documented, EU-compliant, €830 flat.

500+ professionals trained
50+ industries served
98% satisfaction rate
Live expert instructors, always
NIS2 Directive — Enforcement Live Since October 2024

Article 20 — Management Body Obligations. Management body members must approve cybersecurity risk management measures AND personally undergo training to gain sufficient knowledge to identify risks and oversee implementation. Personal liability for natural persons applies under Article 20(4) — individual managers can be held accountable for non-compliance, not just the organisation.

Article 21 — Mandatory Cyber Hygiene & Awareness Training. All employees must receive basic cyber hygiene and cybersecurity awareness training. ENISA guidelines require training to be role-relevant, documented, and recurring. Passive e-learning modules do not satisfy the standard in most Member State implementations.

Incident Notification. Significant incidents require a 24-hour early warning to the competent authority and a full 72-hour incident notification. Staff who can't recognise a significant incident trigger missed notification windows — creating a second violation on top of the original breach.

Penalty Exposure. Essential entities face fines up to €10 million or 2% of global annual turnover, whichever is higher. Important entities face up to €7 million or 1.4% of global turnover. Documented training is the single most cost-effective risk reduction available.

The attacks NIS2 entities face right now.

Phishing → Ransomware Locking OT Systems

A single credential-harvesting email hitting a shift supervisor locks down operational technology — SCADA systems, ICS controllers, plant management software. ENISA's Threat Landscape 2023 reported ransomware as the top threat to critical infrastructure. Downtime for energy or water operators means regulatory breach notifications and public impact, not just IT recovery costs.

Supply Chain Compromise

ENISA has ranked supply chain attacks as a top EU threat for three consecutive years. Attackers compromise a trusted software vendor or managed service provider, then pivot into essential entity networks through a legitimate update or support channel. NIS2 Article 21(2)(d) explicitly requires supply chain risk management — employees who can't recognise suspicious vendor communications are the first link in the chain.

Credential Theft Against Admin Accounts

Password spraying and MFA fatigue attacks against administrative and privileged accounts are the entry point for 80% of confirmed breaches in critical sector organisations (Verizon DBIR 2024). Once admin credentials are compromised, attackers move laterally into backup systems and access controls before triggering ransomware or data exfiltration. Training staff to recognise and resist MFA push fatigue attacks is not optional under NIS2.

BEC Targeting Finance Teams

Attackers research organisational structure, then impersonate a CEO or CFO in urgent "authorise this transfer" emails to finance staff. NIS2 entities — particularly in banking, insurance, and public administration — process high-value transactions daily. Business email compromise doesn't trigger technical controls; it exploits human trust. Training finance teams to verify out-of-band is the only defence that works.

One flat rate. Unlimited users. Fully documented for your NIS2 file.

Personal
$150
For individuals who need real security skills.
  • 60-minute personalised Zoom session
  • Customised training based on your role
  • NIS2 Article 21 cyber hygiene coverage
  • Personal security assessment
  • 24/7 emergency session access (+$100)
Attendance record provided for NIS2 documentation.
Business (unlimited users)
$900 ≈ €830
Unlimited users · $900 flat — satisfies Articles 20 & 21.
  • 2-hour comprehensive live webinar
  • Unlimited participants — no per-seat fees
  • NIS2 Art. 20 management + Art. 21 staff coverage
  • Interactive Q&A and scenario exercises
  • Attendance record + session summary provided
$900 flat (≈ €830). Train your entire organisation at once.
"We had a BSI review coming up and needed to show documented management training under NIS2. The Business tier session covered Articles 20 and 21 in one afternoon — our management team was engaged, the scenarios were relevant to our logistics operations, and the attendance record was exactly what our compliance officer needed for the audit file."

— Head of IT Security, Mid-Sized German Logistics Operator

Common questions from NIS2-scope organisations.

Is our organisation in scope for NIS2?

NIS2 covers two categories. Essential entities include operators in energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space. Important entities include postal and courier services, waste management, manufacture of critical products (medical devices, pharmaceuticals, chemicals, food), digital providers (online marketplaces, search engines, social networks), and research organisations. Size thresholds apply: medium enterprises (50+ employees or €10M+ revenue) and large enterprises are in scope; some critical sectors are in scope regardless of size. If you're unsure, assume you're in scope — the cost of a voluntary compliance posture is far lower than the enforcement penalty.

What does 'appropriate training' mean under NIS2 Article 21?

Article 21(2)(g) requires entities to implement 'basic cyber hygiene practices and cybersecurity training' as part of their risk management measures. ENISA guidance interprets this as: training must be role-relevant, documented, and recurring — not a one-time checkbox. Regulators in Germany (BSI), the Netherlands (NCSC-NL), and France (ANSSI) have all indicated that live, interactive training meets the standard; passive e-learning alone does not. Our Business tier 2-hour live webinar covers all Article 21 hygiene requirements — phishing defence, MFA, password management, incident recognition, and supply chain awareness — with attendance records provided for your documentation file.

Does NIS2 require management training specifically?

Yes. Article 20(1) states that the management body must approve the cybersecurity risk management measures and oversee their implementation. Article 20(2) requires management body members to follow training to gain sufficient knowledge and skills to identify risks and assess cybersecurity risk management practices. Personal liability attaches: Article 20(4) allows Member States to hold natural persons (individual managers) liable for NIS2 violations. Our Executive tier session is designed specifically for board members, C-suite, and senior management — covering NIS2 obligations, risk governance, and what approval of measures actually requires in practice.

How does NIS2 training interact with GDPR and DORA?

GDPR (Article 39(1)(b)) already requires Data Protection Officers to raise awareness and train staff who participate in processing operations — so NIS2 training and GDPR training overlap substantially. DORA applies specifically to financial entities and their ICT third-party providers; if your organisation is in both scope (e.g., a bank that is also an essential entity), a single well-documented training programme can satisfy both Article 21 of NIS2 and Article 13 of DORA simultaneously. We provide a session summary and attendance record you can file with both your NIS2 compliance documentation and your DORA training register.

When was the NIS2 deadline? Is it too late?

NIS2 was transposed into national law across EU Member States by 17 October 2024. Enforcement is live. Competent authorities in Germany, the Netherlands, France, and other Member States have begun registration exercises and supervisory reviews. It is not too late to get compliant — regulators in the first enforcement cycle are focused on whether organisations have a documented programme in place and are making demonstrable progress. Booking a training session this week and documenting it creates the most important artefact: evidence that management took Article 20 and Article 21 seriously. Essential entities face fines up to €10 million or 2% of global annual turnover (whichever is higher) for non-compliance.

NIS2 enforcement is live. Book your session today.

One Business tier session satisfies both Article 20 (management training) and Article 21 (staff cyber hygiene). Attendance records provided. €830 flat, unlimited participants — no per-seat fees.