Blend
Compliance Training 29 March 2026

Does NIS2 Apply to All Employees? Training Requirements Explained

NIS2 Article 20(2) encourages all-staff cybersecurity training. Here's why 'encouraged' effectively means mandatory for audit purposes.

By Tom Payani

If you have read Article 20 of the NIS2 Directive carefully, you will have noticed something that trips up most compliance teams: the word "encouraged."

Article 20(2) is unambiguous about management bodies. They are required to follow training. But for the rest of the workforce, the directive uses softer language — it "shall encourage essential and important entities to offer similar training to their employees on a regular basis."

This creates a natural question. If board training is mandatory and staff training is merely encouraged, can organisations reasonably deprioritise general workforce training? The short answer is no. The longer answer is that the distinction between "required" and "encouraged" is far less meaningful in practice than it appears on paper.

Here is why, and what proportionate training actually looks like for different roles across an organisation.


The Two-Tier Structure of Article 20(2)

The full text of Article 20(2) reads:

"Member States shall ensure that the members of the management bodies of essential and important entities are required to follow training, and shall encourage essential and important entities to offer similar training to their employees on a regular basis, in order for them to gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity."

The structure is deliberate. The EU legislator created two distinct obligations within a single paragraph.

Tier 1: Management body training — mandatory. Member states must ensure this happens. There is no discretion. If your directors and senior executives have not completed documented cybersecurity training, your organisation is non-compliant. We covered this obligation in detail in our Article 20 board training guide.

Tier 2: Employee training — strongly encouraged. Member states are directed to encourage organisations to extend similar training to their wider workforce. The language is not "may encourage" — it is "shall encourage," which places an obligation on the state to actively promote this, even if it stops short of mandating it directly on every employer.

This two-tier approach is consistent with how the EU legislates proportionality. The directive sets a hard floor for those with the highest accountability (the board), then creates strong expectations for broader adoption without dictating exactly how every organisation should implement it.

The problem arises when compliance teams read "encouraged" and conclude that employee training is optional. It is not, for reasons that become clear when you look at what else the directive requires.


Why "Encouraged" Effectively Means Mandatory

Three provisions in the directive, taken together, make general workforce training a practical necessity even though the word "required" is not used.

Article 21(2)(g): Basic cyber hygiene practices and cybersecurity training. Article 21 sets out the cybersecurity risk-management measures that essential and important entities must implement. Subparagraph (g) explicitly lists "basic cyber hygiene practices and cybersecurity training" as one of those mandatory measures. This is not a soft encouragement. This is a binding obligation on the entity to have cybersecurity training as part of its risk-management framework.

Read that again. Article 20(2) encourages organisations to train employees. Article 21(2)(g) requires organisations to implement cybersecurity training as a risk-management measure. The effect is that while Article 20 frames employee training as an encouragement, Article 21 makes it a compliance requirement through a different mechanism.

Article 21(1): Proportionate measures. The risk-management measures in Article 21 must be "proportionate to the risks posed." An organisation that trains its board but leaves its operational staff without cybersecurity awareness has not taken proportionate measures. If a phishing attack succeeds because a finance team member was never trained to recognise one, the question an auditor will ask is not "was training encouraged?" but "was the risk-management framework proportionate?"

Recital 89: Cyber hygiene for all. The recitals are not legally binding in the same way as the articles, but they are used by courts and regulators to interpret legislative intent. Recital 89 states that entities should "promote cyber hygiene practices, such as... cybersecurity awareness training for their staff." When a supervisory authority is deciding whether your training programme is adequate, the recitals inform their interpretation.

The combined effect is straightforward. You cannot satisfy Article 21(2)(g) without providing cybersecurity training to your workforce. The "encouraged" language in Article 20(2) creates the policy aspiration; Article 21 creates the legal obligation.


What Auditors Will Actually Look For

When a supervisory authority — or an auditor acting on their behalf — examines your NIS2 compliance posture, they will not ask "did you encourage training?" They will ask a series of practical questions.

Coverage. Which roles received training? If only the IT department and the board were trained, but the organisation has 500 employees across operations, procurement, finance, and customer service, the auditor will want to know why those groups were excluded from the risk-management framework.

Frequency. Article 20(2) specifies "on a regular basis." A one-off awareness session in 2025 does not satisfy an ongoing obligation. Auditors will look for evidence of recurring training — annual at minimum, with more frequent touchpoints for roles that handle sensitive systems or data.

Relevance. Generic cybersecurity training that covers abstract concepts but never addresses the specific risks your organisation faces is unlikely to satisfy the proportionality requirement. If your organisation processes health data, training should cover healthcare-specific threat scenarios. If you operate critical infrastructure, training should address operational technology risks.

