Humans are one of the biggest entry points for cyberattacks. Around 70% to 90% of security incidents in organizations are caused by human error, for example clicking on phishing emails, misconfiguring systems, or using weak or shared passwords.
In short, IT security often does not fail because of technology, but because of the people using it.
Security awareness – meaning the conscious and responsible handling of cyber risks – is therefore a core requirement of NIS2.
The goal is for employees to recognize threats early, understand risks, and respond appropriately in critical situations.
Many companies rely on standardized training tools, such as online platforms with short learning modules. These solutions provide a solid foundation for regularly training employees and documenting that training has taken place.
However, a common misconception is that implementing such a platform is sufficient to cover the topic of security awareness. NIS2 explicitly requires not only the execution of such measures, but also their effectiveness and proper governance.
A simple example from practice illustrates this. A company conducts an annual online training followed by a multiple-choice test. All employees pass the test, and the company can prove that the training was completed. A few weeks later, an employee who successfully completed the training receives a phishing email and enters their credentials. Despite passing the test, the employee’s behavior in the critical moment was not secure.
This is exactly where NIS2 comes into play. The directive requires companies not only to carry out measures, but also to verify their effectiveness. Management is responsible for ensuring that this effectiveness is regularly reviewed, results are analyzed, and targeted improvements are implemented where necessary.
In this example, the company could complement the online platform with an annual in-person training session tailored to its specific infrastructure and security requirements. In practice, such in-person sessions often lead to a significantly higher learning effect compared to purely online formats. The reason lies in how people learn and process information.
A key advantage is the direct and individualized connection to internal processes, systems, and real risks within the organization. Because participants actively engage with realistic scenarios and practical examples, the content feels less abstract and is perceived as relevant to their daily work.
Another important benefit of in-person training is its interactive nature. Real-life scenarios can be simulated and discussed, and employees are actively involved. This typically leads to higher engagement and a stronger commitment to the topic. As a result, security awareness and team cohesion are strengthened across the organization, as each employee becomes an active part of the process.