Evidence. Completion records, assessment scores, competency demonstrations. The directive does not prescribe a format, but the absence of documentation is itself a compliance gap. If you cannot prove training happened and produced measurable outcomes, the training effectively did not happen.

Outcomes. The most rigorous auditors — particularly in member states that have transposed NIS2 with detailed implementing provisions — will look beyond completion data. They will want to see that training led to behavioural change: reduced click rates on phishing simulations, faster incident reporting times, improved scores on periodic assessments.

This is why the "encouraged" language is a distraction. In practice, the audit framework treats employee training as a component of your Article 21 risk-management obligations, and the evidence expectations are the same as for any other mandatory measure.


Proportionate Training by Role

NIS2 does not require every employee to complete the same training as the board. Proportionality is a core principle of the directive, and it applies to training scope and depth.

Here is what proportionate training looks like across a typical organisation.

Board and senior executives. This group has the most demanding obligation. Training must enable them to identify risks, assess cybersecurity risk-management practices, and understand the impact on services. This means governance-level training covering risk frameworks, incident response decision-making, regulatory obligations, and third-party risk oversight. This is not a 30-minute awareness module. It is a substantive programme, ideally scenario-based, that builds genuine decision-making competence.

IT and security teams. These roles need technical depth appropriate to their function. Network engineers need different training from application security analysts. The directive does not prescribe specific technical certifications, but the risk-management framework should include role-appropriate technical training that is documented and assessed.

Operational staff with system access. Employees who use business-critical systems daily — whether that is an ERP platform, a SCADA interface, or a customer database — need training that addresses the specific threats relevant to their access. This includes recognising phishing attempts, understanding access control policies, knowing how to report suspicious activity, and following secure data handling procedures.

General workforce. Every employee, regardless of role, should receive basic cyber hygiene training. Article 21(2)(g) lists this explicitly. At minimum, this covers password management, device security, social engineering awareness, and incident reporting procedures. The training does not need to be technically deep, but it does need to be engaging enough to produce actual behavioural change.

Third-party and contractor staff. Article 21(2)(d) addresses supply chain security. If contractors access your systems or handle your data, their training status becomes part of your risk-management posture. While you cannot mandate training for another organisation's employees, you can — and should — include training requirements in contractual terms and verify compliance.

The key principle is that training depth should match risk exposure. A receptionist and a systems administrator face different threat profiles. Proportionate training recognises this and adjusts accordingly.


The Cost of Getting This Wrong

The penalty framework for NIS2 is significant — up to EUR 10 million or 2% of global annual turnover for essential entities, and up to EUR 7 million or 1.4% for important entities. We covered this in detail in our NIS2 penalties guide.

But penalties are the headline number. The practical cost of inadequate employee training is often more immediate.

A phishing attack that succeeds because a staff member was never trained costs time, money, and reputation. An incident that is reported late because employees did not know the reporting procedure triggers enforcement action under Article 23. A supply chain compromise that was avoidable with basic vendor awareness training becomes a board-level accountability issue under Article 20.

Training is not an overhead. It is risk mitigation. When it is done well, it reduces the probability and severity of the incidents that trigger the penalties in the first place. The organisation benefits, the employees benefit, and the compliance posture improves simultaneously.


Building a Compliant Training Programme

If you are building or reviewing your NIS2 training programme, here is a practical framework.

Step 1: Map your roles to risk tiers. Identify which employees fall into each of the categories above. Use your existing risk assessment to determine which roles have the highest exposure.

Step 2: Define learning outcomes for each tier. The directive requires "sufficient knowledge and skills." Define what sufficient means for each group. For the board, that means governance competence. For general staff, that means cyber hygiene behaviours. Document these outcomes — they become your audit evidence.

Step 3: Choose training formats that produce evidence. Attendance records alone will not satisfy an auditor. Scenario-based training that requires learners to make decisions under realistic conditions produces far stronger evidence of competence than slide-based courses with multiple-choice quizzes. The format matters because the evidence it produces matters.

Step 4: Establish a recurring schedule. "On a regular basis" means at least annual refresher training, with more frequent interventions for high-risk roles or when the threat landscape changes materially. Build this into your compliance calendar.

Step 5: Document everything. Completion records, assessment results, competency benchmarks, training content versions, delivery dates, attendance by role. If it is not documented, it did not happen.

If you are looking for a training programme that covers these requirements — from board-level governance scenarios to general workforce cyber hygiene — our NIS2 course is built specifically for this purpose. It is scenario-based, produces the evidence auditors look for, and can be deployed across your organisation at different depth levels.

Not sure where your current training programme stands? Our free diagnostic takes two minutes and gives you a clear picture of your NIS2 training gaps.

